Allowing "Run all Ansible roles" to only a subset of Host Groups

Problem:
Hi!
I would like some assistance or clarification for the below actions please.
Thanks in advance.

I am creating a Role which would allow certain User Groups to manage their Hosts and Host Groups. The User Groups are LDAP groups.

These are the filters I applied (Related to Host Groups):
For all Host Groups:

  • Resource Host Group
    • Permissions: view_hostgroups

Host Groups which have a structure of Parent/TeamName/Service:

  • Resource Host Group
    • Permissions: view_hostgroups, edit_hostgroups, play_roles_on_hostgroup
  • Search
    • title ~ TeamName

The members of the User Groups which have this Role assigned can view all the Host Groups in the Host Groups list. They can only manage the Host Groups which have TeamName in the title.
The problem is that they can execute “Run all Ansible roles” in any group that has hosts in it.

If I remove the play_roles_on_hostgroup permission, all of the Host Groups have the option greyed out.

Expected outcome:
The outcome I am expecting is:

  • only the Host Groups that match the search criteria would have the “Run all Ansible roles” button enabled
  • the option would be greyed out on the rest.

Foreman and Proxy versions:
3.12.1

Foreman and Proxy plugin versions:
foreman-tasks - 9.2.3
foreman_ansible - 14.2.1
foreman_default_hostgroup - 7.0.0
foreman_puppet - 7.0.0
foreman_remote_execution - 13.2.4

Distribution and version:
Ubuntu 22.04.4 LTS
Other relevant data:

This is going to be much more involved than that. There are all sorts of objects that need to be viewed and created in order to run a job and there’s no blanket permission that would give you all of them.

What is needed:

  • resource: Host Group
    • permissions: play_roles_on_hostgroup, edit_hostgroups, view_hostgroups
    • search: title ~ TeamName
  • resource: Job Invocation
    • permissions: create_job_invocations, view_job_invocations
  • resource: Host
    • permissions: view_hosts
    • search: hostgroup_title ~ TeamName
  • resource: Ansible role
    • permissions: view_ansible_roles
  • resource: Job template
    • permissions: view_job_templates
    • search: name = "Ansible Roles - Ansible Default"
  • resource: Smart Proxy
    • permissions: view_smart_proxies
  • resource: Template invocation
    • permissions: view_template_invocations, create_template_invocations
    • search: (null? host.name) or host_group.name ~ TeamName

The null? host.name part for Template invocation is a hack to work around Bug #31330 - Filtering of user permissions for remote execution does not allow filtering hosts.

This seems to be the right set to make it work on my box, but ymmv since you’re on a slightly older version than I have.
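The filter set above, encoded as data and created through the Foreman REST API, as an added example that is not code from the thread or from the Foreman project. It assumes the role already exists, that `/api/roles` and `/api/permissions` accept a `search` by name and `/api/filters` takes `role_id`, `permission_ids` and `search`, and that `TeamName` is replaced by the real team name.

```python
import base64
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

TEAM = "TeamName"  # placeholder from the thread; substitute the real team name
# The filter set from the reply above: (permission names, search) per Foreman resource.
FILTER_SPEC = [
    (["play_roles_on_hostgroup", "edit_hostgroups", "view_hostgroups"], f"title ~ {TEAM}"),
    (["create_job_invocations", "view_job_invocations"], None),
    (["view_hosts"], f"hostgroup_title ~ {TEAM}"),
    (["view_ansible_roles"], None),
    (["view_job_templates"], 'name = "Ansible Roles - Ansible Default"'),
    (["view_smart_proxies"], None),
    # "null? host.name" is the Bug #31330 workaround quoted in the reply
    (["view_template_invocations", "create_template_invocations"],
     f"(null? host.name) or host_group.name ~ {TEAM}"),
]

def filter_payload(role_id, permission_ids, search):
    """Body for POST /api/filters; a filter with no search is unlimited."""
    body = {"role_id": role_id, "permission_ids": list(permission_ids)}
    if search:
        body["search"] = search
    return {"filter": body}

def build_payloads(role_id, permission_id_of, spec=FILTER_SPEC):
    """Resolve permission names to ids through the callable; one payload per filter."""
    return [filter_payload(role_id, [permission_id_of(p) for p in perms], search)
            for perms, search in spec]

def _api(base_url, auth, path, params=None, body=None):
    """Minimal JSON request with HTTP basic auth against the assumed Foreman API."""
    url = base_url + path + (f"?{urlencode(params)}" if params else "")
    token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
    headers = {"Authorization": f"Basic {token}", "Accept": "application/json",
               "Content-Type": "application/json"}
    req = Request(url, data=json.dumps(body).encode() if body else None, headers=headers)
    with urlopen(req) as resp:
        return json.load(resp)

def apply_filters(base_url, auth, role_name, spec=FILTER_SPEC):
    """Create every filter in the spec on an existing role (role and endpoint behaviour assumed)."""
    role = _api(base_url, auth, "/api/roles", {"search": f'name = "{role_name}"'})["results"][0]
    def permission_id_of(name):
        return _api(base_url, auth, "/api/permissions", {"search": f"name = {name}"})["results"][0]["id"]
    for payload in build_payloads(role["id"], permission_id_of, spec):
        _api(base_url, auth, "/api/filters", body=payload)
```

Running `apply_filters("https://foreman.example.com", ("admin", "secret"), "team-ansible")` creates the seven filters; afterwards, log in as a member of the group and confirm that only Host Groups matching `title ~ TeamName` offer “Run all Ansible roles”.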

Hi,
Thanks for checking and getting back to me.
You are right, there are other permissions that need to be applied and I have more than the ones provided since they need to be able to perform additional tasks.
I tried to limit the scope of the question to what I thought was the relevant permission.

The problem I encountered when limiting the Host Group view to only the ones with TeamName is as follows.
If you make a change to the Host Group settings, since it will not have visibility to the Parent Host Group, it will remove the parent setting and the Host Group would become itself a parent.

Another thing I noticed is that setting a filter on the Hosts breaks the ability for the users to be able to manage the Host certificates. For example in case of decommissioning or redeployment of a host.

I had a look at the release logs and there does not seem to be a change related to roles/permissions so I didn’t bother upgrading for now since it is not too far behind.