Ansible Installer: Remove EWC & Update regarding LDAP, RBAC & FlowUI #1061

Merged
merged 9 commits into from
May 6, 2021
66 changes: 60 additions & 6 deletions docs/source/install/ansible.rst
@@ -60,8 +60,9 @@ complete installation:
- ``nodejs`` - Dependency for ``st2chatops``.
- ``st2chatops`` - Install and configure st2chatops for hubot adapter integration with |st2|.
- ``st2smoketests`` - Simple checks to see if |st2| is working.
- ``ewc`` - Install and configure |ewc|, including ``LDAP`` and ``RBAC``. StackStorm < 3.3 only.
- ``ewc_smoketests`` - Simple checks to see if |ewc| is working. StackStorm < 3.3 only.

For StackStorm versions earlier than 3.3, Extreme Networks provided a commercial version of the StackStorm automation platform (EWC). EWC contained advanced features like RBAC, LDAP and the Workflow Designer. Since StackStorm 3.4 RBAC and LDAP are core-features of StackStorm itself and the FlowUI as part of ``st2web`` replaces the Workflow Designer. Therefore, the ``ewc`` role is no longer supported and the LDAP and RBAC backends are now configured and deployed via the ``st2`` role. The FlowUI does not require any configuration.


Example Play
---------------------------
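
Review bot: The new paragraph in this hunk leaves StackStorm 3.3 itself unaccounted for: it says EWC existed "For StackStorm versions earlier than 3.3" and then "Since StackStorm 3.4 RBAC and LDAP are core-features", so a reader on 3.3 cannot tell whether the ``ewc`` role or the ``st2`` role applies. Suggest naming a single cut-over version and using it in both sentences. Because the ``ewc`` and ``ewc_smoketests`` list entries go away here, it would also help to say explicitly that existing plays referencing those roles must drop them and move their LDAP and RBAC settings to the ``st2`` role. Minor wording: "core-features" should be "core features", and a comma is needed after "Since StackStorm 3.4".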
@@ -126,7 +127,6 @@ By default we generate a self-signed certificate for ``nginx`` in ``st2web`` rol
st2web_ssl_certificate: "{{ lookup('file', 'local/path/to/domain-name.crt') }}"
st2web_ssl_certificate_key: "{{ lookup('file', 'local/path/to/domain-name.key') }}"


Installing Behind a Proxy
-------------------------

@@ -145,11 +145,65 @@ If you are installing from behind a proxy, you can use the environment variables
roles:
- st2

Enabling LDAP authentication and add RBAC configuration
-------------------------------------------------------

|ewc|
-----
.. include:: common/ewc_intro.rst
By default :doc:`LDAP authentication </authentication>` & :doc:`RBAC </rbac>` are disabled. You can enable and configure these features via the Stackstorm.st2 role to allow/restrict/limit |st2| functionality to specific users:

.. sourcecode:: yaml

- name: Install and configure st2 with enabled LDAP authentication and RBAC
role: st2
vars:
st2_version: latest
st2_auth_enable: yes
st2_auth_username: testu
st2_auth_password: testp
st2_save_credentials: yes
st2_system_user: stanley
st2_system_user_in_sudoers: yes
# Dict to edit https://github.com/StackStorm/st2/blob/master/conf/st2.conf.sample
st2_config: {}
st2_ldap_enable: yes
st2_ldap:
# Configure the LDAP connection and query attributes
# https://docs.stackstorm.com/authentication.html#ldap
backend_kwargs:
bind_dn: "cn=Administrator,cn=users,dc=change-you-org,dc=net"
bind_password: "foobar123"
base_ou: "dc=example,dc=net"
group_dns:
- "CN=stormers,OU=groups,DC=example,DC=net"
host: identity.example.net
port: 389
id_attr: "samAccountName"
st2_rbac_enable: yes
st2_rbac:
# Define roles and permissions
# https://docs.stackstorm.com/rbac.html#defining-roles-and-permission-grants
roles:
- name: core_local_only
description: "This role has access only to action core.local in pack 'core'"
enabled: true
permission_grants:
- resource_uid: "action:core:local"
permission_types:
- action_execute
- action_view
- permission_types:
- runner_type_list
# Assign roles to specific users
# https://docs.stackstorm.com/rbac.html#defining-user-role-assignments
assignments:
- name: test_user
roles:
- core_local_only
- name: stanley
roles:
- admin
- name: chuck_norris
roles:
- system_admin

.. note::

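Review bot: The ``st2_ldap`` block of the new example binds as ``cn=Administrator`` with an inline ``bind_password: "foobar123"`` on ``port: 389`` and shows no transport-security setting, so a reader who copies it commits a directory administrator's password to the playbook in clear text and sends it over an unencrypted connection. Suggest showing a dedicated read-only bind account, sourcing ``bind_password`` and ``st2_auth_password`` from Ansible Vault or a lookup (the ``st2web_ssl_certificate`` example earlier in this file already uses ``lookup('file', ...)``), and listing the LDAP backend's ``use_tls`` or ``use_ssl`` option next to ``host`` and ``port``. The sample domains are also inconsistent: ``bind_dn`` uses ``dc=change-you-org,dc=net`` while ``base_ou`` and ``group_dns`` use ``dc=example,dc=net``; use one domain throughout and fix the "change-you-org" typo. In the RBAC part, the example grants ``admin`` to ``stanley`` and ``system_admin`` to ``chuck_norris`` without comment; a sentence on why the system user needs ``admin`` would keep readers from copying broad grants by default. Wording: the heading "Enabling LDAP authentication and add RBAC configuration" should read "Enabling LDAP authentication and adding RBAC configuration", and "Stackstorm.st2" should use the project's "StackStorm" capitalisation.
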