From ab143a0ed46dc2abc28847549b13375d073f093b Mon Sep 17 00:00:00 2001 From: Lakshmi Kannan Date: Tue, 7 Mar 2017 13:50:41 -0800 Subject: [PATCH 01/38] Initial commit --- roles/bwc/defaults/main.yml | 6 +++ roles/bwc/meta/main.yml | 27 +++++++++++ roles/bwc/tasks/main.yml | 21 +++++++++ roles/bwc_rbac/defaults/main.yml | 3 ++ .../files/rbac_assigments/stanley.yml | 5 ++ .../files/rbac_assigments/system_admin.yml.j2 | 5 ++ roles/bwc_rbac/handlers/main.yml | 5 ++ roles/bwc_rbac/meta/main.yml | 24 ++++++++++ roles/bwc_rbac/tasks/main.yml | 47 +++++++++++++++++++ roles/bwc_repos/defaults/main.yml | 20 ++++++++ roles/bwc_repos/meta/main.yml | 22 +++++++++ roles/bwc_repos/tasks/bwc_repos_apt.yml | 39 +++++++++++++++ roles/bwc_repos/tasks/bwc_repos_yum.yml | 39 +++++++++++++++ roles/bwc_repos/tasks/main.yml | 6 +++ 14 files changed, 269 insertions(+) create mode 100644 roles/bwc/defaults/main.yml create mode 100644 roles/bwc/meta/main.yml create mode 100644 roles/bwc/tasks/main.yml create mode 100644 roles/bwc_rbac/defaults/main.yml create mode 100644 roles/bwc_rbac/files/rbac_assigments/stanley.yml create mode 100644 roles/bwc_rbac/files/rbac_assigments/system_admin.yml.j2 create mode 100644 roles/bwc_rbac/handlers/main.yml create mode 100644 roles/bwc_rbac/meta/main.yml create mode 100644 roles/bwc_rbac/tasks/main.yml create mode 100644 roles/bwc_repos/defaults/main.yml create mode 100644 roles/bwc_repos/meta/main.yml create mode 100644 roles/bwc_repos/tasks/bwc_repos_apt.yml create mode 100644 roles/bwc_repos/tasks/bwc_repos_yum.yml create mode 100644 roles/bwc_repos/tasks/main.yml diff --git a/roles/bwc/defaults/main.yml b/roles/bwc/defaults/main.yml new file mode 100644 index 00000000..d7464c87 --- /dev/null +++ b/roles/bwc/defaults/main.yml @@ -0,0 +1,6 @@ +--- +bwc_pkg_repo: "enterprise" +# 'latest' to get latest version or numeric like '2.1.1' +bwc_version: latest +# used only if 'bwc_version' is numeric +bwc_revision: 1 
diff --git a/roles/bwc/meta/main.yml b/roles/bwc/meta/main.yml new file mode 100644 index 00000000..5ce11f14 --- /dev/null +++ b/roles/bwc/meta/main.yml @@ -0,0 +1,27 @@ +--- +galaxy_info: + description: Install BWC Entperprise components + author: lakshmi-kannan + company: StackStorm + license: Apache 2.0 + min_ansible_version: 2.2 + platforms: + - name: Ubuntu + versions: + - trusty + - xenial + - name: EL + versions: + - 6 + - 7 + categories: + - stackstorm + - BWC + - Brocade Workflow Composer + - repositories + - packagecloud + dependencies: + - role: st2repos + - role: st2 + - role: st2web + - role: bwc_repos diff --git a/roles/bwc/tasks/main.yml b/roles/bwc/tasks/main.yml new file mode 100644 index 00000000..737b11e5 --- /dev/null +++ b/roles/bwc/tasks/main.yml @@ -0,0 +1,21 @@ +--- + +- name: Install latest bwc-enterprise package + become: yes + package: + name: bwc-enterprise + state: latest + when: bwc_version == "latest" + tags: + - bwc + - st2 enterprise + +- name: Install pinned bwc-enterprise package + become: yes + package: + name: bwc-enterprise={{ bwc_version }}-{{ bwc_revision }} + state: present + when: bwc_version != "latest" + tags: + - bwc + - st2 enterprise diff --git a/roles/bwc_rbac/defaults/main.yml b/roles/bwc_rbac/defaults/main.yml new file mode 100644 index 00000000..96f7ddba --- /dev/null +++ b/roles/bwc_rbac/defaults/main.yml @@ -0,0 +1,3 @@ +--- + +st2_config_file_path: /etc/st2/st2.conf diff --git a/roles/bwc_rbac/files/rbac_assigments/stanley.yml b/roles/bwc_rbac/files/rbac_assigments/stanley.yml new file mode 100644 index 00000000..4fc506cd --- /dev/null +++ b/roles/bwc_rbac/files/rbac_assigments/stanley.yml @@ -0,0 +1,5 @@ +--- + + username: "stanley" + roles: + - "admin" diff --git a/roles/bwc_rbac/files/rbac_assigments/system_admin.yml.j2 b/roles/bwc_rbac/files/rbac_assigments/system_admin.yml.j2 new file mode 100644 index 00000000..3abc86d3 --- /dev/null +++ b/roles/bwc_rbac/files/rbac_assigments/system_admin.yml.j2 
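Review bot: The pinned install builds `name: bwc-enterprise={{ bwc_version }}-{{ bwc_revision }}`, which is apt's `pkg=version` form; the generic `package` module passes that string through to yum unchanged on the EL 6/7 platforms this role's meta declares, where a pin is spelled `bwc-enterprise-{{ bwc_version }}-{{ bwc_revision }}`, so the task fails there. Select the separator on the package manager, e.g. `name: "bwc-enterprise{{ '=' if ansible_pkg_mgr == 'apt' else '-' }}{{ bwc_version }}-{{ bwc_revision }}"`, or split the task by `ansible_pkg_mgr`. Document in defaults that `bwc_version` must be given as a quoted string, since a bare `2.10` arrives as the float `2.1` and produces the wrong pin.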
@@ -0,0 +1,5 @@ +--- + + username: {{ bwc_superuser }} + roles: + - "system_admin" diff --git a/roles/bwc_rbac/handlers/main.yml b/roles/bwc_rbac/handlers/main.yml new file mode 100644 index 00000000..9d49755f --- /dev/null +++ b/roles/bwc_rbac/handlers/main.yml @@ -0,0 +1,5 @@ +--- + +- name: reload bwc_rbac + become: yes + command: st2-apply-rbac-definitions --config-file {{ st2_config_file_path }} diff --git a/roles/bwc_rbac/meta/main.yml b/roles/bwc_rbac/meta/main.yml new file mode 100644 index 00000000..0a86940a --- /dev/null +++ b/roles/bwc_rbac/meta/main.yml @@ -0,0 +1,24 @@ +--- +galaxy_info: + description: Setup BWC RBAC + author: lakshmi-kannan + company: StackStorm + license: Apache 2.0 + min_ansible_version: 2.2 + platforms: + - name: Ubuntu + versions: + - trusty + - xenial + - name: EL + versions: + - 6 + - 7 + categories: + - stackstorm + - BWC + - Brocade Workflow Composer + - RBAC + dependencies: + - role: st2 + - role: bwc diff --git a/roles/bwc_rbac/tasks/main.yml b/roles/bwc_rbac/tasks/main.yml new file mode 100644 index 00000000..5b489542 --- /dev/null +++ b/roles/bwc_rbac/tasks/main.yml 
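Review bot: `username: {{ bwc_superuser }}` is rendered unquoted, so a superuser name containing `: `, ` #`, a leading `@`, or anything YAML re-types as a number or boolean corrupts the assignment file that `st2-apply-rbac-definitions` loads later. Emit it as a JSON scalar, which is also valid YAML: `username: {{ bwc_superuser | to_json }}`.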
@@ -0,0 +1,47 @@ +--- + + - name: Create BWC RBAC directories + become: yes + file: + path: "{{ item }}" + mode: "u+rw,g-wx,o-rwx" + with_items: + - /opt/stackstorm/rbac/assignments + - /opt/stackstorm/rbac/roles + + - name: Copy default assignments to RBAC directory + template: + src: "{{ item }}" + dest: "/opt/stackstorm/rbac/assignments/{{ item | basename | regex_replace('\.j2','') }}" + with_fileglob: + - ../files/rbac_assignments/*.j2 + when: rbac_setup_default_assignments is defined and bwc_superuser is defined + + - name: Copy user supplied RBAC roles to the box + template: + src: "{{ item }}" + dest: "/opt/stackstorm/rbac/roles/{{ item | basename | regex_replace('\.j2','') }}" + with_fileglob: + - "{{ rbac_roles_src_path }}"/*.j2 + when: rbac_roles_src_path is defined + + - name: Copy user supplied RBAC assignments to the box + template: + src: "{{ item }}" + dest: "/opt/stackstorm/rbac/assignments/{{ item | basename | regex_replace('\.j2','') }}" + with_fileglob: + - "{{ rbac_assigments_src_path }}"/*.j2 + when: rbac_assigments_src_path is defined + + - name: Enable RBAC in st2 configuration + become: yes + ini_file: + dest: /etc/st2/st2.conf + section: auth + option: enable + value: True + backup: yes + notify: + - restart st2 + - reload bwc_rbac + - restart st2api diff --git a/roles/bwc_repos/defaults/main.yml b/roles/bwc_repos/defaults/main.yml new file mode 100644 index 00000000..9ad52417 --- /dev/null +++ b/roles/bwc_repos/defaults/main.yml 
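Review bot: The task `Enable RBAC in st2 configuration` sets `[auth] enable = True`, which switches on authentication, but st2 keeps the RBAC switch in a separate `[rbac]` section (`enable = True`, as far as I recall from st2.conf) that nothing here writes, so the roles and assignments copied above are loaded by `st2-apply-rbac-definitions` yet never enforced. Add a second `ini_file` task with `section: rbac`, `option: enable`, `value: "True"` and the same notify list. The new YAML also does not parse as written: `- "{{ rbac_roles_src_path }}"/*.j2` has text after a closing quote, and the double-quoted `dest:` values contain `\.`, which is not a YAML escape. Both template tasks additionally run without `become: yes` against directories this hunk creates as root, so they would fail on permissions first.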
@@ -0,0 +1,20 @@ +--- +# BWC PackageCloud repository to install: enterprise, enterprise-unstable, staging-enterprise, staging-enterprise-unstable. +bwc_pkg_repo: enterprise + +deb_os: "{{ ansible_distribution|lower }}" +deb_os_version: "{{ ansible_distribution_release|lower }}" + +rpm_os: "el" +rpm_os_version: "{{ ansible_distribution_major_version }}" + +license: "" +master_token: "{{ license }}" + +deb_gpg_key_url: "https://{{ master_token }}:@packagecloud.io/install/repositories/StackStorm/enterprise/gpg_key_url.list?os={{ deb_os }}&dist={{ deb_os_version }}&name=${UNIQUE_ID}" + +deb_config_file_url: "https://{{ master_token }}:@packagecloud.io/install/repositories/StackStorm/{{ bwc_pkg_repo }}/config_file.list?os={{ deb_os }}&dist={{ deb_os_version }}&name={{ ansible_nodename }}" +deb_config_file_location: "/etc/apt/sources.list.d/packagecloud_io_StackStorm_{{ bwc_pkg_repo }}.list" + +rpm_config_file_url: "https://{{ master_token }}:@packagecloud.io/install/repositories/StackStorm/{{ bwc_pkg_repo }}/config_file.repo?os={{ rpm_os }}&dist={{ rpm_os_version }}&name={{ ansible_nodename }}" +rpm_config_file_location: "/etc/yum.repos.d/packagecloud_io_StackStorm_{{ bwc_pkg_repo }}.repo" diff --git a/roles/bwc_repos/meta/main.yml b/roles/bwc_repos/meta/main.yml new file mode 100644 index 00000000..ccf22a17 --- /dev/null +++ b/roles/bwc_repos/meta/main.yml @@ -0,0 +1,22 @@ +--- +galaxy_info: + description: Install BWC PackageCloud repository + author: lakshmi-kannan + company: StackStorm + license: Apache 2.0 + min_ansible_version: 2.2 + platforms: + - name: Ubuntu + versions: + - trusty + - xenial + - name: EL + versions: + - 6 + - 7 + categories: + - stackstorm + - BWC + - Brocade Workflow Composer + - repositories + - packagecloud diff --git a/roles/bwc_repos/tasks/bwc_repos_apt.yml b/roles/bwc_repos/tasks/bwc_repos_apt.yml new file mode 100644 index 00000000..814ff1d0 --- /dev/null +++ b/roles/bwc_repos/tasks/bwc_repos_apt.yml 
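Review bot: `master_token` is the enterprise license key, and every URL here embeds it as URL userinfo (`https://{{ master_token }}:@packagecloud.io/...`), so any task that interpolates these variables into a `shell:` command exposes the key on the target's process list and in Ansible output whenever that task fails or runs under `-v`. Keep the secret out of the URL and pass it as `url_username: "{{ master_token }}"`, `url_password: ""`, `force_basic_auth: yes` to `get_url`/`uri`, or at minimum mark every task that uses these variables `no_log: true`. Since the value is a credential, the comment above `bwc_pkg_repo` should also tell operators to supply `license` from a vault-encrypted var rather than plain inventory.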
@@ -0,0 +1,39 @@ +--- + +- name: Assert that master_token is specified + fail: msg="License key must be supplied for BWC enterprise installation." + when: license is not defined + +- name: Install prereqs (Debian) + become: yes + apt: + name: "{{ item }}" + state: present + with_items: + - debian-archive-keyring + - apt-transport-https + +- name: Get GPG key URL for private repo + become: yes + shell: 'curl "{{ deb_gpg_key_url }}"' + register: deb_gpg_key + +# This is the exact key as the open source repo but this behavior might change. So just +# following what's in packagecloud docs for private repos. +- name: Add GPG key to keyring + become: yes + shell: 'curl -L "{{ deb_gpg_key.stdout_lines }}" | apt-key add -' + +- name: "Adding packagecloud.io repository: StackStorm/{{ bwc_pkg_repo }} with generated read token" + become: yes + shell: 'curl "{{ deb_config_file_url }}" > {{ deb_config_file_location }}' + args: + creates: "{{ deb_config_file_location }}" + register: added_bwc_deb_repository + when: ansible_os_family == "Debian" and license is defined + +- name: Update APT package cache + become: yes + apt: + update_cache: true + when: ansible_os_family == "Debian" and added_bwc_deb_repository|success diff --git a/roles/bwc_repos/tasks/bwc_repos_yum.yml b/roles/bwc_repos/tasks/bwc_repos_yum.yml new file mode 100644 index 00000000..5895cdd1 --- /dev/null +++ b/roles/bwc_repos/tasks/bwc_repos_yum.yml 
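Review bot: All three `curl` invocations run without `--fail`, and the piped one without `set -o pipefail`, so a 401 or 5xx from packagecloud hands an HTML error body to `apt-key add -` or writes it straight into `{{ deb_config_file_location }}`; because that task uses `creates:`, a broken sources file written once is never retried. Use `curl -fsSL` in each of them and `set -o pipefail` before the pipe, or replace them with `apt_key:` (`url:`) and `get_url:`, which fail on HTTP errors. These tasks also place the license token on the command line through the URL variables, so each needs `no_log: true`; as a side effect a registered result such as `deb_gpg_key` then cannot leak the `cmd` field either.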
@@ -0,0 +1,39 @@ +--- + +- name: Assert that master_token is specified + fail: msg="License key must be supplied for BWC enterprise installation." + when: license is not defined + +# Fixes "Failure talking to yum: Cannot retrieve repository metadata (repomd.xml) for repository: StackStorm_stable. Please verify its path and try again" when installing st2 +- name: Update ca-certificates package + become: yes + yum: + name: ca-certificates + state: latest + tags: skip_ansible_lint + +# See: https://github.com/docker-library/docs/tree/master/centos#package-documentation +# We ship `nginx.conf` via `st2` package doc files, for example +- name: Enable shipping package documentation files for EL + become: yes + ini_file: + dest: /etc/yum.conf + section: main + option: tsflags + value: nodocs + state: absent + when: ansible_os_family == "RedHat" + +- name: Add BWC enterprise repo + become: yes + shell: 'curl "{{ rpm_config_file_url }}" > {{ rpm_config_file_location }}' + args: + creates: "{{ rpm_config_file_location }}" + register: added_bwc_rpm_repository + when: ansible_os_family == "RedHat" and license is defined + +- name: Update yum package cache + become: yes + yum: + update_cache: true + when: ansible_os_family == "RedHat" and added_rpm_repository|success diff --git a/roles/bwc_repos/tasks/main.yml b/roles/bwc_repos/tasks/main.yml new file mode 100644 index 00000000..9ec1dcc9 --- /dev/null +++ b/roles/bwc_repos/tasks/main.yml @@ -0,0 +1,6 @@ +--- +- name: Add BWC enterprise repos on {{ ansible_distribution }} + include: bwc_repos_{{ ansible_pkg_mgr }}.yml + tags: + - BWC repos + - StackStorm enterprise From 6d05514dd7d27a05c29c44ca57c5e622b43791e0 Mon Sep 17 00:00:00 2001 
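Review bot: `curl "{{ rpm_config_file_url }}" > {{ rpm_config_file_location }}` has the same weakness as the apt variant: without `--fail` an authentication error body becomes the `.repo` file, and `creates:` then hides that on every subsequent run, leaving yum to complain about a repo file that is really HTML. Use `curl -fsSL` or `get_url:`, and add `no_log: true` because the URL carries the license token. The redirect target `{{ rpm_config_file_location }}` is unquoted inside the shell command; it is a role default today, but quoting it costs nothing.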
From: Lakshmi Kannan Date: Tue, 7 Mar 2017 16:49:34 -0800 Subject: [PATCH 02/38] First round of fixes after U16 testing --- .../stanley.yml | 0 .../system_admin.yml.j2 | 0 roles/bwc_rbac/tasks/main.yml | 22 ++++++++++++++----- roles/bwc_repos/defaults/main.yml | 3 +-- roles/bwc_repos/tasks/bwc_repos_apt.yml | 9 +++++++- 5 files changed, 25 insertions(+), 9 deletions(-) rename roles/bwc_rbac/files/{rbac_assigments => rbac_assignments}/stanley.yml (100%) rename roles/bwc_rbac/files/{rbac_assigments => rbac_assignments}/system_admin.yml.j2 (100%) diff --git a/roles/bwc_rbac/files/rbac_assigments/stanley.yml b/roles/bwc_rbac/files/rbac_assignments/stanley.yml similarity index 100% rename from roles/bwc_rbac/files/rbac_assigments/stanley.yml rename to roles/bwc_rbac/files/rbac_assignments/stanley.yml diff --git a/roles/bwc_rbac/files/rbac_assigments/system_admin.yml.j2 b/roles/bwc_rbac/files/rbac_assignments/system_admin.yml.j2 similarity index 100% rename from roles/bwc_rbac/files/rbac_assigments/system_admin.yml.j2 rename to roles/bwc_rbac/files/rbac_assignments/system_admin.yml.j2 diff --git a/roles/bwc_rbac/tasks/main.yml b/roles/bwc_rbac/tasks/main.yml index 5b489542..75e7ca09 100644 --- a/roles/bwc_rbac/tasks/main.yml +++ b/roles/bwc_rbac/tasks/main.yml 
@@ -5,32 +5,42 @@ file: path: "{{ item }}" mode: "u+rw,g-wx,o-rwx" + owner: st2 + group: st2 + state: directory with_items: - /opt/stackstorm/rbac/assignments - /opt/stackstorm/rbac/roles - name: Copy default assignments to RBAC directory + become: yes template: src: "{{ item }}" - dest: "/opt/stackstorm/rbac/assignments/{{ item | basename | regex_replace('\.j2','') }}" + dest: /opt/stackstorm/rbac/assignments/{{ item | basename | regex_replace('\.j2','') }} + owner: st2 + group: st2 with_fileglob: - - ../files/rbac_assignments/*.j2 + - rbac_assignments/* when: rbac_setup_default_assignments is defined and bwc_superuser is defined - name: Copy user supplied RBAC roles to the box template: src: "{{ item }}" - dest: "/opt/stackstorm/rbac/roles/{{ item | basename | regex_replace('\.j2','') }}" + dest: /opt/stackstorm/rbac/roles/"{{ item | basename | regex_replace('\.j2','') }}" + owner: st2 + group: st2 with_fileglob: - - "{{ rbac_roles_src_path }}"/*.j2 + - '"{{ rbac_roles_src_path }}"/*.j2' when: rbac_roles_src_path is defined - name: Copy user supplied RBAC assignments to the box template: src: "{{ item }}" - dest: "/opt/stackstorm/rbac/assignments/{{ item | basename | regex_replace('\.j2','') }}" + dest: /opt/stackstorm/rbac/assignments/"{{ item | basename | regex_replace('\.j2','') }}" + owner: st2 + group: st2 with_fileglob: - - "{{ rbac_assigments_src_path }}"/*.j2 + - '"{{ rbac_assigments_src_path }}"/*.j2' when: rbac_assigments_src_path is defined - name: Enable RBAC in st2 configuration diff --git a/roles/bwc_repos/defaults/main.yml b/roles/bwc_repos/defaults/main.yml index 9ad52417..9028d94e 100644 --- a/roles/bwc_repos/defaults/main.yml +++ b/roles/bwc_repos/defaults/main.yml 
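Review bot: The reworked `dest: /opt/stackstorm/rbac/roles/"{{ item | basename | regex_replace('\.j2','') }}"` puts the quotes inside the path, so the rendered destination contains literal `"` characters, and `with_fileglob: - '"{{ rbac_roles_src_path }}"/*.j2'` globs a path with literal quotes that never matches; only the first task's `rbac_assignments/*` glob works. Write `dest: "/opt/stackstorm/rbac/roles/{{ item | basename | regex_replace('[.]j2$', '') }}"` (a character class avoids the backslash-escape problem) and `- "{{ rbac_roles_src_path }}/*.j2"`. The two user-supplied-file tasks also still lack `become: yes`, while the target directories are now `owner: st2` with group write removed.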
@@ -8,10 +8,9 @@ deb_os_version: "{{ ansible_distribution_release|lower }}" rpm_os: "el" rpm_os_version: "{{ ansible_distribution_major_version }}" -license: "" master_token: "{{ license }}" -deb_gpg_key_url: "https://{{ master_token }}:@packagecloud.io/install/repositories/StackStorm/enterprise/gpg_key_url.list?os={{ deb_os }}&dist={{ deb_os_version }}&name=${UNIQUE_ID}" +deb_gpg_key_url: "https://{{ master_token }}:@packagecloud.io/install/repositories/StackStorm/enterprise/gpg_key_url.list?os={{ deb_os }}&dist={{ deb_os_version }}&name={{ ansible_nodename }}" deb_config_file_url: "https://{{ master_token }}:@packagecloud.io/install/repositories/StackStorm/{{ bwc_pkg_repo }}/config_file.list?os={{ deb_os }}&dist={{ deb_os_version }}&name={{ ansible_nodename }}" deb_config_file_location: "/etc/apt/sources.list.d/packagecloud_io_StackStorm_{{ bwc_pkg_repo }}.list" diff --git a/roles/bwc_repos/tasks/bwc_repos_apt.yml b/roles/bwc_repos/tasks/bwc_repos_apt.yml index 814ff1d0..746fa400 100644 --- a/roles/bwc_repos/tasks/bwc_repos_apt.yml +++ b/roles/bwc_repos/tasks/bwc_repos_apt.yml @@ -18,11 +18,18 @@ shell: 'curl "{{ deb_gpg_key_url }}"' register: deb_gpg_key +- name: Debug GPG URL + debug: + msg: "GPG URL query {{ deb_gpg_key_url }}. Output: {{ deb_gpg_key }}" +- name: Echo the gpg key URL + shell: echo GPG key URL is "{{ deb_gpg_key }}" + # This is the exact key as the open source repo but this behavior might change. So just # following what's in packagecloud docs for private repos. - name: Add GPG key to keyring become: yes - shell: 'curl -L "{{ deb_gpg_key.stdout_lines }}" | apt-key add -' + shell: 'curl -L "{{ deb_gpg_key.stdout }}" | apt-key add -' + when: ansible_os_family == "Debian" and license is defined - name: "Adding packagecloud.io repository: StackStorm/{{ bwc_pkg_repo }} with generated read token" become: yes From dca13a3975f7c2b6010c70719c27d4611c33bda0 Mon Sep 17 00:00:00 2001 
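Review bot: The two debugging tasks added here, `debug: msg: "GPG URL query {{ deb_gpg_key_url }} ..."` and `shell: echo GPG key URL is "{{ deb_gpg_key }}"`, print the license token into Ansible output — it sits in `deb_gpg_key_url` and in the registered result's `cmd` field — and therefore into any `log_path` or callback sink on the controller. They should not be committed even as a temporary aid; if the curl tasks were `no_log: true` the registered result would not be printable by accident, and debugging should be limited to the non-secret `deb_gpg_key.stdout`. The `when:` added to the keyring task is redundant with the `fail` guard at the top of this file.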
From: Lakshmi Kannan Date: Tue, 7 Mar 2017 16:52:50 -0800 Subject: [PATCH 03/38] Remove Debug for GPG_URL --- roles/bwc_repos/tasks/bwc_repos_apt.yml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/roles/bwc_repos/tasks/bwc_repos_apt.yml b/roles/bwc_repos/tasks/bwc_repos_apt.yml index 746fa400..c908fc77 100644 --- a/roles/bwc_repos/tasks/bwc_repos_apt.yml +++ b/roles/bwc_repos/tasks/bwc_repos_apt.yml @@ -18,12 +18,6 @@ shell: 'curl "{{ deb_gpg_key_url }}"' register: deb_gpg_key -- name: Debug GPG URL - debug: - msg: "GPG URL query {{ deb_gpg_key_url }}. Output: {{ deb_gpg_key }}" -- name: Echo the gpg key URL - shell: echo GPG key URL is "{{ deb_gpg_key }}" - # This is the exact key as the open source repo but this behavior might change. So just # following what's in packagecloud docs for private repos. - name: Add GPG key to keyring From 309887117d0dc2cc80426f8a07b4917856aa816d Mon Sep 17 00:00:00 2001 From: Lakshmi Kannan Date: Wed, 8 Mar 2017 12:07:57 -0800 Subject: [PATCH 04/38] Fixes based on centos7 testing --- roles/bwc_repos/tasks/bwc_repos_yum.yml | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/roles/bwc_repos/tasks/bwc_repos_yum.yml b/roles/bwc_repos/tasks/bwc_repos_yum.yml index 5895cdd1..8e70265b 100644 --- a/roles/bwc_repos/tasks/bwc_repos_yum.yml +++ b/roles/bwc_repos/tasks/bwc_repos_yum.yml @@ -34,6 +34,10 @@ - name: Update yum package cache become: yes - yum: - update_cache: true - when: ansible_os_family == "RedHat" and added_rpm_repository|success + shell: yum -q makecache -y --disablerepo='*' --enablerepo='StackStorm_{{ bwc_pkg_repo|replace("/", "_") }}' + when: ansible_os_family == "RedHat" and added_bwc_rpm_repository|success + +- name: Update yum package cache BWC enterprise source repo + become: yes + shell: yum -q makecache -y --disablerepo='*' --enablerepo='StackStorm_{{ bwc_pkg_repo|replace("/", "_") }}-source' + when: ansible_os_family == "RedHat" and added_bwc_rpm_repository|success 
From b850d5804611c9c7aff914c060e94f6493960fa4 Mon Sep 17 00:00:00 2001 From: Lakshmi Kannan Date: Wed, 8 Mar 2017 16:53:49 -0800 Subject: [PATCH 05/38] Fix typo in variable name --- roles/bwc_rbac/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/bwc_rbac/tasks/main.yml b/roles/bwc_rbac/tasks/main.yml index 75e7ca09..395bd02e 100644 --- a/roles/bwc_rbac/tasks/main.yml +++ b/roles/bwc_rbac/tasks/main.yml @@ -40,8 +40,8 @@ owner: st2 group: st2 with_fileglob: - - '"{{ rbac_assigments_src_path }}"/*.j2' - when: rbac_assigments_src_path is defined + - '"{{ rbac_assignments_src_path }}"/*.j2' + when: rbac_assignments_src_path is defined - name: Enable RBAC in st2 configuration become: yes From c287cc39c899674995ebdae27db7a72f1cdd253d Mon Sep 17 00:00:00 2001 From: Lakshmi Kannan Date: Wed, 8 Mar 2017 17:12:24 -0800 Subject: [PATCH 06/38] Remove support for user supplied RBAC roles&assignments --- roles/bwc_rbac/tasks/main.yml | 20 -------------------- 1 file changed, 20 deletions(-) diff --git a/roles/bwc_rbac/tasks/main.yml b/roles/bwc_rbac/tasks/main.yml index 395bd02e..4a33e532 100644 --- a/roles/bwc_rbac/tasks/main.yml +++ b/roles/bwc_rbac/tasks/main.yml 
@@ -23,26 +23,6 @@ - rbac_assignments/* when: rbac_setup_default_assignments is defined and bwc_superuser is defined - - name: Copy user supplied RBAC roles to the box - template: - src: "{{ item }}" - dest: /opt/stackstorm/rbac/roles/"{{ item | basename | regex_replace('\.j2','') }}" - owner: st2 - group: st2 - with_fileglob: - - '"{{ rbac_roles_src_path }}"/*.j2' - when: rbac_roles_src_path is defined - - - name: Copy user supplied RBAC assignments to the box - template: - src: "{{ item }}" - dest: /opt/stackstorm/rbac/assignments/"{{ item | basename | regex_replace('\.j2','') }}" - owner: st2 - group: st2 - with_fileglob: - - '"{{ rbac_assignments_src_path }}"/*.j2' - when: rbac_assignments_src_path is defined - - name: Enable RBAC in st2 configuration become: yes ini_file: From b3772fc26b35b819f953ff506a475d4f2fda9a26 Mon Sep 17 00:00:00 2001 From: Lakshmi Kannan Date: Thu, 9 Mar 2017 15:09:37 -0800 Subject: [PATCH 07/38] Let's support roles and assignments via dicts --- .../files/rbac_assignments/assignments.yml.j2 | 5 +++++ .../files/rbac_assignments/stanley.yml | 5 ----- .../rbac_assignments/system_admin.yml.j2 | 5 ----- roles/bwc_rbac/files/rbac_roles/role.yml.j2 | 5 +++++ roles/bwc_rbac/tasks/main.yml | 21 +++++++++++++------ 5 files changed, 25 insertions(+), 16 deletions(-) create mode 100644 roles/bwc_rbac/files/rbac_assignments/assignments.yml.j2 delete mode 100644 roles/bwc_rbac/files/rbac_assignments/stanley.yml delete mode 100644 roles/bwc_rbac/files/rbac_assignments/system_admin.yml.j2 create mode 100644 roles/bwc_rbac/files/rbac_roles/role.yml.j2 diff --git a/roles/bwc_rbac/files/rbac_assignments/assignments.yml.j2 b/roles/bwc_rbac/files/rbac_assignments/assignments.yml.j2 new file mode 100644 index 00000000..e1c7a755 --- /dev/null +++ b/roles/bwc_rbac/files/rbac_assignments/assignments.yml.j2 @@ -0,0 +1,5 @@ +--- + + username: {{ item.name }} + roles: + - {{ item.roles }} 
diff --git a/roles/bwc_rbac/files/rbac_assignments/stanley.yml b/roles/bwc_rbac/files/rbac_assignments/stanley.yml deleted file mode 100644 index 4fc506cd..00000000 --- a/roles/bwc_rbac/files/rbac_assignments/stanley.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- - - username: "stanley" - roles: - - "admin" diff --git a/roles/bwc_rbac/files/rbac_assignments/system_admin.yml.j2 b/roles/bwc_rbac/files/rbac_assignments/system_admin.yml.j2 deleted file mode 100644 index 3abc86d3..00000000 --- a/roles/bwc_rbac/files/rbac_assignments/system_admin.yml.j2 +++ /dev/null @@ -1,5 +0,0 @@ ---- - - username: {{ bwc_superuser }} - roles: - - "system_admin" diff --git a/roles/bwc_rbac/files/rbac_roles/role.yml.j2 b/roles/bwc_rbac/files/rbac_roles/role.yml.j2 new file mode 100644 index 00000000..21f21bf6 --- /dev/null +++ b/roles/bwc_rbac/files/rbac_roles/role.yml.j2 @@ -0,0 +1,5 @@ +--- + +name: {{ item.name }} +description: {{ item.description }} +permission_grants: {{ item.permission_grants }} diff --git a/roles/bwc_rbac/tasks/main.yml b/roles/bwc_rbac/tasks/main.yml index 4a33e532..bcd6a2a5 100644 --- a/roles/bwc_rbac/tasks/main.yml +++ b/roles/bwc_rbac/tasks/main.yml 
@@ -12,16 +12,25 @@ - /opt/stackstorm/rbac/assignments - /opt/stackstorm/rbac/roles - - name: Copy default assignments to RBAC directory + - name: Copy RBAC roles to /opt/stackstorm/rbac/roles directory become: yes template: - src: "{{ item }}" - dest: /opt/stackstorm/rbac/assignments/{{ item | basename | regex_replace('\.j2','') }} + src: files/rbac_assignments/role.yml.j2 + dest: /opt/stackstorm/rbac/roles/{{ item.name }}.yml owner: st2 group: st2 - with_fileglob: - - rbac_assignments/* - when: rbac_setup_default_assignments is defined and bwc_superuser is defined + with_items: "{{ rbac_roles }}" + when: rbac_roles is defined + + - name: Copy RBAC assignments to /opt/stackstorm/rbac/assignments directory + become: yes + template: + src: files/rbac_assignments/assignments.yml.j2 + dest: /opt/stackstorm/rbac/assignments/{{ item.name }}.yml + owner: st2 + group: st2 + with_items: "{{ rbac_assignments }}" + when: rbac_assignments is defined - name: Enable RBAC in st2 configuration become: yes From 8548accb9b41354cfc88949936c39d09ec15ee1b Mon Sep 17 00:00:00 2001 From: Lakshmi Kannan Date: Thu, 9 Mar 2017 15:25:13 -0800 Subject: [PATCH 08/38] Rename files -> templates --- roles/bwc_rbac/tasks/main.yml | 4 ++-- .../{files => templates}/rbac_assignments/assignments.yml.j2 | 0 .../role.yml.j2 => templates/rbac_roles/roles.yml.j2} | 0 3 files changed, 2 insertions(+), 2 deletions(-) rename roles/bwc_rbac/{files => templates}/rbac_assignments/assignments.yml.j2 (100%) rename roles/bwc_rbac/{files/rbac_roles/role.yml.j2 => templates/rbac_roles/roles.yml.j2} (100%) diff --git a/roles/bwc_rbac/tasks/main.yml b/roles/bwc_rbac/tasks/main.yml index bcd6a2a5..eb215da0 100644 --- a/roles/bwc_rbac/tasks/main.yml +++ b/roles/bwc_rbac/tasks/main.yml 
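Review bot: `item.name` from `rbac_roles`/`rbac_assignments` is used as-is to build `dest: /opt/stackstorm/rbac/roles/{{ item.name }}.yml`; these come from playbook vars rather than untrusted input, but a name containing `/` or `..` would write outside the directory st2 loads definitions from. `dest: /opt/stackstorm/rbac/roles/{{ item.name | basename }}.yml` (and the same for assignments) keeps every file where `st2-apply-rbac-definitions` expects it, and since `name` is also what ends up inside the file, an `assert` that it matches a simple identifier pattern would catch typos early.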
@@ -15,7 +15,7 @@ - name: Copy RBAC roles to /opt/stackstorm/rbac/roles directory become: yes template: - src: files/rbac_assignments/role.yml.j2 + src: rbac_roles/roles.yml.j2 dest: /opt/stackstorm/rbac/roles/{{ item.name }}.yml owner: st2 group: st2 @@ -25,7 +25,7 @@ - name: Copy RBAC assignments to /opt/stackstorm/rbac/assignments directory become: yes template: - src: files/rbac_assignments/assignments.yml.j2 + src: rbac_assignments/assignments.yml.j2 dest: /opt/stackstorm/rbac/assignments/{{ item.name }}.yml owner: st2 group: st2 diff --git a/roles/bwc_rbac/files/rbac_assignments/assignments.yml.j2 b/roles/bwc_rbac/templates/rbac_assignments/assignments.yml.j2 similarity index 100% rename from roles/bwc_rbac/files/rbac_assignments/assignments.yml.j2 rename to roles/bwc_rbac/templates/rbac_assignments/assignments.yml.j2 diff --git a/roles/bwc_rbac/files/rbac_roles/role.yml.j2 b/roles/bwc_rbac/templates/rbac_roles/roles.yml.j2 similarity index 100% rename from roles/bwc_rbac/files/rbac_roles/role.yml.j2 rename to roles/bwc_rbac/templates/rbac_roles/roles.yml.j2 From a09cb88187863ff9c888463f8af20d90a6a4d635 Mon Sep 17 00:00:00 2001 From: Lakshmi Kannan Date: Thu, 9 Mar 2017 15:33:52 -0800 Subject: [PATCH 09/38] use to_nice_yaml --- roles/bwc_rbac/templates/rbac_assignments/assignments.yml.j2 | 3 +-- roles/bwc_rbac/templates/rbac_roles/roles.yml.j2 | 2 +- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/roles/bwc_rbac/templates/rbac_assignments/assignments.yml.j2 b/roles/bwc_rbac/templates/rbac_assignments/assignments.yml.j2 index e1c7a755..eadc3894 100644 --- a/roles/bwc_rbac/templates/rbac_assignments/assignments.yml.j2 +++ b/roles/bwc_rbac/templates/rbac_assignments/assignments.yml.j2 @@ -1,5 +1,4 @@ --- username: {{ item.name }} - roles: - - {{ item.roles }} + roles: {{ item.roles | to_nice_yaml }} diff --git a/roles/bwc_rbac/templates/rbac_roles/roles.yml.j2 b/roles/bwc_rbac/templates/rbac_roles/roles.yml.j2 index 21f21bf6..303333c4 100644 
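Review bot: `roles: {{ item.roles | to_nice_yaml }}` renders the list as a multi-line block sequence on the same line as the key, producing `roles: - admin` followed by further `- ...` entries at column 0, which a YAML loader rejects (a `- ` entry is not allowed after `key: `). Either put the key on its own line and indent the block, `roles:` then `{{ item.roles | to_nice_yaml | indent(4) }}` preceded by four spaces, or keep it single-line as a flow sequence: `roles: {{ item.roles | to_json }}`. `username: {{ item.name }}` deserves the same `| to_json` so a name with YAML-special characters cannot corrupt the assignment file.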
--- a/roles/bwc_rbac/templates/rbac_roles/roles.yml.j2 +++ b/roles/bwc_rbac/templates/rbac_roles/roles.yml.j2 @@ -2,4 +2,4 @@ name: {{ item.name }} description: {{ item.description }} -permission_grants: {{ item.permission_grants }} +permission_grants: {{ item.permission_grants | to_nice_yaml }} From ac4cd06478bc9aa98488ba895ec160effb0e2509 Mon Sep 17 00:00:00 2001 From: Lakshmi Kannan Date: Thu, 9 Mar 2017 15:34:22 -0800 Subject: [PATCH 10/38] use yaml as file ext and not yml --- roles/bwc_rbac/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/bwc_rbac/tasks/main.yml b/roles/bwc_rbac/tasks/main.yml index eb215da0..7e0c56cc 100644 --- a/roles/bwc_rbac/tasks/main.yml +++ b/roles/bwc_rbac/tasks/main.yml @@ -16,7 +16,7 @@ become: yes template: src: rbac_roles/roles.yml.j2 - dest: /opt/stackstorm/rbac/roles/{{ item.name }}.yml + dest: /opt/stackstorm/rbac/roles/{{ item.name }}.yaml owner: st2 group: st2 with_items: "{{ rbac_roles }}" @@ -26,7 +26,7 @@ become: yes template: src: rbac_assignments/assignments.yml.j2 - dest: /opt/stackstorm/rbac/assignments/{{ item.name }}.yml + dest: /opt/stackstorm/rbac/assignments/{{ item.name }}.yaml owner: st2 group: st2 with_items: "{{ rbac_assignments }}" From 69fd5508d64803539c0adf660b77c22279f6ff92 Mon Sep 17 00:00:00 2001 
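Review bot: `permission_grants: {{ item.permission_grants | to_nice_yaml }}` has the same shape problem as the assignments template: `to_nice_yaml` emits a block sequence of mappings, the first entry is glued to `permission_grants:` and the rest land at column 0, so the role file does not parse. `permission_grants: {{ item.permission_grants | to_json }}` gives a valid one-line flow sequence. `description: {{ item.description }}` is free text and should be `{{ item.description | to_json }}` as well, otherwise a `: ` or ` #` in the description breaks the file.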
From: Lakshmi Kannan Date: Thu, 9 Mar 2017 16:27:48 -0800 Subject: [PATCH 11/38] Move back RBAC to same role as BWC --- roles/bwc/defaults/main.yml | 2 + roles/bwc/handlers/main.yml | 5 ++ roles/bwc/meta/main.yml | 2 +- roles/bwc/tasks/ldap.yml | 22 +++++++++ roles/bwc/tasks/main.yml | 8 ++++ roles/bwc/tasks/rbac.yml | 47 +++++++++++++++++++ .../rbac_assignments/assignments.yml.j2 | 0 .../templates/rbac_roles/roles.yml.j2 | 0 8 files changed, 85 insertions(+), 1 deletion(-) create mode 100644 roles/bwc/handlers/main.yml create mode 100644 roles/bwc/tasks/ldap.yml create mode 100644 roles/bwc/tasks/rbac.yml rename roles/{bwc_rbac => bwc}/templates/rbac_assignments/assignments.yml.j2 (100%) rename roles/{bwc_rbac => bwc}/templates/rbac_roles/roles.yml.j2 (100%) diff --git a/roles/bwc/defaults/main.yml b/roles/bwc/defaults/main.yml index d7464c87..7fe931f7 100644 --- a/roles/bwc/defaults/main.yml +++ b/roles/bwc/defaults/main.yml @@ -4,3 +4,5 @@ bwc_pkg_repo: "enterprise" bwc_version: latest # used only if 'bwc_version' is numeric bwc_revision: 1 + +st2_config_file_path: /etc/st2/st2.conf diff --git a/roles/bwc/handlers/main.yml b/roles/bwc/handlers/main.yml new file mode 100644 index 00000000..9d49755f --- /dev/null +++ b/roles/bwc/handlers/main.yml @@ -0,0 +1,5 @@ +--- + +- name: reload bwc_rbac + become: yes + command: st2-apply-rbac-definitions --config-file {{ st2_config_file_path }} diff --git a/roles/bwc/meta/main.yml b/roles/bwc/meta/main.yml index 5ce11f14..63e5e3cb 100644 --- a/roles/bwc/meta/main.yml +++ b/roles/bwc/meta/main.yml @@ -1,6 +1,6 @@ --- galaxy_info: - description: Install BWC Entperprise components + description: Install BWC Entperprise components, setup RBAC and LDAP author: lakshmi-kannan company: StackStorm license: Apache 2.0 diff --git a/roles/bwc/tasks/ldap.yml b/roles/bwc/tasks/ldap.yml new file mode 100644 index 00000000..dc1f7f7f --- /dev/null +++ b/roles/bwc/tasks/ldap.yml 
@@ -0,0 +1,22 @@
+---
+
+- name: Setup st2.conf auth backend to LDAP
+ become: yes
+ ini_file:
+ dest: "{{ st2_config_file_path }}"
+ section: auth
+ option: backend
+ value: ldap
+ backup: yes
+
+- name: Setup st2.conf auth backend_kwargs for LDAP
+ become: yes
+ ini_file:
+ dest: "{{ st2_config_file_path }}"
+ section: auth
+ option: backend_kwargs
+ value: "{{ ldap.config | to_nice_json }}"
+ backup: yes
+ notify:
+ - restart st2api
+ - restart st2stream
diff --git a/roles/bwc/tasks/main.yml b/roles/bwc/tasks/main.yml
index 737b11e5..6aeb1ad4 100644
--- a/roles/bwc/tasks/main.yml
+++ b/roles/bwc/tasks/main.yml
@@ -19,3 +19,11 @@
 tags:
 - bwc
 - st2 enterprise
+
+- name: Setup RBAC and setup roles and assignments if enable_rbac is defined
+ include: "rbac.yml"
+ when: rbac is defined
+
+- name: Setup LDAP and set up LDAP configuration
+ include: "ldap.yml"
+ when: ldap is defined
diff --git a/roles/bwc/tasks/rbac.yml b/roles/bwc/tasks/rbac.yml
new file mode 100644
index 00000000..e75d4a1c
--- /dev/null
+++ b/roles/bwc/tasks/rbac.yml
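Review bot: `value: "{{ ldap.config | to_nice_json }}"` writes the LDAP bind DN and password into st2.conf and the task has no `no_log: true`, so the credentials appear in the change output (in full under `--diff`); `backup: yes` also leaves a timestamped copy of st2.conf that keeps the previous credentials around. Prefer `to_json` over `to_nice_json` as well: the pretty form is multi-line, `ini_file` writes the value verbatim, and the continuation lines are not indented as INI requires, so the option will not round-trip through st2's config parser. As far as I can tell from the service names, the auth backend is consumed by st2auth, which is not in the notify list (only st2api and st2stream are), and the `backend` task above notifies nothing, so a change of backend alone restarts nothing.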
@@ -0,0 +1,47 @@ +--- + + - name: Create BWC RBAC directories + become: yes + file: + path: "{{ item }}" + mode: "u+rw,g-wx,o-rwx" + owner: st2 + group: st2 + state: directory + with_items: + - /opt/stackstorm/rbac/assignments + - /opt/stackstorm/rbac/roles + + - name: Copy RBAC roles to /opt/stackstorm/rbac/roles directory + become: yes + template: + src: rbac_roles/roles.yml.j2 + dest: /opt/stackstorm/rbac/roles/{{ item.name }}.yaml + owner: st2 + group: st2 + with_items: "{{ rbac.roles }}" + when: rbac_roles is defined + + - name: Copy RBAC assignments to /opt/stackstorm/rbac/assignments directory + become: yes + template: + src: rbac_assignments/assignments.yml.j2 + dest: /opt/stackstorm/rbac/assignments/{{ item.name }}.yaml + owner: st2 + group: st2 + with_items: "{{ rbac.assignments }}" + when: rbac_assignments is defined + + - name: Enable RBAC in st2 configuration + become: yes + ini_file: + dest: /etc/st2/st2.conf + section: auth + option: enable + value: True + backup: yes + notify: + - restart st2 + - reload bwc_rbac + - restart st2api + diff --git a/roles/bwc_rbac/templates/rbac_assignments/assignments.yml.j2 b/roles/bwc/templates/rbac_assignments/assignments.yml.j2 similarity index 100% rename from roles/bwc_rbac/templates/rbac_assignments/assignments.yml.j2 rename to roles/bwc/templates/rbac_assignments/assignments.yml.j2 diff --git a/roles/bwc_rbac/templates/rbac_roles/roles.yml.j2 b/roles/bwc/templates/rbac_roles/roles.yml.j2 similarity index 100% rename from roles/bwc_rbac/templates/rbac_roles/roles.yml.j2 rename to roles/bwc/templates/rbac_roles/roles.yml.j2 From 1aa9d35ce023c28a42fe5661c699e1eafa876bcd Mon Sep 17 00:00:00 2001 
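Review bot: The guards `when: rbac_roles is defined` and `when: rbac_assignments is defined` test flat variables that nothing in this series sets, while the loops iterate `rbac.roles` and `rbac.assignments`; the role and assignment templates are therefore only written if a caller happens to define the unrelated flat names. The gates should test the same structure the loop reads, e.g. `when: rbac.roles is defined` and `when: rbac.assignments is defined`. The renames in PATCH 13 and PATCH 15 (`bwc_rbac_roles` vs `bwc_rbac.roles`) carry the same mismatch forward.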
From: Lakshmi Kannan Date: Thu, 9 Mar 2017 18:12:54 -0800 Subject: [PATCH 12/38] Remove separate RBAC role --- roles/bwc_rbac/defaults/main.yml | 3 --- roles/bwc_rbac/handlers/main.yml | 5 ---- roles/bwc_rbac/meta/main.yml | 24 ----------------- roles/bwc_rbac/tasks/main.yml | 46 -------------------------------- 4 files changed, 78 deletions(-) delete mode 100644 roles/bwc_rbac/defaults/main.yml delete mode 100644 roles/bwc_rbac/handlers/main.yml delete mode 100644 roles/bwc_rbac/meta/main.yml delete mode 100644 roles/bwc_rbac/tasks/main.yml diff --git a/roles/bwc_rbac/defaults/main.yml b/roles/bwc_rbac/defaults/main.yml deleted file mode 100644 index 96f7ddba..00000000 --- a/roles/bwc_rbac/defaults/main.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- - -st2_config_file_path: /etc/st2/st2.conf diff --git a/roles/bwc_rbac/handlers/main.yml b/roles/bwc_rbac/handlers/main.yml deleted file mode 100644 index 9d49755f..00000000 --- a/roles/bwc_rbac/handlers/main.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- - -- name: reload bwc_rbac - become: yes - command: st2-apply-rbac-definitions --config-file {{ st2_config_file_path }} diff --git a/roles/bwc_rbac/meta/main.yml b/roles/bwc_rbac/meta/main.yml deleted file mode 100644 index 0a86940a..00000000 --- a/roles/bwc_rbac/meta/main.yml +++ /dev/null @@ -1,24 +0,0 @@ ---- -galaxy_info: - description: Setup BWC RBAC - author: lakshmi-kannan - company: StackStorm - license: Apache 2.0 - min_ansible_version: 2.2 - platforms: - - name: Ubuntu - versions: - - trusty - - xenial - - name: EL - versions: - - 6 - - 7 - categories: - - stackstorm - - BWC - - Brocade Workflow Composer - - RBAC - dependencies: - - role: st2 - - role: bwc diff --git a/roles/bwc_rbac/tasks/main.yml b/roles/bwc_rbac/tasks/main.yml deleted file mode 100644 index 7e0c56cc..00000000 --- a/roles/bwc_rbac/tasks/main.yml +++ /dev/null 
@@ -1,46 +0,0 @@ ---- - - - name: Create BWC RBAC directories - become: yes - file: - path: "{{ item }}" - mode: "u+rw,g-wx,o-rwx" - owner: st2 - group: st2 - state: directory - with_items: - - /opt/stackstorm/rbac/assignments - - /opt/stackstorm/rbac/roles - - - name: Copy RBAC roles to /opt/stackstorm/rbac/roles directory - become: yes - template: - src: rbac_roles/roles.yml.j2 - dest: /opt/stackstorm/rbac/roles/{{ item.name }}.yaml - owner: st2 - group: st2 - with_items: "{{ rbac_roles }}" - when: rbac_roles is defined - - - name: Copy RBAC assignments to /opt/stackstorm/rbac/assignments directory - become: yes - template: - src: rbac_assignments/assignments.yml.j2 - dest: /opt/stackstorm/rbac/assignments/{{ item.name }}.yaml - owner: st2 - group: st2 - with_items: "{{ rbac_assignments }}" - when: rbac_assignments is defined - - - name: Enable RBAC in st2 configuration - become: yes - ini_file: - dest: /etc/st2/st2.conf - section: auth - option: enable - value: True - backup: yes - notify: - - restart st2 - - reload bwc_rbac - - restart st2api From ea34e3cb53f5981559c04b9cca70b52473650890 Mon Sep 17 00:00:00 2001 
From: Lakshmi Kannan Date: Fri, 10 Mar 2017 10:46:51 -0800 Subject: [PATCH 13/38] Coalesce bwc_repos into bwc --- roles/bwc/defaults/main.yml | 3 +- roles/bwc/tasks/bwc_repos_apt.yml | 31 ++++++++++++++++++ roles/bwc/tasks/bwc_repos_setup.yml | 28 ++++++++++++++++ roles/bwc/tasks/bwc_repos_yum.yml | 37 +++++++++++++++++++++ roles/bwc/tasks/ldap.yml | 2 +- roles/bwc/tasks/main.yml | 18 ++++++++--- roles/bwc/tasks/rbac.yml | 6 ++-- roles/bwc_repos/defaults/main.yml | 19 ----------- roles/bwc_repos/meta/main.yml | 22 ------------- roles/bwc_repos/tasks/bwc_repos_apt.yml | 40 ----------------------- roles/bwc_repos/tasks/bwc_repos_yum.yml | 43 ------------------------- roles/bwc_repos/tasks/main.yml | 6 ---- 12 files changed, 115 insertions(+), 140 deletions(-) create mode 100644 roles/bwc/tasks/bwc_repos_apt.yml create mode 100644 roles/bwc/tasks/bwc_repos_setup.yml create mode 100644 roles/bwc/tasks/bwc_repos_yum.yml delete mode 100644 roles/bwc_repos/defaults/main.yml delete mode 100644 roles/bwc_repos/meta/main.yml delete mode 100644 roles/bwc_repos/tasks/bwc_repos_apt.yml delete mode 100644 roles/bwc_repos/tasks/bwc_repos_yum.yml delete mode 100644 roles/bwc_repos/tasks/main.yml diff --git a/roles/bwc/defaults/main.yml b/roles/bwc/defaults/main.yml index 7fe931f7..82f3a86d 100644 --- a/roles/bwc/defaults/main.yml +++ b/roles/bwc/defaults/main.yml @@ -1,8 +1,9 @@ --- +# BWC PackageCloud repository to install: enterprise, enterprise-unstable, staging-enterprise, staging-enterprise-unstable. bwc_pkg_repo: "enterprise" # 'latest' to get latest version or numeric like '2.1.1' bwc_version: latest # used only if 'bwc_version' is numeric bwc_revision: 1 -st2_config_file_path: /etc/st2/st2.conf +master_token: "{{ bwc_license }}" diff --git a/roles/bwc/tasks/bwc_repos_apt.yml b/roles/bwc/tasks/bwc_repos_apt.yml new file mode 100644 index 00000000..5859f5cb --- /dev/null +++ b/roles/bwc/tasks/bwc_repos_apt.yml 
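Review bot: `master_token: "{{ bwc_license }}"` is added to the role defaults, but none of the new repo tasks in this commit reference it; they read `bwc_license` directly, and the assertion task is titled "master_token is specified" while testing `bwc_license`. Either have the tasks consume `master_token` so a caller can override a single documented name, or drop the alias and rename the assertion, so the license is carried by exactly one variable.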
@@ -0,0 +1,31 @@ +--- + +- name: Assert that master_token is specified + fail: msg="License key must be supplied for BWC enterprise installation." + when: bwc_license is not defined + +- name: Install prereqs (Debian) + become: yes + apt: + name: "{{ item }}" + state: present + with_items: + - debian-archive-keyring + - apt-transport-https + +# This is the exact key as the open source repo but this behavior might change. +- name: Add keys to keyring + become: yes + apt_key: + id: 418A7F2FB0E1E6E7EABF6FE8C2E73424D59097AB + url: https://packagecloud.io/StackStorm/{{ bwc_pkg_repo }}/gpgkey + state: present + +- name: "Add packagecloud.io repository: StackStorm/{{ bwc_pkg_repo }} with generated read token {{ bwc_read_token }}" + become: yes + apt_repository: + repo: 'deb https://{{ bwc_read_token }}:packagecloud.io/StackStorm/{{ st2_pkg_repo }}/{{ ansible_distribution|lower }}/ {{ ansible_distribution_release|lower }} main' + state: present + update_cache: yes + register: added_bwc_deb_repository + diff --git a/roles/bwc/tasks/bwc_repos_setup.yml b/roles/bwc/tasks/bwc_repos_setup.yml new file mode 100644 index 00000000..61c384a7 --- /dev/null +++ b/roles/bwc/tasks/bwc_repos_setup.yml 
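Review bot: The `repo:` line embeds the packagecloud read token in the apt source entry, and the list file that `apt_repository` writes under /etc/apt/sources.list.d is created world-readable by default, so any local account can recover the repository credential; module arguments containing the token are also printed under `-v`. Keep the credential out of the source line by placing it in `/etc/apt/auth.conf` (root-only) with a credential-free URL, or at least follow this task with a `file` task setting `mode: "0600"` on the generated list, and add `no_log: yes` here. The `apt_key` task pins the key by fingerprint, which is good; it is worth confirming that the unauthenticated `gpgkey` URL is reachable for private repos. The PATCH 14 revision of this file keeps the credential-in-source-line pattern.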
@@ -0,0 +1,28 @@ +--- + +- name: Assert that master_token is specified + fail: msg="License key must be supplied for BWC enterprise installation." + when: bwc_license is not defined + +- name: Get read token for repo from packagecloud + become: yes + uri: + url: https://packagecloud.io/install/repositories/StackStorm/{{ bwc_pkg_repo }}/tokens.text + user: "{{ bwc_license }}" + creates: "/etc/packagecloud/read_token.txt" # Don't download if file already exists + force_basic_auth: yes + headers: + Content-Type: "application/x-www-form-urlencoded" + body: "name={{ ansible_nodename }}" + +- name: Set bwc_read_token variable + set_fact: + bwc_read_token: "{{ lookup('file', '/etc/packagecloud/read_token.txt') }}" + +- name: Add BWC enterprise repos on {{ ansible_distribution }} + include: bwc_repos_{{ ansible_pkg_mgr }}.yml + tags: + - BWC repos + - StackStorm enterprise + register: bwc_repo_added + when: bwc_read_token != '' diff --git a/roles/bwc/tasks/bwc_repos_yum.yml b/roles/bwc/tasks/bwc_repos_yum.yml new file mode 100644 index 00000000..4defb85f --- /dev/null +++ b/roles/bwc/tasks/bwc_repos_yum.yml 
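Review bot: `lookup('file', '/etc/packagecloud/read_token.txt')` in the `Set bwc_read_token variable` task is evaluated on the Ansible control node, not on the managed host where the `uri` task runs, so outside a local-connection run such as the Kitchen CI the lookup fails or reads an unrelated controller file. Register the `uri` result and take the token from it, or fetch the file with `slurp` and `b64decode`, instead of a file lookup. The `uri` task also sends the master license as `user:` and echoes its arguments on failure or under `-v`; give it `no_log: yes`. I am not certain that `register: bwc_repo_added` on an `include` yields a result in Ansible 2.2, yet tasks/main.yml gates the package installs on `bwc_repo_added|success`; please verify. The PATCH 14 revision of this file keeps the controller-side lookup.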
@@ -0,0 +1,37 @@ +--- + +# Fixes "Failure talking to yum: Cannot retrieve repository metadata (repomd.xml) for repository: StackStorm_stable. Please verify its path and try again" when installing st2 +- name: Update ca-certificates package + become: yes + yum: + name: ca-certificates + state: latest + tags: skip_ansible_lint + +# See: https://github.com/docker-library/docs/tree/master/centos#package-documentation +# We ship `nginx.conf` via `st2` package doc files, for example +- name: Enable shipping package documentation files for EL + become: yes + ini_file: + dest: /etc/yum.conf + section: main + option: tsflags + value: nodocs + state: absent + when: ansible_os_family == "RedHat" + +- name: "Add packagecloud.io repository: StackStorm/{{ bwc_pkg_repo }} with generated read token {{ bwc_read_token }}" + become: yes + yum_repository: + name: "StackStorm_{{ bwc_pkg_repo }}" + description: "StackStorm_{{ bwc_pkg_repo }}" + file: "StackStorm_{{ bwc_pkg_repo }}" + baseurl: https://packagecloud.io/StackStorm/{{ bwc_pkg_repo }}/el/{{ ansible_distribution_major_version }}/$basearch + repo_gpgcheck: yes + gpgkey: "https://{{ bwc_read_token }}:packagecloud.io/StackStorm/{{ bwc_pkg_repo }}/gpgkey" + sslcacert: /etc/pki/tls/certs/ca-bundle.crt + metadata_expire: 300 + gpgcheck: no + enabled: yes + sslverify: yes + register: added_bwc_rpm_repository diff --git a/roles/bwc/tasks/ldap.yml b/roles/bwc/tasks/ldap.yml index dc1f7f7f..b7a115d8 100644 --- a/roles/bwc/tasks/ldap.yml +++ b/roles/bwc/tasks/ldap.yml @@ -12,7 +12,7 @@ - name: Setup st2.conf auth backend_kwargs for LDAP become: yes ini_file: - dest: "{{ st2_config_file_path }}" + dest: /etc/st2/st2.conf section: auth option: backend_kwargs value: "{{ ldap.config | to_nice_json }}" diff --git a/roles/bwc/tasks/main.yml b/roles/bwc/tasks/main.yml index 6aeb1ad4..ae0868c8 100644 --- a/roles/bwc/tasks/main.yml +++ b/roles/bwc/tasks/main.yml 
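Review bot: `gpgcheck: no` in the `yum_repository` task disables per-package signature verification, so the trust chain for installed RPMs rests entirely on TLS plus the signed repository metadata (`repo_gpgcheck: yes`) and on the `gpgkey` URL resolving correctly; if that key fetch fails or `repo_gpgcheck` is later relaxed, packages install with no signature check at all. If the enterprise RPMs are signed, set `gpgcheck: yes`; if they are not, add a comment stating that so the weaker trust model is a recorded decision rather than an oversight. `sslverify: yes` with an explicit `sslcacert` is appropriate and should stay.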
@@ -1,11 +1,18 @@ --- +- name: Add BWC enterprise repos + include: bwc_repos_setup.yml + tags: + - BWC repos + - StackStorm enterprise + - name: Install latest bwc-enterprise package become: yes package: name: bwc-enterprise state: latest - when: bwc_version == "latest" + register: bwc_installed + when: bwc_repo_added|success and bwc_version == "latest" tags: - bwc - st2 enterprise @@ -15,15 +22,16 @@ package: name: bwc-enterprise={{ bwc_version }}-{{ bwc_revision }} state: present - when: bwc_version != "latest" + register: bwc_installed + when: bwc_repo_added|success and bwc_version != "latest" tags: - bwc - st2 enterprise -- name: Setup RBAC and setup roles and assignments if enable_rbac is defined +- name: Setup RBAC and setup roles and assignments if bwc_rbac is defined include: "rbac.yml" - when: rbac is defined + when: bwc_installed|success and bwc_rbac is defined - name: Setup LDAP and set up LDAP configuration include: "ldap.yml" - when: ldap is defined + when: bwc_installed|success and bwc_ldap is defined diff --git a/roles/bwc/tasks/rbac.yml b/roles/bwc/tasks/rbac.yml index e75d4a1c..8e3547a7 100644 --- a/roles/bwc/tasks/rbac.yml +++ b/roles/bwc/tasks/rbac.yml @@ -20,7 +20,7 @@ owner: st2 group: st2 with_items: "{{ rbac.roles }}" - when: rbac_roles is defined + when: bwc_rbac_roles is defined - name: Copy RBAC assignments to /opt/stackstorm/rbac/assignments directory become: yes @@ -30,13 +30,13 @@ owner: st2 group: st2 with_items: "{{ rbac.assignments }}" - when: rbac_assignments is defined + when: bwc_rbac_assignments is defined - name: Enable RBAC in st2 configuration become: yes ini_file: dest: /etc/st2/st2.conf - section: auth + section: rbac option: enable value: True backup: yes diff --git a/roles/bwc_repos/defaults/main.yml b/roles/bwc_repos/defaults/main.yml deleted file mode 100644 index 9028d94e..00000000 --- a/roles/bwc_repos/defaults/main.yml +++ /dev/null 
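Review bot: Both `bwc-enterprise` install tasks now `register: bwc_installed`, and exactly one of them is skipped on every run, so the later task overwrites the variable with a skipped result; `bwc_installed|success` in the RBAC and LDAP includes then reports on the skipped task rather than on the install that actually ran. Register distinct names (`bwc_installed_latest`, `bwc_installed_pinned`) or set a single fact after the installs and gate the includes on that. Note also that the pinned `name: bwc-enterprise={{ bwc_version }}-{{ bwc_revision }}` (unchanged context) is apt version syntax, which the generic `package` module appears to pass to yum unchanged on EL hosts; that predates this change but deserves a follow-up.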
@@ -1,19 +0,0 @@ ---- -# BWC PackageCloud repository to install: enterprise, enterprise-unstable, staging-enterprise, staging-enterprise-unstable. -bwc_pkg_repo: enterprise - -deb_os: "{{ ansible_distribution|lower }}" -deb_os_version: "{{ ansible_distribution_release|lower }}" - -rpm_os: "el" -rpm_os_version: "{{ ansible_distribution_major_version }}" - -master_token: "{{ license }}" - -deb_gpg_key_url: "https://{{ master_token }}:@packagecloud.io/install/repositories/StackStorm/enterprise/gpg_key_url.list?os={{ deb_os }}&dist={{ deb_os_version }}&name={{ ansible_nodename }}" - -deb_config_file_url: "https://{{ master_token }}:@packagecloud.io/install/repositories/StackStorm/{{ bwc_pkg_repo }}/config_file.list?os={{ deb_os }}&dist={{ deb_os_version }}&name={{ ansible_nodename }}" -deb_config_file_location: "/etc/apt/sources.list.d/packagecloud_io_StackStorm_{{ bwc_pkg_repo }}.list" - -rpm_config_file_url: "https://{{ master_token }}:@packagecloud.io/install/repositories/StackStorm/{{ bwc_pkg_repo }}/config_file.repo?os={{ rpm_os }}&dist={{ rpm_os_version }}&name={{ ansible_nodename }}" -rpm_config_file_location: "/etc/yum.repos.d/packagecloud_io_StackStorm_{{ bwc_pkg_repo }}.repo" diff --git a/roles/bwc_repos/meta/main.yml b/roles/bwc_repos/meta/main.yml deleted file mode 100644 index ccf22a17..00000000 --- a/roles/bwc_repos/meta/main.yml +++ /dev/null @@ -1,22 +0,0 @@ ---- -galaxy_info: - description: Install BWC PackageCloud repository - author: lakshmi-kannan - company: StackStorm - license: Apache 2.0 - min_ansible_version: 2.2 - platforms: - - name: Ubuntu - versions: - - trusty - - xenial - - name: EL - versions: - - 6 - - 7 - categories: - - stackstorm - - BWC - - Brocade Workflow Composer - - repositories - - packagecloud diff --git a/roles/bwc_repos/tasks/bwc_repos_apt.yml b/roles/bwc_repos/tasks/bwc_repos_apt.yml deleted file mode 100644 index c908fc77..00000000 --- a/roles/bwc_repos/tasks/bwc_repos_apt.yml +++ /dev/null 
@@ -1,40 +0,0 @@ ---- - -- name: Assert that master_token is specified - fail: msg="License key must be supplied for BWC enterprise installation." - when: license is not defined - -- name: Install prereqs (Debian) - become: yes - apt: - name: "{{ item }}" - state: present - with_items: - - debian-archive-keyring - - apt-transport-https - -- name: Get GPG key URL for private repo - become: yes - shell: 'curl "{{ deb_gpg_key_url }}"' - register: deb_gpg_key - -# This is the exact key as the open source repo but this behavior might change. So just -# following what's in packagecloud docs for private repos. -- name: Add GPG key to keyring - become: yes - shell: 'curl -L "{{ deb_gpg_key.stdout }}" | apt-key add -' - when: ansible_os_family == "Debian" and license is defined - -- name: "Adding packagecloud.io repository: StackStorm/{{ bwc_pkg_repo }} with generated read token" - become: yes - shell: 'curl "{{ deb_config_file_url }}" > {{ deb_config_file_location }}' - args: - creates: "{{ deb_config_file_location }}" - register: added_bwc_deb_repository - when: ansible_os_family == "Debian" and license is defined - -- name: Update APT package cache - become: yes - apt: - update_cache: true - when: ansible_os_family == "Debian" and added_bwc_deb_repository|success diff --git a/roles/bwc_repos/tasks/bwc_repos_yum.yml b/roles/bwc_repos/tasks/bwc_repos_yum.yml deleted file mode 100644 index 8e70265b..00000000 --- a/roles/bwc_repos/tasks/bwc_repos_yum.yml +++ /dev/null 
@@ -1,43 +0,0 @@ ---- - -- name: Assert that master_token is specified - fail: msg="License key must be supplied for BWC enterprise installation." - when: license is not defined - -# Fixes "Failure talking to yum: Cannot retrieve repository metadata (repomd.xml) for repository: StackStorm_stable. Please verify its path and try again" when installing st2 -- name: Update ca-certificates package - become: yes - yum: - name: ca-certificates - state: latest - tags: skip_ansible_lint - -# See: https://github.com/docker-library/docs/tree/master/centos#package-documentation -# We ship `nginx.conf` via `st2` package doc files, for example -- name: Enable shipping package documentation files for EL - become: yes - ini_file: - dest: /etc/yum.conf - section: main - option: tsflags - value: nodocs - state: absent - when: ansible_os_family == "RedHat" - -- name: Add BWC enterprise repo - become: yes - shell: 'curl "{{ rpm_config_file_url }}" > {{ rpm_config_file_location }}' - args: - creates: "{{ rpm_config_file_location }}" - register: added_bwc_rpm_repository - when: ansible_os_family == "RedHat" and license is defined - -- name: Update yum package cache - become: yes - shell: yum -q makecache -y --disablerepo='*' --enablerepo='StackStorm_{{ bwc_pkg_repo|replace("/", "_") }}' - when: ansible_os_family == "RedHat" and added_bwc_rpm_repository|success - -- name: Update yum package cache BWC enterprise source repo - become: yes - shell: yum -q makecache -y --disablerepo='*' --enablerepo='StackStorm_{{ bwc_pkg_repo|replace("/", "_") }}-source' - when: ansible_os_family == "RedHat" and added_bwc_rpm_repository|success diff --git a/roles/bwc_repos/tasks/main.yml b/roles/bwc_repos/tasks/main.yml deleted file mode 100644 index 9ec1dcc9..00000000 --- a/roles/bwc_repos/tasks/main.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: Add BWC enterprise repos on {{ ansible_distribution }} - include: bwc_repos_{{ ansible_pkg_mgr }}.yml - tags: - - BWC repos - - StackStorm enterprise 
From 22f86a10d6b4e148ae3080d9c4105d6d078568d9 Mon Sep 17 00:00:00 2001 From: Lakshmi Kannan Date: Fri, 10 Mar 2017 14:33:13 -0800 Subject: [PATCH 14/38] Fixes after testing --- roles/bwc/tasks/bwc_repos_apt.yml | 5 +++-- roles/bwc/tasks/bwc_repos_setup.yml | 20 ++++++++++++++++---- roles/bwc/tasks/bwc_repos_yum.yml | 4 ++-- roles/bwc/tasks/ldap.yml | 3 +++ roles/bwc/tasks/rbac.yml | 2 +- 5 files changed, 25 insertions(+), 9 deletions(-) diff --git a/roles/bwc/tasks/bwc_repos_apt.yml b/roles/bwc/tasks/bwc_repos_apt.yml index 5859f5cb..174905aa 100644 --- a/roles/bwc/tasks/bwc_repos_apt.yml +++ b/roles/bwc/tasks/bwc_repos_apt.yml @@ -21,10 +21,11 @@ url: https://packagecloud.io/StackStorm/{{ bwc_pkg_repo }}/gpgkey state: present -- name: "Add packagecloud.io repository: StackStorm/{{ bwc_pkg_repo }} with generated read token {{ bwc_read_token }}" +- name: "Add packagecloud.io repository: StackStorm/{{ bwc_pkg_repo }}" become: yes apt_repository: - repo: 'deb https://{{ bwc_read_token }}:packagecloud.io/StackStorm/{{ st2_pkg_repo }}/{{ ansible_distribution|lower }}/ {{ ansible_distribution_release|lower }} main' + filename: "StackStorm_{{ bwc_pkg_repo }}" + repo: 'deb https://{{ bwc_read_token }}:@packagecloud.io/StackStorm/{{ bwc_pkg_repo }}/{{ ansible_distribution|lower }}/ {{ ansible_distribution_release|lower }} main' state: present update_cache: yes register: added_bwc_deb_repository diff --git a/roles/bwc/tasks/bwc_repos_setup.yml b/roles/bwc/tasks/bwc_repos_setup.yml index 61c384a7..cb54e8bf 100644 --- a/roles/bwc/tasks/bwc_repos_setup.yml +++ b/roles/bwc/tasks/bwc_repos_setup.yml 
@@ -4,20 +4,32 @@ fail: msg="License key must be supplied for BWC enterprise installation." when: bwc_license is not defined +- name: Create packagecloud dir + become: yes + file: + path: "/etc/packagecloud" + mode: "u=rwx,g=rx,o=rx" + owner: st2 + group: st2 + state: directory + - name: Get read token for repo from packagecloud become: yes uri: - url: https://packagecloud.io/install/repositories/StackStorm/{{ bwc_pkg_repo }}/tokens.text - user: "{{ bwc_license }}" - creates: "/etc/packagecloud/read_token.txt" # Don't download if file already exists + url: https://{{ bwc_license }}:@packagecloud.io/install/repositories/StackStorm/{{ bwc_pkg_repo }}/tokens.text + creates: "/etc/packagecloud/StackStorm_{{ bwc_pkg_repo }}_read_token.txt" # Don't download if file already exists + dest: "/etc/packagecloud/StackStorm_{{ bwc_pkg_repo }}_read_token.txt" force_basic_auth: yes + method: POST + status_code: 201,200 headers: Content-Type: "application/x-www-form-urlencoded" body: "name={{ ansible_nodename }}" - name: Set bwc_read_token variable + become: yes set_fact: - bwc_read_token: "{{ lookup('file', '/etc/packagecloud/read_token.txt') }}" + bwc_read_token: "{{ lookup('file', '/etc/packagecloud/StackStorm_{{ bwc_pkg_repo }}_read_token.txt') }}" - name: Add BWC enterprise repos on {{ ansible_distribution }} include: bwc_repos_{{ ansible_pkg_mgr }}.yml diff --git a/roles/bwc/tasks/bwc_repos_yum.yml b/roles/bwc/tasks/bwc_repos_yum.yml index 4defb85f..75b24141 100644 --- a/roles/bwc/tasks/bwc_repos_yum.yml +++ b/roles/bwc/tasks/bwc_repos_yum.yml 
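Review bot: The read token is now saved via `dest:` but without `mode:`, so the file is created with the default umask (typically 0644) inside a directory created `o=rx`, leaving the repository credential readable by every local account. The `uri` module should accept the file common arguments when `dest` is set, so add `mode: "0600"` with `owner: root` and `group: root` to that task, and since the master license is now part of the URL, add `no_log: yes` so a failed request does not print it. The `Create packagecloud dir` task assigns the directory to `st2`, which has no apparent need to own it; `root` is the safer default.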
@@ -20,13 +20,13 @@ state: absent when: ansible_os_family == "RedHat" -- name: "Add packagecloud.io repository: StackStorm/{{ bwc_pkg_repo }} with generated read token {{ bwc_read_token }}" +- name: "Add packagecloud.io repository: StackStorm/{{ bwc_pkg_repo }}" become: yes yum_repository: name: "StackStorm_{{ bwc_pkg_repo }}" description: "StackStorm_{{ bwc_pkg_repo }}" file: "StackStorm_{{ bwc_pkg_repo }}" - baseurl: https://packagecloud.io/StackStorm/{{ bwc_pkg_repo }}/el/{{ ansible_distribution_major_version }}/$basearch + baseurl: https://{{ bwc_read_token }}:@packagecloud.io/StackStorm/{{ bwc_pkg_repo }}/el/{{ ansible_distribution_major_version }}/$basearch repo_gpgcheck: yes gpgkey: "https://{{ bwc_read_token }}:packagecloud.io/StackStorm/{{ bwc_pkg_repo }}/gpgkey" sslcacert: /etc/pki/tls/certs/ca-bundle.crt diff --git a/roles/bwc/tasks/ldap.yml b/roles/bwc/tasks/ldap.yml index b7a115d8..1f2c8881 100644 --- a/roles/bwc/tasks/ldap.yml +++ b/roles/bwc/tasks/ldap.yml @@ -8,6 +8,9 @@ option: backend value: ldap backup: yes + notify: + - restart st2api + - restart st2stream - name: Setup st2.conf auth backend_kwargs for LDAP become: yes diff --git a/roles/bwc/tasks/rbac.yml b/roles/bwc/tasks/rbac.yml index 8e3547a7..e962d968 100644 --- a/roles/bwc/tasks/rbac.yml +++ b/roles/bwc/tasks/rbac.yml @@ -4,7 +4,7 @@ become: yes file: path: "{{ item }}" - mode: "u+rw,g-wx,o-rwx" + mode: "u=rwx,g=r,o=r" owner: st2 group: st2 state: directory From 1c1ebd08f147161b0af7e29637cc5452f4fbce9d Mon Sep 17 00:00:00 2001 From: Lakshmi Kannan Date: Fri, 10 Mar 2017 14:40:30 -0800 Subject: [PATCH 15/38] Fix variable names --- roles/bwc/tasks/ldap.yml | 4 ++-- roles/bwc/tasks/rbac.yml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/bwc/tasks/ldap.yml b/roles/bwc/tasks/ldap.yml index 1f2c8881..0fe7a2e9 100644 --- a/roles/bwc/tasks/ldap.yml +++ b/roles/bwc/tasks/ldap.yml 
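Review bot: `mode: "u=rwx,g=r,o=r"` on the RBAC directories grants group and others read without the search bit, which on a directory lets them list entry names but not open anything beneath; that is rarely the intent. If only the `st2` owner needs access, `u=rwx,g=rx,o=` (or octal `"0750"`) expresses least privilege cleanly; if others must read the definitions they need `x` as well.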
@@ -3,7 +3,7 @@ - name: Setup st2.conf auth backend to LDAP become: yes ini_file: - dest: "{{ st2_config_file_path }}" + dest: /etc/st2/st2.conf section: auth option: backend value: ldap @@ -18,7 +18,7 @@ dest: /etc/st2/st2.conf section: auth option: backend_kwargs - value: "{{ ldap.config | to_nice_json }}" + value: "{{ bwc_ldap.config | to_nice_json }}" backup: yes notify: - restart st2api diff --git a/roles/bwc/tasks/rbac.yml b/roles/bwc/tasks/rbac.yml index e962d968..01ccecbf 100644 --- a/roles/bwc/tasks/rbac.yml +++ b/roles/bwc/tasks/rbac.yml @@ -19,7 +19,7 @@ dest: /opt/stackstorm/rbac/roles/{{ item.name }}.yaml owner: st2 group: st2 - with_items: "{{ rbac.roles }}" + with_items: "{{ bwc_rbac.roles }}" when: bwc_rbac_roles is defined - name: Copy RBAC assignments to /opt/stackstorm/rbac/assignments directory @@ -29,7 +29,7 @@ dest: /opt/stackstorm/rbac/assignments/{{ item.name }}.yaml owner: st2 group: st2 - with_items: "{{ rbac.assignments }}" + with_items: "{{ bwc_rbac.assignments }}" when: bwc_rbac_assignments is defined - name: Enable RBAC in st2 configuration From bd198f21802ea3013c4803fa7a017bfff5fe88b9 Mon Sep 17 00:00:00 2001 From: Lakshmi Kannan Date: Fri, 10 Mar 2017 15:00:52 -0800 Subject: [PATCH 16/38] Fix st2.conf file path --- roles/bwc/handlers/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/bwc/handlers/main.yml b/roles/bwc/handlers/main.yml index 9d49755f..c31ee83d 100644 --- a/roles/bwc/handlers/main.yml +++ b/roles/bwc/handlers/main.yml @@ -2,4 +2,4 @@ - name: reload bwc_rbac become: yes - command: st2-apply-rbac-definitions --config-file {{ st2_config_file_path }} + command: st2-apply-rbac-definitions --config-file /etc/st2/st2.conf From 17d7045e1092349ebe91bab88febaaabbb97ea1a Mon Sep 17 00:00:00 2001 From: Lakshmi Kannan Date: Fri, 10 Mar 2017 17:17:35 -0800 Subject: [PATCH 17/38] @ me baby one more time --- roles/bwc/tasks/bwc_repos_yum.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/roles/bwc/tasks/bwc_repos_yum.yml b/roles/bwc/tasks/bwc_repos_yum.yml index 75b24141..a48bb916 100644 --- a/roles/bwc/tasks/bwc_repos_yum.yml +++ b/roles/bwc/tasks/bwc_repos_yum.yml @@ -28,7 +28,7 @@ file: "StackStorm_{{ bwc_pkg_repo }}" baseurl: https://{{ bwc_read_token }}:@packagecloud.io/StackStorm/{{ bwc_pkg_repo }}/el/{{ ansible_distribution_major_version }}/$basearch repo_gpgcheck: yes - gpgkey: "https://{{ bwc_read_token }}:packagecloud.io/StackStorm/{{ bwc_pkg_repo }}/gpgkey" + gpgkey: "https://{{ bwc_read_token }}:@packagecloud.io/StackStorm/{{ bwc_pkg_repo }}/gpgkey" sslcacert: /etc/pki/tls/certs/ca-bundle.crt metadata_expire: 300 gpgcheck: no From aaccdab546bdb433af19555eb1ead2a659e89cfb Mon Sep 17 00:00:00 2001 From: Lakshmi Kannan Date: Fri, 10 Mar 2017 17:53:06 -0800 Subject: [PATCH 18/38] Setup CI --- .kitchen.yml | 2 ++ .travis.yml | 16 ++++++++-------- stackstorm.yml | 1 + 3 files changed, 11 insertions(+), 8 deletions(-) diff --git a/.kitchen.yml b/.kitchen.yml index 4354d5d3..ff859f96 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -16,6 +16,8 @@ provisioner: idempotency_test: true extra_vars: st2_pkg_repo: <%= ENV['ST2_REPO'] || 'stable' %> + bwc_pkg_repo: <%= ENV['BWC_REPO'] || 'enterprise' %> + bwc_license: <%= ENV[ENV['LICENSE']] || ENV['BWC_ENTERPRISE_LICENSE'] %> platforms: # Ubuntu Trusty with Upstart diff --git a/.travis.yml b/.travis.yml index 257df504..fc933dcb 100644 --- a/.travis.yml +++ b/.travis.yml 
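Review bot: `bwc_license: <%= ENV[ENV['LICENSE']] || ENV['BWC_ENTERPRISE_LICENSE'] %>` renders to an empty value when neither variable is set, which YAML loads as `null`; `null` still satisfies `is defined`, so the `bwc_license is not defined` assertion in bwc_repos_setup.yml passes and the token request is sent with an empty credential. Quote the rendered value (`bwc_license: "<%= ... %>"`) and extend the role's guard to `when: bwc_license is not defined or not bwc_license`. Kitchen may also echo extra_vars, so the license key can appear in CI output unless the job masks it.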
@@ -9,16 +9,16 @@ branches: env: # default is stable repo - - DISTRO=ubuntu-14 - - DISTRO=ubuntu-16 - - DISTRO=centos-6 - - DISTRO=centos-7 + - DISTRO=ubuntu-14 LICENSE='BWC_ENTERPRISE_LICENSE' + - DISTRO=ubuntu-16 LICENSE='BWC_ENTERPRISE_LICENSE' + - DISTRO=centos-6 LICENSE='BWC_ENTERPRISE_LICENSE' + - DISTRO=centos-7 LICENSE='BWC_ENTERPRISE_LICENSE' # StackStorm 'unstable' repo check - - DISTRO=ubuntu-14 ST2_REPO=unstable - - DISTRO=ubuntu-16 ST2_REPO=unstable - - DISTRO=centos-6 ST2_REPO=unstable - - DISTRO=centos-7 ST2_REPO=unstable + - DISTRO=ubuntu-14 ST2_REPO=unstable BWC_REPO=enterprise-unstable LICENSE='BWC_ENTERPRISE_LICENSE_UNSTABLE' + - DISTRO=ubuntu-16 ST2_REPO=unstable BWC_REPO=enterprise-unstable LICENSE='BWC_ENTERPRISE_LICENSE_UNSTABLE' + - DISTRO=centos-6 ST2_REPO=unstable BWC_REPO=enterprise-unstable LICENSE='BWC_ENTERPRISE_LICENSE_UNSTABLE' + - DISTRO=centos-7 ST2_REPO=unstable BWC_REPO=enterprise-unstable LICENSE='BWC_ENTERPRISE_LICENSE_UNSTABLE' script: # run kitchen tests (destroy, create, converge, setup, verify and destroy) diff --git a/stackstorm.yml b/stackstorm.yml index d2fea996..1cb92274 100644 --- a/stackstorm.yml +++ b/stackstorm.yml @@ -12,3 +12,4 @@ - st2web - nodejs - st2smoketests + - bwc From 18da1159005cb3387e269f2544afe39bb6842fad Mon Sep 17 00:00:00 2001 From: Lakshmi Kannan Date: Fri, 10 Mar 2017 18:00:21 -0800 Subject: [PATCH 19/38] Lint fix --- roles/bwc/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/bwc/tasks/main.yml b/roles/bwc/tasks/main.yml index ae0868c8..68abdc6b 100644 --- a/roles/bwc/tasks/main.yml +++ b/roles/bwc/tasks/main.yml @@ -16,6 +16,7 @@ tags: - bwc - st2 enterprise + - skip_ansible_lint - name: Install pinned bwc-enterprise package become: yes From a5f2478f3d561de3b7fcfa604bbfdfe0685a574c Mon Sep 17 00:00:00 2001 
From: Lakshmi Kannan Date: Mon, 13 Mar 2017 12:59:00 -0700 Subject: [PATCH 20/38] Variable name goofups (fix) --- .kitchen.yml | 3 ++- .travis.yml | 16 ++++++++-------- 2 files changed, 10 insertions(+), 9 deletions(-) diff --git a/.kitchen.yml b/.kitchen.yml index ff859f96..24bcbce7 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -17,7 +17,8 @@ provisioner: extra_vars: st2_pkg_repo: <%= ENV['ST2_REPO'] || 'stable' %> bwc_pkg_repo: <%= ENV['BWC_REPO'] || 'enterprise' %> - bwc_license: <%= ENV[ENV['LICENSE']] || ENV['BWC_ENTERPRISE_LICENSE'] %> + license_var: <%= ENV['LICENSE'] %> + bwc_license: <%= ENV[ENV['LICENSE']] || ENV['BWC_LICENSE_ENTERPRISE'] %> platforms: # Ubuntu Trusty with Upstart diff --git a/.travis.yml b/.travis.yml index fc933dcb..96f859fe 100644 --- a/.travis.yml +++ b/.travis.yml 
@@ -9,16 +9,16 @@ branches: env: # default is stable repo - - DISTRO=ubuntu-14 LICENSE='BWC_ENTERPRISE_LICENSE' - - DISTRO=ubuntu-16 LICENSE='BWC_ENTERPRISE_LICENSE' - - DISTRO=centos-6 LICENSE='BWC_ENTERPRISE_LICENSE' - - DISTRO=centos-7 LICENSE='BWC_ENTERPRISE_LICENSE' + - DISTRO=ubuntu-14 LICENSE='BWC_LICENSE_ENTERPRISE' + - DISTRO=ubuntu-16 LICENSE='BWC_LICENSE_ENTERPRISE' + - DISTRO=centos-6 LICENSE='BWC_LICENSE_ENTERPRISE' + - DISTRO=centos-7 LICENSE='BWC_LICENSE_ENTERPRISE' # StackStorm 'unstable' repo check - - DISTRO=ubuntu-14 ST2_REPO=unstable BWC_REPO=enterprise-unstable LICENSE='BWC_ENTERPRISE_LICENSE_UNSTABLE' - - DISTRO=ubuntu-16 ST2_REPO=unstable BWC_REPO=enterprise-unstable LICENSE='BWC_ENTERPRISE_LICENSE_UNSTABLE' - - DISTRO=centos-6 ST2_REPO=unstable BWC_REPO=enterprise-unstable LICENSE='BWC_ENTERPRISE_LICENSE_UNSTABLE' - - DISTRO=centos-7 ST2_REPO=unstable BWC_REPO=enterprise-unstable LICENSE='BWC_ENTERPRISE_LICENSE_UNSTABLE' + - DISTRO=ubuntu-14 ST2_REPO=unstable BWC_REPO=enterprise-unstable LICENSE='BWC_LICENSE_ENTERPRISE_UNSTABLE' + - DISTRO=ubuntu-16 ST2_REPO=unstable BWC_REPO=enterprise-unstable LICENSE='BWC_LICENSE_ENTERPRISE_UNSTABLE' + - DISTRO=centos-6 ST2_REPO=unstable BWC_REPO=enterprise-unstable LICENSE='BWC_LICENSE_ENTERPRISE_UNSTABLE' + - DISTRO=centos-7 ST2_REPO=unstable BWC_REPO=enterprise-unstable LICENSE='BWC_LICENSE_ENTERPRISE_UNSTABLE' script: # run kitchen tests (destroy, create, converge, setup, verify and destroy) From a343cd6b52e6c354d4c1875620bc842ff3d61867 Mon Sep 17 00:00:00 2001 From: Lakshmi Kannan Date: Mon, 13 Mar 2017 14:11:16 -0700 Subject: [PATCH 21/38] Address review comments --- roles/bwc/defaults/main.yml | 19 +++++++++++++++++++ roles/bwc/tasks/bwc_repos_yum.yml | 12 ------------ roles/bwc/tasks/ldap.yml | 3 ++- 3 files changed, 21 insertions(+), 13 deletions(-) diff --git a/roles/bwc/defaults/main.yml b/roles/bwc/defaults/main.yml index 82f3a86d..b32680e8 100644 --- a/roles/bwc/defaults/main.yml 
+++ b/roles/bwc/defaults/main.yml @@ -6,4 +6,23 @@ bwc_version: latest # used only if 'bwc_version' is numeric bwc_revision: 1 +# BWC license to install BWC enterprise bits master_token: "{{ bwc_license }}" + +# Specify roles and assignments for BWC RBAC. +# Roles are pushed as YML files to /opt/stackstorm/rbac/roles +# Assignments are pushed as YML files to /opt/stackstorm/rbac/assignments/ +# The schema for roles and assignments follow the exact schema definition +# define in https://bwc-docs.brocade.com/rbac.html#defining-roles-and-permission-grants +# and https://bwc-docs.brocade.com/rbac.html#defining-user-role-assignments. +bwc_rbac: + roles: [] + assignments: [] + +# By specifying a valid configuration for LDAP, +# (See https://bwc-docs.brocade.com/authentication.html#ldap ) +# LDAP auth backend is setup for st2 and BWC. +# Note that you just need to provide the backend_kwargs. +bwc_ldap: + config: + backend_kwargs: {} diff --git a/roles/bwc/tasks/bwc_repos_yum.yml b/roles/bwc/tasks/bwc_repos_yum.yml index a48bb916..a4af9ef3 100644 --- a/roles/bwc/tasks/bwc_repos_yum.yml +++ b/roles/bwc/tasks/bwc_repos_yum.yml @@ -8,18 +8,6 @@ state: latest tags: skip_ansible_lint -# See: https://github.com/docker-library/docs/tree/master/centos#package-documentation -# We ship `nginx.conf` via `st2` package doc files, for example -- name: Enable shipping package documentation files for EL - become: yes - ini_file: - dest: /etc/yum.conf - section: main - option: tsflags - value: nodocs - state: absent - when: ansible_os_family == "RedHat" - - name: "Add packagecloud.io repository: StackStorm/{{ bwc_pkg_repo }}" become: yes yum_repository: diff --git a/roles/bwc/tasks/ldap.yml b/roles/bwc/tasks/ldap.yml index 0fe7a2e9..839c9e1c 100644 --- a/roles/bwc/tasks/ldap.yml +++ b/roles/bwc/tasks/ldap.yml 
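Review bot: Giving `bwc_rbac` and `bwc_ldap` dictionary defaults makes the `bwc_rbac is defined` and `bwc_ldap is defined` gates in tasks/main.yml true on every run, so rbac.yml now always sets `[rbac] enable = True` and ldap.yml always switches `[auth] backend` to `ldap`, even for a deployment that configured neither. With RBAC on and empty `roles`/`assignments`, users without an assignment have no permissions, and with an LDAP backend and empty kwargs, st2auth logins fail. Either default both variables to `null` and document that, or change the gates to non-empty checks such as `when: bwc_rbac.roles or bwc_rbac.assignments` and `when: bwc_ldap.config.backend_kwargs`. The guard added to ldap.yml in this same commit inherits the problem.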
@@ -18,8 +18,9 @@ dest: /etc/st2/st2.conf section: auth option: backend_kwargs - value: "{{ bwc_ldap.config | to_nice_json }}" + value: "{{ bwc_ldap.config.backend_kwargs | to_nice_json }}" backup: yes + when: bwc_ldap.config is defined and bwc_ldap.config.backend_kwargs is defined notify: - restart st2api - restart st2stream From 6ff9e0bd91fd43811271658c6fca700797345ddc Mon Sep 17 00:00:00 2001 From: Lakshmi Kannan Date: Tue, 14 Mar 2017 13:18:58 -0700 Subject: [PATCH 22/38] Address code review comments --- README.md | 15 +++++++++++++++ roles/bwc/defaults/main.yml | 13 ++++++++++--- roles/bwc/tasks/bwc_repos_apt.yml | 1 + roles/bwc/tasks/bwc_repos_yum.yml | 1 + roles/bwc/tasks/ldap.yml | 6 ++++-- roles/bwc/tasks/rbac.yml | 6 +++--- .../templates/rbac_assignments/assignments.yml.j2 | 3 ++- roles/bwc/templates/rbac_roles/roles.yml.j2 | 3 ++- 8 files changed, 38 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index d55712c9..b5dfa8ea 100644 --- a/README.md +++ b/README.md 
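Review bot: This `ini_file` task writes `bwc_ldap.config.backend_kwargs` — the dictionary where an LDAP bind password would normally live — into st2.conf with `backup: yes` and without `no_log`, so the serialized kwargs appear in the play output and every change leaves a timestamped `st2.conf.*~` copy of the secret next to the live file. Add `no_log: yes` to the task and either drop `backup: yes` or follow it with a `file` task that removes or tightens the backup copy. The new `when` is also always true because the defaults in this same patch define `backend_kwargs: {}`, so an empty `{}` still gets written; checking `| length > 0` would avoid that. The task's header lies outside the hunk.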
@@ -47,6 +47,21 @@ Below is the list of variables you can redefine in your playbook to customize st | `st2mistral_db` | `mistral` | PostgreSQL DB name for Mistral. | `st2mistral_db_username` | `mistral` | PostgreSQL DB user for Mistral. | `st2mistral_db_password` | `StackStorm` | PostgreSQL DB password for Mistral. +| **bwc** +| `bwc_license` | `null` | BWC license key is required for +installing BWC enteprise bits via this ansible role. +| `bwc_pkg_repo` | `enterprise` | BWC PackageCloud +repository to install. [`enterprise`](https://packagecloud.io/StackStorm/enterprise/), [`enterprise-unstable`](https://packagecloud.io/StackStorm/enterprise-unstable/), [`staging-enterprise`](https://packagecloud.io/StackStorm/staging-enteprise/), [`staging-enterprise-unstable`](https://packagecloud.io/StackStorm/staging-enterprise-unstable/) +| `bwc_version` | `latest` | BWC enterprise version to install. Use latest `latest` to get automatic updates or pin it to numeric version like `2.1.1`. The version used here should match `st2_version`. +| `bwc_revision` | `1` | BWC enterprise revision to install. Used only with pinned `bwc_version`. +| `bwc_rbac` | | BWC RBAC roles and assignments. +This is a dictionary with two keys `roles` and `assignments`. `roles` and +`assignments` are in turn both arrays. Each element in the array follows +the exact YAML schema for [roles](https://bwc-docs.brocade.com/rbac.html#user-permissions) and [assignments](https://bwc-docs.brocade.com/rbac.html#defining-user-role-assignments) defined in BWC documentation. +| `bwc_ldap` | | Settings for BWC +LDAP authentication backend. `bwc_ldap` is a dictionary and has one item +`backend_kwargs`. `backend_kwargs` should be provided as exactly listed +in BWC documentation for [LDAP configuration](https://bwc-docs.brocade.com/authentication.html#auth-backends). ## Examples Install latest `stable` StackStorm with all its components on local machine: 
diff --git a/roles/bwc/defaults/main.yml b/roles/bwc/defaults/main.yml index b32680e8..b5c4e306 100644 --- a/roles/bwc/defaults/main.yml +++ b/roles/bwc/defaults/main.yml @@ -17,12 +17,19 @@ master_token: "{{ bwc_license }}" # and https://bwc-docs.brocade.com/rbac.html#defining-user-role-assignments. bwc_rbac: roles: [] - assignments: [] + + assignments: + - name: "{{ st2_system_user }}" + roles: + - admin + + - name: "{{ st2_auth_username }}" + roles: + - system_admin # By specifying a valid configuration for LDAP, # (See https://bwc-docs.brocade.com/authentication.html#ldap ) # LDAP auth backend is setup for st2 and BWC. # Note that you just need to provide the backend_kwargs. bwc_ldap: - config: - backend_kwargs: {} + backend_kwargs: {} diff --git a/roles/bwc/tasks/bwc_repos_apt.yml b/roles/bwc/tasks/bwc_repos_apt.yml index 174905aa..97335a66 100644 --- a/roles/bwc/tasks/bwc_repos_apt.yml +++ b/roles/bwc/tasks/bwc_repos_apt.yml @@ -23,6 +23,7 @@ - name: "Add packagecloud.io repository: StackStorm/{{ bwc_pkg_repo }}" become: yes + no_log: yes apt_repository: filename: "StackStorm_{{ bwc_pkg_repo }}" repo: 'deb https://{{ bwc_read_token }}:@packagecloud.io/StackStorm/{{ bwc_pkg_repo }}/{{ ansible_distribution|lower }}/ {{ ansible_distribution_release|lower }} main' diff --git a/roles/bwc/tasks/bwc_repos_yum.yml b/roles/bwc/tasks/bwc_repos_yum.yml index a4af9ef3..95e8c920 100644 --- a/roles/bwc/tasks/bwc_repos_yum.yml +++ b/roles/bwc/tasks/bwc_repos_yum.yml @@ -10,6 +10,7 @@ - name: "Add packagecloud.io repository: StackStorm/{{ bwc_pkg_repo }}" become: yes + no_log: yes yum_repository: name: "StackStorm_{{ bwc_pkg_repo }}" description: "StackStorm_{{ bwc_pkg_repo }}" diff --git a/roles/bwc/tasks/ldap.yml b/roles/bwc/tasks/ldap.yml index 839c9e1c..a94e2475 100644 --- a/roles/bwc/tasks/ldap.yml +++ b/roles/bwc/tasks/ldap.yml 
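Review bot: `bwc_ldap.backend_kwargs` is the dictionary that ends up in st2.conf's `[auth] backend_kwargs`, and an LDAP bind password would normally be part of it, yet the defaults give no hint that it must not sit in plaintext group_vars. Add a comment above the key, e.g. `# backend_kwargs usually carries bind credentials - supply it from ansible-vault, never in clear text.` The default assignments also hand `admin` to `{{ st2_system_user }}` and `system_admin` to `{{ st2_auth_username }}`; a one-line comment stating that this is the intended privileged baseline would let operators who override `bwc_rbac` see exactly which grants they keep or drop.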
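Review bot: `no_log: yes` hides the token from the play output, but the `repo` line still embeds `bwc_read_token` in `/etc/apt/sources.list.d/StackStorm_{{ bwc_pkg_repo }}.list`, which `apt_repository` creates with its default file mode (0644 unless told otherwise), so any local user can read the packagecloud read token. Pass a restrictive mode to the module, `mode: "0640"`, if the Ansible version in use accepts it (the option exists in 2.x to my knowledge), otherwise follow the task with a `file` task that tightens that path. The same concern presumably applies to the yum `.repo` written by the sibling hunk, whose `baseurl` line is outside the visible lines.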
@@ -8,6 +8,8 @@ option: backend value: ldap backup: yes + # Don't even setup LDAP if backend_kwargs is not defined + with_dict: "{{ bwc_ldap.backend_kwargs | default({}) }}" notify: - restart st2api - restart st2stream @@ -18,9 +20,9 @@ dest: /etc/st2/st2.conf section: auth option: backend_kwargs - value: "{{ bwc_ldap.config.backend_kwargs | to_nice_json }}" + value: "{{ bwc_ldap.backend_kwargs | to_json | string }}" backup: yes - when: bwc_ldap.config is defined and bwc_ldap.config.backend_kwargs is defined + with_dict: "{{ bwc_ldap.backend_kwargs | default({}) }}" notify: - restart st2api - restart st2stream diff --git a/roles/bwc/tasks/rbac.yml b/roles/bwc/tasks/rbac.yml index 01ccecbf..f66b3d60 100644 --- a/roles/bwc/tasks/rbac.yml +++ b/roles/bwc/tasks/rbac.yml @@ -4,7 +4,7 @@ become: yes file: path: "{{ item }}" - mode: "u=rwx,g=r,o=r" + mode: "u=rwx,g=rx,o=rx" owner: st2 group: st2 state: directory @@ -20,7 +20,7 @@ owner: st2 group: st2 with_items: "{{ bwc_rbac.roles }}" - when: bwc_rbac_roles is defined + when: bwc_rbac.roles is defined - name: Copy RBAC assignments to /opt/stackstorm/rbac/assignments directory become: yes @@ -30,7 +30,7 @@ owner: st2 group: st2 with_items: "{{ bwc_rbac.assignments }}" - when: bwc_rbac_assignments is defined + when: bwc_rbac.assignments is defined - name: Enable RBAC in st2 configuration become: yes diff --git a/roles/bwc/templates/rbac_assignments/assignments.yml.j2 b/roles/bwc/templates/rbac_assignments/assignments.yml.j2 index eadc3894..d05fc705 100644 --- a/roles/bwc/templates/rbac_assignments/assignments.yml.j2 +++ b/roles/bwc/templates/rbac_assignments/assignments.yml.j2 @@ -1,4 +1,5 @@ --- username: {{ item.name }} - roles: {{ item.roles | to_nice_yaml }} + roles: + {{ item.roles | to_nice_yaml }} diff --git a/roles/bwc/templates/rbac_roles/roles.yml.j2 b/roles/bwc/templates/rbac_roles/roles.yml.j2 index 303333c4..978f34a4 100644 --- a/roles/bwc/templates/rbac_roles/roles.yml.j2 
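Review bot: The two `template` tasks in the rbac.yml hunks set `owner: st2` and `group: st2` but no `mode`, so the rendered role and assignment files inherit whatever the remote umask produces, which is inconsistent with the explicit `u=rwx,g=rx,o=rx` mode the first hunk now sets on the directories. Add `mode: "0640"` to both template tasks (or `"0644"` if a process other than st2 has to read them — not visible here), so the RBAC definitions have a deliberate mode rather than an accidental one. Both template tasks start outside their hunks.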
+++ b/roles/bwc/templates/rbac_roles/roles.yml.j2 @@ -2,4 +2,5 @@ name: {{ item.name }} description: {{ item.description }} -permission_grants: {{ item.permission_grants | to_nice_yaml }} +permission_grants: + {{ item.permission_grants | to_nice_yaml }} From e1977f00c148e4531cd4cecc258bc101ccbc3f9e Mon Sep 17 00:00:00 2001 From: Lakshmi Kannan Date: Tue, 14 Mar 2017 13:29:42 -0700 Subject: [PATCH 23/38] Fix README --- README.md | 16 ++++------------ 1 file changed, 4 insertions(+), 12 deletions(-) diff --git a/README.md b/README.md index b5dfa8ea..55d4a310 100644 --- a/README.md +++ b/README.md 
@@ -48,20 +48,12 @@ Below is the list of variables you can redefine in your playbook to customize st | `st2mistral_db_username` | `mistral` | PostgreSQL DB user for Mistral. | `st2mistral_db_password` | `StackStorm` | PostgreSQL DB password for Mistral. | **bwc** -| `bwc_license` | `null` | BWC license key is required for -installing BWC enteprise bits via this ansible role. -| `bwc_pkg_repo` | `enterprise` | BWC PackageCloud -repository to install. [`enterprise`](https://packagecloud.io/StackStorm/enterprise/), [`enterprise-unstable`](https://packagecloud.io/StackStorm/enterprise-unstable/), [`staging-enterprise`](https://packagecloud.io/StackStorm/staging-enteprise/), [`staging-enterprise-unstable`](https://packagecloud.io/StackStorm/staging-enterprise-unstable/) +| `bwc_license` | `null` | BWC license key is required for installing BWC enteprise bits via this ansible role. +| `bwc_pkg_repo` | `enterprise` | BWC PackageCloud repository to install. [`enterprise`](https://packagecloud.io/StackStorm/enterprise/), [`enterprise-unstable`](https://packagecloud.io/StackStorm/enterprise-unstable/), [`staging-enterprise`](https://packagecloud.io/StackStorm/staging-enteprise/), [`staging-enterprise-unstable`](https://packagecloud.io/StackStorm/staging-enterprise-unstable/) | `bwc_version` | `latest` | BWC enterprise version to install. Use latest `latest` to get automatic updates or pin it to numeric version like `2.1.1`. The version used here should match `st2_version`. | `bwc_revision` | `1` | BWC enterprise revision to install. Used only with pinned `bwc_version`. -| `bwc_rbac` | | BWC RBAC roles and assignments. -This is a dictionary with two keys `roles` and `assignments`. `roles` and -`assignments` are in turn both arrays. Each element in the array follows -the exact YAML schema for [roles](https://bwc-docs.brocade.com/rbac.html#user-permissions) and [assignments](https://bwc-docs.brocade.com/rbac.html#defining-user-role-assignments) defined in BWC documentation. 
-| `bwc_ldap` | | Settings for BWC -LDAP authentication backend. `bwc_ldap` is a dictionary and has one item -`backend_kwargs`. `backend_kwargs` should be provided as exactly listed -in BWC documentation for [LDAP configuration](https://bwc-docs.brocade.com/authentication.html#auth-backends). +| `bwc_rbac` | [See `bwc_rbac` variable in role defaults](roles/bwc/defaults/main.yml) | BWC RBAC roles and assignments. This is a dictionary with two keys `roles` and `assignments`. `roles` and `assignments` are in turn both arrays. Each element in the array follows the exact YAML schema for [roles](https://bwc-docs.brocade.com/rbac.html#user-permissions) and [assignments](https://bwc-docs.brocade.com/rbac.html#defining-user-role-assignments) defined in BWC documentation. +| `bwc_ldap` | [See `bwc_ldap` variable in role defaults](roles/bwc/defaults/main.yml) | Settings for BWC LDAP authentication backend. `bwc_ldap` is a dictionary and has one item `backend_kwargs`. `backend_kwargs` should be provided as exactly listed in BWC documentation for [LDAP configuration](https://bwc-docs.brocade.com/authentication.html#auth-backends). ## Examples Install latest `stable` StackStorm with all its components on local machine: From 531818243d6b2efbbb2f80b21dcb77d9a7efac0a Mon Sep 17 00:00:00 2001 From: Lakshmi Kannan Date: Tue, 14 Mar 2017 13:59:57 -0700 Subject: [PATCH 24/38] Use no_log to hide tokens --- roles/bwc/tasks/bwc_repos_setup.yml | 2 ++ roles/bwc/tasks/rbac.yml | 1 - 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/bwc/tasks/bwc_repos_setup.yml b/roles/bwc/tasks/bwc_repos_setup.yml index cb54e8bf..45e354ed 100644 --- a/roles/bwc/tasks/bwc_repos_setup.yml +++ b/roles/bwc/tasks/bwc_repos_setup.yml 
@@ -15,6 +15,7 @@ - name: Get read token for repo from packagecloud become: yes + no_log: yes uri: url: https://{{ bwc_license }}:@packagecloud.io/install/repositories/StackStorm/{{ bwc_pkg_repo }}/tokens.text creates: "/etc/packagecloud/StackStorm_{{ bwc_pkg_repo }}_read_token.txt" # Don't download if file already exists @@ -28,6 +29,7 @@ - name: Set bwc_read_token variable become: yes + no_log: yes set_fact: bwc_read_token: "{{ lookup('file', '/etc/packagecloud/StackStorm_{{ bwc_pkg_repo }}_read_token.txt') }}" diff --git a/roles/bwc/tasks/rbac.yml b/roles/bwc/tasks/rbac.yml index f66b3d60..4f04a8b3 100644 --- a/roles/bwc/tasks/rbac.yml +++ b/roles/bwc/tasks/rbac.yml @@ -44,4 +44,3 @@ - restart st2 - reload bwc_rbac - restart st2api - From 9a5dee639c3d8c8c9f9ecd64a5b47cca45dadee5 Mon Sep 17 00:00:00 2001 From: Lakshmi Kannan Date: Tue, 14 Mar 2017 14:32:20 -0700 Subject: [PATCH 25/38] Use to_nice_json as opposed to to_nice_yaml See https://gist.github.com/lakshmi-kannan/0f5f073311a40d209d3e19c7cab3e864 --- roles/bwc/templates/rbac_roles/roles.yml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/bwc/templates/rbac_roles/roles.yml.j2 b/roles/bwc/templates/rbac_roles/roles.yml.j2 index 978f34a4..99961584 100644 --- a/roles/bwc/templates/rbac_roles/roles.yml.j2 +++ b/roles/bwc/templates/rbac_roles/roles.yml.j2 @@ -3,4 +3,4 @@ name: {{ item.name }} description: {{ item.description }} permission_grants: - {{ item.permission_grants | to_nice_yaml }} + {{ item.permission_grants | to_nice_json }} From df65ee2f3818b6a44a0251700348fecb4b4de566 Mon Sep 17 00:00:00 2001 From: Lakshmi Kannan Date: Tue, 14 Mar 2017 15:20:55 -0700 Subject: [PATCH 26/38] Setup default RBAC roles and assignments always --- roles/bwc/defaults/main.yml | 22 ++++++++++++++-------- roles/bwc/tasks/bwc_repos_apt.yml | 1 - roles/bwc/tasks/ldap.yml | 4 ++++ roles/bwc/tasks/rbac.yml | 23 +++++++++++++++++++++-- 4 files changed, 39 insertions(+), 11 deletions(-) 
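Review bot: The `dest` option makes `uri` save the packagecloud read token to `/etc/packagecloud/StackStorm_{{ bwc_pkg_repo }}_read_token.txt` without a `mode`, so the file is created with the umask default (typically world-readable) even though `no_log` now hides the token from the output. Add `mode: "0600"` to the task (`uri` accepts the common file attributes for `dest`, as far as I recall; otherwise tighten the path with a `file` task). Separately, the master license is embedded in the URL as basic-auth userinfo; `url_username: "{{ bwc_license }}"` with `url_password: ""` and the existing `force_basic_auth: yes` keeps it out of the URL, which is what gets quoted in error messages. The task continues outside the hunk.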
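Review bot: `lookup('file', ...)` is evaluated on the control node, not on the managed host, so `bwc_read_token` is read from the controller's `/etc/packagecloud/...` and the task fails, or reads a stale file, whenever the play is not run against localhost — which the kitchen/Travis setup presumably is, hiding the problem; adding `become` and `no_log` to a `set_fact` changes nothing about that. Read the file on the target instead: `- slurp: src=/etc/packagecloud/StackStorm_{{ bwc_pkg_repo }}_read_token.txt` registered as `bwc_read_token_file`, then `set_fact: bwc_read_token: "{{ bwc_read_token_file.content | b64decode | trim }}"`, keeping `no_log: yes` on both.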
diff --git a/roles/bwc/defaults/main.yml b/roles/bwc/defaults/main.yml index b5c4e306..f196174f 100644 --- a/roles/bwc/defaults/main.yml +++ b/roles/bwc/defaults/main.yml @@ -15,17 +15,23 @@ master_token: "{{ bwc_license }}" # The schema for roles and assignments follow the exact schema definition # define in https://bwc-docs.brocade.com/rbac.html#defining-roles-and-permission-grants # and https://bwc-docs.brocade.com/rbac.html#defining-user-role-assignments. + +bwc_rbac_default_roles: [] + +bwc_rbac_default_assignments: + - name: "{{ st2_system_user }}" + roles: + - admin + + - name: "{{ st2_auth_username }}" + roles: + - system_admin + bwc_rbac: - roles: [] + roles: "{{ bwc_rbac_default_roles }}" - assignments: - - name: "{{ st2_system_user }}" - roles: - - admin + assignments: "{{ bwc_rbac_default_assignments }}" - - name: "{{ st2_auth_username }}" - roles: - - system_admin # By specifying a valid configuration for LDAP, # (See https://bwc-docs.brocade.com/authentication.html#ldap ) diff --git a/roles/bwc/tasks/bwc_repos_apt.yml b/roles/bwc/tasks/bwc_repos_apt.yml index 97335a66..632e2ef1 100644 --- a/roles/bwc/tasks/bwc_repos_apt.yml +++ b/roles/bwc/tasks/bwc_repos_apt.yml @@ -30,4 +30,3 @@ state: present update_cache: yes register: added_bwc_deb_repository - diff --git a/roles/bwc/tasks/ldap.yml b/roles/bwc/tasks/ldap.yml index a94e2475..dde42b02 100644 --- a/roles/bwc/tasks/ldap.yml +++ b/roles/bwc/tasks/ldap.yml @@ -2,6 +2,8 @@ - name: Setup st2.conf auth backend to LDAP become: yes + # Unfortunately, ``with_dict`` also logs the dict which could leak passwords. + no_logs: yes ini_file: dest: /etc/st2/st2.conf section: auth @@ -16,6 +18,8 @@ - name: Setup st2.conf auth backend_kwargs for LDAP become: yes + # Unfortunately, ``with_dict`` also logs the dict which could leak passwords. + no_log: yes ini_file: dest: /etc/st2/st2.conf section: auth diff --git a/roles/bwc/tasks/rbac.yml b/roles/bwc/tasks/rbac.yml index 4f04a8b3..ba33bcae 100644 
--- a/roles/bwc/tasks/rbac.yml +++ b/roles/bwc/tasks/rbac.yml @@ -12,7 +12,16 @@ - /opt/stackstorm/rbac/assignments - /opt/stackstorm/rbac/roles - - name: Copy RBAC roles to /opt/stackstorm/rbac/roles directory + - name: Copy default RBAC roles to /opt/stackstorm/rbac/roles directory + become: yes + template: + src: rbac_roles/roles.yml.j2 + dest: /opt/stackstorm/rbac/roles/{{ item.name }}.yaml + owner: st2 + group: st2 + with_items: "{{ bwc_rbac_default_roles }}" + + - name: Copy user defined RBAC roles to /opt/stackstorm/rbac/roles directory become: yes template: src: rbac_roles/roles.yml.j2 @@ -22,7 +31,17 @@ with_items: "{{ bwc_rbac.roles }}" when: bwc_rbac.roles is defined - - name: Copy RBAC assignments to /opt/stackstorm/rbac/assignments directory + - name: Copy default RBAC assignments to /opt/stackstorm/rbac/assignments directory + become: yes + template: + src: rbac_assignments/assignments.yml.j2 + dest: /opt/stackstorm/rbac/assignments/{{ item.name }}.yaml + owner: st2 + group: st2 + with_items: + - "{{ bwc_rbac_default_assignments }}" + + - name: Copy user defined RBAC assignments to /opt/stackstorm/rbac/assignments directory become: yes template: src: rbac_assignments/assignments.yml.j2 From 2fd65e8ca15347a02ebf526fed93512e40656a1a Mon Sep 17 00:00:00 2001 From: Lakshmi Kannan Date: Tue, 14 Mar 2017 15:44:04 -0700 Subject: [PATCH 27/38] YAML cleanup --- roles/bwc/tasks/rbac.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/roles/bwc/tasks/rbac.yml b/roles/bwc/tasks/rbac.yml index ba33bcae..3900ef04 100644 --- a/roles/bwc/tasks/rbac.yml +++ b/roles/bwc/tasks/rbac.yml @@ -38,8 +38,7 @@ dest: /opt/stackstorm/rbac/assignments/{{ item.name }}.yaml owner: st2 group: st2 - with_items: - - "{{ bwc_rbac_default_assignments }}" + with_items: "{{ bwc_rbac_default_assignments }}" - name: Copy user defined RBAC assignments to /opt/stackstorm/rbac/assignments directory become: yes 
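Review bot: Default and user-defined roles and assignments are rendered to the same `{{ item.name }}.yaml` paths, and `bwc_rbac.roles`/`bwc_rbac.assignments` default to the very same `bwc_rbac_default_*` lists, so a default run writes every file twice, and an operator who overrides `bwc_rbac.assignments` to restrict a user cannot drop the default `admin`/`system_admin` grants without also overriding `bwc_rbac_default_assignments`. That asymmetry is not written down anywhere; add a comment at the top of the file, e.g. `# Default roles/assignments are always written; override bwc_rbac_default_* (not bwc_rbac) to change or remove them. Entries with the same name in bwc_rbac overwrite the default file.` The `when: bwc_rbac.roles is defined` guards are always true given the defaults, so they can go.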
From 56d0587f07fcb9e9485ed9cd2fee3c815592f55b Mon Sep 17 00:00:00 2001 From: armab Date: Wed, 15 Mar 2017 21:00:30 +0200 Subject: [PATCH 28/38] Fix 'no_logs' -> 'no_log' blocking the Ansible run --- roles/bwc/tasks/ldap.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/bwc/tasks/ldap.yml b/roles/bwc/tasks/ldap.yml index dde42b02..013b8f91 100644 --- a/roles/bwc/tasks/ldap.yml +++ b/roles/bwc/tasks/ldap.yml @@ -3,7 +3,7 @@ - name: Setup st2.conf auth backend to LDAP become: yes # Unfortunately, ``with_dict`` also logs the dict which could leak passwords. - no_logs: yes + no_log: yes ini_file: dest: /etc/st2/st2.conf section: auth From c1d98a93331a959da09786a3115c5a5010b58f9e Mon Sep 17 00:00:00 2001 From: armab Date: Thu, 16 Mar 2017 00:28:12 +0200 Subject: [PATCH 29/38] Fix 'st2web' vs 'bwc-ui' conflict when enterprise is installed --- roles/st2web/tasks/main.yml | 20 ++++++++++++++++---- roles/st2web/vars/main.yml | 5 +++++ 2 files changed, 21 insertions(+), 4 deletions(-) create mode 100644 roles/st2web/vars/main.yml diff --git a/roles/st2web/tasks/main.yml b/roles/st2web/tasks/main.yml index 5e0b3dd5..bbaae045 100644 --- a/roles/st2web/tasks/main.yml +++ b/roles/st2web/tasks/main.yml 
@@ -1,16 +1,28 @@ --- -- name: Install latest st2web package on {{ ansible_os_family }} +- name: Check if enterprise is installed + become: yes + stat: + path: /opt/stackstorm/static/webui/flow/ + register: bwc_installed + +# For enterprise 'bwc-ui' replaces 'st2web' package +- name: Decide which package to use: 'st2web' vs 'bwc-ui' + set_fact: + st2web_package_name: bwc-ui + when: bwc_installed.stat.exists + +- name: Install latest {{ st2web_package_name }} package on {{ ansible_os_family }} become: yes package: - name: st2web + name: "{{ st2web_package_name }}" state: latest when: st2_version == "latest" tags: st2web, skip_ansible_lint -- name: Install exact st2web package on {{ ansible_os_family }} +- name: Install exact {{ st2web_package_name }} package on {{ ansible_os_family }} become: yes package: - name: st2web={{ st2_version }}-{{ st2web_revision }} + name: "{{ st2web_package_name }}={{ st2_version }}-{{ st2web_revision }}" state: present when: st2_version != "latest" tags: st2web diff --git a/roles/st2web/vars/main.yml b/roles/st2web/vars/main.yml new file mode 100644 index 00000000..e125b116 --- /dev/null +++ b/roles/st2web/vars/main.yml @@ -0,0 +1,5 @@ +# Default st2web immutable vars +--- +# Default StackStorm WebUI package name to install +# For enterprise 'bwc-ui' replaces 'st2web' package +st2web_package_name: st2web From 8837fffe7e52ae450d4c3c753756e894aad605d9 Mon Sep 17 00:00:00 2001 From: armab Date: Thu, 16 Mar 2017 00:35:03 +0200 Subject: [PATCH 30/38] Fix st2web yaml --- roles/st2web/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/st2web/tasks/main.yml b/roles/st2web/tasks/main.yml index bbaae045..d3955247 100644 --- a/roles/st2web/tasks/main.yml +++ b/roles/st2web/tasks/main.yml 
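Review bot: The `stat` on `/opt/stackstorm/static/webui/flow/` picks `bwc-ui` whenever that directory exists, so a leftover tree after an enterprise uninstall would keep selecting the enterprise package and, with `state: latest`, keep it installed; if the `bwc` role registers an install result it would be a more reliable signal than a path. The pinned form also reuses `st2_version` and `st2web_revision` for `bwc-ui`, while the bwc role pins `bwc_version` separately and the README only says they "should match", so nothing enforces it. At minimum document the assumption in vars/main.yml: `# bwc-ui is pinned to st2_version; keep bwc_version in sync.`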
@@ -6,7 +6,7 @@ register: bwc_installed # For enterprise 'bwc-ui' replaces 'st2web' package -- name: Decide which package to use: 'st2web' vs 'bwc-ui' +- name: "Decide which package to use: 'st2web' vs 'bwc-ui'" set_fact: st2web_package_name: bwc-ui when: bwc_installed.stat.exists From 48dcd6be782c88330d3ea89448392ae0b8fe4a8d Mon Sep 17 00:00:00 2001 From: Lakshmi Kannan Date: Thu, 16 Mar 2017 13:31:24 -0700 Subject: [PATCH 31/38] Remove all safety checks because arma says so --- roles/bwc/tasks/bwc_repos_apt.yml | 4 ---- roles/bwc/tasks/ldap.yml | 5 +++-- roles/bwc/tasks/main.yml | 8 ++++---- roles/bwc/tasks/rbac.yml | 8 ++++++++ roles/bwc/templates/rbac_assignments/assignments.yml.j2 | 2 +- 5 files changed, 16 insertions(+), 11 deletions(-) diff --git a/roles/bwc/tasks/bwc_repos_apt.yml b/roles/bwc/tasks/bwc_repos_apt.yml index 632e2ef1..7df47f03 100644 --- a/roles/bwc/tasks/bwc_repos_apt.yml +++ b/roles/bwc/tasks/bwc_repos_apt.yml @@ -1,9 +1,5 @@ --- -- name: Assert that master_token is specified - fail: msg="License key must be supplied for BWC enterprise installation." - when: bwc_license is not defined - - name: Install prereqs (Debian) become: yes apt: diff --git a/roles/bwc/tasks/ldap.yml b/roles/bwc/tasks/ldap.yml index 013b8f91..acb0fb29 100644 --- a/roles/bwc/tasks/ldap.yml +++ b/roles/bwc/tasks/ldap.yml @@ -11,7 +11,7 @@ value: ldap backup: yes # Don't even setup LDAP if backend_kwargs is not defined - with_dict: "{{ bwc_ldap.backend_kwargs | default({}) }}" + when: bwc_ldap.backend_kwargs is defined and bwc_ldap.backend_kwargs|length > 0 notify: - restart st2api - restart st2stream @@ -26,7 +26,8 @@ option: backend_kwargs value: "{{ bwc_ldap.backend_kwargs | to_json | string }}" backup: yes - with_dict: "{{ bwc_ldap.backend_kwargs | default({}) }}" + # Don't even setup LDAP if backend_kwargs is not defined + when: bwc_ldap.backend_kwargs is defined and bwc_ldap.backend_kwargs|length > 0 notify: - restart st2api - restart st2stream 
diff --git a/roles/bwc/tasks/main.yml b/roles/bwc/tasks/main.yml index 68abdc6b..a77e34dd 100644 --- a/roles/bwc/tasks/main.yml +++ b/roles/bwc/tasks/main.yml @@ -12,7 +12,7 @@ name: bwc-enterprise state: latest register: bwc_installed - when: bwc_repo_added|success and bwc_version == "latest" + when: bwc_version == "latest" tags: - bwc - st2 enterprise @@ -24,15 +24,15 @@ name: bwc-enterprise={{ bwc_version }}-{{ bwc_revision }} state: present register: bwc_installed - when: bwc_repo_added|success and bwc_version != "latest" + when: bwc_version != "latest" tags: - bwc - st2 enterprise - name: Setup RBAC and setup roles and assignments if bwc_rbac is defined include: "rbac.yml" - when: bwc_installed|success and bwc_rbac is defined + when: bwc_rbac is defined - name: Setup LDAP and set up LDAP configuration include: "ldap.yml" - when: bwc_installed|success and bwc_ldap is defined + when: bwc_ldap is defined diff --git a/roles/bwc/tasks/rbac.yml b/roles/bwc/tasks/rbac.yml index 3900ef04..39ef3490 100644 --- a/roles/bwc/tasks/rbac.yml +++ b/roles/bwc/tasks/rbac.yml @@ -20,6 +20,8 @@ owner: st2 group: st2 with_items: "{{ bwc_rbac_default_roles }}" + notify: + - reload bwc_rbac - name: Copy user defined RBAC roles to /opt/stackstorm/rbac/roles directory become: yes @@ -30,6 +32,8 @@ group: st2 with_items: "{{ bwc_rbac.roles }}" when: bwc_rbac.roles is defined + notify: + - reload bwc_rbac - name: Copy default RBAC assignments to /opt/stackstorm/rbac/assignments directory become: yes @@ -39,6 +43,8 @@ owner: st2 group: st2 with_items: "{{ bwc_rbac_default_assignments }}" + notify: + - reload bwc_rbac - name: Copy user defined RBAC assignments to /opt/stackstorm/rbac/assignments directory become: yes @@ -49,6 +55,8 @@ group: st2 with_items: "{{ bwc_rbac.assignments }}" when: bwc_rbac.assignments is defined + notify: + - reload bwc_rbac - name: Enable RBAC in st2 configuration become: yes 
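Review bot: Dropping the `|success` conditions is fine — a failed package task already aborts the host — but `register: bwc_installed` on both install tasks is now unused, and the name collides with the `bwc_installed` stat result that the st2web role registers (`bwc_installed.stat.exists`) in the same play, so whichever role runs last silently redefines it with a different shape. Either remove the two `register` lines or rename one side, e.g. `register: bwc_package_result`, and say in a comment why the variable exists.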
diff --git a/roles/bwc/templates/rbac_assignments/assignments.yml.j2 b/roles/bwc/templates/rbac_assignments/assignments.yml.j2 index d05fc705..fe215e44 100644 --- a/roles/bwc/templates/rbac_assignments/assignments.yml.j2 +++ b/roles/bwc/templates/rbac_assignments/assignments.yml.j2 @@ -2,4 +2,4 @@ username: {{ item.name }} roles: - {{ item.roles | to_nice_yaml }} + {{ item.roles | to_nice_yaml(2) | indent(2) }} From b4843f3f182dc230b75142e583938313a4eb806a Mon Sep 17 00:00:00 2001 From: Lakshmi Kannan Date: Thu, 16 Mar 2017 13:38:54 -0700 Subject: [PATCH 32/38] Use to_nice_yaml --- roles/bwc/templates/rbac_roles/roles.yml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/bwc/templates/rbac_roles/roles.yml.j2 b/roles/bwc/templates/rbac_roles/roles.yml.j2 index 99961584..2073016e 100644 --- a/roles/bwc/templates/rbac_roles/roles.yml.j2 +++ b/roles/bwc/templates/rbac_roles/roles.yml.j2 @@ -3,4 +3,4 @@ name: {{ item.name }} description: {{ item.description }} permission_grants: - {{ item.permission_grants | to_nice_json }} + {{ item.permission_grants | to_nice_yaml(2) | indent(2) }} From 76084dd33369eff47db776929e91f93ef5777532 Mon Sep 17 00:00:00 2001 
From: Lakshmi Kannan Date: Thu, 16 Mar 2017 16:08:58 -0700 Subject: [PATCH 33/38] Add smoke tests for BWC RBAC --- roles/bwc/meta/main.yml | 1 - roles/bwc/tasks/bwc_repos_setup.yml | 6 +- roles/bwc/templates/rbac_roles/roles.yml.j2 | 2 +- roles/bwc_smoketests/defaults/main.yml | 23 +++++ roles/bwc_smoketests/meta/main.yml | 27 ++++++ roles/bwc_smoketests/tasks/main.yml | 83 +++++++++++++++++++ roles/bwc_smoketests/tasks/teardown.yml | 35 ++++++++ .../rbac_assignments/assignments.yml.j2 | 5 ++ .../templates/rbac_roles/roles.yml.j2 | 6 ++ 9 files changed, 184 insertions(+), 4 deletions(-) create mode 100644 roles/bwc_smoketests/defaults/main.yml create mode 100644 roles/bwc_smoketests/meta/main.yml create mode 100644 roles/bwc_smoketests/tasks/main.yml create mode 100644 roles/bwc_smoketests/tasks/teardown.yml create mode 100644 roles/bwc_smoketests/templates/rbac_assignments/assignments.yml.j2 create mode 100644 roles/bwc_smoketests/templates/rbac_roles/roles.yml.j2 diff --git a/roles/bwc/meta/main.yml b/roles/bwc/meta/main.yml index 63e5e3cb..b42d258c 100644 --- a/roles/bwc/meta/main.yml +++ b/roles/bwc/meta/main.yml @@ -24,4 +24,3 @@ galaxy_info: - role: st2repos - role: st2 - role: st2web - - role: bwc_repos diff --git a/roles/bwc/tasks/bwc_repos_setup.yml b/roles/bwc/tasks/bwc_repos_setup.yml index 45e354ed..603103d2 100644 --- a/roles/bwc/tasks/bwc_repos_setup.yml +++ b/roles/bwc/tasks/bwc_repos_setup.yml @@ -1,7 +1,8 @@ --- - name: Assert that master_token is specified - fail: msg="License key must be supplied for BWC enterprise installation." + fail: + msg: "License key must be supplied for BWC enterprise installation." when: bwc_license is not defined - name: Create packagecloud dir 
@@ -16,9 +17,10 @@ - name: Get read token for repo from packagecloud become: yes no_log: yes + changed_when: no uri: url: https://{{ bwc_license }}:@packagecloud.io/install/repositories/StackStorm/{{ bwc_pkg_repo }}/tokens.text - creates: "/etc/packagecloud/StackStorm_{{ bwc_pkg_repo }}_read_token.txt" # Don't download if file already exists + # creates: "/etc/packagecloud/StackStorm_{{ bwc_pkg_repo }}_read_token.txt" # Don't download if file already exists dest: "/etc/packagecloud/StackStorm_{{ bwc_pkg_repo }}_read_token.txt" force_basic_auth: yes method: POST diff --git a/roles/bwc/templates/rbac_roles/roles.yml.j2 b/roles/bwc/templates/rbac_roles/roles.yml.j2 index 2073016e..13d512a9 100644 --- a/roles/bwc/templates/rbac_roles/roles.yml.j2 +++ b/roles/bwc/templates/rbac_roles/roles.yml.j2 @@ -3,4 +3,4 @@ name: {{ item.name }} description: {{ item.description }} permission_grants: - {{ item.permission_grants | to_nice_yaml(2) | indent(2) }} + {{ item.permission_grants | to_nice_yaml(2) | indent(2) }} diff --git a/roles/bwc_smoketests/defaults/main.yml b/roles/bwc_smoketests/defaults/main.yml new file mode 100644 index 00000000..c983b4eb --- /dev/null +++ b/roles/bwc_smoketests/defaults/main.yml @@ -0,0 +1,23 @@ +--- + +bwc_smoke_tests_user: bwc_smoke_tests_user +bwc_smoke_tests_password: holyjolly + +bwc_smoke_tests_rbac: + roles: + - name: bwc_smoke_tests_basic + description: "This role has access only to action core.local in pack 'core'" + permission_grants: + + - resource_uid: "action:core:local" + permission_types: + - "action_execute" + - "action_view" + + - permission_types: + - "runner_type_list" + + assignments: + - name: "{{ bwc_smoke_tests_user }}" + roles: + - bwc_smoke_tests_basic diff --git a/roles/bwc_smoketests/meta/main.yml b/roles/bwc_smoketests/meta/main.yml new file mode 100644 index 00000000..9f622282 --- /dev/null +++ b/roles/bwc_smoketests/meta/main.yml 
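Review bot: Commenting out `creates` means the `POST` to `.../tokens.text` now runs on every play, presenting the master license each time and — if that endpoint mints a new read token per request, as the URL suggests — accumulating tokens on the packagecloud side, while `changed_when: no` hides that the token file is rewritten. If refreshing on every run is intended, say so in the comment instead of leaving the old option commented out; otherwise guard the task with a `stat` on the dest path and `when: not read_token_file.stat.exists`, which works regardless of how `uri` treats `creates`.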
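Review bot: `bwc_smoke_tests_password: holyjolly` is a fixed, published password for an account this role adds to the real `/etc/st2/htpasswd` on every target, and teardown only runs if the play gets that far, so any failed smoke run leaves a known credential with `action_execute` on `core.local` behind. Generate it per run instead: a `set_fact` at the start of the role with `lookup('password', '/dev/null length=32 chars=ascii_letters,digits')` (set once via `set_fact`, because the lookup yields a new value on every evaluation), and add a comment here that the default is only a placeholder for local testing.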
@@ -0,0 +1,27 @@ +--- +galaxy_info: + description: Test BWC enteprise components were installed correctly. + author: lakshmi-kannan + company: StackStorm + license: Apache 2.0 + min_ansible_version: 2.2 + platforms: + - name: Ubuntu + versions: + - trusty + - xenial + - name: EL + versions: + - 6 + - 7 + categories: + - stackstorm + - BWC + - Brocade Workflow Composer + - repositories + - packagecloud + dependencies: + - role: st2repos + - role: st2 + - role: st2web + - role: bwc diff --git a/roles/bwc_smoketests/tasks/main.yml b/roles/bwc_smoketests/tasks/main.yml new file mode 100644 index 00000000..26e42a3f --- /dev/null +++ b/roles/bwc_smoketests/tasks/main.yml 
@@ -0,0 +1,83 @@ +--- + +# Small suite of smoke tests to ensure that BWC role has deployed as expected + +- name: auth | Add a new bwc_smoke_tests_user in st2 htpasswd file + become: true + htpasswd: + path: /etc/st2/htpasswd + name: "{{ bwc_smoke_tests_user }}" + password: "{{ bwc_smoke_tests_password }}" + notify: + - restart st2api + - restart st2stream + tags: + - bwc-smoke-tests + +- name: Copy smoke tests RBAC roles to /opt/stackstorm/rbac/roles directory + become: yes + template: + src: rbac_roles/roles.yml.j2 + dest: /opt/stackstorm/rbac/roles/{{ item.name }}.yaml + owner: st2 + group: st2 + with_items: "{{ bwc_smoke_tests_rbac.roles }}" + when: bwc_smoke_tests_rbac.roles is defined + notify: + - reload bwc_rbac + tags: + - bwc-smoke-tests + +- name: Copy smoke tests RBAC assignments to /opt/stackstorm/rbac/assignments directory + become: yes + template: + src: rbac_assignments/assignments.yml.j2 + dest: /opt/stackstorm/rbac/assignments/{{ item.name }}.yaml + owner: st2 + group: st2 + with_items: "{{ bwc_smoke_tests_rbac.assignments }}" + when: bwc_smoke_tests_rbac.assignments is defined + notify: + - reload bwc_rbac + tags: + - bwc-smoke-tests + +- meta: flush_handlers + tags: + - bwc-smoke-tests + +- name: Get authentication token for bwc_smoke_tests # Note this will not use LDAP. 
+ command: st2 auth "{{ bwc_smoke_tests_user }}" -p "{{ bwc_smoke_tests_password }}" -t + register: st2_token_smoke_tests_user + changed_when: no + tags: + - bwc-smoke-tests + +- name: Test a simple core.local action as user ``bwc_smoke_tests_user`` + command: st2 run core.local -- date -R + environment: + ST2_AUTH_TOKEN: "{{ st2_token_smoke_tests_user.stdout }}" + changed_when: no + tags: + - bwc-smoke-tests + +- name: Test some other action that ``bwc_smoke_tests_user`` cannot run + command: st2 run core.http url="https://google.com" + environment: + ST2_AUTH_TOKEN: "{{ st2_token_smoke_tests_user.stdout }}" + ignore_errors: yes + register: bwc_smoke_tests_forbidden_action + tags: + - bwc-smoke-tests + +- name: Assert forbidden error was indeed thrown + fail: + msg: "St2 action was forbidden to run because of RBAC permissions but action still ran." + when: "bwc_smoke_tests_forbidden_action.stdout.find('Forbidden') == -1" + tags: + - bwc-smoke-tests + +- name: Teardown test artifacts + include: "teardown.yml" + tags: + - bwc-smoke-tests diff --git a/roles/bwc_smoketests/tasks/teardown.yml b/roles/bwc_smoketests/tasks/teardown.yml new file mode 100644 index 00000000..5f8d837c --- /dev/null +++ b/roles/bwc_smoketests/tasks/teardown.yml 
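Review bot: `st2 auth "{{ bwc_smoke_tests_user }}" -p "{{ bwc_smoke_tests_password }}" -t` puts the password on the command line (visible in the process list and, since the task has no `no_log`, in the play output), and the registered token is then echoed through each `environment:` block of the following tasks. Add `no_log: yes` to the auth task and to the two `st2 run` tasks that carry `ST2_AUTH_TOKEN`. Teardown is a plain `include` at the end, so a failed assertion above leaves the htpasswd user and RBAC files in place; wrapping the tests in a `block:` with the teardown under `always:` (available since Ansible 2.0, within the role's `min_ansible_version`) closes that gap.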
@@ -0,0 +1,35 @@
+---
+
+- name: Remove BWC smoke tests user from htpasswd file
+ become: yes
+ htpasswd:
+ path: /etc/st2/htpasswd
+ name: "{{ bwc_smoke_tests_user }}"
+ state: absent
+ notify:
+ - reload bwc_rbac
+ tags:
+ - bwc-smoke-tests
+
+- name: Remove RBAC smoke tests roles # This doesn't cleanup role from DB.
+ become: yes
+ file:
+ state: absent
+ path: /opt/stackstorm/rbac/roles/{{ item.name }}.yml
+ with_items: "{{ bwc_smoke_tests_rbac.roles }}"
+ when: bwc_smoke_tests_rbac.roles is defined
+ notify:
+ - reload bwc_rbac
+ tags:
+ - bwc-smoke-tests
+
+- name: Remove RBAC smoke tests assignments # This doesn't cleanup assignment from DB.
+ become: yes
+ file:
+ state: absent
+ path: /opt/stackstorm/rbac/assignments/{{ bwc_smoke_tests_user }}.yml
+ when: bwc_smoke_tests_rbac.assignments is defined
+ notify:
+ - reload bwc_rbac
+ tags:
+ - bwc-smoke-tests
diff --git a/roles/bwc_smoketests/templates/rbac_assignments/assignments.yml.j2 b/roles/bwc_smoketests/templates/rbac_assignments/assignments.yml.j2
new file mode 100644
index 00000000..fe215e44
--- /dev/null
+++ b/roles/bwc_smoketests/templates/rbac_assignments/assignments.yml.j2
@@ -0,0 +1,5 @@
+---
+
+ username: {{ item.name }}
+ roles:
+ {{ item.roles | to_nice_yaml(2) | indent(2) }}
diff --git a/roles/bwc_smoketests/templates/rbac_roles/roles.yml.j2 b/roles/bwc_smoketests/templates/rbac_roles/roles.yml.j2
new file mode 100644
index 00000000..13d512a9
--- /dev/null
+++ b/roles/bwc_smoketests/templates/rbac_roles/roles.yml.j2
@@ -0,0 +1,6 @@
+---
+
+name: {{ item.name }}
+description: {{ item.description }}
+permission_grants:
+ {{ item.permission_grants | to_nice_yaml(2) | indent(2) }}
From 15ac7e6649cd8fd91594bb85b9f3c789c0a4f068 Mon Sep 17 00:00:00 2001
From: Lakshmi Kannan
Date: Thu, 16 Mar 2017 16:09:44 -0700
Subject: [PATCH 34/38] Add bwc_smoketests to stackstorm.yml
---
 stackstorm.yml | 1 +
 1 file changed, 1 insertion(+)
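Review bot: The `path:` values in the two `file: state: absent` tasks end in `.yml`, but the role and assignment files are written earlier in this series as `/opt/stackstorm/rbac/roles/{{ item.name }}.yaml` and `/opt/stackstorm/rbac/assignments/{{ item.name }}.yaml`, so these tasks report success while deleting nothing and the smoke-test role grants stay on disk to be re-applied by the next `reload bwc_rbac`. Change them to `path: /opt/stackstorm/rbac/roles/{{ item.name }}.yaml` and `path: /opt/stackstorm/rbac/assignments/{{ item.name }}.yaml`, and loop the assignments task over `bwc_smoke_tests_rbac.assignments` as the create task does rather than assuming the file is named after `bwc_smoke_tests_user`. The inline comments already note that the DB copies are not removed; it would help to state in that comment whether the `reload bwc_rbac` handler prunes definitions whose files are gone, because otherwise the test user's role assignment outlives its htpasswd entry.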
diff --git a/stackstorm.yml b/stackstorm.yml
index 1cb92274..83159c1d 100644
--- a/stackstorm.yml
+++ b/stackstorm.yml
@@ -13,3 +13,4 @@
 - nodejs
 - st2smoketests
 - bwc
+ - bwc_smoketests
From 9891ed218595c69bc1b27216c1f131a7ea7ebc2c Mon Sep 17 00:00:00 2001
From: Lakshmi Kannan
Date: Thu, 16 Mar 2017 16:21:47 -0700
Subject: [PATCH 35/38] lets see if this makes ansible-lint happy
---
 roles/bwc_smoketests/tasks/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/bwc_smoketests/tasks/main.yml b/roles/bwc_smoketests/tasks/main.yml
index 26e42a3f..9d87a5f4 100644
--- a/roles/bwc_smoketests/tasks/main.yml
+++ b/roles/bwc_smoketests/tasks/main.yml
@@ -61,7 +61,7 @@
 tags:
 - bwc-smoke-tests
 
-- name: Test some other action that ``bwc_smoke_tests_user`` cannot run
+- name: Test some other action that "{{ bwc_smoke_tests_user }}" cannot run
 command: st2 run core.http url="https://google.com"
 environment:
 ST2_AUTH_TOKEN: "{{ st2_token_smoke_tests_user.stdout }}"
From 9b5ff7376a4e09ea25a5d9efadc3c51d368884f7 Mon Sep 17 00:00:00 2001
From: Lakshmi Kannan
Date: Mon, 20 Mar 2017 12:08:57 -0700
Subject: [PATCH 36/38] Smoke tests need not be idempotent
---
 roles/bwc_smoketests/tasks/main.yml | 6 ++++++
 roles/bwc_smoketests/tasks/teardown.yml | 3 +++
 2 files changed, 9 insertions(+)
diff --git a/roles/bwc_smoketests/tasks/main.yml b/roles/bwc_smoketests/tasks/main.yml
index 9d87a5f4..0b0af1a0 100644
--- a/roles/bwc_smoketests/tasks/main.yml
+++ b/roles/bwc_smoketests/tasks/main.yml
@@ -8,6 +8,7 @@
 path: /etc/st2/htpasswd
 name: "{{ bwc_smoke_tests_user }}"
 password: "{{ bwc_smoke_tests_password }}"
+ changed_when: no
 notify:
 - restart st2api
 - restart st2stream
@@ -22,6 +23,7 @@
 owner: st2
 group: st2
 with_items: "{{ bwc_smoke_tests_rbac.roles }}"
+ changed_when: no
 when: bwc_smoke_tests_rbac.roles is defined
 notify:
 - reload bwc_rbac
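Review bot: `changed_when: no` on the htpasswd task in the `@@ -8,6 +8,7 @@` hunk suppresses the `notify:` that follows it, because Ansible only queues handlers from a task whose result is changed, so `restart st2api` and `restart st2stream` no longer run after the smoke-test user is added; the same applies to the `reload bwc_rbac` notify in the `@@ -22,6 +23,7 @@` hunk, which is what loads the smoke-test roles before the later `flush_handlers`. If the aim is only to keep the play recap free of changes, drop `changed_when: no` from the tasks that notify handlers and keep it on the pure `command` checks, or replace those notifies with explicit restart/reload tasks that run unconditionally. The enclosing task list continues outside these hunks.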
@@ -36,6 +38,7 @@
 owner: st2
 group: st2
 with_items: "{{ bwc_smoke_tests_rbac.assignments }}"
+ changed_when: no
 when: bwc_smoke_tests_rbac.assignments is defined
 notify:
 - reload bwc_rbac
@@ -66,6 +69,7 @@
 environment:
 ST2_AUTH_TOKEN: "{{ st2_token_smoke_tests_user.stdout }}"
 ignore_errors: yes
+ changed_when: no
 register: bwc_smoke_tests_forbidden_action
 tags:
 - bwc-smoke-tests
@@ -73,11 +77,13 @@
 - name: Assert forbidden error was indeed thrown
 fail:
 msg: "St2 action was forbidden to run because of RBAC permissions but action still ran."
+ changed_when: no
 when: "bwc_smoke_tests_forbidden_action.stdout.find('Forbidden') == -1"
 tags:
 - bwc-smoke-tests
 
 - name: Teardown test artifacts
 include: "teardown.yml"
+ changed_when: no
 tags:
 - bwc-smoke-tests
diff --git a/roles/bwc_smoketests/tasks/teardown.yml b/roles/bwc_smoketests/tasks/teardown.yml
index 5f8d837c..4074c098 100644
--- a/roles/bwc_smoketests/tasks/teardown.yml
+++ b/roles/bwc_smoketests/tasks/teardown.yml
@@ -6,6 +6,7 @@
 path: /etc/st2/htpasswd
 name: "{{ bwc_smoke_tests_user }}"
 state: absent
+ changed_when: no
 notify:
 - reload bwc_rbac
 tags:
@@ -18,6 +19,7 @@
 path: /opt/stackstorm/rbac/roles/{{ item.name }}.yml
 with_items: "{{ bwc_smoke_tests_rbac.roles }}"
 when: bwc_smoke_tests_rbac.roles is defined
+ changed_when: no
 notify:
 - reload bwc_rbac
 tags:
@@ -29,6 +31,7 @@
 state: absent
 path: /opt/stackstorm/rbac/assignments/{{ bwc_smoke_tests_user }}.yml
 when: bwc_smoke_tests_rbac.assignments is defined
+ changed_when: no
 notify:
 - reload bwc_rbac
 tags:
From a7291798522f3d55432d9591c2590f3bca8e0325 Mon Sep 17 00:00:00 2001
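Review bot: In the teardown hunk `@@ -6,6 +6,7 @@`, `changed_when: no` on the htpasswd removal means the `reload bwc_rbac` notify two lines below never fires (handlers are only notified by a changed result), so whatever that handler does to retire the smoke-test user's assignment no longer happens during cleanup; the same holds for the two `file: state: absent` hunks that follow it. Keep `changed_when: no` off the three teardown tasks that notify, or run the reload as an explicit task after them. The `changed_when: no` added to `fail:` and to `include: "teardown.yml"` in the `@@ -73,11 +77,13 @@` hunk is harmless but does nothing useful — `fail` never reports changed, and I do not believe `changed_when` on a static `include` propagates to the included tasks; confirm against the Ansible version in use before relying on it.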
From: Lakshmi Kannan
Date: Mon, 20 Mar 2017 18:01:52 -0700
Subject: [PATCH 37/38] Use hash to save license info and handle when license changed
---
 roles/bwc/tasks/bwc_repos_cleanup_apt.yml | 8 ++++
 roles/bwc/tasks/bwc_repos_cleanup_yum.yml | 7 ++++
 roles/bwc/tasks/bwc_repos_setup.yml | 3 ++
 roles/bwc/tasks/license.yml | 47 +++++++++++++++++++++++
 4 files changed, 65 insertions(+)
 create mode 100644 roles/bwc/tasks/bwc_repos_cleanup_apt.yml
 create mode 100644 roles/bwc/tasks/bwc_repos_cleanup_yum.yml
 create mode 100644 roles/bwc/tasks/license.yml
diff --git a/roles/bwc/tasks/bwc_repos_cleanup_apt.yml b/roles/bwc/tasks/bwc_repos_cleanup_apt.yml
new file mode 100644
index 00000000..b634b6dd
--- /dev/null
+++ b/roles/bwc/tasks/bwc_repos_cleanup_apt.yml
@@ -0,0 +1,8 @@
+---
+
+- name: Cleanup repo list file from disk
+ become: yes
+ file:
+ path: /etc/apt/sources.list.d/StackStorm_{{ bwc_pkg_repo }}
+ state: absent
+
diff --git a/roles/bwc/tasks/bwc_repos_cleanup_yum.yml b/roles/bwc/tasks/bwc_repos_cleanup_yum.yml
new file mode 100644
index 00000000..769c4bf8
--- /dev/null
+++ b/roles/bwc/tasks/bwc_repos_cleanup_yum.yml
@@ -0,0 +1,7 @@
+---
+
+- name: Cleanup repo list file from disk
+ become: yes
+ yum_resository:
+ name: "StackStorm_{{ bwc_pkg_repo }}"
+ state: absent
diff --git a/roles/bwc/tasks/bwc_repos_setup.yml b/roles/bwc/tasks/bwc_repos_setup.yml
index 603103d2..eb9c79ad 100644
--- a/roles/bwc/tasks/bwc_repos_setup.yml
+++ b/roles/bwc/tasks/bwc_repos_setup.yml
@@ -14,6 +14,9 @@
 group: st2
 state: directory
 
+- name: Handle bwc_license change
+ include: license.yml
+
 - name: Get read token for repo from packagecloud
 become: yes
 no_log: yes
diff --git a/roles/bwc/tasks/license.yml b/roles/bwc/tasks/license.yml
new file mode 100644
index 00000000..a68e583a
--- /dev/null
+++ b/roles/bwc/tasks/license.yml
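Review bot: `path: /etc/apt/sources.list.d/StackStorm_{{ bwc_pkg_repo }}` has no `.list` suffix, yet apt only reads `*.list` (or `*.sources`) files from that directory, so a source entry that apt actually honours would carry that suffix and this task would silently remove nothing, leaving the old repository definition (and any read token embedded in its URL) active after a license change. The task that writes the file is not in the visible hunks, so confirm the exact filename and mirror it here, e.g. `path: /etc/apt/sources.list.d/StackStorm_{{ bwc_pkg_repo }}.list`. `bwc_pkg_repo` is interpolated into a path handed to `file: state: absent`; it is an operator variable, but an `assert` restricting it to the known repo names costs one task and rules out a stray `../`.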
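Review bot: `yum_resository:` is a misspelling of the `yum_repository` module, so Ansible cannot resolve an action for this task and the play fails on every EL host that takes the license-changed path — the stale repository is never removed. Change the line to `yum_repository:`. The `name: "StackStorm_{{ bwc_pkg_repo }}"` must also equal the repo id used when the repository was added (the `bwc_repos_setup.yml` hunk here does not show it); with a different id, `state: absent` is a silent no-op.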
@@ -0,0 +1,47 @@
+---
+
+- name: Check if BWC license hash file is present
+ stat:
+ path: /etc/packagecloud/bwc_license_hash.txt
+ register: bwc_license_hash_file
+
+- name: Read bwc_license_hash from file if it exits
+ set_fact:
+ bwc_license_hash: "{{ lookup('file', '/etc/packagecloud/bwc_license_hash.txt') }}"
+ no_log: yes
+ when: bwc_license_hash_file.stat.exists
+
+- name: Set bwc_license_hash to incoming hash if not defined
+ no_log: yes
+ set_fact:
+ bwc_license_hash: '{{ bwc_license | password_hash("sha512", "7nA5RbWEJpzQS6FM") }}'
+ when: not bwc_license_hash_file.stat.exists
+
+- name: Write bwc_license_hash to file if file not found on disk
+ copy:
+ content: "{{ bwc_license | password_hash('sha512', '7nA5RbWEJpzQS6FM') }}"
+ dest: "/etc/packagecloud/bwc_license_hash.txt"
+ force: yes
+ become: yes
+ when: not bwc_license_hash_file.stat.exists
+
+- name: "Cleanup read token cached file from disk"
+ become: yes
+ file:
+ path: "/etc/packagecloud/StackStorm_{{ bwc_pkg_repo }}_read_token.txt"
+ state: absent
+ when: '"{{ bwc_license | password_hash("sha512", "7nA5RbWEJpzQS6FM") }}" != "{{ bwc_license_hash }}"'
+
+- name: "Cleanup repo list file from disk"
+ become: yes
+ include: "bwc_repos_cleanup_{{ ansible_pkg_mgr }}.yml"
+ when: '"{{ bwc_license | password_hash("sha512", "7nA5RbWEJpzQS6FM") }}" != "{{ bwc_license_hash }}"'
+
+- name: Write new bwc_license_hash to file
+ copy:
+ content: "{{ bwc_license | password_hash('sha512', '7nA5RbWEJpzQS6FM') }}"
+ dest: "/etc/packagecloud/bwc_license_hash.txt"
+ force: yes
+ become: yes
+ no_log: yes
+ when: '"{{ bwc_license | password_hash("sha512", "7nA5RbWEJpzQS6FM") }}" != "{{ bwc_license_hash }}"'
From 51ff5175ae134635197e0aee5170f3f9e595c2ce Mon Sep 17 00:00:00 2001
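Review bot: `lookup('file', '/etc/packagecloud/bwc_license_hash.txt')` is evaluated on the Ansible controller, not on the managed host, whereas the preceding `stat` checks the remote file; on any non-local target the lookup either errors on a missing file or reads an unrelated controller-side file, so the stored hash is never compared against the incoming license correctly. Read the remote file with `slurp` and decode it, as below. Both `copy` tasks write the hash with default permissions (no `mode:`/`owner:`), and the first one lacks the `no_log: yes` the second has, so the digest can appear in `--diff` output; add `mode: "0600"` and `no_log: yes` to both. With a fixed salt (`7nA5RbWEJpzQS6FM`) the stored value is a deterministic fingerprint of the license — fine for change detection, but protected only by the file's permissions, which is why the mode matters.
```yaml
- name: Read bwc_license_hash from file if it exists
  become: yes
  slurp:
    src: /etc/packagecloud/bwc_license_hash.txt
  register: bwc_license_hash_raw
  no_log: yes
  when: bwc_license_hash_file.stat.exists

- name: Set bwc_license_hash from the file contents
  set_fact:
    bwc_license_hash: "{{ bwc_license_hash_raw.content | b64decode | trim }}"
  no_log: yes
  when: bwc_license_hash_file.stat.exists
# … unchanged: incoming-hash fact, read-token/repo cleanup and hash-write tasks …
```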
From: Lakshmi Kannan
Date: Tue, 21 Mar 2017 12:52:33 -0700
Subject: [PATCH 38/38] Use hash as opposed to password_hash
---
 roles/bwc/tasks/bwc_repos_cleanup_apt.yml | 1 -
 roles/bwc/tasks/license.yml | 12 ++++++------
 .../templates/rbac_assignments/assignments.yml.j2 | 6 +++---
 .../templates/rbac_assignments/assignments.yml.j2 | 6 +++---
 4 files changed, 12 insertions(+), 13 deletions(-)
diff --git a/roles/bwc/tasks/bwc_repos_cleanup_apt.yml b/roles/bwc/tasks/bwc_repos_cleanup_apt.yml
index b634b6dd..073d143b 100644
--- a/roles/bwc/tasks/bwc_repos_cleanup_apt.yml
+++ b/roles/bwc/tasks/bwc_repos_cleanup_apt.yml
@@ -5,4 +5,3 @@
 file:
 path: /etc/apt/sources.list.d/StackStorm_{{ bwc_pkg_repo }}
 state: absent
-
diff --git a/roles/bwc/tasks/license.yml b/roles/bwc/tasks/license.yml
index a68e583a..171d13dd 100644
--- a/roles/bwc/tasks/license.yml
+++ b/roles/bwc/tasks/license.yml
@@ -14,12 +14,12 @@
 - name: Set bwc_license_hash to incoming hash if not defined
 no_log: yes
 set_fact:
- bwc_license_hash: '{{ bwc_license | password_hash("sha512", "7nA5RbWEJpzQS6FM") }}'
+ bwc_license_hash: '{{ bwc_license | hash("sha512") }}'
 when: not bwc_license_hash_file.stat.exists
 
 - name: Write bwc_license_hash to file if file not found on disk
 copy:
- content: "{{ bwc_license | password_hash('sha512', '7nA5RbWEJpzQS6FM') }}"
+ content: "{{ bwc_license | hash('sha512') }}"
 dest: "/etc/packagecloud/bwc_license_hash.txt"
 force: yes
 become: yes
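Review bot: Replacing the salted `password_hash` with a bare `hash("sha512")` makes `/etc/packagecloud/bwc_license_hash.txt` a plain, unsalted SHA-512 of the license key, so anyone who can read that file can confirm a guessed or leaked key offline; the `copy` task in this hunk still sets no `mode:` and has no `no_log: yes` (the later write in the file does), so the file is created with default permissions and its content can show up in `--diff` output. For a high-entropy license the plain digest is acceptable as a change fingerprint, but add `mode: "0600"` and `no_log: yes` to this `copy`, and keep `no_log` on the `set_fact` as it is. Document the intent with a comment above the task, e.g. `# Digest is only a change-detection fingerprint for the license; never reuse it as a credential.`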
@@ -30,18 +30,18 @@
 file:
 path: "/etc/packagecloud/StackStorm_{{ bwc_pkg_repo }}_read_token.txt"
 state: absent
- when: '"{{ bwc_license | password_hash("sha512", "7nA5RbWEJpzQS6FM") }}" != "{{ bwc_license_hash }}"'
+ when: '"{{ bwc_license | hash("sha512") }}" != "{{ bwc_license_hash }}"'
 
 - name: "Cleanup repo list file from disk"
 become: yes
 include: "bwc_repos_cleanup_{{ ansible_pkg_mgr }}.yml"
- when: '"{{ bwc_license | password_hash("sha512", "7nA5RbWEJpzQS6FM") }}" != "{{ bwc_license_hash }}"'
+ when: '"{{ bwc_license | hash("sha512") }}" != "{{ bwc_license_hash }}"'
 
 - name: Write new bwc_license_hash to file
 copy:
- content: "{{ bwc_license | password_hash('sha512', '7nA5RbWEJpzQS6FM') }}"
+ content: "{{ bwc_license | hash('sha512') }}"
 dest: "/etc/packagecloud/bwc_license_hash.txt"
 force: yes
 become: yes
 no_log: yes
- when: '"{{ bwc_license | password_hash("sha512", "7nA5RbWEJpzQS6FM") }}" != "{{ bwc_license_hash }}"'
+ when: '"{{ bwc_license | hash("sha512") }}" != "{{ bwc_license_hash }}"'
diff --git a/roles/bwc/templates/rbac_assignments/assignments.yml.j2 b/roles/bwc/templates/rbac_assignments/assignments.yml.j2
index fe215e44..67a90ec1 100644
--- a/roles/bwc/templates/rbac_assignments/assignments.yml.j2
+++ b/roles/bwc/templates/rbac_assignments/assignments.yml.j2
@@ -1,5 +1,5 @@
 ---
 
- username: {{ item.name }}
- roles:
- {{ item.roles | to_nice_yaml(2) | indent(2) }}
+username: {{ item.name }}
+roles:
+ {{ item.roles | to_nice_yaml(2) | indent(2) }}
diff --git a/roles/bwc_smoketests/templates/rbac_assignments/assignments.yml.j2 b/roles/bwc_smoketests/templates/rbac_assignments/assignments.yml.j2
index fe215e44..67a90ec1 100644
--- a/roles/bwc_smoketests/templates/rbac_assignments/assignments.yml.j2
+++ b/roles/bwc_smoketests/templates/rbac_assignments/assignments.yml.j2
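Review bot: The three `when:` lines still template both sides into a quoted string (`'"{{ bwc_license | hash("sha512") }}" != "{{ bwc_license_hash }}"'`), which Ansible warns about (conditionals should not contain Jinja delimiters) and which recomputes the license digest three times with the secret flowing through a non-`no_log` expression each time. Compute it once into a fact under `no_log: yes` (e.g. `bwc_license_hash_current: "{{ bwc_license | hash('sha512') }}"`) and write each condition as `when: bwc_license_hash_current != bwc_license_hash`. The enclosing task list starts outside this hunk.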
@@ -1,5 +1,5 @@
 ---
 
- username: {{ item.name }}
- roles:
- {{ item.roles | to_nice_yaml(2) | indent(2) }}
+username: {{ item.name }}
+roles:
+ {{ item.roles | to_nice_yaml(2) | indent(2) }}