Read this in other languages:
English, 日本語, Portugues do Brasil, Française, Español.
In this exercise, you'll explore how Ansible Automation Controller handles user and group management through Role-Based Access Control (RBAC). This ensures proper delegation of rights while keeping automation secure.
There are three types of users in Ansible Automation Controller:
- Normal User: Has read and write access limited to assigned inventories and projects.
- Ansible Automation Platform Auditor: Read-only access to all objects within the automation controller environment.
- Ansible Automation Platform Administrator: Full admin privileges over the entire automation controller installation.
Let's create a user:
-
Navigate to Access Management -> Users.
-
Click the Create user button.
-
Fill in the following values:
Parameter Value Username wweb Password ansible Confirm Password ansible First Name Werner Last Name Web Email [email protected] Organization Default User Type Normal User -
Click Create user.
Teams are subdivisions of an organization that include users, projects, credentials, and permissions, helping to implement RBAC efficiently.
Create a Team:
- Navigate to Access Management -> Teams.
- Click the Create team button and create a team named
Web Content
within theDefault
organization. - Click Create team.
Add a User to the Team:
- Select the
Web Content
team. - Go to the Users tab and click Add users.
- In the Add users window, choose wweb, then click Add users.
To grant users the ability to execute tasks, permissions need to be set.
Grant Permission to Use a Template:
- Navigate to Automation Execution -> Templates.
- Select the template
Create index.html
. - Click the User Access tab.
- Click Add roles.
- Select the
wweb
user and click Next. - Choose the roles JobTemplate Admin and/or JobTemplate Execute, depending on the required level of access, click Next.
- Review the selections and click Finish.
Now, log out and log in again as the wweb
user.
- Navigate to Templates. You should only see the
Create index.html
template listed. - Run the job by clicking the rocket icon. Enter the required values for the survey questions and launch the job.
- After completion, check the Jobs view for the expected changes.
To verify the result, use curl
on the control host to check the webserver content on node1
:
#> curl http://node1
Just recall what you have just done: You enabled a restricted user to run an Ansible playbook
-
Without having access to the credentials
-
Without being able to change the playbook itself
-
But with the ability to change variables you predefined!
Effectively you provided the power to execute automation to another user without handing out your credentials or giving the user the ability to change the automation code. And yet, at the same time the user can still modify things based on the surveys you created.
This capability is one of the main strengths of Ansible automation controller!
Navigation
Previous Exercise - Next Exercise
Click here to return to the Ansible for Red Hat Enterprise Linux Workshop