diff --git a/.kitchen.yml b/.kitchen.yml
index 2a8ac944..71d748a2 100644
--- a/.kitchen.yml
+++ b/.kitchen.yml
@@ -16,11 +16,10 @@ provisioner:
 idempotency_test: true
 extra_vars:
 st2repo_name: <%= ENV['ST2_REPO'] || 'stable' %>
- ewc_repo: <%= ENV['EWC_REPO'] || 'enterprise' %>
- ewc_license: "<%= ENV['LICENSE'] ? ENV[ENV['LICENSE']] : ENV['BWC_LICENSE_ENTERPRISE'] %>"
 st2chatops_hubot_adapter: slack
 st2chatops_config:
 HUBOT_SLACK_TOKEN: <%= ENV['HUBOT_SLACK_TOKEN'] %>
+ st2_rbac_enable: yes
 platforms:
 # Ubuntu Xenial with Systemd
diff --git a/.travis.yml b/.travis.yml
index 0fabe3fc..fbbaa975 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -9,16 +9,16 @@ branches:
 env:
 # default is stable repo
- - DISTRO=ubuntu-16 LICENSE='BWC_LICENSE_ENTERPRISE'
- - DISTRO=ubuntu-18 LICENSE='BWC_LICENSE_ENTERPRISE'
- - DISTRO=centos-7 LICENSE='BWC_LICENSE_ENTERPRISE'
- - DISTRO=centos-8 LICENSE='BWC_LICENSE_ENTERPRISE'
+ - DISTRO=ubuntu-16
+ - DISTRO=ubuntu-18
+ - DISTRO=centos-7
+ - DISTRO=centos-8
 # StackStorm 'unstable' repo check
- - DISTRO=ubuntu-16 ST2_REPO=unstable EWC_REPO=enterprise-unstable LICENSE='BWC_LICENSE_ENTERPRISE_UNSTABLE'
- - DISTRO=ubuntu-18 ST2_REPO=unstable EWC_REPO=enterprise-unstable LICENSE='BWC_LICENSE_ENTERPRISE_UNSTABLE'
- - DISTRO=centos-7 ST2_REPO=unstable EWC_REPO=enterprise-unstable LICENSE='BWC_LICENSE_ENTERPRISE_UNSTABLE'
- - DISTRO=centos-8 ST2_REPO=unstable EWC_REPO=enterprise-unstable LICENSE='BWC_LICENSE_ENTERPRISE_UNSTABLE'
+ - DISTRO=ubuntu-16 ST2_REPO=unstable
+ - DISTRO=ubuntu-18 ST2_REPO=unstable
+ - DISTRO=centos-7 ST2_REPO=unstable
+ - DISTRO=centos-8 ST2_REPO=unstable
 before_script:
 # Personal token for forked PRs
diff --git a/README.md b/README.md
index 92642fa0..4b0a0831 100644
--- a/README.md
+++ b/README.md
@@ -44,6 +44,10 @@ Below is the list of variables you can redefine in your playbook to customize st | `st2_auth_username` | `testu` | Username used by StackStorm standalone authentication. | `st2_auth_password` | `testp` | Password used by StackStorm standalone authentication. | `st2_save_credentials` | `yes` | Save credentials for local CLI in `/root/.st2/config` file. +| `st2_rbac_enable` | `no` | Enable RBAC. | +| `st2_rbac` | [See `st2_rbac` variable in role defaults](roles/st2/defaults/main.yml) | RBAC roles and assignments. This is a dictionary with two keys `roles` and `assignments`. `roles` and `assignments` are in turn both arrays. Each element in the array follows the exact YAML schema for [roles](https://docs.stackstorm.com/rbac.html#user-permissions) and [assignments](https://docs.stackstorm.com/rbac.html#defining-user-role-assignments) defined in ST2 documentation. +| `st2_ldap_enable` | `no` | Enable LDAP authentication backend. | +| `st2_ldap` | [See `st2_ldap` variable in role defaults](roles/st2/defaults/main.yml) | Settings for LDAP authentication backend. `st2_ldap` is a dictionary and has one item `backend_kwargs`. `backend_kwargs` should be provided as exactly listed in ST2 documentation for [LDAP configuration](https://docs.stackstorm.com/authentication.html#ldap). | `st2_packs` | `[ st2 ]` | List of packs to install. This flag does not work with a `--python3` only pack. | `st2_python_packages` | `[ ]` | List of python packages to install into the `/opt/stackstorm/st2` virtualenv. This is needed when deploying alternative auth or coordination backends which depend on Python modules to make them work. | `st2_u16_add_insecure_py3_ppa` | `false` | Whether permission is granted to install the deadsnakes Python3.6 PPA for Ubuntu 16. 
@@ -52,13 +56,6 @@ Below is the list of variables you can redefine in your playbook to customize st | `st2web_ssl_certificate` | `null` | String with custom SSL certificate (`.crt`). If not provided, self-signed certificate will be generated. | `st2web_ssl_certificate_key` | `null` | String with custom SSL certificate secret key (`.key`). If not provided, self-signed certificate will be generated. | `st2web_nginx_config` | `null` | String with a custom nginx configuration file (`st2.conf`). If not provided, the default st2.conf will be used. -| **ewc** -| `ewc_license` | `null` | EWC license key is required for installing EWC enteprise bits via this ansible role. -| `ewc_repo` | `enterprise` | EWC PackageCloud repository to install. [`enterprise`](https://packagecloud.io/StackStorm/enterprise/), [`enterprise-unstable`](https://packagecloud.io/StackStorm/enterprise-unstable/), [`staging-enterprise`](https://packagecloud.io/StackStorm/staging-enteprise/), [`staging-enterprise-unstable`](https://packagecloud.io/StackStorm/staging-enterprise-unstable/) -| `ewc_version` | `latest` | EWC enterprise version to install. `present` to install available package, `latest` to get automatic updates, or pin it to numeric version like `2.2.0`. The version used here should match `st2_version`. -| `ewc_revision` | `1` | EWC enterprise revision to install. Used only with pinned `ewc_version`. -| `ewc_rbac` | [See `ewc_rbac` variable in role defaults](roles/StackStorm.ewc/defaults/main.yml) | EWC RBAC roles and assignments. This is a dictionary with two keys `roles` and `assignments`. `roles` and `assignments` are in turn both arrays. Each element in the array follows the exact YAML schema for [roles](https://ewc-docs.extremenetworks.com/rbac.html#user-permissions) and [assignments](https://ewc-docs.extremenetworks.com/rbac.html#defining-user-role-assignments) defined in EWC documentation. 
-| `ewc_ldap` | [See `ewc_ldap` variable in role defaults](roles/StackStorm.ewc/defaults/main.yml) | Settings for EWC LDAP authentication backend. `ewc_ldap` is a dictionary and has one item `backend_kwargs`. `backend_kwargs` should be provided as exactly listed in EWC documentation for [LDAP configuration](https://ewc-docs.extremenetworks.com/authentication.html#auth-backends). | **st2chatops** | `st2chatops_version` | `latest` | st2chatops version to install. `present` to install available package, `latest` to get automatic updates, or pin it to numeric version like `2.2.0` or with revision like `2.2.0-1`. | `st2chatops_st2_api_key` | | st2 API key to be updated in st2chatops.env using "st2 apikey create -k" in a task diff --git a/meta/main.yml b/meta/main.yml index dc1f7536..9c7d3550 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -8,7 +8,7 @@ # roles_path = /etc/ansible/roles/:/etc/ansible/roles/StackStorm.stackstorm/roles/ --- galaxy_info: - description: Install StackStorm (IFTTT for Ops) with all the components like Web UI, ChatOps, EWC and dependant services including RabbitMQ, MongoDB, nginx. + description: Install StackStorm (IFTTT for Ops) with all the components like Web UI, ChatOps and dependant services including RabbitMQ, MongoDB, nginx. author: armab company: StackStorm license: Apache 2.0 @@ -34,8 +34,6 @@ galaxy_info: - st2 - st2web - st2chatops - - bwc - - ewc - rabbitmq - mongodb - nginx diff --git a/roles/StackStorm.ewc/defaults/main.yml b/roles/StackStorm.ewc/defaults/main.yml deleted file mode 100644 index 20f10faa..00000000 --- a/roles/StackStorm.ewc/defaults/main.yml +++ /dev/null 
@@ -1,41 +0,0 @@ ---- -# EWC PackageCloud repository to install: enterprise, enterprise-unstable, staging-enterprise, staging-enterprise-unstable. -ewc_repo: "enterprise" -# `present` to install available package, `latest` to get automatic updates, or pin it to numeric version like `2.2.0`. -ewc_version: latest -# used only if 'ewc_version' is numeric -ewc_revision: 1 - -# EWC license to install EWC enterprise bits -ewc_license: null - -# Specify roles and assignments for EWC RBAC. -# Roles are pushed as YML files to /opt/stackstorm/rbac/roles -# Assignments are pushed as YML files to /opt/stackstorm/rbac/assignments/ -# The schema for roles and assignments follow the exact schema definition -# define in https://ewc-docs.extremenetworks.com/rbac.html#defining-roles-and-permission-grants -# and https://ewc-docs.extremenetworks.com/rbac.html#defining-user-role-assignments. - -ewc_rbac_default_roles: [] - -ewc_rbac_default_assignments: - - name: "{{ st2_system_user }}" - roles: - - admin - - - name: "{{ st2_auth_username }}" - roles: - - system_admin - -ewc_rbac: - roles: "{{ ewc_rbac_default_roles }}" - - assignments: "{{ ewc_rbac_default_assignments }}" - - -# By specifying a valid configuration for LDAP, -# (See https://ewc-docs.extremenetworks.com/authentication.html#ldap ) -# LDAP auth backend is setup for st2 and EWC. -# Note that you just need to provide the backend_kwargs. -ewc_ldap: - backend_kwargs: {} diff --git a/roles/StackStorm.ewc/handlers/main.yml b/roles/StackStorm.ewc/handlers/main.yml deleted file mode 100644 index 6770f3ad..00000000 --- a/roles/StackStorm.ewc/handlers/main.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- - -- name: reload ewc_rbac - become: yes - command: st2-apply-rbac-definitions --config-file /etc/st2/st2.conf diff --git a/roles/StackStorm.ewc/meta/main.yml b/roles/StackStorm.ewc/meta/main.yml deleted file mode 100644 index fa59154f..00000000 --- a/roles/StackStorm.ewc/meta/main.yml +++ /dev/null 
@@ -1,27 +0,0 @@ ---- -galaxy_info: - description: Install EWC Entperprise components, setup RBAC and LDAP - author: lakshmi-kannan - company: StackStorm - license: Apache 2.0 - min_ansible_version: 2.5 - platforms: - - name: Ubuntu - versions: - - bionic - - xenial - - name: EL - versions: - - 7 - - 8 - galaxy_tags: - - system - - stackstorm - - bwc - - ewc - - repositories - - packagecloud -dependencies: - - role: StackStorm.st2repo - - role: StackStorm.st2 - - role: StackStorm.st2web diff --git a/roles/StackStorm.ewc/tasks/ewc_repos_cleanup_debian.yml b/roles/StackStorm.ewc/tasks/ewc_repos_cleanup_debian.yml deleted file mode 100644 index f1afcc57..00000000 --- a/roles/StackStorm.ewc/tasks/ewc_repos_cleanup_debian.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- -- name: Cleanup repo list file from disk - become: yes - file: - path: /etc/apt/sources.list.d/StackStorm_{{ ewc_repo }} - state: absent - tags: - - ewc - - enterprise diff --git a/roles/StackStorm.ewc/tasks/ewc_repos_cleanup_redhat.yml b/roles/StackStorm.ewc/tasks/ewc_repos_cleanup_redhat.yml deleted file mode 100644 index 9aeb9348..00000000 --- a/roles/StackStorm.ewc/tasks/ewc_repos_cleanup_redhat.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- -- name: Cleanup repo list file from disk - become: yes - yum_repository: - name: "StackStorm_{{ ewc_repo }}" - state: absent - tags: - - ewc - - enterprise diff --git a/roles/StackStorm.ewc/tasks/ewc_repos_debian.yml b/roles/StackStorm.ewc/tasks/ewc_repos_debian.yml deleted file mode 100644 index 55cf6f9c..00000000 --- a/roles/StackStorm.ewc/tasks/ewc_repos_debian.yml +++ /dev/null 
@@ -1,93 +0,0 @@ ---- -- name: Install prereqs (Debian) - become: yes - apt: - name: - - debian-archive-keyring - - apt-transport-https - state: present - register: _task - retries: 5 - delay: 3 - until: _task is succeeded - tags: - - ewc - - enterprise - -- name: "Including ID variable for {{ ewc_repo }}" - include_vars: - file: "{{ ewc_repo }}.yml" - -- name: Get keyring URL - become: yes - no_log: yes - changed_when: no - uri: - url: https://{{ ewc_license }}:@packagecloud.io/install/repositories/StackStorm/{{ ewc_repo }}/gpg_key_url.list?os={{ ansible_facts.distribution | lower }}&dist={{ ansible_facts.distribution_release | lower }}&name={{ ansible_facts.nodename }} - dest: "/etc/packagecloud/StackStorm_{{ ewc_repo }}_gpgkey_url.txt" - force_basic_auth: yes - method: GET - status_code: 201,200 - headers: - Content-Type: "application/x-www-form-urlencoded" - register: _task - retries: 5 - delay: 3 - until: _task is succeeded - -- name: Read ewc_gpgkey_url from file - become: yes - no_log: yes - changed_when: no - command: cat "/etc/packagecloud/StackStorm_{{ ewc_repo }}_gpgkey_url.txt" - register: _ewc_gpgkey_url - -- name: Set ewc_gpgkey_url variable - no_log: yes - set_fact: - ewc_gpgkey_url: "{{ _ewc_gpgkey_url.stdout }}" - - # This is a nasty hack necessary because of how AWS Redirects are interfering - # with both get_url and uri modules in Ansible. The redirect is somehow - # appending another authorization method to the request which AWS rejects. - # This will ultimately need to be fixed upstream. 
-- name: Download gpgkey - become: yes - command: "curl -L -o /etc/packagecloud/StackStorm_{{ ewc_repo }}_gpgkey.asc {{ ewc_gpgkey_url }}" - args: - creates: "/etc/packagecloud/StackStorm_{{ ewc_repo }}_gpgkey.asc" - warn: False - register: _task - retries: 5 - delay: 3 - until: _task is succeeded - -- name: Add keys to keyring - become: yes - apt_key: - id: "{{ enterprise_key_id }}" - file: "/etc/packagecloud/StackStorm_{{ ewc_repo }}_gpgkey.asc" - state: present - register: _task - retries: 5 - delay: 3 - until: _task is succeeded - tags: - - ewc - - enterprise - -- name: "Add packagecloud.io repository: StackStorm/{{ ewc_repo }}" - become: yes - no_log: yes - apt_repository: - filename: "StackStorm_{{ ewc_repo }}" - repo: 'deb https://{{ ewc_read_token }}:@packagecloud.io/StackStorm/{{ ewc_repo }}/{{ ansible_facts.distribution|lower }}/ {{ ansible_facts.distribution_release|lower }} main' - state: present - update_cache: yes - register: added_ewc_deb_repository - retries: 5 - delay: 3 - until: added_ewc_deb_repository is succeeded - tags: - - ewc - - enterprise diff --git a/roles/StackStorm.ewc/tasks/ewc_repos_redhat.yml b/roles/StackStorm.ewc/tasks/ewc_repos_redhat.yml deleted file mode 100644 index c085d54f..00000000 --- a/roles/StackStorm.ewc/tasks/ewc_repos_redhat.yml +++ /dev/null 
@@ -1,35 +0,0 @@ ---- -# Fixes "Failure talking to yum: Cannot retrieve repository metadata (repomd.xml) for repository: StackStorm_stable. Please verify its path and try again" when installing st2 -- name: Update ca-certificates package - become: yes - yum: - name: ca-certificates - state: latest - register: _task - retries: 5 - delay: 3 - until: _task is succeeded - tags: - - ewc - - enterprise - - skip_ansible_lint - -- name: "Add packagecloud.io repository: StackStorm/{{ ewc_repo }}" - become: yes - no_log: yes - yum_repository: - name: "StackStorm_{{ ewc_repo }}" - description: "StackStorm_{{ ewc_repo }}" - file: "StackStorm_{{ ewc_repo }}" - baseurl: https://{{ ewc_read_token }}:@packagecloud.io/StackStorm/{{ ewc_repo }}/el/{{ ansible_facts.distribution_major_version }}/$basearch - repo_gpgcheck: yes - gpgkey: "https://{{ ewc_read_token }}:@packagecloud.io/StackStorm/{{ ewc_repo }}/gpgkey" - sslcacert: /etc/pki/tls/certs/ca-bundle.crt - metadata_expire: 300 - gpgcheck: no - enabled: yes - sslverify: yes - register: added_ewc_rpm_repository - tags: - - ewc - - enterprise diff --git a/roles/StackStorm.ewc/tasks/ewc_repos_setup.yml b/roles/StackStorm.ewc/tasks/ewc_repos_setup.yml deleted file mode 100644 index b5418278..00000000 --- a/roles/StackStorm.ewc/tasks/ewc_repos_setup.yml +++ /dev/null 
@@ -1,66 +0,0 @@ ---- -- name: Create packagecloud dir - become: yes - file: - path: "/etc/packagecloud" - mode: "u=rwx,g=rx,o=rx" - owner: st2 - group: st2 - state: directory - tags: - - ewc - - enterprise - -- name: Handle ewc_license change - include_tasks: license.yml - tags: - - ewc - - enterprise - -- name: Get read token for repo from packagecloud - become: yes - no_log: yes - changed_when: no - uri: - url: https://{{ ewc_license }}:@packagecloud.io/install/repositories/StackStorm/{{ ewc_repo }}/tokens.text - # creates: "/etc/packagecloud/StackStorm_{{ ewc_repo }}_read_token.txt" # Don't download if file already exists - dest: "/etc/packagecloud/StackStorm_{{ ewc_repo }}_read_token.txt" - force_basic_auth: yes - method: POST - status_code: 201,200 - headers: - Content-Type: "application/x-www-form-urlencoded" - body: "name={{ ansible_facts.nodename }}" - register: _task - retries: 5 - delay: 3 - until: _task is succeeded - tags: - - ewc - - enterprise - -- name: Read ewc_read_token from file - become: yes - no_log: yes - changed_when: no - command: cat "/etc/packagecloud/StackStorm_{{ ewc_repo }}_read_token.txt" - register: _ewc_read_token - tags: - - ewc - - enterprise - -- name: Set ewc_read_token variable - no_log: yes - set_fact: - ewc_read_token: "{{ _ewc_read_token.stdout }}" - tags: - - ewc - - enterprise - -- name: Add EWC enterprise repos on {{ ansible_os_family | lower }} - include_tasks: ewc_repos_{{ ansible_os_family | lower }}.yml - tags: - - ewc - - enterprise - register: ewc_repo_added - when: ewc_read_token | length > 0 diff --git a/roles/StackStorm.ewc/tasks/license.yml b/roles/StackStorm.ewc/tasks/license.yml deleted file mode 100644 index cc8fc587..00000000 --- a/roles/StackStorm.ewc/tasks/license.yml +++ /dev/null 
@@ -1,76 +0,0 @@ ---- -- name: Check if EWC license hash file is present - stat: - path: /etc/packagecloud/ewc_license_hash.txt - register: ewc_license_hash_file - tags: - - ewc - - enterprise - -- name: Read ewc_license_hash_file if it exits - command: cat /etc/packagecloud/ewc_license_hash.txt - register: _ewc_license_hash - no_log: yes - changed_when: no - when: ewc_license_hash_file.stat.exists - tags: - - ewc - - enterprise - -- name: Set ewc_license_hash from file context - set_fact: - ewc_license_hash: "{{ _ewc_license_hash.stdout }}" - no_log: yes - when: ewc_license_hash_file.stat.exists - tags: - - ewc - - enterprise - -- name: Set ewc_license_hash to incoming hash if not defined - no_log: yes - set_fact: - ewc_license_hash: '{{ ewc_license | hash("sha512") }}' - when: not ewc_license_hash_file.stat.exists - tags: - - ewc - - enterprise - -- name: Write ewc_license_hash to file if file not found on disk - copy: - content: "{{ ewc_license | hash('sha512') }}" - dest: "/etc/packagecloud/ewc_license_hash.txt" - force: yes - become: yes - when: not ewc_license_hash_file.stat.exists - tags: - - ewc - - enterprise - -- name: "Cleanup read token cached file from disk" - become: yes - file: - path: "/etc/packagecloud/StackStorm_{{ ewc_repo }}_read_token.txt" - state: absent - when: ewc_license | hash("sha512") != ewc_license_hash - tags: - - ewc - - enterprise - -- name: "Cleanup repo list file from disk" - include_tasks: "ewc_repos_cleanup_{{ ansible_os_family | lower }}.yml" - when: ewc_license | hash("sha512") != ewc_license_hash - tags: - - ewc - - enterprise - -- name: Write new ewc_license_hash to file - copy: - content: "{{ ewc_license | hash('sha512') }}" - dest: "/etc/packagecloud/ewc_license_hash.txt" - force: yes - become: yes - no_log: yes - when: ewc_license | hash("sha512") != ewc_license_hash - tags: - - ewc - - enterprise 
diff --git a/roles/StackStorm.ewc/tasks/main.yml b/roles/StackStorm.ewc/tasks/main.yml deleted file mode 100644 index 86dc54bc..00000000 --- a/roles/StackStorm.ewc/tasks/main.yml +++ /dev/null @@ -1,73 +0,0 @@ ---- -- name: Assert that 'ewc_license' is specified correctly - fail: - msg: "License key must be supplied for EWC enterprise installation." - when: ewc_license is not defined or ewc_license is none or ewc_license|length != 48 - -- name: Add EWC enterprise repos - include_tasks: ewc_repos_setup.yml - tags: - - ewc - - enterprise - -- name: Install latest bwc-enterprise package, auto-update - become: yes - package: - name: bwc-enterprise - state: latest - register: ewc_installed - retries: 5 - delay: 3 - until: ewc_installed is succeeded - when: ewc_version == "latest" - tags: - - ewc - - st2 enterprise - - skip_ansible_lint - notify: - - restart st2api - - restart st2auth - -- name: Install present bwc-enterprise package, no auto-update - become: yes - package: - name: bwc-enterprise - state: present - register: ewc_installed - retries: 5 - delay: 3 - until: ewc_installed is succeeded - when: ewc_version == "present" - tags: - - ewc - - st2 enterprise - notify: - - restart st2api - - restart st2auth - -- name: Install pinned bwc-enterprise package - become: yes - package: - name: bwc-enterprise{{ '-' if ansible_os_family == 'RedHat' else '=' }}{{ ewc_version }}-{{ ewc_revision }} - state: present - register: ewc_installed - retries: 5 - delay: 3 - until: ewc_installed is succeeded - when: - - ewc_version != "latest" - - ewc_version != "present" - tags: - - ewc - - st2 enterprise - notify: - - restart st2api - - restart st2auth - -- name: Setup RBAC and setup roles and assignments if ewc_rbac is defined - import_tasks: rbac.yml - when: ewc_rbac is defined - -- name: Setup LDAP and set up LDAP configuration - import_tasks: ldap.yml - when: ewc_ldap is defined 
diff --git a/roles/StackStorm.ewc/tasks/rbac.yml b/roles/StackStorm.ewc/tasks/rbac.yml deleted file mode 100644 index 937a7aa7..00000000 --- a/roles/StackStorm.ewc/tasks/rbac.yml +++ /dev/null @@ -1,70 +0,0 @@ ---- -- name: Copy default RBAC roles to /opt/stackstorm/rbac/roles directory - become: yes - template: - src: rbac_roles/roles.yml.j2 - dest: /opt/stackstorm/rbac/roles/{{ item.name }}.yaml - owner: st2 - group: st2 - loop: "{{ ewc_rbac_default_roles }}" - notify: - - reload ewc_rbac - -- name: Copy user defined RBAC roles to /opt/stackstorm/rbac/roles directory - become: yes - template: - src: rbac_roles/roles.yml.j2 - dest: /opt/stackstorm/rbac/roles/{{ item.name }}.yaml - owner: st2 - group: st2 - loop: "{{ ewc_rbac.roles }}" - when: ewc_rbac.roles is defined - notify: - - reload ewc_rbac - -- name: Copy default RBAC assignments to /opt/stackstorm/rbac/assignments directory - become: yes - template: - src: rbac_assignments/assignments.yml.j2 - dest: /opt/stackstorm/rbac/assignments/{{ item.name }}.yaml - owner: st2 - group: st2 - loop: "{{ ewc_rbac_default_assignments }}" - notify: - - reload ewc_rbac - -- name: Copy user defined RBAC assignments to /opt/stackstorm/rbac/assignments directory - become: yes - template: - src: rbac_assignments/assignments.yml.j2 - dest: /opt/stackstorm/rbac/assignments/{{ item.name }}.yaml - owner: st2 - group: st2 - loop: "{{ ewc_rbac.assignments }}" - when: ewc_rbac.assignments is defined - notify: - - reload ewc_rbac - -- name: Enable RBAC in st2 configuration - become: yes - ini_file: - dest: /etc/st2/st2.conf - section: rbac - option: enable - value: True - backup: yes - notify: - - restart st2api - - reload ewc_rbac - -- name: Configure RBAC backend in st2 configuration - become: yes - ini_file: - dest: /etc/st2/st2.conf - section: rbac - option: backend - value: enterprise - backup: yes - notify: - - restart st2api - - reload ewc_rbac 
diff --git a/roles/StackStorm.ewc/vars/enterprise-unstable.yml b/roles/StackStorm.ewc/vars/enterprise-unstable.yml deleted file mode 100644 index d0d98525..00000000 --- a/roles/StackStorm.ewc/vars/enterprise-unstable.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -enterprise_key_id: AEFF7A20DC68594D diff --git a/roles/StackStorm.ewc/vars/enterprise.yml b/roles/StackStorm.ewc/vars/enterprise.yml deleted file mode 100644 index 3ee124bd..00000000 --- a/roles/StackStorm.ewc/vars/enterprise.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -enterprise_key_id: E8518D3790C81C76 diff --git a/roles/StackStorm.ewc/vars/staging-enterprise-unstable.yml b/roles/StackStorm.ewc/vars/staging-enterprise-unstable.yml deleted file mode 100644 index aef603fd..00000000 --- a/roles/StackStorm.ewc/vars/staging-enterprise-unstable.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -enterprise_key_id: D8A9369569165CC0 diff --git a/roles/StackStorm.ewc/vars/staging-enterprise.yml b/roles/StackStorm.ewc/vars/staging-enterprise.yml deleted file mode 100644 index b8e98530..00000000 --- a/roles/StackStorm.ewc/vars/staging-enterprise.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -enterprise_key_id: 216C528AB257619D diff --git a/roles/StackStorm.ewc_smoketests/meta/main.yml b/roles/StackStorm.ewc_smoketests/meta/main.yml deleted file mode 100644 index 2052740a..00000000 --- a/roles/StackStorm.ewc_smoketests/meta/main.yml +++ /dev/null @@ -1,27 +0,0 @@ ---- -galaxy_info: - description: Test EWC enteprise components were installed correctly. - author: lakshmi-kannan - company: StackStorm - license: Apache 2.0 - min_ansible_version: 2.5 - platforms: - - name: Ubuntu - versions: - - bionic - - xenial - - name: EL - versions: - - 7 - - 8 - galaxy_tags: - - stackstorm - - bwc - - ewc - - repositories - - packagecloud -dependencies: - - role: StackStorm.st2repo - - role: StackStorm.st2 - - role: StackStorm.st2web - - role: StackStorm.ewc 
diff --git a/roles/StackStorm.ewc_smoketests/tasks/main.yml b/roles/StackStorm.ewc_smoketests/tasks/main.yml deleted file mode 100644 index 9fc8665d..00000000 --- a/roles/StackStorm.ewc_smoketests/tasks/main.yml +++ /dev/null 
@@ -1,89 +0,0 @@ ---- - -# Small suite of smoke tests to ensure that EWC role has deployed as expected - -- name: auth | Add a new ewc_smoke_tests_user in st2 htpasswd file - become: true - htpasswd: - path: /etc/st2/htpasswd - name: "{{ ewc_smoke_tests_user }}" - password: "{{ ewc_smoke_tests_password }}" - changed_when: no - notify: - - restart st2api - - restart st2stream - tags: - - ewc-smoke-tests - -- name: Copy smoke tests RBAC roles to /opt/stackstorm/rbac/roles directory - become: yes - template: - src: rbac_roles/roles.yml.j2 - dest: /opt/stackstorm/rbac/roles/{{ item.name }}.yaml - owner: st2 - group: st2 - loop: "{{ ewc_smoke_tests_rbac.roles }}" - changed_when: no - when: ewc_smoke_tests_rbac.roles is defined - notify: - - reload ewc_rbac - tags: - - ewc-smoke-tests - -- name: Copy smoke tests RBAC assignments to /opt/stackstorm/rbac/assignments directory - become: yes - template: - src: rbac_assignments/assignments.yml.j2 - dest: /opt/stackstorm/rbac/assignments/{{ item.name }}.yaml - owner: st2 - group: st2 - loop: "{{ ewc_smoke_tests_rbac.assignments }}" - changed_when: no - when: ewc_smoke_tests_rbac.assignments is defined - notify: - - reload ewc_rbac - tags: - - ewc-smoke-tests - -- meta: flush_handlers - tags: - - ewc-smoke-tests - -- name: Get authentication token for ewc_smoke_tests # Note this will not use LDAP. 
- command: st2 auth "{{ ewc_smoke_tests_user }}" -p "{{ ewc_smoke_tests_password }}" -t - register: st2_token_smoke_tests_user - changed_when: no - tags: - - ewc-smoke-tests - -- name: Test a simple core.local action as user ``ewc_smoke_tests_user`` - command: st2 run core.local -- date -R - environment: - ST2_AUTH_TOKEN: "{{ st2_token_smoke_tests_user.stdout }}" - changed_when: no - tags: - - ewc-smoke-tests - -- name: Test some other action that "{{ ewc_smoke_tests_user }}" cannot run - command: st2 run core.http url="https://www.google.com" - environment: - ST2_AUTH_TOKEN: "{{ st2_token_smoke_tests_user.stdout }}" - ignore_errors: yes - changed_when: no - register: ewc_smoke_tests_forbidden_action - tags: - - ewc-smoke-tests - -- name: Assert forbidden error was indeed thrown - fail: - msg: "St2 action was forbidden to run because of RBAC permissions but action still ran." - changed_when: no - when: "ewc_smoke_tests_forbidden_action.stdout.find('Forbidden') == -1" - tags: - - ewc-smoke-tests - -- name: Teardown test artifacts - import_tasks: teardown.yml - changed_when: no - tags: - - ewc-smoke-tests diff --git a/roles/StackStorm.ewc_smoketests/tasks/teardown.yml b/roles/StackStorm.ewc_smoketests/tasks/teardown.yml deleted file mode 100644 index a4b3084f..00000000 --- a/roles/StackStorm.ewc_smoketests/tasks/teardown.yml +++ /dev/null 
@@ -1,38 +0,0 @@ ---- - -- name: Remove EWC smoke tests user from htpasswd file - become: yes - htpasswd: - path: /etc/st2/htpasswd - name: "{{ ewc_smoke_tests_user }}" - state: absent - changed_when: no - notify: - - reload ewc_rbac - tags: - - ewc-smoke-tests - -- name: Remove RBAC smoke tests roles # This doesn't cleanup role from DB. - become: yes - file: - state: absent - path: /opt/stackstorm/rbac/roles/{{ item.name }}.yml - loop: "{{ ewc_smoke_tests_rbac.roles }}" - when: ewc_smoke_tests_rbac.roles is defined - changed_when: no - notify: - - reload ewc_rbac - tags: - - ewc-smoke-tests - -- name: Remove RBAC smoke tests assignments # This doesn't cleanup assignment from DB. - become: yes - file: - state: absent - path: /opt/stackstorm/rbac/assignments/{{ ewc_smoke_tests_user }}.yml - when: ewc_smoke_tests_rbac.assignments is defined - changed_when: no - notify: - - reload ewc_rbac - tags: - - ewc-smoke-tests diff --git a/roles/StackStorm.st2/defaults/main.yml b/roles/StackStorm.st2/defaults/main.yml index e1565701..44213243 100644 --- a/roles/StackStorm.st2/defaults/main.yml +++ b/roles/StackStorm.st2/defaults/main.yml 
@@ -37,6 +37,36 @@ st2_auth_enable: yes
 st2_auth_username: testu
 # Password used by StackStorm standalone authentication
 st2_auth_password: testp
+
+
+# By specifying a valid configuration for LDAP,
+# (See https://docs.stackstorm.com/latest/authentication.html#ldap )
+# LDAP auth backend is setup for st2.
+# Note that you just need to provide the backend_kwargs.
+st2_ldap_enable: no
+# "enable" is not a key of st2_ldap because the defaults would be lost if any key in the dictionary is changed
+st2_ldap:
+ backend_kwargs: {}
+
+# Specify roles and assignments for RBAC.
+# Roles are pushed as YML files to /opt/stackstorm/rbac/roles
+# Assignments are pushed as YML files to /opt/stackstorm/rbac/assignments/
+# The schema for roles and assignments follow the exact schema definition
+# define in https://docs.stackstorm.com/latest/rbac.html#defining-roles-and-permission-grants
+# and https://docs.stackstorm.com/latest/rbac.html#defining-user-role-assignments
+st2_rbac_enable: no
+# "enable" is not a key of st2_rbac because the defaults would be lost if any key in the dictionary is changed
+st2_rbac:
+ roles: []
+ assignments:
+ - name: "{{ st2_system_user }}"
+ roles:
+ - admin
+ - name: "{{ st2_auth_username }}"
+ roles:
+ - system_admin
+
+
 # Save credentials in ~/.st2/config file
 st2_save_credentials: yes
 # ST2 packs to be installed (list)
diff --git a/roles/StackStorm.st2/handlers/main.yml b/roles/StackStorm.st2/handlers/main.yml
index b2b40213..5e929df3 100644
--- a/roles/StackStorm.st2/handlers/main.yml
+++ b/roles/StackStorm.st2/handlers/main.yml
@@ -32,3 +32,7 @@
 service:
 name: st2stream
 state: restarted
+
+- name: reload rbac
+ become: yes
+ command: st2-apply-rbac-definitions --config-file /etc/st2/st2.conf
diff --git a/roles/StackStorm.ewc/tasks/ldap.yml b/roles/StackStorm.st2/tasks/auth-ldap.yml
similarity index 79%
rename from roles/StackStorm.ewc/tasks/ldap.yml
rename to roles/StackStorm.st2/tasks/auth-ldap.yml
index 8a44a529..bab92ecb 100644
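Review bot: The LDAP comment block above `st2_ldap_enable` still says the backend is set up by specifying a valid configuration, but auth.yml now also gates the include on `st2_ldap_enable`, so the comment should name the flag: `# LDAP auth backend is set up for st2 only when st2_ldap_enable is true and backend_kwargs is non-empty.` The RBAC comment has a grammar slip, `follow the exact schema definition define in`, which reads better as `follows the exact schema definition given in`. It is also worth saying next to `st2_rbac` that overriding the variable replaces the default admin/system_admin assignments rather than merging with them, since the neighbouring comment only explains why `enable` was kept out of the dictionary.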
--- a/roles/StackStorm.ewc/tasks/ldap.yml
+++ b/roles/StackStorm.st2/tasks/auth-ldap.yml
@@ -10,7 +10,7 @@
 value: ldap
 backup: yes
 # Don't even setup LDAP if backend_kwargs is not defined
- when: ewc_ldap.backend_kwargs is defined and ewc_ldap.backend_kwargs|length > 0
+ when: st2_ldap.backend_kwargs is defined and st2_ldap.backend_kwargs|length > 0
 notify:
 - restart st2auth
@@ -22,9 +22,9 @@
 dest: /etc/st2/st2.conf
 section: auth
 option: backend_kwargs
- value: "{{ ewc_ldap.backend_kwargs | to_json | string }}"
+ value: "{{ st2_ldap.backend_kwargs | to_json | string }}"
 backup: yes
 # Don't even setup LDAP if backend_kwargs is not defined
- when: ewc_ldap.backend_kwargs is defined and ewc_ldap.backend_kwargs|length > 0
+ when: st2_ldap.backend_kwargs is defined and st2_ldap.backend_kwargs|length > 0
 notify:
 - restart st2auth
diff --git a/roles/StackStorm.st2/tasks/auth-rbac.yml b/roles/StackStorm.st2/tasks/auth-rbac.yml
new file mode 100644
index 00000000..e78bf50f
--- /dev/null
+++ b/roles/StackStorm.st2/tasks/auth-rbac.yml
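Review bot: The task in the second hunk that writes `value: "{{ st2_ldap.backend_kwargs | to_json | string }}"` into /etc/st2/st2.conf has no `no_log`, so if `backend_kwargs` carries LDAP bind credentials (a documented key of that backend) they are echoed in verbose and diff output on every change. Add `no_log: yes` to this task; the first hunk's task only writes `value: ldap` and does not need it. `backup: yes` also leaves a timestamped copy of the config next to st2.conf each time the value changes, which is worth a deliberate decision when the file holds credentials. Both enclosing tasks start above their hunks.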
@@ -0,0 +1,75 @@
+---
+- name: Create directory to store roles and assignments
+ become: yes
+ file:
+ path: "/opt/stackstorm/rbac/{{ item }}"
+ recurse: yes
+ state: directory
+ loop:
+ - roles
+ - assignments
+ when: st2_rbac_enable|bool
+
+- name: Copy defined RBAC roles to /opt/stackstorm/rbac/roles directory
+ become: yes
+ template:
+ src: rbac_roles/roles.yml.j2
+ dest: /opt/stackstorm/rbac/roles/{{ item.name }}.yaml
+ owner: st2
+ group: st2
+ loop: "{{ st2_rbac.roles }}"
+ when: st2_rbac_enable|bool and st2_rbac.roles is defined
+ notify:
+ - reload rbac
+
+- name: Copy RBAC assignments to /opt/stackstorm/rbac/assignments directory
+ become: yes
+ template:
+ src: rbac_assignments/assignments.yml.j2
+ dest: /opt/stackstorm/rbac/assignments/{{ item.name }}.yaml
+ owner: st2
+ group: st2
+ loop: "{{ st2_rbac.assignments }}"
+ when: st2_rbac_enable|bool
+ notify:
+ - reload rbac
+
+- name: Enable RBAC in st2 configuration
+ become: yes
+ ini_file:
+ dest: /etc/st2/st2.conf
+ section: rbac
+ option: enable
+ value: True
+ backup: yes
+ when: st2_rbac_enable|bool
+ notify:
+ - restart st2api
+ - restart st2auth
+ - reload rbac
+
+- name: Set RBAC backend to default in st2 configuration
+ become: yes
+ ini_file:
+ dest: /etc/st2/st2.conf
+ section: rbac
+ option: backend
+ value: default
+ backup: yes
+ when: st2_rbac_enable|bool
+ notify:
+ - restart st2api
+ - restart st2auth
+
+- name: Disable RBAC in st2 configuration
+ become: yes
+ ini_file:
+ dest: /etc/st2/st2.conf
+ section: rbac
+ option: enable
+ value: False
+ backup: yes
+ when: not st2_rbac_enable|bool
+ notify:
+ - restart st2api
+ - restart st2auth
diff --git a/roles/StackStorm.st2/tasks/auth.yml b/roles/StackStorm.st2/tasks/auth.yml
index 357eac94..1ebac416 100644
--- a/roles/StackStorm.st2/tasks/auth.yml
+++ b/roles/StackStorm.st2/tasks/auth.yml
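Review bot: Nothing in this file removes definition files that are no longer declared: a role or assignment dropped from `st2_rbac` keeps its `.yaml` under /opt/stackstorm/rbac/ and is presumably still picked up by the `st2-apply-rbac-definitions` run in the `reload rbac` handler, so deleting an assignment from the variable does not actually revoke the grant. Either prune `*.yaml` files in the two directories whose basename is not among the declared names before notifying the handler, or state it at the top of the file: `# NOTE: roles/assignments removed from st2_rbac are not deleted from /opt/stackstorm/rbac/; remove the file by hand and re-run st2-apply-rbac-definitions, otherwise the grant stays in effect.` The assignments task is guarded only by `st2_rbac_enable|bool` while the roles task adds `st2_rbac.roles is defined`; make the two consistent. `recurse: yes` on the directory task is not needed for `state: directory` (the file module creates the path without it) and can be dropped.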
@@ -74,3 +74,12 @@
 username = {{ st2_auth_username }}
 password = {{ st2_auth_password }}
 when: st2_save_credentials | bool
+
+- name: auth | Setup LDAP
+ include_tasks: auth-ldap.yml
+ when: st2_ldap_enable
+ tags: st2, auth, ldap
+
+- name: auth | Setup RBAC
+ include_tasks: auth-rbac.yml
+ tags: st2, auth, rbac
diff --git a/roles/StackStorm.ewc/templates/rbac_assignments/assignments.yml.j2 b/roles/StackStorm.st2/templates/rbac_assignments/assignments.yml.j2
similarity index 100%
rename from roles/StackStorm.ewc/templates/rbac_assignments/assignments.yml.j2
rename to roles/StackStorm.st2/templates/rbac_assignments/assignments.yml.j2
diff --git a/roles/StackStorm.ewc/templates/rbac_roles/roles.yml.j2 b/roles/StackStorm.st2/templates/rbac_roles/roles.yml.j2
similarity index 100%
rename from roles/StackStorm.ewc/templates/rbac_roles/roles.yml.j2
rename to roles/StackStorm.st2/templates/rbac_roles/roles.yml.j2
diff --git a/roles/StackStorm.ewc_smoketests/defaults/main.yml b/roles/StackStorm.st2smoketests/defaults/main.yml
similarity index 62%
rename from roles/StackStorm.ewc_smoketests/defaults/main.yml
rename to roles/StackStorm.st2smoketests/defaults/main.yml
index 6a2d9b4f..aa7a594f 100644
--- a/roles/StackStorm.ewc_smoketests/defaults/main.yml
+++ b/roles/StackStorm.st2smoketests/defaults/main.yml
@@ -1,11 +1,11 @@
 ---
-ewc_smoke_tests_user: ewc_smoke_tests_user
-ewc_smoke_tests_password: holyjolly
+smoke_tests_rbac_user: smoke_tests_rbac_user
+smoke_tests_rbac_password: holyjolly
-ewc_smoke_tests_rbac:
+smoke_tests_rbac:
 roles:
- - name: ewc_smoke_tests_basic
+ - name: smoke_tests_rbac_basic
 description: "This role has access only to action core.local in pack 'core'"
 permission_grants:
@@ -18,6 +18,6 @@ ewc_smoke_tests_rbac:
 - "runner_type_list"
 assignments:
- - name: "{{ ewc_smoke_tests_user }}"
+ - name: "{{ smoke_tests_rbac_user }}"
 roles:
- - ewc_smoke_tests_basic
+ - smoke_tests_rbac_basic
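Review bot: `when: st2_ldap_enable` on the `auth | Setup LDAP` include tests the bare variable, while every RBAC gate added in this commit uses `st2_rbac_enable|bool`; a value arriving as a string (for example from `-e` extra vars, where the README documents the default as `no`) can evaluate differently under the two forms. Use the same cast here: `when: st2_ldap_enable | bool`. Also, because `include_tasks` is dynamic, the `tags: st2, auth, ldap` / `tags: st2, auth, rbac` entries apply to the include statement itself and not to the tasks inside `auth-ldap.yml` / `auth-rbac.yml`; if the intent is for `--tags ldap` or `--tags rbac` to run those tasks, pass the tags through with `apply:` or switch to `import_tasks`.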
diff --git a/roles/StackStorm.st2smoketests/tasks/main.yml b/roles/StackStorm.st2smoketests/tasks/main.yml
index a7c74217..0824b6a2 100644
--- a/roles/StackStorm.st2smoketests/tasks/main.yml
+++ b/roles/StackStorm.st2smoketests/tasks/main.yml
@@ -66,3 +66,10 @@
 tags:
 - smoke-tests
 - st2chatops
+
+- name: Run RBAC tests to verify the setup
+ import_tasks: st2rbac_verification.yml
+ when: st2_rbac_enable|bool
+ tags:
+ - smoke-tests
+ - rbac-tests
diff --git a/roles/StackStorm.st2smoketests/tasks/st2rbac_verification.yml b/roles/StackStorm.st2smoketests/tasks/st2rbac_verification.yml
new file mode 100644
index 00000000..95444e78
--- /dev/null
+++ b/roles/StackStorm.st2smoketests/tasks/st2rbac_verification.yml
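Review bot: `when: st2_rbac_enable|bool` in the new `Run RBAC tests` task references a variable the smoketests role does not define itself (the README in this commit lists it under the st2 role's defaults), so running this role standalone fails on an undefined variable rather than skipping the RBAC tests. A default keeps the gate self-contained: `when: st2_rbac_enable | default(false) | bool`. Note also that `import_tasks` is static, so this condition is copied onto every task in `st2rbac_verification.yml`; if any of them (the `meta: flush_handlers` step in particular) does not honor conditionals on the Ansible version in use, it will run regardless of the flag.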
@@ -0,0 +1,96 @@
+---
+
+# Small suite of smoke tests to ensure that RBAC works as expected
+
+- name: auth | Add a new smoke_tests_rbac_user in st2 htpasswd file
+ become: true
+ htpasswd:
+ path: /etc/st2/htpasswd
+ name: "{{ smoke_tests_rbac_user }}"
+ password: "{{ smoke_tests_rbac_password }}"
+ changed_when: no
+ notify:
+ - restart st2api
+ - restart st2stream
+
+- name: Copy smoke tests RBAC roles to /opt/stackstorm/rbac/roles directory
+ become: yes
+ template:
+ src: rbac_roles.yml.j2
+ dest: /opt/stackstorm/rbac/roles/{{ item.name }}.yaml
+ owner: st2
+ group: st2
+ loop: "{{ smoke_tests_rbac.roles }}"
+ when: smoke_tests_rbac.roles is defined
+ notify:
+ - reload rbac
+
+- name: Copy smoke tests RBAC assignments to /opt/stackstorm/rbac/assignments directory
+ become: yes
+ template:
+ src: rbac_assignments.yml.j2
+ dest: /opt/stackstorm/rbac/assignments/{{ item.name }}.yaml
+ owner: st2
+ group: st2
+ loop: "{{ smoke_tests_rbac.assignments }}"
+ when: smoke_tests_rbac.assignments is defined
+ notify:
+ - reload rbac
+
+- meta: flush_handlers
+
+- name: Get authentication token for rbac_smoke_tests # Note this will not use LDAP.
+ command: st2 auth "{{ smoke_tests_rbac_user }}" -p "{{ smoke_tests_rbac_password }}" -t
+ register: st2_token_smoke_tests_user
+ changed_when: no
+
+- name: Test a simple core.local action as user ``smoke_tests_rbac_user``
+ command: st2 run core.local -- date -R
+ environment:
+ ST2_AUTH_TOKEN: "{{ st2_token_smoke_tests_user.stdout }}"
+ changed_when: no
+
+- name: Test some other action that "{{ smoke_tests_rbac_user }}" cannot run
+ command: st2 run core.http url="https://www.google.com"
+ environment:
+ ST2_AUTH_TOKEN: "{{ st2_token_smoke_tests_user.stdout }}"
+ ignore_errors: yes
+ changed_when: no
+ register: smoke_tests_rbac_forbidden_action
+
+- name: Assert forbidden error was indeed thrown
+ fail:
+ msg: "St2 action was forbidden to run because of RBAC permissions but action still ran."
+ changed_when: no
+ when: "smoke_tests_rbac_forbidden_action.stdout.find('Forbidden') == -1"
+
+- name: Remove RBAC smoke tests user from htpasswd file
+ become: yes
+ htpasswd:
+ path: /etc/st2/htpasswd
+ name: "{{ smoke_tests_rbac_user }}"
+ state: absent
+ changed_when: no
+ notify:
+ - reload rbac
+
+- name: Remove RBAC smoke tests roles # This doesn't cleanup role from DB.
+ become: yes
+ file:
+ state: absent
+ path: /opt/stackstorm/rbac/roles/{{ item.name }}.yml
+ loop: "{{ smoke_tests_rbac.roles }}"
+ when: smoke_tests_rbac.roles is defined
+ changed_when: no
+ notify:
+ - reload rbac
+
+- name: Remove RBAC smoke tests assignments # This doesn't cleanup assignment from DB.
+ become: yes
+ file:
+ state: absent
+ path: /opt/stackstorm/rbac/assignments/{{ smoke_tests_rbac_user }}.yml
+ when: smoke_tests_rbac.assignments is defined
+ changed_when: no
+ notify:
+ - reload rbac
diff --git a/roles/StackStorm.ewc_smoketests/templates/rbac_assignments/assignments.yml.j2 b/roles/StackStorm.st2smoketests/templates/rbac_assignments.yml.j2
similarity index 100%
rename from roles/StackStorm.ewc_smoketests/templates/rbac_assignments/assignments.yml.j2
rename to roles/StackStorm.st2smoketests/templates/rbac_assignments.yml.j2
diff --git a/roles/StackStorm.ewc_smoketests/templates/rbac_roles/roles.yml.j2 b/roles/StackStorm.st2smoketests/templates/rbac_roles.yml.j2
similarity index 100%
rename from roles/StackStorm.ewc_smoketests/templates/rbac_roles/roles.yml.j2
rename to roles/StackStorm.st2smoketests/templates/rbac_roles.yml.j2
diff --git a/roles/StackStorm.st2web/tasks/main.yml b/roles/StackStorm.st2web/tasks/main.yml
index c03fcfc5..f4cfc616 100644
--- a/roles/StackStorm.st2web/tasks/main.yml
+++ b/roles/StackStorm.st2web/tasks/main.yml
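Review bot: The two cleanup tasks at the end of `st2rbac_verification.yml` delete `/opt/stackstorm/rbac/roles/{{ item.name }}.yml` and `/opt/stackstorm/rbac/assignments/{{ smoke_tests_rbac_user }}.yml`, but the files are written earlier in this same file with a `.yaml` extension, so the removals are no-ops and the smoke-test role and its assignment remain on disk (and are picked up again by the next `reload rbac`) after the test account has been dropped from htpasswd. Change both `path:` lines to the extension actually used, e.g. `path: /opt/stackstorm/rbac/roles/{{ item.name }}.yaml` and `path: /opt/stackstorm/rbac/assignments/{{ smoke_tests_rbac_user }}.yaml`. The `Get authentication token` task passes the test password on the command line and registers the resulting token; adding `no_log: true` to that task keeps both out of the play output. The `Assert forbidden error` check only looks at `stdout`; if the CLI reports the permission error on stderr, this assertion would pass even when the action ran, so checking `stderr` as well (or the return code) would make the test more robust.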
@@ -1,20 +1,8 @@
 ---
-- name: Check if enterprise is installed
- become: yes
- stat:
- path: /opt/stackstorm/static/webui/flow/
- register: ewc_installed
-
-# For enterprise 'bwc-ui' replaces 'st2web' package
-- name: "Decide which package to use: 'st2web' vs 'bwc-ui'"
- set_fact:
- st2web_package_name: bwc-ui
- when: ewc_installed.stat.exists
-
-- name: Install latest {{ st2web_package_name }} package, auto-update
+- name: Install latest st2web package, auto-update
 become: yes
 package:
- name: "{{ st2web_package_name }}"
+ name: "st2web"
 state: latest
 register: _task
 retries: 5
@@ -23,10 +11,10 @@
 when: st2web_version == "latest"
 tags: st2web, skip_ansible_lint
-- name: Install present {{ st2web_package_name }} package, no auto-update
+- name: Install present st2web package, no auto-update
 become: yes
 package:
- name: "{{ st2web_package_name }}"
+ name: "st2web"
 state: present
 register: _task
 retries: 5
@@ -35,7 +23,7 @@
 when: st2web_version == "present"
 tags: st2web
-- name: Install pinned {{ st2web_package_name }} package
+- name: Install pinned st2web package
 become: yes
 package:
 name: "{{ st2web_package_name }}{{ '=' if ansible_facts.pkg_mgr == 'apt' else '-' }}{{ st2web_version }}"
diff --git a/roles/StackStorm.st2web/vars/main.yml b/roles/StackStorm.st2web/vars/main.yml
deleted file mode 100644
index e125b116..00000000
--- a/roles/StackStorm.st2web/vars/main.yml
+++ /dev/null
@@ -1,5 +0,0 @@
-# Default st2web immutable vars
----
-# Default StackStorm WebUI package name to install
-# For enterprise 'bwc-ui' replaces 'st2web' package
-st2web_package_name: st2web
diff --git a/stackstorm.yml b/stackstorm.yml
index c392a95a..a96788d0 100644
--- a/stackstorm.yml
+++ b/stackstorm.yml
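Review bot: The `Install pinned st2web package` task in the third hunk of `roles/StackStorm.st2web/tasks/main.yml` still builds its package name from `{{ st2web_package_name }}`, but this commit deletes `roles/StackStorm.st2web/vars/main.yml`, which the diff shows as the file defining `st2web_package_name: st2web`; unless the variable is defined elsewhere, a run with a pinned `st2web_version` now fails on an undefined variable. Inline the name the way the other two install tasks in this file now do: `name: "st2web{{ '=' if ansible_facts.pkg_mgr == 'apt' else '-' }}{{ st2web_version }}"`. That line is a context line the commit leaves unchanged, so it is easy to miss in review.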
@@ -13,7 +13,3 @@
 - StackStorm.nodejs
 - StackStorm.st2chatops
 - StackStorm.st2smoketests
- - role: StackStorm.ewc
- when: ewc_license is defined and ewc_license is not none and ewc_license | length > 1
- - role: StackStorm.ewc_smoketests
- when: ewc_license is defined and ewc_license is not none and ewc_license | length > 1