From 1eabfffc7e095814b689bd14d5c559b496ab056a Mon Sep 17 00:00:00 2001 From: Marcel Weinberg Date: Thu, 18 Mar 2021 00:15:23 +0100 Subject: [PATCH 01/21] Move rbac roles and assignments to Stackstorm.st2 and setup rbac if st2_rbac_enable --- roles/StackStorm.st2/defaults/main.yml | 30 +++++++++++++++++++ roles/StackStorm.st2/tasks/auth.yml | 11 +++++++ .../rbac_assignments/assignments.yml.j2 | 0 .../templates/rbac_roles/roles.yml.j2 | 0 4 files changed, 41 insertions(+) rename roles/{StackStorm.ewc => StackStorm.st2}/templates/rbac_assignments/assignments.yml.j2 (100%) rename roles/{StackStorm.ewc => StackStorm.st2}/templates/rbac_roles/roles.yml.j2 (100%) diff --git a/roles/StackStorm.st2/defaults/main.yml b/roles/StackStorm.st2/defaults/main.yml index 89abb301..80a975ac 100644 --- a/roles/StackStorm.st2/defaults/main.yml +++ b/roles/StackStorm.st2/defaults/main.yml 
@@ -32,6 +32,36 @@ st2_auth_enable: yes st2_auth_username: testu # Password used by StackStorm standalone authentication st2_auth_password: testp + + +# By specifying a valid configuration for LDAP, +# (See https://docs.stackstorm.com/latest/authentication.html#ldap ) +# LDAP auth backend is setup for st2. +# Note that you just need to provide the backend_kwargs. +st2_ldap_enable: no +# "enable" is not a key of st2_ldap because the defaults would be lost if any key in the dictionary is changed +st2_ldap: + backend_kwargs: {} + +# Specify roles and assignments for RBAC. +# Roles are pushed as YML files to /opt/stackstorm/rbac/roles +# Assignments are pushed as YML files to /opt/stackstorm/rbac/assignments/ +# The schema for roles and assignments follow the exact schema definition +# define in https://docs.stackstorm.com/latest/rbac.html#defining-roles-and-permission-grants +# and https://docs.stackstorm.com/latest/rbac.html#defining-user-role-assignments +st2_rbac_enable: no +# "enable" is not a key of st2_rbac because the defaults would be lost if any key in the dictionary is changed +st2_rbac: + roles: [] + assignments: + - name: "{{ st2_system_user }}" + roles: + - admin + - name: "{{ st2_auth_username }}" + roles: + - system_admin + + # Save credentials in ~/.st2/config file st2_save_credentials: yes # ST2 packs to be installed (list) diff --git a/roles/StackStorm.st2/tasks/auth.yml b/roles/StackStorm.st2/tasks/auth.yml index 357eac94..0c829d51 100644 --- a/roles/StackStorm.st2/tasks/auth.yml +++ b/roles/StackStorm.st2/tasks/auth.yml @@ -74,3 +74,14 @@ username = {{ st2_auth_username }} password = {{ st2_auth_password }} when: st2_save_credentials | bool + +- name: auth | Setup LDAP + include_tasks: auth-ldap.yml + when: st2_ldap_enable + tags: st2, auth, ldap + +- name: auth | Setup RBAC + include_tasks: auth-rbac.yml + when: st2_rbac_enable + tags: st2, auth, rbac + 
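Review bot: The default `st2_rbac.assignments` give `system_admin` to `{{ st2_auth_username }}`, whose default a few lines up in this same file is the standalone test account `testu` / `testp`, so switching `st2_rbac_enable` on without overriding those two variables binds the highest RBAC role to a well-known credential. A comment above the assignments list should make that explicit, e.g. `# These defaults are for the standalone test user; override st2_auth_username/st2_auth_password (or these assignments) before enabling RBAC`. The `st2_ldap_enable: no` / `st2_rbac_enable: no` flags follow the file's `yes`/`no` convention, which is fine as long as every consumer filters them through `| bool`.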
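Review bot: The two added include tasks test the flags bare (`when: st2_ldap_enable`, `when: st2_rbac_enable`) while the context line just above them uses `when: st2_save_credentials | bool`; a value supplied as `-e st2_ldap_enable=no` arrives as a non-empty string and is truthy, so the bare form would enable the backend on a literal "no". Use the same form as the rest of the file: `when: st2_ldap_enable | bool` and `when: st2_rbac_enable | bool`. Note also that with `include_tasks` the `tags: st2, auth, ldap` apply to the include statement only, so a tag-filtered run will skip the included tasks unless they carry the tags themselves or the include uses `import_tasks` — worth confirming against how the other includes in auth.yml are written, which are outside this hunk.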
diff --git a/roles/StackStorm.ewc/templates/rbac_assignments/assignments.yml.j2 b/roles/StackStorm.st2/templates/rbac_assignments/assignments.yml.j2 similarity index 100% rename from roles/StackStorm.ewc/templates/rbac_assignments/assignments.yml.j2 rename to roles/StackStorm.st2/templates/rbac_assignments/assignments.yml.j2 diff --git a/roles/StackStorm.ewc/templates/rbac_roles/roles.yml.j2 b/roles/StackStorm.st2/templates/rbac_roles/roles.yml.j2 similarity index 100% rename from roles/StackStorm.ewc/templates/rbac_roles/roles.yml.j2 rename to roles/StackStorm.st2/templates/rbac_roles/roles.yml.j2 From 61323fb9bee5c2bfa6ab556c194b63e35747a44b Mon Sep 17 00:00:00 2001 From: Marcel Weinberg Date: Thu, 18 Mar 2021 00:15:57 +0100 Subject: [PATCH 02/21] Add auth-ldap and auth-rbac tasks to configure the authentication backend if enabled --- roles/StackStorm.st2/tasks/auth-ldap.yml | 0 roles/StackStorm.st2/tasks/auth-rbac.yml | 40 ++++++++++++++++++++++++ 2 files changed, 40 insertions(+) create mode 100644 roles/StackStorm.st2/tasks/auth-ldap.yml create mode 100644 roles/StackStorm.st2/tasks/auth-rbac.yml diff --git a/roles/StackStorm.st2/tasks/auth-ldap.yml b/roles/StackStorm.st2/tasks/auth-ldap.yml new file mode 100644 index 00000000..e69de29b diff --git a/roles/StackStorm.st2/tasks/auth-rbac.yml b/roles/StackStorm.st2/tasks/auth-rbac.yml new file mode 100644 index 00000000..864e9387 --- /dev/null +++ b/roles/StackStorm.st2/tasks/auth-rbac.yml 
@@ -0,0 +1,40 @@ +--- +- block: + become: yes + - name: Copy default RBAC roles to /opt/stackstorm/rbac/roles directory + template: + src: rbac_roles/roles.yml.j2 + dest: /opt/stackstorm/rbac/roles/{{ item.name }}.yaml + owner: st2 + group: st2 + loop: "{{ st2_rbac_roles }}" + + - name: Copy user defined RBAC roles to /opt/stackstorm/rbac/roles directory + template: + src: rbac_roles/roles.yml.j2 + dest: /opt/stackstorm/rbac/roles/{{ item.name }}.yaml + owner: st2 + group: st2 + loop: "{{ st2_rbac.roles }}" + when: st2_rbac.roles is defined + + - name: Copy RBAC assignments to /opt/stackstorm/rbac/assignments directory + template: + src: rbac_assignments/assignments.yml.j2 + dest: /opt/stackstorm/rbac/assignments/{{ item.name }}.yaml + owner: st2 + group: st2 + loop: "{{ st2_rbac_assignments }}" + + - name: Enable RBAC in st2 configuration + become: yes + ini_file: + dest: /etc/st2/st2.conf + section: rbac + option: enable + value: True + backup: yes + notify: + - restart st2api + when: st2_rbac_enable + notify: restart st2auth \ No newline at end of file From 402d30438233ada0be43fb45192ffa34eb0a892b Mon Sep 17 00:00:00 2001 From: Marcel Weinberg Date: Fri, 19 Mar 2021 00:23:37 +0100 Subject: [PATCH 03/21] Remove ewc roles from the playbook --- stackstorm.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/stackstorm.yml b/stackstorm.yml index d1bf6858..d17f8298 100644 --- a/stackstorm.yml +++ b/stackstorm.yml @@ -12,7 +12,3 @@ - StackStorm.nodejs - StackStorm.st2chatops - StackStorm.st2smoketests - - role: StackStorm.ewc - when: ewc_license is defined and ewc_license is not none and ewc_license | length > 1 - - role: StackStorm.ewc_smoketests - when: ewc_license is defined and ewc_license is not none and ewc_license | length > 1 From 8490869dc402ad787e9ec073226ba813f053afe3 Mon Sep 17 00:00:00 2001 
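Review bot: `dest: /opt/stackstorm/rbac/roles/{{ item.name }}.yaml` (and the assignments counterpart) interpolate the role/assignment `name` straight into a destination path that is written with `become: yes`, so a name containing `/` or `..` lands outside the rbac directory; an `assert` ahead of the loops, `that: item.name is match('^[A-Za-z0-9_.-]+$')`, fails early with a clear message instead. `value: True` under `ini_file` is a YAML boolean that the module stringifies; `value: "True"` states the intended file content explicitly and is the form the YAML linter expects. The `block:` here carries `become: yes` and `notify` as entries inside the task list rather than as block keys, which is not valid block syntax and is what patch 04 of this series rewrites, so only the two points above remain open after that rewrite.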
From: Marcel Weinberg Date: Fri, 19 Mar 2021 00:24:30 +0100 Subject: [PATCH 04/21] Fix auth ldap and rbac tasks, boolean conditionals and remove the block as notify is not a blog parameter --- roles/StackStorm.st2/tasks/auth-ldap.yml | 30 ++++++++ roles/StackStorm.st2/tasks/auth-rbac.yml | 90 ++++++++++++++---------- roles/StackStorm.st2/tasks/auth.yml | 1 - 3 files changed, 84 insertions(+), 37 deletions(-) diff --git a/roles/StackStorm.st2/tasks/auth-ldap.yml b/roles/StackStorm.st2/tasks/auth-ldap.yml index e69de29b..696e2256 100644 --- a/roles/StackStorm.st2/tasks/auth-ldap.yml +++ b/roles/StackStorm.st2/tasks/auth-ldap.yml @@ -0,0 +1,30 @@ +--- +- name: Setup st2.conf auth backend to LDAP + become: yes + # Unfortunately, ``with_dict`` also logs the dict which could leak passwords. + no_log: yes + ini_file: + dest: /etc/st2/st2.conf + section: auth + option: backend + value: ldap + backup: yes + # Don't even setup LDAP if backend_kwargs is not defined + when: st2_ldap.backend_kwargs is defined and st2_ldap.backend_kwargs|length > 0 + notify: + - restart st2auth + +- name: Setup st2.conf auth backend_kwargs for LDAP + become: yes + # Unfortunately, ``with_dict`` also logs the dict which could leak passwords. + no_log: yes + ini_file: + dest: /etc/st2/st2.conf + section: auth + option: backend_kwargs + value: "{{ ewc_ldap.backend_kwargs | to_json | string }}" + backup: yes + # Don't even setup LDAP if backend_kwargs is not defined + when: st2_ldap.backend_kwargs is defined and st2_ldap.backend_kwargs|length > 0 + notify: + - restart st2auth diff --git a/roles/StackStorm.st2/tasks/auth-rbac.yml b/roles/StackStorm.st2/tasks/auth-rbac.yml index 864e9387..d661931c 100644 --- a/roles/StackStorm.st2/tasks/auth-rbac.yml +++ b/roles/StackStorm.st2/tasks/auth-rbac.yml 
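Review bot: `value: "{{ ewc_ldap.backend_kwargs | to_json | string }}"` in the second task reads `ewc_ldap`, the variable of the StackStorm.ewc role that patch 05 of this series deletes, while the task's own `when` and the new defaults use `st2_ldap`; with LDAP enabled this task fails on an undefined variable, and because `no_log: yes` is set the failure output is censored, which will make it hard to diagnose. Change it to `value: "{{ st2_ldap.backend_kwargs | to_json | string }}"`. The comment `# Unfortunately, ``with_dict`` also logs the dict which could leak passwords.` was carried over from the ewc task and no `with_dict` is used here; `# no_log: backend_kwargs carries the LDAP bind credentials` keeps the reason for no_log accurate. Both tasks are skipped when `backend_kwargs` is empty, so `st2_ldap_enable: yes` with the default `{}` silently leaves the existing backend in place; a `fail` task for that combination would make the misconfiguration visible.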
@@ -1,40 +1,58 @@ --- -- block: - become: yes - - name: Copy default RBAC roles to /opt/stackstorm/rbac/roles directory - template: - src: rbac_roles/roles.yml.j2 - dest: /opt/stackstorm/rbac/roles/{{ item.name }}.yaml - owner: st2 - group: st2 - loop: "{{ st2_rbac_roles }}" +- name: Create directory to store roles and assignments + file: + path: "/opt/stackstorm/rbac/{{ item }}" + recurse: yes + state: directory + loop: + - roles + - assignments + when: st2_rbac_enable|bool + +- name: Copy defined RBAC roles to /opt/stackstorm/rbac/roles directory + become: yes + template: + src: rbac_roles/roles.yml.j2 + dest: /opt/stackstorm/rbac/roles/{{ item.name }}.yaml + owner: st2 + group: st2 + loop: "{{ st2_rbac.roles }}" + when: st2_rbac_enable|bool and st2_rbac.roles is defined + notify: restart st2auth - - name: Copy user defined RBAC roles to /opt/stackstorm/rbac/roles directory - template: - src: rbac_roles/roles.yml.j2 - dest: /opt/stackstorm/rbac/roles/{{ item.name }}.yaml - owner: st2 - group: st2 - loop: "{{ st2_rbac.roles }}" - when: st2_rbac.roles is defined +- name: Copy RBAC assignments to /opt/stackstorm/rbac/assignments directory + become: yes + template: + src: rbac_assignments/assignments.yml.j2 + dest: /opt/stackstorm/rbac/assignments/{{ item.name }}.yaml + owner: st2 + group: st2 + loop: "{{ st2_rbac.assignments }}" + when: st2_rbac_enable|bool + notify: restart st2auth - - name: Copy RBAC assignments to /opt/stackstorm/rbac/assignments directory - template: - src: rbac_assignments/assignments.yml.j2 - dest: /opt/stackstorm/rbac/assignments/{{ item.name }}.yaml - owner: st2 - group: st2 - loop: "{{ st2_rbac_assignments }}" +- name: Enable RBAC in st2 configuration + become: yes + ini_file: + dest: /etc/st2/st2.conf + section: rbac + option: enable + value: True + backup: yes + when: st2_rbac_enable|bool + notify: + - restart st2api + - restart st2auth - - name: Enable RBAC in st2 configuration - become: yes - ini_file: - dest: /etc/st2/st2.conf - 
section: rbac - option: enable - value: True - backup: yes - notify: - - restart st2api - when: st2_rbac_enable - notify: restart st2auth \ No newline at end of file +- name: Disable RBAC in st2 configuration + become: yes + ini_file: + dest: /etc/st2/st2.conf + section: rbac + option: enable + value: False + backup: yes + when: not st2_rbac_enable|bool + notify: + - restart st2api + - restart st2auth \ No newline at end of file diff --git a/roles/StackStorm.st2/tasks/auth.yml b/roles/StackStorm.st2/tasks/auth.yml index 0c829d51..701a4e5f 100644 --- a/roles/StackStorm.st2/tasks/auth.yml +++ b/roles/StackStorm.st2/tasks/auth.yml @@ -82,6 +82,5 @@ - name: auth | Setup RBAC include_tasks: auth-rbac.yml - when: st2_rbac_enable tags: st2, auth, rbac From ef7f7532ef92fc5ed4e58725cd53e4537fb71e75 Mon Sep 17 00:00:00 2001 
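Review bot: None of the rewritten tasks notifies anything that applies the role and assignment files: the ewc tasks this replaces notified a `reload ewc_rbac` handler running `st2-apply-rbac-definitions --config-file /etc/st2/st2.conf` (deleted in patch 05), whereas here a changed role or assignment only triggers `notify: restart st2auth`. Unless restarting st2auth now loads the definitions — worth confirming against the st2 documentation — RBAC is switched on in st2.conf with no assignments applied, which can lock out the admin user or leave stale grants in effect; carry that handler into StackStorm.st2's handlers and notify it from the two template tasks and the enable task. The `Create directory to store roles and assignments` task is the only one in the file without `become: yes` although it creates directories under /opt/stackstorm, and `recurse: yes` is not needed for a freshly created directory; add `become: yes` and drop `recurse`. The hunk spans two physical lines on this page.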
From: Marcel Weinberg Date: Fri, 19 Mar 2021 00:25:03 +0100 Subject: [PATCH 05/21] Remove Stackstorm.ewc roles --- roles/StackStorm.ewc/defaults/main.yml | 41 -------- roles/StackStorm.ewc/handlers/main.yml | 5 - roles/StackStorm.ewc/meta/main.yml | 27 ------ .../tasks/ewc_repos_cleanup_debian.yml | 9 -- .../tasks/ewc_repos_cleanup_redhat.yml | 9 -- .../StackStorm.ewc/tasks/ewc_repos_debian.yml | 93 ------------------- .../StackStorm.ewc/tasks/ewc_repos_redhat.yml | 35 ------- .../StackStorm.ewc/tasks/ewc_repos_setup.yml | 66 ------------- roles/StackStorm.ewc/tasks/ldap.yml | 30 ------ roles/StackStorm.ewc/tasks/license.yml | 76 --------------- roles/StackStorm.ewc/tasks/main.yml | 73 --------------- roles/StackStorm.ewc/tasks/rbac.yml | 70 -------------- .../vars/enterprise-unstable.yml | 2 - roles/StackStorm.ewc/vars/enterprise.yml | 2 - .../vars/staging-enterprise-unstable.yml | 2 - .../vars/staging-enterprise.yml | 2 - .../defaults/main.yml | 23 ----- roles/StackStorm.ewc_smoketests/meta/main.yml | 27 ------ .../StackStorm.ewc_smoketests/tasks/main.yml | 89 ------------------ .../tasks/teardown.yml | 38 -------- .../rbac_assignments/assignments.yml.j2 | 5 - .../templates/rbac_roles/roles.yml.j2 | 6 -- 22 files changed, 730 deletions(-) delete mode 100644 roles/StackStorm.ewc/defaults/main.yml delete mode 100644 roles/StackStorm.ewc/handlers/main.yml delete mode 100644 roles/StackStorm.ewc/meta/main.yml delete mode 100644 roles/StackStorm.ewc/tasks/ewc_repos_cleanup_debian.yml delete mode 100644 roles/StackStorm.ewc/tasks/ewc_repos_cleanup_redhat.yml delete mode 100644 roles/StackStorm.ewc/tasks/ewc_repos_debian.yml delete mode 100644 roles/StackStorm.ewc/tasks/ewc_repos_redhat.yml delete mode 100644 roles/StackStorm.ewc/tasks/ewc_repos_setup.yml delete mode 100644 roles/StackStorm.ewc/tasks/ldap.yml delete mode 100644 roles/StackStorm.ewc/tasks/license.yml delete mode 100644 roles/StackStorm.ewc/tasks/main.yml delete mode 100644 
roles/StackStorm.ewc/tasks/rbac.yml delete mode 100644 roles/StackStorm.ewc/vars/enterprise-unstable.yml delete mode 100644 roles/StackStorm.ewc/vars/enterprise.yml delete mode 100644 roles/StackStorm.ewc/vars/staging-enterprise-unstable.yml delete mode 100644 roles/StackStorm.ewc/vars/staging-enterprise.yml delete mode 100644 roles/StackStorm.ewc_smoketests/defaults/main.yml delete mode 100644 roles/StackStorm.ewc_smoketests/meta/main.yml delete mode 100644 roles/StackStorm.ewc_smoketests/tasks/main.yml delete mode 100644 roles/StackStorm.ewc_smoketests/tasks/teardown.yml delete mode 100644 roles/StackStorm.ewc_smoketests/templates/rbac_assignments/assignments.yml.j2 delete mode 100644 roles/StackStorm.ewc_smoketests/templates/rbac_roles/roles.yml.j2 diff --git a/roles/StackStorm.ewc/defaults/main.yml b/roles/StackStorm.ewc/defaults/main.yml deleted file mode 100644 index 20f10faa..00000000 --- a/roles/StackStorm.ewc/defaults/main.yml +++ /dev/null 
@@ -1,41 +0,0 @@ ---- -# EWC PackageCloud repository to install: enterprise, enterprise-unstable, staging-enterprise, staging-enterprise-unstable. -ewc_repo: "enterprise" -# `present` to install available package, `latest` to get automatic updates, or pin it to numeric version like `2.2.0`. -ewc_version: latest -# used only if 'ewc_version' is numeric -ewc_revision: 1 - -# EWC license to install EWC enterprise bits -ewc_license: null - -# Specify roles and assignments for EWC RBAC. -# Roles are pushed as YML files to /opt/stackstorm/rbac/roles -# Assignments are pushed as YML files to /opt/stackstorm/rbac/assignments/ -# The schema for roles and assignments follow the exact schema definition -# define in https://ewc-docs.extremenetworks.com/rbac.html#defining-roles-and-permission-grants -# and https://ewc-docs.extremenetworks.com/rbac.html#defining-user-role-assignments. - -ewc_rbac_default_roles: [] - -ewc_rbac_default_assignments: - - name: "{{ st2_system_user }}" - roles: - - admin - - - name: "{{ st2_auth_username }}" - roles: - - system_admin - -ewc_rbac: - roles: "{{ ewc_rbac_default_roles }}" - - assignments: "{{ ewc_rbac_default_assignments }}" - - -# By specifying a valid configuration for LDAP, -# (See https://ewc-docs.extremenetworks.com/authentication.html#ldap ) -# LDAP auth backend is setup for st2 and EWC. -# Note that you just need to provide the backend_kwargs. -ewc_ldap: - backend_kwargs: {} diff --git a/roles/StackStorm.ewc/handlers/main.yml b/roles/StackStorm.ewc/handlers/main.yml deleted file mode 100644 index 6770f3ad..00000000 --- a/roles/StackStorm.ewc/handlers/main.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- - -- name: reload ewc_rbac - become: yes - command: st2-apply-rbac-definitions --config-file /etc/st2/st2.conf diff --git a/roles/StackStorm.ewc/meta/main.yml b/roles/StackStorm.ewc/meta/main.yml deleted file mode 100644 index fa59154f..00000000 --- a/roles/StackStorm.ewc/meta/main.yml +++ /dev/null 
@@ -1,27 +0,0 @@ ---- -galaxy_info: - description: Install EWC Entperprise components, setup RBAC and LDAP - author: lakshmi-kannan - company: StackStorm - license: Apache 2.0 - min_ansible_version: 2.5 - platforms: - - name: Ubuntu - versions: - - bionic - - xenial - - name: EL - versions: - - 7 - - 8 - galaxy_tags: - - system - - stackstorm - - bwc - - ewc - - repositories - - packagecloud -dependencies: - - role: StackStorm.st2repo - - role: StackStorm.st2 - - role: StackStorm.st2web diff --git a/roles/StackStorm.ewc/tasks/ewc_repos_cleanup_debian.yml b/roles/StackStorm.ewc/tasks/ewc_repos_cleanup_debian.yml deleted file mode 100644 index f1afcc57..00000000 --- a/roles/StackStorm.ewc/tasks/ewc_repos_cleanup_debian.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- -- name: Cleanup repo list file from disk - become: yes - file: - path: /etc/apt/sources.list.d/StackStorm_{{ ewc_repo }} - state: absent - tags: - - ewc - - enterprise diff --git a/roles/StackStorm.ewc/tasks/ewc_repos_cleanup_redhat.yml b/roles/StackStorm.ewc/tasks/ewc_repos_cleanup_redhat.yml deleted file mode 100644 index 9aeb9348..00000000 --- a/roles/StackStorm.ewc/tasks/ewc_repos_cleanup_redhat.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- -- name: Cleanup repo list file from disk - become: yes - yum_repository: - name: "StackStorm_{{ ewc_repo }}" - state: absent - tags: - - ewc - - enterprise diff --git a/roles/StackStorm.ewc/tasks/ewc_repos_debian.yml b/roles/StackStorm.ewc/tasks/ewc_repos_debian.yml deleted file mode 100644 index 55cf6f9c..00000000 --- a/roles/StackStorm.ewc/tasks/ewc_repos_debian.yml +++ /dev/null 
@@ -1,93 +0,0 @@ ---- -- name: Install prereqs (Debian) - become: yes - apt: - name: - - debian-archive-keyring - - apt-transport-https - state: present - register: _task - retries: 5 - delay: 3 - until: _task is succeeded - tags: - - ewc - - enterprise - -- name: "Including ID variable for {{ ewc_repo }}" - include_vars: - file: "{{ ewc_repo }}.yml" - -- name: Get keyring URL - become: yes - no_log: yes - changed_when: no - uri: - url: https://{{ ewc_license }}:@packagecloud.io/install/repositories/StackStorm/{{ ewc_repo }}/gpg_key_url.list?os={{ ansible_facts.distribution | lower }}&dist={{ ansible_facts.distribution_release | lower }}&name={{ ansible_facts.nodename }} - dest: "/etc/packagecloud/StackStorm_{{ ewc_repo }}_gpgkey_url.txt" - force_basic_auth: yes - method: GET - status_code: 201,200 - headers: - Content-Type: "application/x-www-form-urlencoded" - register: _task - retries: 5 - delay: 3 - until: _task is succeeded - -- name: Read ewc_gpgkey_url from file - become: yes - no_log: yes - changed_when: no - command: cat "/etc/packagecloud/StackStorm_{{ ewc_repo }}_gpgkey_url.txt" - register: _ewc_gpgkey_url - -- name: Set ewc_gpgkey_url variable - no_log: yes - set_fact: - ewc_gpgkey_url: "{{ _ewc_gpgkey_url.stdout }}" - - # This is a nasty hack necessary because of how AWS Redirects are interfering - # with both get_url and uri modules in Ansible. The redirect is somehow - # appending another authorization method to the request which AWS rejects. - # This will ultimately need to be fixed upstream. 
-- name: Download gpgkey - become: yes - command: "curl -L -o /etc/packagecloud/StackStorm_{{ ewc_repo }}_gpgkey.asc {{ ewc_gpgkey_url }}" - args: - creates: "/etc/packagecloud/StackStorm_{{ ewc_repo }}_gpgkey.asc" - warn: False - register: _task - retries: 5 - delay: 3 - until: _task is succeeded - -- name: Add keys to keyring - become: yes - apt_key: - id: "{{ enterprise_key_id }}" - file: "/etc/packagecloud/StackStorm_{{ ewc_repo }}_gpgkey.asc" - state: present - register: _task - retries: 5 - delay: 3 - until: _task is succeeded - tags: - - ewc - - enterprise - -- name: "Add packagecloud.io repository: StackStorm/{{ ewc_repo }}" - become: yes - no_log: yes - apt_repository: - filename: "StackStorm_{{ ewc_repo }}" - repo: 'deb https://{{ ewc_read_token }}:@packagecloud.io/StackStorm/{{ ewc_repo }}/{{ ansible_facts.distribution|lower }}/ {{ ansible_facts.distribution_release|lower }} main' - state: present - update_cache: yes - register: added_ewc_deb_repository - retries: 5 - delay: 3 - until: added_ewc_deb_repository is succeeded - tags: - - ewc - - enterprise diff --git a/roles/StackStorm.ewc/tasks/ewc_repos_redhat.yml b/roles/StackStorm.ewc/tasks/ewc_repos_redhat.yml deleted file mode 100644 index c085d54f..00000000 --- a/roles/StackStorm.ewc/tasks/ewc_repos_redhat.yml +++ /dev/null 
@@ -1,35 +0,0 @@ ---- -# Fixes "Failure talking to yum: Cannot retrieve repository metadata (repomd.xml) for repository: StackStorm_stable. Please verify its path and try again" when installing st2 -- name: Update ca-certificates package - become: yes - yum: - name: ca-certificates - state: latest - register: _task - retries: 5 - delay: 3 - until: _task is succeeded - tags: - - ewc - - enterprise - - skip_ansible_lint - -- name: "Add packagecloud.io repository: StackStorm/{{ ewc_repo }}" - become: yes - no_log: yes - yum_repository: - name: "StackStorm_{{ ewc_repo }}" - description: "StackStorm_{{ ewc_repo }}" - file: "StackStorm_{{ ewc_repo }}" - baseurl: https://{{ ewc_read_token }}:@packagecloud.io/StackStorm/{{ ewc_repo }}/el/{{ ansible_facts.distribution_major_version }}/$basearch - repo_gpgcheck: yes - gpgkey: "https://{{ ewc_read_token }}:@packagecloud.io/StackStorm/{{ ewc_repo }}/gpgkey" - sslcacert: /etc/pki/tls/certs/ca-bundle.crt - metadata_expire: 300 - gpgcheck: no - enabled: yes - sslverify: yes - register: added_ewc_rpm_repository - tags: - - ewc - - enterprise diff --git a/roles/StackStorm.ewc/tasks/ewc_repos_setup.yml b/roles/StackStorm.ewc/tasks/ewc_repos_setup.yml deleted file mode 100644 index b5418278..00000000 --- a/roles/StackStorm.ewc/tasks/ewc_repos_setup.yml +++ /dev/null 
@@ -1,66 +0,0 @@ ---- -- name: Create packagecloud dir - become: yes - file: - path: "/etc/packagecloud" - mode: "u=rwx,g=rx,o=rx" - owner: st2 - group: st2 - state: directory - tags: - - ewc - - enterprise - -- name: Handle ewc_license change - include_tasks: license.yml - tags: - - ewc - - enterprise - -- name: Get read token for repo from packagecloud - become: yes - no_log: yes - changed_when: no - uri: - url: https://{{ ewc_license }}:@packagecloud.io/install/repositories/StackStorm/{{ ewc_repo }}/tokens.text - # creates: "/etc/packagecloud/StackStorm_{{ ewc_repo }}_read_token.txt" # Don't download if file already exists - dest: "/etc/packagecloud/StackStorm_{{ ewc_repo }}_read_token.txt" - force_basic_auth: yes - method: POST - status_code: 201,200 - headers: - Content-Type: "application/x-www-form-urlencoded" - body: "name={{ ansible_facts.nodename }}" - register: _task - retries: 5 - delay: 3 - until: _task is succeeded - tags: - - ewc - - enterprise - -- name: Read ewc_read_token from file - become: yes - no_log: yes - changed_when: no - command: cat "/etc/packagecloud/StackStorm_{{ ewc_repo }}_read_token.txt" - register: _ewc_read_token - tags: - - ewc - - enterprise - -- name: Set ewc_read_token variable - no_log: yes - set_fact: - ewc_read_token: "{{ _ewc_read_token.stdout }}" - tags: - - ewc - - enterprise - -- name: Add EWC enterprise repos on {{ ansible_os_family | lower }} - include_tasks: ewc_repos_{{ ansible_os_family | lower }}.yml - tags: - - ewc - - enterprise - register: ewc_repo_added - when: ewc_read_token | length > 0 diff --git a/roles/StackStorm.ewc/tasks/ldap.yml b/roles/StackStorm.ewc/tasks/ldap.yml deleted file mode 100644 index 8a44a529..00000000 --- a/roles/StackStorm.ewc/tasks/ldap.yml +++ /dev/null 
@@ -1,30 +0,0 @@ ---- -- name: Setup st2.conf auth backend to LDAP - become: yes - # Unfortunately, ``with_dict`` also logs the dict which could leak passwords. - no_log: yes - ini_file: - dest: /etc/st2/st2.conf - section: auth - option: backend - value: ldap - backup: yes - # Don't even setup LDAP if backend_kwargs is not defined - when: ewc_ldap.backend_kwargs is defined and ewc_ldap.backend_kwargs|length > 0 - notify: - - restart st2auth - -- name: Setup st2.conf auth backend_kwargs for LDAP - become: yes - # Unfortunately, ``with_dict`` also logs the dict which could leak passwords. - no_log: yes - ini_file: - dest: /etc/st2/st2.conf - section: auth - option: backend_kwargs - value: "{{ ewc_ldap.backend_kwargs | to_json | string }}" - backup: yes - # Don't even setup LDAP if backend_kwargs is not defined - when: ewc_ldap.backend_kwargs is defined and ewc_ldap.backend_kwargs|length > 0 - notify: - - restart st2auth diff --git a/roles/StackStorm.ewc/tasks/license.yml b/roles/StackStorm.ewc/tasks/license.yml deleted file mode 100644 index cc8fc587..00000000 --- a/roles/StackStorm.ewc/tasks/license.yml +++ /dev/null 
@@ -1,76 +0,0 @@ ---- -- name: Check if EWC license hash file is present - stat: - path: /etc/packagecloud/ewc_license_hash.txt - register: ewc_license_hash_file - tags: - - ewc - - enterprise - -- name: Read ewc_license_hash_file if it exits - command: cat /etc/packagecloud/ewc_license_hash.txt - register: _ewc_license_hash - no_log: yes - changed_when: no - when: ewc_license_hash_file.stat.exists - tags: - - ewc - - enterprise - -- name: Set ewc_license_hash from file context - set_fact: - ewc_license_hash: "{{ _ewc_license_hash.stdout }}" - no_log: yes - when: ewc_license_hash_file.stat.exists - tags: - - ewc - - enterprise - -- name: Set ewc_license_hash to incoming hash if not defined - no_log: yes - set_fact: - ewc_license_hash: '{{ ewc_license | hash("sha512") }}' - when: not ewc_license_hash_file.stat.exists - tags: - - ewc - - enterprise - -- name: Write ewc_license_hash to file if file not found on disk - copy: - content: "{{ ewc_license | hash('sha512') }}" - dest: "/etc/packagecloud/ewc_license_hash.txt" - force: yes - become: yes - when: not ewc_license_hash_file.stat.exists - tags: - - ewc - - enterprise - -- name: "Cleanup read token cached file from disk" - become: yes - file: - path: "/etc/packagecloud/StackStorm_{{ ewc_repo }}_read_token.txt" - state: absent - when: ewc_license | hash("sha512") != ewc_license_hash - tags: - - ewc - - enterprise - -- name: "Cleanup repo list file from disk" - include_tasks: "ewc_repos_cleanup_{{ ansible_os_family | lower }}.yml" - when: ewc_license | hash("sha512") != ewc_license_hash - tags: - - ewc - - enterprise - -- name: Write new ewc_license_hash to file - copy: - content: "{{ ewc_license | hash('sha512') }}" - dest: "/etc/packagecloud/ewc_license_hash.txt" - force: yes - become: yes - no_log: yes - when: ewc_license | hash("sha512") != ewc_license_hash - tags: - - ewc - - enterprise 
diff --git a/roles/StackStorm.ewc/tasks/main.yml b/roles/StackStorm.ewc/tasks/main.yml deleted file mode 100644 index 86dc54bc..00000000 --- a/roles/StackStorm.ewc/tasks/main.yml +++ /dev/null @@ -1,73 +0,0 @@ ---- -- name: Assert that 'ewc_license' is specified correctly - fail: - msg: "License key must be supplied for EWC enterprise installation." - when: ewc_license is not defined or ewc_license is none or ewc_license|length != 48 - -- name: Add EWC enterprise repos - include_tasks: ewc_repos_setup.yml - tags: - - ewc - - enterprise - -- name: Install latest bwc-enterprise package, auto-update - become: yes - package: - name: bwc-enterprise - state: latest - register: ewc_installed - retries: 5 - delay: 3 - until: ewc_installed is succeeded - when: ewc_version == "latest" - tags: - - ewc - - st2 enterprise - - skip_ansible_lint - notify: - - restart st2api - - restart st2auth - -- name: Install present bwc-enterprise package, no auto-update - become: yes - package: - name: bwc-enterprise - state: present - register: ewc_installed - retries: 5 - delay: 3 - until: ewc_installed is succeeded - when: ewc_version == "present" - tags: - - ewc - - st2 enterprise - notify: - - restart st2api - - restart st2auth - -- name: Install pinned bwc-enterprise package - become: yes - package: - name: bwc-enterprise{{ '-' if ansible_os_family == 'RedHat' else '=' }}{{ ewc_version }}-{{ ewc_revision }} - state: present - register: ewc_installed - retries: 5 - delay: 3 - until: ewc_installed is succeeded - when: - - ewc_version != "latest" - - ewc_version != "present" - tags: - - ewc - - st2 enterprise - notify: - - restart st2api - - restart st2auth - -- name: Setup RBAC and setup roles and assignments if ewc_rbac is defined - import_tasks: rbac.yml - when: ewc_rbac is defined - -- name: Setup LDAP and set up LDAP configuration - import_tasks: ldap.yml - when: ewc_ldap is defined 
diff --git a/roles/StackStorm.ewc/tasks/rbac.yml b/roles/StackStorm.ewc/tasks/rbac.yml deleted file mode 100644 index 937a7aa7..00000000 --- a/roles/StackStorm.ewc/tasks/rbac.yml +++ /dev/null @@ -1,70 +0,0 @@ ---- -- name: Copy default RBAC roles to /opt/stackstorm/rbac/roles directory - become: yes - template: - src: rbac_roles/roles.yml.j2 - dest: /opt/stackstorm/rbac/roles/{{ item.name }}.yaml - owner: st2 - group: st2 - loop: "{{ ewc_rbac_default_roles }}" - notify: - - reload ewc_rbac - -- name: Copy user defined RBAC roles to /opt/stackstorm/rbac/roles directory - become: yes - template: - src: rbac_roles/roles.yml.j2 - dest: /opt/stackstorm/rbac/roles/{{ item.name }}.yaml - owner: st2 - group: st2 - loop: "{{ ewc_rbac.roles }}" - when: ewc_rbac.roles is defined - notify: - - reload ewc_rbac - -- name: Copy default RBAC assignments to /opt/stackstorm/rbac/assignments directory - become: yes - template: - src: rbac_assignments/assignments.yml.j2 - dest: /opt/stackstorm/rbac/assignments/{{ item.name }}.yaml - owner: st2 - group: st2 - loop: "{{ ewc_rbac_default_assignments }}" - notify: - - reload ewc_rbac - -- name: Copy user defined RBAC assignments to /opt/stackstorm/rbac/assignments directory - become: yes - template: - src: rbac_assignments/assignments.yml.j2 - dest: /opt/stackstorm/rbac/assignments/{{ item.name }}.yaml - owner: st2 - group: st2 - loop: "{{ ewc_rbac.assignments }}" - when: ewc_rbac.assignments is defined - notify: - - reload ewc_rbac - -- name: Enable RBAC in st2 configuration - become: yes - ini_file: - dest: /etc/st2/st2.conf - section: rbac - option: enable - value: True - backup: yes - notify: - - restart st2api - - reload ewc_rbac - -- name: Configure RBAC backend in st2 configuration - become: yes - ini_file: - dest: /etc/st2/st2.conf - section: rbac - option: backend - value: enterprise - backup: yes - notify: - - restart st2api - - reload ewc_rbac 
diff --git a/roles/StackStorm.ewc/vars/enterprise-unstable.yml b/roles/StackStorm.ewc/vars/enterprise-unstable.yml deleted file mode 100644 index d0d98525..00000000 --- a/roles/StackStorm.ewc/vars/enterprise-unstable.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -enterprise_key_id: AEFF7A20DC68594D diff --git a/roles/StackStorm.ewc/vars/enterprise.yml b/roles/StackStorm.ewc/vars/enterprise.yml deleted file mode 100644 index 3ee124bd..00000000 --- a/roles/StackStorm.ewc/vars/enterprise.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -enterprise_key_id: E8518D3790C81C76 diff --git a/roles/StackStorm.ewc/vars/staging-enterprise-unstable.yml b/roles/StackStorm.ewc/vars/staging-enterprise-unstable.yml deleted file mode 100644 index aef603fd..00000000 --- a/roles/StackStorm.ewc/vars/staging-enterprise-unstable.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -enterprise_key_id: D8A9369569165CC0 diff --git a/roles/StackStorm.ewc/vars/staging-enterprise.yml b/roles/StackStorm.ewc/vars/staging-enterprise.yml deleted file mode 100644 index b8e98530..00000000 --- a/roles/StackStorm.ewc/vars/staging-enterprise.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -enterprise_key_id: 216C528AB257619D diff --git a/roles/StackStorm.ewc_smoketests/defaults/main.yml b/roles/StackStorm.ewc_smoketests/defaults/main.yml deleted file mode 100644 index 6a2d9b4f..00000000 --- a/roles/StackStorm.ewc_smoketests/defaults/main.yml +++ /dev/null @@ -1,23 +0,0 @@ ---- - -ewc_smoke_tests_user: ewc_smoke_tests_user -ewc_smoke_tests_password: holyjolly - -ewc_smoke_tests_rbac: - roles: - - name: ewc_smoke_tests_basic - description: "This role has access only to action core.local in pack 'core'" - permission_grants: - - - resource_uid: "action:core:local" - permission_types: - - "action_execute" - - "action_view" - - - permission_types: - - "runner_type_list" - - assignments: - - name: "{{ ewc_smoke_tests_user }}" - roles: - - ewc_smoke_tests_basic 
diff --git a/roles/StackStorm.ewc_smoketests/meta/main.yml b/roles/StackStorm.ewc_smoketests/meta/main.yml deleted file mode 100644 index 2052740a..00000000 --- a/roles/StackStorm.ewc_smoketests/meta/main.yml +++ /dev/null @@ -1,27 +0,0 @@ ---- -galaxy_info: - description: Test EWC enteprise components were installed correctly. - author: lakshmi-kannan - company: StackStorm - license: Apache 2.0 - min_ansible_version: 2.5 - platforms: - - name: Ubuntu - versions: - - bionic - - xenial - - name: EL - versions: - - 7 - - 8 - galaxy_tags: - - stackstorm - - bwc - - ewc - - repositories - - packagecloud -dependencies: - - role: StackStorm.st2repo - - role: StackStorm.st2 - - role: StackStorm.st2web - - role: StackStorm.ewc diff --git a/roles/StackStorm.ewc_smoketests/tasks/main.yml b/roles/StackStorm.ewc_smoketests/tasks/main.yml deleted file mode 100644 index 9fc8665d..00000000 --- a/roles/StackStorm.ewc_smoketests/tasks/main.yml +++ /dev/null 
@@ -1,89 +0,0 @@ ---- - -# Small suite of smoke tests to ensure that EWC role has deployed as expected - -- name: auth | Add a new ewc_smoke_tests_user in st2 htpasswd file - become: true - htpasswd: - path: /etc/st2/htpasswd - name: "{{ ewc_smoke_tests_user }}" - password: "{{ ewc_smoke_tests_password }}" - changed_when: no - notify: - - restart st2api - - restart st2stream - tags: - - ewc-smoke-tests - -- name: Copy smoke tests RBAC roles to /opt/stackstorm/rbac/roles directory - become: yes - template: - src: rbac_roles/roles.yml.j2 - dest: /opt/stackstorm/rbac/roles/{{ item.name }}.yaml - owner: st2 - group: st2 - loop: "{{ ewc_smoke_tests_rbac.roles }}" - changed_when: no - when: ewc_smoke_tests_rbac.roles is defined - notify: - - reload ewc_rbac - tags: - - ewc-smoke-tests - -- name: Copy smoke tests RBAC assignments to /opt/stackstorm/rbac/assignments directory - become: yes - template: - src: rbac_assignments/assignments.yml.j2 - dest: /opt/stackstorm/rbac/assignments/{{ item.name }}.yaml - owner: st2 - group: st2 - loop: "{{ ewc_smoke_tests_rbac.assignments }}" - changed_when: no - when: ewc_smoke_tests_rbac.assignments is defined - notify: - - reload ewc_rbac - tags: - - ewc-smoke-tests - -- meta: flush_handlers - tags: - - ewc-smoke-tests - -- name: Get authentication token for ewc_smoke_tests # Note this will not use LDAP. 
- command: st2 auth "{{ ewc_smoke_tests_user }}" -p "{{ ewc_smoke_tests_password }}" -t - register: st2_token_smoke_tests_user - changed_when: no - tags: - - ewc-smoke-tests - -- name: Test a simple core.local action as user ``ewc_smoke_tests_user`` - command: st2 run core.local -- date -R - environment: - ST2_AUTH_TOKEN: "{{ st2_token_smoke_tests_user.stdout }}" - changed_when: no - tags: - - ewc-smoke-tests - -- name: Test some other action that "{{ ewc_smoke_tests_user }}" cannot run - command: st2 run core.http url="https://www.google.com" - environment: - ST2_AUTH_TOKEN: "{{ st2_token_smoke_tests_user.stdout }}" - ignore_errors: yes - changed_when: no - register: ewc_smoke_tests_forbidden_action - tags: - - ewc-smoke-tests - -- name: Assert forbidden error was indeed thrown - fail: - msg: "St2 action was forbidden to run because of RBAC permissions but action still ran." - changed_when: no - when: "ewc_smoke_tests_forbidden_action.stdout.find('Forbidden') == -1" - tags: - - ewc-smoke-tests - -- name: Teardown test artifacts - import_tasks: teardown.yml - changed_when: no - tags: - - ewc-smoke-tests diff --git a/roles/StackStorm.ewc_smoketests/tasks/teardown.yml b/roles/StackStorm.ewc_smoketests/tasks/teardown.yml deleted file mode 100644 index a4b3084f..00000000 --- a/roles/StackStorm.ewc_smoketests/tasks/teardown.yml +++ /dev/null 
@@ -1,38 +0,0 @@ ---- - -- name: Remove EWC smoke tests user from htpasswd file - become: yes - htpasswd: - path: /etc/st2/htpasswd - name: "{{ ewc_smoke_tests_user }}" - state: absent - changed_when: no - notify: - - reload ewc_rbac - tags: - - ewc-smoke-tests - -- name: Remove RBAC smoke tests roles # This doesn't cleanup role from DB. - become: yes - file: - state: absent - path: /opt/stackstorm/rbac/roles/{{ item.name }}.yml - loop: "{{ ewc_smoke_tests_rbac.roles }}" - when: ewc_smoke_tests_rbac.roles is defined - changed_when: no - notify: - - reload ewc_rbac - tags: - - ewc-smoke-tests - -- name: Remove RBAC smoke tests assignments # This doesn't cleanup assignment from DB. - become: yes - file: - state: absent - path: /opt/stackstorm/rbac/assignments/{{ ewc_smoke_tests_user }}.yml - when: ewc_smoke_tests_rbac.assignments is defined - changed_when: no - notify: - - reload ewc_rbac - tags: - - ewc-smoke-tests diff --git a/roles/StackStorm.ewc_smoketests/templates/rbac_assignments/assignments.yml.j2 b/roles/StackStorm.ewc_smoketests/templates/rbac_assignments/assignments.yml.j2 deleted file mode 100644 index 67a90ec1..00000000 --- a/roles/StackStorm.ewc_smoketests/templates/rbac_assignments/assignments.yml.j2 +++ /dev/null @@ -1,5 +0,0 @@ ---- - -username: {{ item.name }} -roles: - {{ item.roles | to_nice_yaml(2) | indent(2) }} diff --git a/roles/StackStorm.ewc_smoketests/templates/rbac_roles/roles.yml.j2 b/roles/StackStorm.ewc_smoketests/templates/rbac_roles/roles.yml.j2 deleted file mode 100644 index 13d512a9..00000000 --- a/roles/StackStorm.ewc_smoketests/templates/rbac_roles/roles.yml.j2 +++ /dev/null @@ -1,6 +0,0 @@ ---- - -name: {{ item.name }} -description: {{ item.description }} -permission_grants: - {{ item.permission_grants | to_nice_yaml(2) | indent(2) }} From d1e687848d375af6ffafe06a89adbd1e91f16e29 Mon Sep 17 00:00:00 2001 
From: Marcel Weinberg Date: Fri, 19 Mar 2021 00:32:23 +0100 Subject: [PATCH 06/21] Remove EWC related variables from the README and add st2_(ldap|auth) and st2_(ldap|auth)_enable --- README.md | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 7bae4fd2..a1d878f7 100644 --- a/README.md +++ b/README.md 
@@ -45,6 +45,10 @@ Below is the list of variables you can redefine in your playbook to customize st | `st2_auth_username` | `testu` | Username used by StackStorm standalone authentication. | `st2_auth_password` | `testp` | Password used by StackStorm standalone authentication. | `st2_save_credentials` | `yes` | Save credentials for local CLI in `/root/.st2/config` file. +| `st2_rbac_enable` | `no` | Enable RBAC. | +| `st2_rbac` | [See `st2_rbac` variable in role defaults](roles/st2/defaults/main.yml) | RBAC roles and assignments. This is a dictionary with two keys `roles` and `assignments`. `roles` and `assignments` are in turn both arrays. Each element in the array follows the exact YAML schema for [roles](https://docs.stackstorm.com/rbac.html#user-permissions) and [assignments](https://docs.stackstorm.com/rbac.html#defining-user-role-assignments) defined in ST2 documentation. +| `st2_ldap_enable` | `no` | Enable LDAP authentication backend. | +| `st2_ldap` | [See `st2_ldap` variable in role defaults](roles/st2/defaults/main.yml) | Settings for LDAP authentication backend. `st2_ldap` is a dictionary and has one item `backend_kwargs`. `backend_kwargs` should be provided as exactly listed in ST2 documentation for [LDAP configuration](https://docs.stackstorm.com/authentication.html#ldap). | `st2_packs` | `[ st2 ]` | List of packs to install. This flag does not work with a `--python3` only pack. | `st2_python_packages` | `[ ]` | List of python packages to install into the `/opt/stackstorm/st2` virtualenv. This is needed when deploying alternative auth or coordination backends which depend on Python modules to make them work. | `st2_u16_add_insecure_py3_ppa` | `false` | Whether permission is granted to install the deadsnakes Python3.6 PPA for Ubuntu 16. 
@@ -52,13 +56,6 @@ Below is the list of variables you can redefine in your playbook to customize st | `st2web_ssl_certificate` | `null` | String with custom SSL certificate (`.crt`). If not provided, self-signed certificate will be generated. | `st2web_ssl_certificate_key` | `null` | String with custom SSL certificate secret key (`.key`). If not provided, self-signed certificate will be generated. | `st2web_nginx_config` | `null` | String with a custom nginx configuration file (`st2.conf`). If not provided, the default st2.conf will be used. -| **ewc** -| `ewc_license` | `null` | EWC license key is required for installing EWC enteprise bits via this ansible role. -| `ewc_repo` | `enterprise` | EWC PackageCloud repository to install. [`enterprise`](https://packagecloud.io/StackStorm/enterprise/), [`enterprise-unstable`](https://packagecloud.io/StackStorm/enterprise-unstable/), [`staging-enterprise`](https://packagecloud.io/StackStorm/staging-enteprise/), [`staging-enterprise-unstable`](https://packagecloud.io/StackStorm/staging-enterprise-unstable/) -| `ewc_version` | `latest` | EWC enterprise version to install. `present` to install available package, `latest` to get automatic updates, or pin it to numeric version like `2.2.0`. The version used here should match `st2_version`. -| `ewc_revision` | `1` | EWC enterprise revision to install. Used only with pinned `ewc_version`. -| `ewc_rbac` | [See `ewc_rbac` variable in role defaults](roles/StackStorm.ewc/defaults/main.yml) | EWC RBAC roles and assignments. This is a dictionary with two keys `roles` and `assignments`. `roles` and `assignments` are in turn both arrays. Each element in the array follows the exact YAML schema for [roles](https://ewc-docs.extremenetworks.com/rbac.html#user-permissions) and [assignments](https://ewc-docs.extremenetworks.com/rbac.html#defining-user-role-assignments) defined in EWC documentation. 
-| `ewc_ldap` | [See `ewc_ldap` variable in role defaults](roles/StackStorm.ewc/defaults/main.yml) | Settings for EWC LDAP authentication backend. `ewc_ldap` is a dictionary and has one item `backend_kwargs`. `backend_kwargs` should be provided as exactly listed in EWC documentation for [LDAP configuration](https://ewc-docs.extremenetworks.com/authentication.html#auth-backends). | **st2chatops** | `st2chatops_version` | `latest` | st2chatops version to install. `present` to install available package, `latest` to get automatic updates, or pin it to numeric version like `2.2.0`. | `st2chatops_st2_api_key` | | st2 API key to be updated in st2chatops.env using "st2 apikey create -k" in a task From 5519b8fb2a2fcec9c9644ec9f234919a75002128 Mon Sep 17 00:00:00 2001 From: Marcel Weinberg Date: Fri, 19 Mar 2021 00:33:57 +0100 Subject: [PATCH 07/21] Remove EWC/BWC mentions from the meta/main.yml --- meta/main.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/meta/main.yml b/meta/main.yml index dc1f7536..9c7d3550 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -8,7 +8,7 @@ # roles_path = /etc/ansible/roles/:/etc/ansible/roles/StackStorm.stackstorm/roles/ --- galaxy_info: - description: Install StackStorm (IFTTT for Ops) with all the components like Web UI, ChatOps, EWC and dependant services including RabbitMQ, MongoDB, nginx. + description: Install StackStorm (IFTTT for Ops) with all the components like Web UI, ChatOps and dependant services including RabbitMQ, MongoDB, nginx. author: armab company: StackStorm license: Apache 2.0 @@ -34,8 +34,6 @@ galaxy_info: - st2 - st2web - st2chatops - - bwc - - ewc - rabbitmq - mongodb - nginx From 1a9857016ea1a3b26731270bc1716f7e463ec124 Mon Sep 17 00:00:00 2001 
From: Marcel Weinberg Date: Fri, 19 Mar 2021 00:41:27 +0100 Subject: [PATCH 08/21] Don't distinguish between st2web and ewc/bwc any longer --- roles/StackStorm.st2web/tasks/main.yml | 24 ++++++------------------ roles/StackStorm.st2web/vars/main.yml | 5 ----- 2 files changed, 6 insertions(+), 23 deletions(-) delete mode 100644 roles/StackStorm.st2web/vars/main.yml diff --git a/roles/StackStorm.st2web/tasks/main.yml b/roles/StackStorm.st2web/tasks/main.yml index e84d422f..abea96a0 100644 --- a/roles/StackStorm.st2web/tasks/main.yml +++ b/roles/StackStorm.st2web/tasks/main.yml @@ -1,20 +1,8 @@ --- -- name: Check if enterprise is installed - become: yes - stat: - path: /opt/stackstorm/static/webui/flow/ - register: ewc_installed - -# For enterprise 'bwc-ui' replaces 'st2web' package -- name: "Decide which package to use: 'st2web' vs 'bwc-ui'" - set_fact: - st2web_package_name: bwc-ui - when: ewc_installed.stat.exists - -- name: Install latest {{ st2web_package_name }} package, auto-update +- name: Install latest st2web package, auto-update become: yes package: - name: "{{ st2web_package_name }}" + name: "st2web" state: latest register: _task retries: 5 @@ -23,10 +11,10 @@ when: st2_version == "latest" tags: st2web, skip_ansible_lint -- name: Install present {{ st2web_package_name }} package, no auto-update +- name: Install present st2web package, no auto-update become: yes package: - name: "{{ st2web_package_name }}" + name: "st2web" state: present register: _task retries: 5 @@ -35,10 +23,10 @@ when: st2_version == "present" tags: st2web -- name: Install pinned {{ st2web_package_name }} package +- name: Install pinned st2web package become: yes package: - name: "{{ st2web_package_name }}{{ '-' if ansible_facts.pkg_mgr == 'yum' else '=' }}{{ st2_version }}-{{ st2web_revision }}" + name: "st2web{{ '-' if ansible_facts.pkg_mgr == 'yum' else '=' }}{{ st2_version }}-{{ st2web_revision }}" state: present register: _task retries: 5 
diff --git a/roles/StackStorm.st2web/vars/main.yml b/roles/StackStorm.st2web/vars/main.yml deleted file mode 100644 index e125b116..00000000 --- a/roles/StackStorm.st2web/vars/main.yml +++ /dev/null @@ -1,5 +0,0 @@ -# Default st2web immutable vars ---- -# Default StackStorm WebUI package name to install -# For enterprise 'bwc-ui' replaces 'st2web' package -st2web_package_name: st2web From 71da33561227a1cfce5d96f1ce723b7b42628801 Mon Sep 17 00:00:00 2001 From: Marcel Weinberg Date: Fri, 19 Mar 2021 00:43:37 +0100 Subject: [PATCH 09/21] Rename ewc_ldap to st2_ldap where it slipped on a task --- roles/StackStorm.st2/tasks/auth-ldap.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/StackStorm.st2/tasks/auth-ldap.yml b/roles/StackStorm.st2/tasks/auth-ldap.yml index 696e2256..bab92ecb 100644 --- a/roles/StackStorm.st2/tasks/auth-ldap.yml +++ b/roles/StackStorm.st2/tasks/auth-ldap.yml @@ -22,7 +22,7 @@ dest: /etc/st2/st2.conf section: auth option: backend_kwargs - value: "{{ ewc_ldap.backend_kwargs | to_json | string }}" + value: "{{ st2_ldap.backend_kwargs | to_json | string }}" backup: yes # Don't even setup LDAP if backend_kwargs is not defined when: st2_ldap.backend_kwargs is defined and st2_ldap.backend_kwargs|length > 0 From 8d201b9d1f6d271dc0b9b064d3331a6ff11bec76 Mon Sep 17 00:00:00 2001 From: Marcel Weinberg Date: Fri, 19 Mar 2021 22:49:10 +0100 Subject: [PATCH 10/21] Fix lint checks --- roles/StackStorm.st2/tasks/auth-rbac.yml | 5 +++-- roles/StackStorm.st2/tasks/auth.yml | 1 - 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/StackStorm.st2/tasks/auth-rbac.yml b/roles/StackStorm.st2/tasks/auth-rbac.yml index d661931c..6852915f 100644 --- a/roles/StackStorm.st2/tasks/auth-rbac.yml +++ b/roles/StackStorm.st2/tasks/auth-rbac.yml @@ -1,5 +1,6 @@ --- - name: Create directory to store roles and assignments + become: yes file: path: "/opt/stackstorm/rbac/{{ item }}" recurse: yes 
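Review bot: The corrected `value:` line writes `st2_ldap.backend_kwargs` verbatim into `/etc/st2/st2.conf`, and if those kwargs carry an LDAP bind password (the usual case for this backend, though the dict's contents are not visible here) the task may surface it in `--diff`/verbose output and leaves full copies of it in the files produced by `backup: yes`. Add `no_log: true` to this `ini_file` task, and either drop `backup: yes` or clean up the timestamped `st2.conf.*` copies so that only the live, permission-controlled file holds the credential. The `when:` guard only checks that the dict is non-empty, so a mistyped key will be written as-is rather than rejected; that is acceptable, but worth a comment such as `# backend_kwargs is written verbatim; st2auth validates it on restart`.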
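Review bot: The directory task that gained `become: yes` now creates `/opt/stackstorm/rbac/roles` and `/opt/stackstorm/rbac/assignments` as root, yet no `owner`, `group` or `mode` appears in the hunk, so unless the part of the task outside the hunk sets them the directories inherit root's umask while the role and assignment files later templated into them are owned `st2:st2`. Because these files decide who is `admin`, the directories should be at least as tight as the files: add `owner: st2`, `group: st2`, `mode: "0750"` under `file:` (the `recurse: yes` already present will push that down to existing contents). The remainder of this task, including its `state:` and `loop:`, lies outside the hunk.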
@@ -10,7 +11,7 @@ when: st2_rbac_enable|bool - name: Copy defined RBAC roles to /opt/stackstorm/rbac/roles directory - become: yes + become: yes template: src: rbac_roles/roles.yml.j2 dest: /opt/stackstorm/rbac/roles/{{ item.name }}.yaml @@ -21,7 +22,7 @@ notify: restart st2auth - name: Copy RBAC assignments to /opt/stackstorm/rbac/assignments directory - become: yes + become: yes template: src: rbac_assignments/assignments.yml.j2 dest: /opt/stackstorm/rbac/assignments/{{ item.name }}.yaml diff --git a/roles/StackStorm.st2/tasks/auth.yml b/roles/StackStorm.st2/tasks/auth.yml index 701a4e5f..1ebac416 100644 --- a/roles/StackStorm.st2/tasks/auth.yml +++ b/roles/StackStorm.st2/tasks/auth.yml @@ -83,4 +83,3 @@ - name: auth | Setup RBAC include_tasks: auth-rbac.yml tags: st2, auth, rbac - From 95dde19d234d6ee878f55e0f663f820b99950556 Mon Sep 17 00:00:00 2001 From: Marcel Weinberg Date: Fri, 19 Mar 2021 22:50:04 +0100 Subject: [PATCH 11/21] Add empty line at auth-rbac.yml --- roles/StackStorm.st2/tasks/auth-rbac.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/StackStorm.st2/tasks/auth-rbac.yml b/roles/StackStorm.st2/tasks/auth-rbac.yml index 6852915f..ddf50bbd 100644 --- a/roles/StackStorm.st2/tasks/auth-rbac.yml +++ b/roles/StackStorm.st2/tasks/auth-rbac.yml @@ -56,4 +56,4 @@ when: not st2_rbac_enable|bool notify: - restart st2api - - restart st2auth \ No newline at end of file + - restart st2auth From 9af24115e6d394423c233b61c603c8c2ed77cef6 Mon Sep 17 00:00:00 2001 From: Marcel Weinberg Date: Sat, 20 Mar 2021 01:01:26 +0100 Subject: [PATCH 12/21] Add a handler to reload rbac and fix st2api from crashing by setting rbac.backend to default --- roles/StackStorm.st2/handlers/main.yml | 4 ++++ roles/StackStorm.st2/tasks/auth-rbac.yml | 20 ++++++++++++++++++-- 2 files changed, 22 insertions(+), 2 deletions(-) diff --git a/roles/StackStorm.st2/handlers/main.yml b/roles/StackStorm.st2/handlers/main.yml index b2b40213..7a903801 100644 
--- a/roles/StackStorm.st2/handlers/main.yml +++ b/roles/StackStorm.st2/handlers/main.yml @@ -32,3 +32,7 @@ service: name: st2stream state: restarted + +- name: reload rbac + become: yes + command: st2-apply-rbac-definitions --config-file /etc/st2/st2.conf \ No newline at end of file diff --git a/roles/StackStorm.st2/tasks/auth-rbac.yml b/roles/StackStorm.st2/tasks/auth-rbac.yml index ddf50bbd..e78bf50f 100644 --- a/roles/StackStorm.st2/tasks/auth-rbac.yml +++ b/roles/StackStorm.st2/tasks/auth-rbac.yml @@ -19,7 +19,8 @@ group: st2 loop: "{{ st2_rbac.roles }}" when: st2_rbac_enable|bool and st2_rbac.roles is defined - notify: restart st2auth + notify: + - reload rbac - name: Copy RBAC assignments to /opt/stackstorm/rbac/assignments directory become: yes @@ -30,7 +31,8 @@ group: st2 loop: "{{ st2_rbac.assignments }}" when: st2_rbac_enable|bool - notify: restart st2auth + notify: + - reload rbac - name: Enable RBAC in st2 configuration become: yes @@ -44,6 +46,20 @@ notify: - restart st2api - restart st2auth + - reload rbac + +- name: Set RBAC backend to default in st2 configuration + become: yes + ini_file: + dest: /etc/st2/st2.conf + section: rbac + option: backend + value: default + backup: yes + when: st2_rbac_enable|bool + notify: + - restart st2api + - restart st2auth - name: Disable RBAC in st2 configuration become: yes From bdaf1c2847ec7292f158a0cf6f8c15bd8cdc7c32 Mon Sep 17 00:00:00 2001 From: Marcel Weinberg Date: Sat, 20 Mar 2021 23:43:59 +0100 Subject: [PATCH 13/21] Remove BWC / EWC environment variables from travis config --- .travis.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/.travis.yml b/.travis.yml index 0fabe3fc..fbbaa975 100644 --- a/.travis.yml +++ b/.travis.yml 
@@ -9,16 +9,16 @@ branches: env: # default is stable repo - - DISTRO=ubuntu-16 LICENSE='BWC_LICENSE_ENTERPRISE' - - DISTRO=ubuntu-18 LICENSE='BWC_LICENSE_ENTERPRISE' - - DISTRO=centos-7 LICENSE='BWC_LICENSE_ENTERPRISE' - - DISTRO=centos-8 LICENSE='BWC_LICENSE_ENTERPRISE' + - DISTRO=ubuntu-16 + - DISTRO=ubuntu-18 + - DISTRO=centos-7 + - DISTRO=centos-8 # StackStorm 'unstable' repo check - - DISTRO=ubuntu-16 ST2_REPO=unstable EWC_REPO=enterprise-unstable LICENSE='BWC_LICENSE_ENTERPRISE_UNSTABLE' - - DISTRO=ubuntu-18 ST2_REPO=unstable EWC_REPO=enterprise-unstable LICENSE='BWC_LICENSE_ENTERPRISE_UNSTABLE' - - DISTRO=centos-7 ST2_REPO=unstable EWC_REPO=enterprise-unstable LICENSE='BWC_LICENSE_ENTERPRISE_UNSTABLE' - - DISTRO=centos-8 ST2_REPO=unstable EWC_REPO=enterprise-unstable LICENSE='BWC_LICENSE_ENTERPRISE_UNSTABLE' + - DISTRO=ubuntu-16 ST2_REPO=unstable + - DISTRO=ubuntu-18 ST2_REPO=unstable + - DISTRO=centos-7 ST2_REPO=unstable + - DISTRO=centos-8 ST2_REPO=unstable before_script: # Personal token for forked PRs From d9f76d349efe374ecc59725a6e06eb4edf2f67a3 Mon Sep 17 00:00:00 2001 From: Marcel Weinberg Date: Thu, 25 Mar 2021 00:02:49 +0100 Subject: [PATCH 14/21] Remove EWC license code from kitchen.yml --- .kitchen.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.kitchen.yml b/.kitchen.yml index 2a8ac944..5e0ba68f 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -16,8 +16,6 @@ provisioner: idempotency_test: true extra_vars: st2repo_name: <%= ENV['ST2_REPO'] || 'stable' %> - ewc_repo: <%= ENV['EWC_REPO'] || 'enterprise' %> - ewc_license: "<%= ENV['LICENSE'] ? ENV[ENV['LICENSE']] : ENV['BWC_LICENSE_ENTERPRISE'] %>" st2chatops_hubot_adapter: slack st2chatops_config: HUBOT_SLACK_TOKEN: <%= ENV['HUBOT_SLACK_TOKEN'] %> From 8ea8acb75b7f01c8c6ede669d0a52171eaf3aaa1 Mon Sep 17 00:00:00 2001 
From: Marcel Weinberg Date: Sat, 27 Mar 2021 22:55:00 +0100 Subject: [PATCH 15/21] Add RBAC smoketests --- .../defaults/main.yml | 23 +++++ roles/StackStorm.st2smoketests/tasks/main.yml | 7 ++ .../tasks/st2rbac_verification.yml | 96 +++++++++++++++++++ .../templates/rbac_assignments.yml.j2 | 5 + .../templates/rbac_roles.yml.j2 | 6 ++ 5 files changed, 137 insertions(+) create mode 100644 roles/StackStorm.st2smoketests/defaults/main.yml create mode 100644 roles/StackStorm.st2smoketests/tasks/st2rbac_verification.yml create mode 100644 roles/StackStorm.st2smoketests/templates/rbac_assignments.yml.j2 create mode 100644 roles/StackStorm.st2smoketests/templates/rbac_roles.yml.j2 diff --git a/roles/StackStorm.st2smoketests/defaults/main.yml b/roles/StackStorm.st2smoketests/defaults/main.yml new file mode 100644 index 00000000..a22ba4cd --- /dev/null +++ b/roles/StackStorm.st2smoketests/defaults/main.yml @@ -0,0 +1,23 @@ +--- + +smoke_tests_rbac_user: smoke_tests_rbac_user +smoke_tests_rbac_password: holyjolly + +smoke_tests_rbac: + roles: + - name: smoke_tests_rbac_basic + description: "This role has access only to action core.local in pack 'core'" + permission_grants: + + - resource_uid: "action:core:local" + permission_types: + - "action_execute" + - "action_view" + + - permission_types: + - "runner_type_list" + + assignments: + - name: "{{ smoke_tests_rbac_user }}" + roles: + - smoke_tests_rbac_basic \ No newline at end of file diff --git a/roles/StackStorm.st2smoketests/tasks/main.yml b/roles/StackStorm.st2smoketests/tasks/main.yml index a7c74217..ded4fd98 100644 --- a/roles/StackStorm.st2smoketests/tasks/main.yml +++ b/roles/StackStorm.st2smoketests/tasks/main.yml @@ -66,3 +66,10 @@ tags: - smoke-tests - st2chatops + +- name: Run RBAC tests to verify the setup + import_tasks: st2rbac_verification.yml + when: st2_rbac_enable|bool + tags: + - smoke-tests + - rbac-tests \ No newline at end of file 
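Review bot: `smoke_tests_rbac_password: holyjolly` is a fixed, publicly known password for an account that the verification tasks add to the live `/etc/st2/htpasswd`, so anyone who has read this repository can authenticate to a deployment while the smoke tests run, and afterwards if the play stops before teardown. Generate it once per run instead, with a `set_fact` at the top of the verification tasks such as `smoke_tests_rbac_password: "{{ lookup('password', '/dev/null length=32 chars=ascii_letters,digits') }}"` (placing that lookup in `defaults/` would re-evaluate it on every reference and give the htpasswd and `st2 auth` tasks different values), and keep the default here only as a documented override. A comment above the variable stating `# Test-only account; created in htpasswd for the RBAC check and removed afterwards` would make the intent clear to operators who see the user appear.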
diff --git a/roles/StackStorm.st2smoketests/tasks/st2rbac_verification.yml b/roles/StackStorm.st2smoketests/tasks/st2rbac_verification.yml new file mode 100644 index 00000000..95444e78 --- /dev/null +++ b/roles/StackStorm.st2smoketests/tasks/st2rbac_verification.yml 
@@ -0,0 +1,96 @@ +--- + +# Small suite of smoke tests to ensure that RBAC works as expected + +- name: auth | Add a new smoke_tests_rbac_user in st2 htpasswd file + become: true + htpasswd: + path: /etc/st2/htpasswd + name: "{{ smoke_tests_rbac_user }}" + password: "{{ smoke_tests_rbac_password }}" + changed_when: no + notify: + - restart st2api + - restart st2stream + +- name: Copy smoke tests RBAC roles to /opt/stackstorm/rbac/roles directory + become: yes + template: + src: rbac_roles.yml.j2 + dest: /opt/stackstorm/rbac/roles/{{ item.name }}.yaml + owner: st2 + group: st2 + loop: "{{ smoke_tests_rbac.roles }}" + when: smoke_tests_rbac.roles is defined + notify: + - reload rbac + +- name: Copy smoke tests RBAC assignments to /opt/stackstorm/rbac/assignments directory + become: yes + template: + src: rbac_assignments.yml.j2 + dest: /opt/stackstorm/rbac/assignments/{{ item.name }}.yaml + owner: st2 + group: st2 + loop: "{{ smoke_tests_rbac.assignments }}" + when: smoke_tests_rbac.assignments is defined + notify: + - reload rbac + +- meta: flush_handlers + +- name: Get authentication token for rbac_smoke_tests # Note this will not use LDAP. + command: st2 auth "{{ smoke_tests_rbac_user }}" -p "{{ smoke_tests_rbac_password }}" -t + register: st2_token_smoke_tests_user + changed_when: no + +- name: Test a simple core.local action as user ``smoke_tests_rbac_user`` + command: st2 run core.local -- date -R + environment: + ST2_AUTH_TOKEN: "{{ st2_token_smoke_tests_user.stdout }}" + changed_when: no + +- name: Test some other action that "{{ smoke_tests_rbac_user }}" cannot run + command: st2 run core.http url="https://www.google.com" + environment: + ST2_AUTH_TOKEN: "{{ st2_token_smoke_tests_user.stdout }}" + ignore_errors: yes + changed_when: no + register: smoke_tests_rbac_forbidden_action + +- name: Assert forbidden error was indeed thrown + fail: + msg: "St2 action was forbidden to run because of RBAC permissions but action still ran." 
+ changed_when: no + when: "smoke_tests_rbac_forbidden_action.stdout.find('Forbidden') == -1" + +- name: Remove RBAC smoke tests user from htpasswd file + become: yes + htpasswd: + path: /etc/st2/htpasswd + name: "{{ smoke_tests_rbac_user }}" + state: absent + changed_when: no + notify: + - reload rbac + +- name: Remove RBAC smoke tests roles # This doesn't cleanup role from DB. + become: yes + file: + state: absent + path: /opt/stackstorm/rbac/roles/{{ item.name }}.yml + loop: "{{ smoke_tests_rbac.roles }}" + when: smoke_tests_rbac.roles is defined + changed_when: no + notify: + - reload rbac + +- name: Remove RBAC smoke tests assignments # This doesn't cleanup assignment from DB. + become: yes + file: + state: absent + path: /opt/stackstorm/rbac/assignments/{{ smoke_tests_rbac_user }}.yml + when: smoke_tests_rbac.assignments is defined + changed_when: no + notify: + - reload rbac diff --git a/roles/StackStorm.st2smoketests/templates/rbac_assignments.yml.j2 b/roles/StackStorm.st2smoketests/templates/rbac_assignments.yml.j2 new file mode 100644 index 00000000..67a90ec1 --- /dev/null +++ b/roles/StackStorm.st2smoketests/templates/rbac_assignments.yml.j2 @@ -0,0 +1,5 @@ +--- + +username: {{ item.name }} +roles: + {{ item.roles | to_nice_yaml(2) | indent(2) }} diff --git a/roles/StackStorm.st2smoketests/templates/rbac_roles.yml.j2 b/roles/StackStorm.st2smoketests/templates/rbac_roles.yml.j2 new file mode 100644 index 00000000..4bd931d2 --- /dev/null +++ b/roles/StackStorm.st2smoketests/templates/rbac_roles.yml.j2 @@ -0,0 +1,6 @@ +--- + +name: {{ item.name }} +description: {{ item.description }} +permission_grants: + {{ item.permission_grants | to_nice_yaml(2) | indent(2) }} \ No newline at end of file From addab9f3034207b46de9e66ac885db0835e1e29d Mon Sep 17 00:00:00 2001 
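Review bot: The `fail:` task that asserts the forbidden result aborts the play, so on a failed assertion the three cleanup tasks after it never run and `smoke_tests_rbac_user` stays in `/etc/st2/htpasswd` with the role's default password; the same happens if `st2 auth` or either `st2 run` errors out. Wrap the token, run and assert tasks in a `block:` and move the htpasswd and file removals into its `always:` section so teardown is unconditional. The removals also target `{{ item.name }}.yml` and `{{ smoke_tests_rbac_user }}.yml` while the copy tasks write `.yaml`, so the test role and assignment files are never deleted and the next `reload rbac` re-applies them — align the extensions. Finally, the `st2 auth … -p` task puts the password on the command line and registers the token, both of which then appear in play output; add `no_log: true` to the htpasswd and `st2 auth` tasks.

```yaml
- block:
    - name: Get authentication token for rbac_smoke_tests  # Note this will not use LDAP.
      command: st2 auth "{{ smoke_tests_rbac_user }}" -p "{{ smoke_tests_rbac_password }}" -t
      register: st2_token_smoke_tests_user
      changed_when: no
      no_log: true
    # … unchanged: core.local run, core.http run, "Assert forbidden error" task …
  always:
    # … unchanged: "Remove RBAC smoke tests user from htpasswd file" task, plus no_log: true …
    - name: Remove RBAC smoke tests roles
      become: yes
      file:
        state: absent
        path: /opt/stackstorm/rbac/roles/{{ item.name }}.yaml
      # … unchanged: loop / when / changed_when / notify …
    - name: Remove RBAC smoke tests assignments
      become: yes
      file:
        state: absent
        path: /opt/stackstorm/rbac/assignments/{{ smoke_tests_rbac_user }}.yaml
      # … unchanged: when / changed_when / notify …
```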
From: Marcel Weinberg Date: Sat, 24 Apr 2021 23:23:16 +0200 Subject: [PATCH 16/21] Add newlines at the end of files --- roles/StackStorm.st2/handlers/main.yml | 2 +- roles/StackStorm.st2smoketests/defaults/main.yml | 2 +- roles/StackStorm.st2smoketests/tasks/main.yml | 2 +- roles/StackStorm.st2smoketests/templates/rbac_roles.yml.j2 | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/StackStorm.st2/handlers/main.yml b/roles/StackStorm.st2/handlers/main.yml index 7a903801..5e929df3 100644 --- a/roles/StackStorm.st2/handlers/main.yml +++ b/roles/StackStorm.st2/handlers/main.yml @@ -35,4 +35,4 @@ - name: reload rbac become: yes - command: st2-apply-rbac-definitions --config-file /etc/st2/st2.conf \ No newline at end of file + command: st2-apply-rbac-definitions --config-file /etc/st2/st2.conf diff --git a/roles/StackStorm.st2smoketests/defaults/main.yml b/roles/StackStorm.st2smoketests/defaults/main.yml index a22ba4cd..aa7a594f 100644 --- a/roles/StackStorm.st2smoketests/defaults/main.yml +++ b/roles/StackStorm.st2smoketests/defaults/main.yml @@ -20,4 +20,4 @@ smoke_tests_rbac: assignments: - name: "{{ smoke_tests_rbac_user }}" roles: - - smoke_tests_rbac_basic \ No newline at end of file + - smoke_tests_rbac_basic diff --git a/roles/StackStorm.st2smoketests/tasks/main.yml b/roles/StackStorm.st2smoketests/tasks/main.yml index ded4fd98..0824b6a2 100644 --- a/roles/StackStorm.st2smoketests/tasks/main.yml +++ b/roles/StackStorm.st2smoketests/tasks/main.yml @@ -72,4 +72,4 @@ when: st2_rbac_enable|bool tags: - smoke-tests - - rbac-tests \ No newline at end of file + - rbac-tests diff --git a/roles/StackStorm.st2smoketests/templates/rbac_roles.yml.j2 b/roles/StackStorm.st2smoketests/templates/rbac_roles.yml.j2 index 4bd931d2..13d512a9 100644 --- a/roles/StackStorm.st2smoketests/templates/rbac_roles.yml.j2 +++ b/roles/StackStorm.st2smoketests/templates/rbac_roles.yml.j2 
@@ -3,4 +3,4 @@ name: {{ item.name }} description: {{ item.description }} permission_grants: - {{ item.permission_grants | to_nice_yaml(2) | indent(2) }} \ No newline at end of file + {{ item.permission_grants | to_nice_yaml(2) | indent(2) }} From 7dc92445d8cba52749838c784e726cef5d6c63c6 Mon Sep 17 00:00:00 2001 From: Marcel Weinberg Date: Wed, 28 Apr 2021 21:50:08 +0200 Subject: [PATCH 17/21] Remove when conditional for rbac smoketests --- roles/StackStorm.st2smoketests/tasks/main.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/StackStorm.st2smoketests/tasks/main.yml b/roles/StackStorm.st2smoketests/tasks/main.yml index 0824b6a2..cad263fd 100644 --- a/roles/StackStorm.st2smoketests/tasks/main.yml +++ b/roles/StackStorm.st2smoketests/tasks/main.yml @@ -69,7 +69,6 @@ - name: Run RBAC tests to verify the setup import_tasks: st2rbac_verification.yml - when: st2_rbac_enable|bool tags: - smoke-tests - rbac-tests From faaf5fa5fde0b05082046541d408a47250261a40 Mon Sep 17 00:00:00 2001 From: Marcel Weinberg Date: Wed, 28 Apr 2021 22:13:20 +0200 Subject: [PATCH 18/21] Enable rbac just for the smoketests --- .../tasks/st2rbac_verification.yml | 46 +++++++++++++++++++ 1 file changed, 46 insertions(+) diff --git a/roles/StackStorm.st2smoketests/tasks/st2rbac_verification.yml b/roles/StackStorm.st2smoketests/tasks/st2rbac_verification.yml index 95444e78..343a1669 100644 --- a/roles/StackStorm.st2smoketests/tasks/st2rbac_verification.yml +++ b/roles/StackStorm.st2smoketests/tasks/st2rbac_verification.yml @@ -1,6 +1,15 @@ --- # Small suite of smoke tests to ensure that RBAC works as expected +- name: Create directory to store roles and assignments + become: yes + file: + path: "/opt/stackstorm/rbac/{{ item }}" + recurse: yes + state: directory + loop: + - roles + - assignments - name: auth | Add a new smoke_tests_rbac_user in st2 htpasswd file become: true 
@@ -37,6 +46,31 @@ notify: - reload rbac +- name: Enable RBAC in st2 configuration + become: yes + ini_file: + dest: /etc/st2/st2.conf + section: rbac + option: enable + value: True + backup: yes + notify: + - restart st2api + - restart st2auth + - reload rbac + +- name: Set RBAC backend to default in st2 configuration + become: yes + ini_file: + dest: /etc/st2/st2.conf + section: rbac + option: backend + value: default + backup: yes + notify: + - restart st2api + - restart st2auth + - meta: flush_handlers - name: Get authentication token for rbac_smoke_tests # Note this will not use LDAP. @@ -94,3 +128,15 @@ changed_when: no notify: - reload rbac + +- name: Disable RBAC in st2 configuration + become: yes + ini_file: + dest: /etc/st2/st2.conf + section: rbac + option: enable + value: False + backup: yes + notify: + - restart st2api + - restart st2auth \ No newline at end of file From b4413cbde5e8a46bc01e068adb5eebb81466f114 Mon Sep 17 00:00:00 2001 From: Marcel Weinberg Date: Sat, 1 May 2021 16:02:57 +0200 Subject: [PATCH 19/21] Revert "Enable rbac just for the smoketests" This reverts commit faaf5fa5fde0b05082046541d408a47250261a40. --- .../tasks/st2rbac_verification.yml | 46 ------------------- 1 file changed, 46 deletions(-) diff --git a/roles/StackStorm.st2smoketests/tasks/st2rbac_verification.yml b/roles/StackStorm.st2smoketests/tasks/st2rbac_verification.yml index 343a1669..95444e78 100644 --- a/roles/StackStorm.st2smoketests/tasks/st2rbac_verification.yml +++ b/roles/StackStorm.st2smoketests/tasks/st2rbac_verification.yml @@ -1,15 +1,6 @@ --- # Small suite of smoke tests to ensure that RBAC works as expected -- name: Create directory to store roles and assignments - become: yes - file: - path: "/opt/stackstorm/rbac/{{ item }}" - recurse: yes - state: directory - loop: - - roles - - assignments - name: auth | Add a new smoke_tests_rbac_user in st2 htpasswd file become: true 
@@ -46,31 +37,6 @@ notify: - reload rbac -- name: Enable RBAC in st2 configuration - become: yes - ini_file: - dest: /etc/st2/st2.conf - section: rbac - option: enable - value: True - backup: yes - notify: - - restart st2api - - restart st2auth - - reload rbac - -- name: Set RBAC backend to default in st2 configuration - become: yes - ini_file: - dest: /etc/st2/st2.conf - section: rbac - option: backend - value: default - backup: yes - notify: - - restart st2api - - restart st2auth - - meta: flush_handlers - name: Get authentication token for rbac_smoke_tests # Note this will not use LDAP. @@ -128,15 +94,3 @@ changed_when: no notify: - reload rbac - -- name: Disable RBAC in st2 configuration - become: yes - ini_file: - dest: /etc/st2/st2.conf - section: rbac - option: enable - value: False - backup: yes - notify: - - restart st2api - - restart st2auth \ No newline at end of file From 4ef952bd8a321a0d0dffda172984a94dab5f9852 Mon Sep 17 00:00:00 2001 From: Marcel Weinberg Date: Sat, 1 May 2021 16:03:06 +0200 Subject: [PATCH 20/21] Revert "Remove when conditional for rbac smoketests" This reverts commit 7dc92445d8cba52749838c784e726cef5d6c63c6. --- roles/StackStorm.st2smoketests/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/StackStorm.st2smoketests/tasks/main.yml b/roles/StackStorm.st2smoketests/tasks/main.yml index cad263fd..0824b6a2 100644 --- a/roles/StackStorm.st2smoketests/tasks/main.yml +++ b/roles/StackStorm.st2smoketests/tasks/main.yml @@ -69,6 +69,7 @@ - name: Run RBAC tests to verify the setup import_tasks: st2rbac_verification.yml + when: st2_rbac_enable|bool tags: - smoke-tests - rbac-tests From 032090cfc4704a305b30eee257ea4af0da7715b3 Mon Sep 17 00:00:00 2001 From: Marcel Weinberg Date: Sat, 1 May 2021 16:57:17 +0200 Subject: [PATCH 21/21] Enable st2rbac for the kitchen tests (expect the smoke tests w/o rbac to fail) --- .kitchen.yml | 1 + 1 file changed, 1 insertion(+) 
diff --git a/.kitchen.yml b/.kitchen.yml index 5e0ba68f..71d748a2 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -19,6 +19,7 @@ provisioner: st2chatops_hubot_adapter: slack st2chatops_config: HUBOT_SLACK_TOKEN: <%= ENV['HUBOT_SLACK_TOKEN'] %> + st2_rbac_enable: yes platforms: # Ubuntu Xenial with Systemd
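Review bot: `st2_rbac_enable: yes` uses the YAML 1.1-only truthy form, which yamllint's `truthy` rule flags and which a YAML 1.2 parser reads as the string `yes`; `st2_rbac_enable: true` is unambiguous across parsers and is the canonical spelling. The commit message says the smoke tests without RBAC are expected to fail once this is set, so record that next to the line, e.g. `# RBAC is enforced in kitchen runs; non-RBAC smoke tests are expected to fail until adapted`, so a red run is understood rather than re-investigated. Since this turns on enforcement for every platform in the provisioner, the role's default role assignments presumably decide what the test credentials may do — worth confirming the smoke tests still authenticate as users that hold the roles they exercise.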
