Let an organization admin add new users to its tower organization #11655

Merged
merged 1 commit into from Feb 13, 2022

Contributor

@ivarmu ivarmu commented Feb 1, 2022

SUMMARY

Let an organization admin add new users to its tower organization. An organization admin must be able to create new users in its organization (and Tower).

ISSUE TYPE
  • Feature Pull Request
COMPONENT NAME
  • API
AWX VERSION
Ansible Automation Platform Controller 4.1.0
ADDITIONAL INFORMATION

BEFORE:

    - name: Configure Tower local users
      ansible.controller.tower_user:
        tower_username: "{{ configure_tower_username }}"
        tower_password: "{{ configure_tower_password }}"
        tower_host: "{{ configure_tower_server_url }}"
        validate_certs: "{{ configure_tower_validate_certs }}"
        username: "userorg2"
        password: "passorg2"
 👒 ivan@iamlabp1 -  ✝  iam/Orgs/organization2   dev±  ansible-playbook  test.yml --vault-password-file .vault_pass.txt
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'

PLAY [localhost] *****************************************************************************************************************************************************************************************************************************

TASK [Gathering Facts] ***********************************************************************************************************************************************************************************************************************
ok: [localhost]

TASK [Configure Tower local users] ***********************************************************************************************************************************************************************************************************
[WARNING]: You are using the controller version of this collection but connecting to Red Hat Ansible Tower
fatal: [localhost]: FAILED! => {"changed": false, "msg": "You don't have permission to POST to /api/v2/users/ (HTTP 403)."}

PLAY RECAP ***********************************************************************************************************************************************************************************************************************************
localhost                  : ok=1    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0   

AFTER:

    - name: Configure Tower local users
      ansible.controller.tower_user:
        tower_username: "{{ configure_tower_username }}"
        tower_password: "{{ configure_tower_password }}"
        tower_host: "{{ configure_tower_server_url }}"
        validate_certs: "{{ configure_tower_validate_certs }}"
        username: "BBB"
        password: "BBB"
        organization: "organization1"
 👒 ivan@iamlabp1 -  ✘  ✝  iam/Orgs/organization2   dev±  cd ../organization1 
 👒 ivan@iamlabp1 -  ✝  iam/Orgs/organization1   dev±  ansible-playbook  test.yml --vault-password-file .vault_pass.txt
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'

PLAY [localhost] *****************************************************************************************************************************************************************************************************************************

TASK [Gathering Facts] ***********************************************************************************************************************************************************************************************************************
ok: [localhost]

TASK [Configure Tower local users] ***********************************************************************************************************************************************************************************************************
[WARNING]: You are using the controller version of this collection but connecting to Red Hat Ansible Tower
[WARNING]: The field password of user 77 has encrypted data and may inaccurately report task is changed.
changed: [localhost]

PLAY RECAP ***********************************************************************************************************************************************************************************************************************************
localhost                  : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   


@sean-m-sullivan
Contributor

Addresses issue #8982

@sean-m-sullivan sean-m-sullivan left a comment

I think this looks good, addresses the issue, and gives some flexibility for user creation.

@john-westcott-iv
Member

I'm pretty sure this PR is going to fail the completeness test (awx_collection/test/awx/test_completeness.py) because organization is not part of the UI api options page. You will need to modify the field no_api_parameter_ok for users to add in organization. i.e. change

    # user parameters to rename a user.
    'user': ['new_username'],

to:

    # new_username parameters to rename a user and organization allows for org admin user creation
    'user': ['new_username', 'organization'],

@ivarmu
Contributor Author

ivarmu commented Feb 3, 2022

Hi!

Is there anything pending I can do to improve the PR?

@john-westcott-iv
Member

One thing I just thought of is that I'm pretty sure the tests run as admin. Because of this, in your additional test you have effectively tested that an admin user can run the module using the org field but we haven't tested that these changes will work for an org admin trying to create a user as intended. It will be some work but it would be nice if you created a new org admin, get a token for it and then use the token to do an assertion that they can't create a user (w/o org param) and then do an assertion that they can create a user (w/ the org param). Let me know if you need any help with this.
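The check requested in the comment above, written as a playbook. This is an added example, not part of the PR or its test suite: the module and connection variables follow the PR description, and it assumes an account (`org_admin_username`, a hypothetical variable) that already holds only the admin role on `organization1`; the `vault_*` variable and the test usernames are constructed.

```yaml
# Added example, not from the PR. Connection variables and module usage follow the
# PR description; org_admin_* and vault_* variables and the usernames are constructed.
- name: Check that an org admin can only create users through its organization
  hosts: localhost
  gather_facts: false
  vars:
    org_name: "organization1"   # organization used in the PR description
  tasks:
    - name: Org admin creates a user without the organization parameter
      ansible.controller.tower_user:
        tower_username: "{{ org_admin_username }}"   # assumed: admin of org_name only
        tower_password: "{{ org_admin_password }}"
        tower_host: "{{ configure_tower_server_url }}"
        validate_certs: "{{ configure_tower_validate_certs }}"
        username: "rbac_test_no_org"
        password: "{{ vault_test_user_password }}"
      register: no_org
      ignore_errors: true   # the failure is the expected result, asserted below

    - name: Org admin creates a user with the organization parameter
      ansible.controller.tower_user:
        tower_username: "{{ org_admin_username }}"
        tower_password: "{{ org_admin_password }}"
        tower_host: "{{ configure_tower_server_url }}"
        validate_certs: "{{ configure_tower_validate_certs }}"
        username: "rbac_test_with_org"
        password: "{{ vault_test_user_password }}"
        organization: "{{ org_name }}"
      register: with_org

    - name: Creation must be refused without an organization and allowed with one
      ansible.builtin.assert:
        that:
          - no_org is failed
          - "'HTTP 403' in no_org.msg"   # message text as shown in the BEFORE run
          - with_org is changed
```

Running it with the system admin's credentials instead would make the first task succeed and the assertion fail, which is the gap the comment points out in an admin-only test run.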

@ivarmu
Contributor Author

ivarmu commented Feb 3, 2022

be some work but it would be nice if you created a new org admin, get a token for it and then use the token to do an assertion that they can't create a user (w/o org param) and then do an assertion that they can create a user (w/ the org param). Let me know if you need any help with this.

Done. Instead of creating a token, I've directly used a username and password for the newly created user.

@john-westcott-iv
Member

@ivarmu One last linting error and then we can merge this.

@ivarmu
Contributor Author

ivarmu commented Feb 4, 2022

Fixed! 😅

@ivarmu ivarmu reopened this Feb 9, 2022
@shanemcd shanemcd merged commit 60b6faf into ansible:devel Feb 13, 2022