inventory for self service

Hi,
I am new to AWX. I am trying to figure out how to indicate allocations of servers to users and then use that to limit the systems a user can run his jobs on.
Assume that I have a magical allocator that gives Joe 6 systems and sets them up as a test cell. I want Joe to be able to burn down and rebuild his test cell with a set of playbooks.
How would I indicate in the inventory that the 6 systems can only be acted on by Joe or the admins? How would I then check the permission when the job runs?
thanks,
jerry

Hey Jerry,
Set up a smart inventory with the 6 hosts (http://docs.ansible.com/ansible-tower/latest/html/userguide/inventories.html#smart-inventories), then create a JT using that as the inventory. Set the permissions on that JT so that the user has the execute role.

You can check permissions for a particular user on the user’s detail page, under the permissions tab.

Hope that helps,
John
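The setup John describes, written as an Ansible playbook with the `awx.awx` collection. This is an added example, not part of the original thread; the host-name prefix, organization, project, playbook and user names are assumed placeholders, and the collection is assumed to be installed and pointed at the controller with an admin account.

```yaml
# Added example; every name below is a hypothetical placeholder.
# Controller URL and admin credentials are assumed to be supplied through
# the collection's normal connection settings (environment or config file).
- name: Give joe a self-service job template scoped to his test cell
  hosts: localhost
  connection: local
  gather_facts: false
  tasks:
    - name: Smart inventory that selects only joe's six hosts
      awx.awx.inventory:
        name: joe-test-cell
        organization: Default
        kind: smart
        # Assumes the allocator names the hosts joe-cell-01 .. joe-cell-06
        host_filter: "name__startswith=joe-cell-"
        state: present

    - name: Job template pinned to that inventory
      awx.awx.job_template:
        name: rebuild-joe-test-cell
        organization: Default
        job_type: run
        inventory: joe-test-cell
        project: test-cell-playbooks
        playbook: rebuild.yml
        # Do not let the launcher swap the inventory or change the limit
        ask_inventory_on_launch: false
        ask_limit_on_launch: false
        state: present

    - name: Grant joe only the execute role on the template
      awx.awx.role:
        user: joe
        role: execute
        job_template: rebuild-joe-test-cell
        state: present
```

With the prompt-on-launch options off, the execute role lets joe run the template but not point it at a different inventory.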

John,

Thanks for the quick reply.

So I would have an overall inventory of the systems and then a smart inventory that just grabbed the ones that Joe owns and tie that to the job template. Is there a way to have a generic smart inventory module that gets the user passed to it?

jerry

Not quite in the way you ask the question, but yes.

You can think of the implementation of inventories as a “smart filter” that allows you to either select based on specific hosts, or dynamically (“all hosts whose name begin with foo”, or something like that).

You can also set up permissions at the inventory/project/credential level, instead of the JT level. If the user has ability to use all the pieces that make up the job template, they will have implicit permission to execute the job template. Note that it can be more difficult to audit who can see what when using this implicit permission model.

implementation of smart inventories* as a filter*