I am running RHEL 7.5, Satellite 6.3, Ansible 2.7.0, and Ansible AWX 2.0.1.
I am in the process of developing playbooks to handle our server provisioning. As part of the provisioning process, we are using sssd and realmd, to join the servers to our Active Directory tree. The next step in the process is to issue ‘realm permit -g [ad group name]’ to restrict access to specific groups.
In Satellite we have host group hierarchies similar to the following:
Business-Unit
→ Database-Servers
→ Application-Servers
→ Web-Servers
I need a method of managing access authorization from global, all the way down the tree. Such as, corporate level linux admins will have permissions to all systems, but select groups can be given access to business unit server or functional servers.
My initial thought was to create two parameters, permit-users and permit-groups, at each layer in the hierarchy and loop through starting that the host and moving up the tree and each level permitting the configured access. However, the parameters in Satellite get overwritten at each level, so only the lowest on the hierarchy is presented as facts on the host and it doesn’t appear the host groups’ parameters are presented to Ansible.
How are others solving this type of issue?
Thank you in advance,
Jeremy