Use surveys and the revamped access rights to give your users self-service access

Surveys allow us to build input dialogs and wizards to guide users through the process of providing the required data to run a job. There are different survey fields including drop down lists, password fields, or simple input boxes.

The Scenario

The App and Ops teams are quite happy with how you setup the workflow to combine both teams' Ansible content into one automation job. But something else came up, as the app team has a new Night Shift member. They would like to allow this new member to:

  • Change the content of the web site NodeJS is serving

  • Run the webapp deployment job.

However, the new team member should not be allowed to change anything else in AAP for now. Sounds like a job for Automation Execution Surveys and Ansible Automation Platform Role Based Access Control!

Add the survey

Surveys allow to define the content of variables before running a job. The "Hello World!" our NodeJS application prints out, is actually defined in the install_node_app playbook in the variable content.

If the AAP UI is not open anymore, refer to the Lab Access page for the access details.

So we just need to add a survey to our Deploy Webapplication Workflow template. In the AAP UI, open Automation Execution ⇒ Templates ⇒ Deploy Webapplication, then:

  1. Go to the Survey tab

  2. Click Create survey question and fill in:

    • Question: Web Content

    • Answer variable name: content

    • Answer type: Text

  3. Click Create survey question

  4. To enable the survey, while still on the Survey tab, switch the slider button from Survey disabled to Survey enabled (it turns from grey to blue).

Test the survey

Launch the Deploy Webapplication Workflow Template by clicking on the Launch template button.

You may also click the rocket icon on the Automation Execution ⇒ Templates page.

Before the actual launch the survey will ask for Web Content. Fill in some text of your invention and click Next. The Review window shows the launch details and at the bottom the text you have entered using the survey. If all is good, run the Job by clicking Finish.

Note how the survey content is shown on the Details tab of the Job view in the Extra variables field. From an Ansible perspective they are actually nothing else than extra variables.

After the job has completed, check the result. In your VS Code terminal, run again:

curl http://node1.example.com/nodejs

The string returned should match what you entered in the survey.

Create a restricted user

The second part of your task is to add the new Night Shift user who is only allowed to execute the Deploy Webapplication Workflow, but nothing else. For this you have to leverage the RBAC (Role Base Access Control) features of AAP.

Create Role

Since AAP 2.5, access management is handled in one central place across all services offered by AAP. Automation Execution (aka controller) is only one of those services. For this reason, we need to navigate down to the Access Management section of AAP. There you click on the Roles entry, and make sure you are in the Automation Execution tab.

First filter on "Workflow". You can verify that no built-in role allows to execute and approve a workflow, without being able to modify or delete them. To do so, click on the small arrow head next to the tick box on the left of each role to drop down the actual permissions.

Filter Workflow roles
Figure 1. Filter Workflow roles

The Night Shift personal though is alone at night and they need to be able to circumvent approval steps or they might not be able to do their job.

For sake of simplicity and time, our workflow doesn’t have an approval step. Feel free to add one between the two steps if you happen to have time left at the end of the session. This said, think about the fact that adding an approval step is adding a manual step in what should be an end-to-end automated workflow.

So we decide to create our own role for them:

  • Click on the blue Create role button (potentially hidden behind a 3 dots menu), and enter:

    • Name: WorkflowNightShifter

    • Content type: Workflow job template

    • Permissions: (select the following ones)

      • Approve workflow job template

      • Execute workflow job template

      • View workflow job template

  • Press the blue Create role button

Back to Automation Execution Roles and again filtering on "Workflow", you can easily see that our new role is "Editable" and not "Built-in".

Create User

Create now the user as follows:

  1. In the AAP web UI menu under Access Management ⇒ Users

  2. Click the Create user button

  3. Fill in the values for the new user:

    • Username: nightshift

    • Password: MYPASSWORD

    • Confirm Password: MYPASSWORD

    • First Name: Night

    • Last Name: Shift

    • Email: nightshift@example.com

    • User Type: (make sure everything is unchecked for a normal user)

    • Organization: Default

  4. Click Create user

Create Team

A Team is a subdivision of an organization with associated users, projects, credentials, and permissions. Teams provide a means to implement role based access control schemes and delegate responsibilities across organizations. For instance, permissions may be granted to a whole Team rather than each user on the Team.

Create a Team:

  1. Go to Access Management ⇒ Teams.

  2. Click the blue Create team button

  3. Fill the values for the new team:

    • Name: NightShifters

    • Organization: Default

  4. Click Create team

Now you can add the new user to the team:

  1. Switch to the Users tab (staying in the NightShifters team view)

  2. Click the Add users button

  3. Select the nightshift user

  4. Click Add users

User nightshift is now a member of the NightShifters Team.

You could have reached the same objective by using the Teams tab of the user’s view instead of the Users tab of the team’s view.

Grant Permissions

To allow users or teams to actually do anything, you have to set permissions. The members of the Team NightShifters should only be allowed to modify the NodeJS content.

Add the permission to use the template:

  1. Open the Team NightShifters under Access Management ⇒ Teams

  2. Go to the Roles tab

  3. Click the blue Add roles button

  4. A new dialog opens. You can choose to set permissions for a number of resources:

    • Select a resource type: Workflow job templates

    • Click Next

    • Choose the Deploy Webapplication Template by checking the box next to it.

    • Click Next

    • Choose the role WorkflowNightShifter

  5. Click Next, review and Finish

  6. A short progress dialog appears, click Close

If you go to Automation Execution ⇒ Templates, open the Deploy Webapplication workflow, and go to the Team Access tab, you’ll see an overview of all RBAC entries.

Test the restricted user

You’ve now setup the required user and permissions. To test everything, log out of AAP’s web UI and in again as the nightshift user with password MYPASSWORD.

  1. Go to the Automation Execution ⇒ Templates view, you should notice that for nightshift only the Deploy Webapplication template is visible. The user is allowed to view and launch, and approve, but not to edit the Template. Just open the template and try to change it, there is not even an Edit button.

  2. Launch the Template by clicking the rocket icon. Enter the survey content to your liking and launch the job.

  3. Once the job is finished, check the result by executing once again in the terminal:

    curl http://node1.example.com/nodejs

  4. In the web UI, log out user nightshift and in again as MYUSER.

Conclusion

Recall what you have just done:

  • You provided the permission to execute an automation workflow to another user without handing out your credentials or giving the user the ability to change the automation code.

  • And yet, at the same time the user can still modify details based on the survey you created.