AnsibleIL October 19, 2023
Jim Johnson, Illinois State University, Lead Configuration Management Engineer
Attendees represented Illinois State University (ISU), University of Illinois Urbana-Champaign, Southern Illinois University Edwardsville, Red Hat, AHEAD, and independent contractors.
Jim Johnson presented on their campus approach to managing Role-Based Access Control (RBAC) in the Ansible Automation Platform (AAP).
Their goal is to enable teams to join their Ansible platform, with these priorities:
- Scalable: "Configuration as code is the key to provision and deploy fast."
- Security up front: security by setup (a standard operating environment), resulting in a vastly improved security posture and reduced overhead for app owners.
- Execute: automate the human process of "request and check" as much as possible.
- Accuracy/timeliness: direct integration with sources of truth. "It's cool to see tagging come together across the environment with Ansible."
- Ease: lower the barrier to entry and empower teams to write their own automation.
Resources set up in AAP for each team:
- Private Automation Hub - enable all teams to find and access Red Hat certified and supported automation content
- Private cloud credentials provisioned for their test and production systems
- Public cloud credential provisioned
- Source control credential for GitLab
- An AAP Project for Inventory Source files
- (Datacenter team is working toward having an API and dynamic inventory for physical systems)
- All Inventory sources - private cloud test/dev, public cloud, physical systems
- An "All Systems Inventory", with the caveat that smart inventories, host groups, or host limits should be used to reduce change radius/splash zone.
Their RBAC setup is based around Organizations and Teams in AAP. They use AD group mapping, so users do not need to be individually added to AAP. Users automatically gain access and privileges based on their campus AD group membership.
Objects can be shared between Organizations, but the AAP admin team needs to help share the objects across orgs.
They do need to enforce Inventory host naming conventions, since some hosts are members of multiple inventories. With consistent naming, even if a host is in multiple Inventories, it will not count more than once against the subscription quantity.
System tagging is a core part of their RBAC across the board. Tagging standards in private and public clouds are used to filter systems to only the team's resources.
In some cases, AAP is being used as an automation RBAC/deploy/audit wrapper around existing code (such as PowerShell). In other cases, the certified content is reducing code maintenance versus writing, running, and maintaining custom Python scripts.
Feature request for AAP:
- Group inventory variables for discovered groups (from dynamic inventory "keyed_groups") get overwritten every time a script is run. It would be good if these were retained, so additional groups did not have to be made to hold team-defined attributes for these groups of hosts.
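As an added illustration (not ISU's configuration, which the notes do not reproduce) of the tag-based filtering and the keyed_groups behaviour described above, here is an inventory source file of the kind kept in the AAP Project for inventory sources. It assumes the public cloud is AWS (the amazon.aws.aws_ec2 inventory plugin) and that the tagging standard uses tags named Team, Environment and Application; the tag names and the team value are assumptions.

```yaml
# Added example of a per-team inventory source; not the presenter's file.
# Assumes AWS and the Team/Environment/Application tag names (assumptions).
plugin: amazon.aws.aws_ec2
regions:
  - us-east-2

# Tagging standard as the RBAC boundary: the cloud credential may see every
# instance, but this source only returns hosts tagged for this team and
# limits the change radius to running systems.
filters:
  tag:Team: platform-ops        # assumed team value
  instance-state-name: running

# Host naming convention: the same machine must resolve to the same name in
# every inventory it appears in, so it counts once against the subscription.
hostnames:
  - tag:Name
  - private-dns-name

# Discovered groups built from tags (env_prod, app_webstore, ...). Group vars
# attached to these groups inside AAP are replaced on every inventory sync,
# which is the feature request above; keep team-defined attributes for them
# in group_vars/ files in the project repo, beside this file, instead.
keyed_groups:
  - key: tags.Environment
    prefix: env
    separator: "_"
  - key: tags.Application
    prefix: app
    separator: "_"

# Connection details derived from instance facts rather than hand-maintained.
compose:
  ansible_host: private_ip_address
```

Because the project repo is synced with the inventory source, a file such as group_vars/env_prod.yml in that repo survives each sync, whereas variables set on the discovered group in the AAP UI do not.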
Notes on AWX and AAP:
- AWX took longer to install, and several times in the first month they wished they had support.
- They were very torn about whether to pay for the AAP product subscription.
- Since subscribing, support has been very responsive and quick to resolve/answer issues.
- Looking back, they would have told themselves to move to AAP sooner.