From 0443bd309947b95995e6cf7e87a3010b98547cc9 Mon Sep 17 00:00:00 2001
From: Ilkka Tengvall
Date: Mon, 2 Jul 2018 09:22:36 +0300
Subject: [PATCH 1/6] fixes selinux permissions for awx data. fixes issue #2036 and #1896
---
installer/roles/local_docker/tasks/standalone.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/installer/roles/local_docker/tasks/standalone.yml b/installer/roles/local_docker/tasks/standalone.yml
index b2a4d6d645..418bba287e 100644
--- a/installer/roles/local_docker/tasks/standalone.yml
+++ b/installer/roles/local_docker/tasks/standalone.yml
@@ -82,7 +82,7 @@
image: "{{ awx_web_docker_actual_image }}"
volumes: >
{{
- [project_data_dir + ':/var/lib/awx/projects:rw'] if project_data_dir is defined else []
+ [project_data_dir + ':/var/lib/awx/projects:z'] if project_data_dir is defined else []
+ [ca_trust_dir + ':/etc/pki/ca-trust/source/anchors:ro'] if ca_trust_dir is defined else []
}}
user: root
@@ -120,7 +120,7 @@
image: "{{ awx_task_docker_actual_image }}"
volumes: >
{{
- [project_data_dir + ':/var/lib/awx/projects:rw'] if project_data_dir is defined else []
+ [project_data_dir + ':/var/lib/awx/projects:z'] if project_data_dir is defined else []
+ [ca_trust_dir + ':/etc/pki/ca-trust/source/anchors:ro'] if ca_trust_dir is defined else []
}}
links: "{{ awx_task_container_links|list }}"
From 53ae05094e41f2666c1a439cec80bf05f1394d1c Mon Sep 17 00:00:00 2001
From: Ryan Petrello
Date: Wed, 17 Oct 2018 10:56:29 -0400
Subject: [PATCH 2/6] use the proper logger for the callback receiver
---
awx/main/dispatch/worker/callback.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/awx/main/dispatch/worker/callback.py b/awx/main/dispatch/worker/callback.py
index 451737f990..caa655bd9a 100644
--- a/awx/main/dispatch/worker/callback.py
+++ b/awx/main/dispatch/worker/callback.py
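Review bot: The `:z` on the `project_data_dir` mount in both hunks makes Docker recursively relabel that host path with the shared SELinux container label, which is a host-side side effect that neither the task nor the commit records: a `project_data_dir` pointing at a shared or system location gets relabelled and thereby becomes readable and writable by every container on the host, not only these two, and both of them run as `user: root`. Add a why-comment above `volumes:`, e.g. `# ':z' relabels project_data_dir on the host with the shared container SELinux label; use a directory dedicated to AWX`, and state the same constraint wherever the installer documents `project_data_dir`. Using `:z` rather than `:Z` looks correct here because the same host path is mounted into both the web and task containers and a private label would make each container's relabel invalidate the other's; dropping `rw` is harmless since it is the default. The unlabelled `ca_trust_dir` mount on the following context line presumably hits the same denial on enforcing hosts and would then want `ro,z`, but that is inferred rather than visible here. The enclosing task starts before the hunk.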
@@ -14,7 +14,7 @@ from awx.main.models import (JobEvent, AdHocCommandEvent, ProjectUpdateEvent,
from .base import BaseWorker
-logger = logging.getLogger('awx.main.dispatch')
+logger = logging.getLogger('awx.main.commands.run_callback_receiver')
class CallbackBrokerWorker(BaseWorker):
From aec3244f52053977b2cb0e38176a21301a186cf4 Mon Sep 17 00:00:00 2001
From: Bill Nottingham
Date: Tue, 16 Oct 2018 11:48:33 -0400
Subject: [PATCH 3/6] Update to latest django subminor to pick up assorted fixes.
---
requirements/requirements.in | 2 +-
requirements/requirements.txt | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/requirements/requirements.in b/requirements/requirements.in
index 79f764e6cf..084e59cb31 100644
--- a/requirements/requirements.in
+++ b/requirements/requirements.in
@@ -7,7 +7,7 @@ channels==1.1.8
celery==4.2.1
daphne==1.3.0 # Last before backwards-incompatible channels 2 upgrade
decorator==4.2.1
-Django==1.11.11
+Django==1.11.16
django-auth-ldap==1.2.8
django-crum==0.7.2
django-extensions==2.0.0
diff --git a/requirements/requirements.txt b/requirements/requirements.txt
index 24d00e4e2c..3cfac66dea 100644
--- a/requirements/requirements.txt
+++ b/requirements/requirements.txt
@@ -37,7 +37,7 @@ django-radius==1.1.0
django-solo==1.1.3
django-split-settings==0.3.0
django-taggit==0.22.2
-django==1.11.11
+django==1.11.16
djangorestframework-yaml==1.0.3
djangorestframework==3.7.7
enum34==1.1.6 # via cryptography
From f27ec8cd89570dbf1dd2cb53686c9188347b9413 Mon Sep 17 00:00:00 2001
From: Bill Nottingham
Date: Tue, 16 Oct 2018 15:34:13 -0400
Subject: [PATCH 4/6] Update Django version in version check.
---
awx/wsgi.py | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/awx/wsgi.py b/awx/wsgi.py
index d351fed217..66bd331b90 100644
--- a/awx/wsgi.py
+++ b/awx/wsgi.py
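Review bot: The new logger name `awx.main.commands.run_callback_receiver` on the `+` line is a bare string that does not match this module's path, and the hunk gives no hint why, so the coupling to whatever LOGGING entry in settings is keyed on that name (the commit message implies one exists; it is not visible here) stays invisible to the next reader, who may well see a management-command name inside `awx/main/dispatch/worker/callback.py` and revert it to `__name__`. Add a one-line why-comment above the assignment, e.g. `# Keep this name: it matches the callback-receiver logger configured in settings, so its handlers and level keep applying here.` These are the logs that record event processing, so silently losing that routing would also be an operational blind spot rather than a cosmetic change. The module-level code continues outside the hunk.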
@@ -41,10 +41,10 @@ if social_django.__version__ != '2.1.0':
still works".format(social_django.__version__))
-if django.__version__ != '1.11.11':
- raise RuntimeError("Django version other than 1.11.11 detected {}. \
+if django.__version__ != '1.11.16':
+ raise RuntimeError("Django version other than 1.11.16 detected {}. \
Inherit from WSGIHandler to support short-circuit Django Middleware. \
- This is known to work for Django 1.11.11 and may not work with other, \
+ This is known to work for Django 1.11.16 and may not work with other, \
even minor, versions.".format(django.__version__))
From bf39a2a7479fcbe876027bf54ea1287c86b9ca55 Mon Sep 17 00:00:00 2001
From: Numblesix
Date: Fri, 12 Oct 2018 19:57:19 +0200
Subject: [PATCH 5/6] Added some Doc for FREEipa
---
docs/auth/ldap.md | 57 +++++++++++++++++++++++++++++++++++++++++++++--
1 file changed, 55 insertions(+), 2 deletions(-)
diff --git a/docs/auth/ldap.md b/docs/auth/ldap.md
index 107ee8c9ef..f8c0c3b270 100644
--- a/docs/auth/ldap.md
+++ b/docs/auth/ldap.md
@@ -2,11 +2,64 @@ The Lightweight Directory Access Protocol (LDAP) is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. Directory services play an important role in developing intranet and Internet applications by allowing the sharing of information about users, systems, networks, services, and applications throughout the network. # Configure LDAP Authentication -Please see the Tower documentation as well as Ansible blog posts for basic LDAP configuration. +Please see the Tower documentation as well as Ansible blog posts for basic LDAP configuration. -LDAP Authentication provides duplicate sets of configuration fields for authentication with up to six different LDAP servers. +LDAP Authentication provides duplicate sets of configuration fields for authentication with up to six different LDAP servers. The default set of configuration fields take the form `AUTH_LDAP_`. Configuration fields for additional ldap servers are numbered `AUTH_LDAP__`. ## Test environment setup Please see README.md of this repository: https://github.com/jangsutsr/deploy_ldap.git. 
+ + +# Basic setup for FreeIPA + +LDAP Server URI (append if you have multiple LDAPs) +`ldaps://{{serverip1}}:636` + +LDAP BIND DN (How to create a bind account in [FreeIPA](https://www.freeipa.org/page/Creating_a_binddn_for_Foreman) +`uid=awx-bind,cn=sysaccounts,cn=etc,dc=example,dc=com` + +LDAP BIND PASSWORD +`{{yourbindaccountpassword}}` + +LDAP USER DN TEMPLATE +`uid=%(user)s,cn=users,cn=accounts,dc=example,dc=com` + +LDAP GROUP TYPE +`NestedMemberDNGroupType` + +LDAP GROUP SEARCH +``` +[ +"cn=groups,cn=accounts,dc=example,dc=com", +"SCOPE_SUBTREE", +"(objectClass=groupOfNames)" +] +``` + +LDAP USER ATTRIBUTE MAP +``` +{ +"first_name": "givenName", +"last_name": "sn", +"email": "mail" +} +``` + +LDAP USER FLAGS BY GROUP +``` +{ +"is_superuser": "cn={{superusergroupname}},cn=groups,cn=accounts,dc=example,dc=com" +} +``` + +LDAP ORGANIZATION MAP +``` +{ +"{{yourorganizationname}}": { +"admins": "cn={{admingroupname}},cn=groups,cn=accounts,dc=example,dc=com", +"remove_admins": false +} +} +``` From 6117f8297e84311570bb356e20eb4da27e0de70f Mon Sep 17 00:00:00 2001 From: AlanCoding Date: Wed, 17 Oct 2018 14:27:14 -0400 Subject: [PATCH 6/6] remove changelog --- docs/CHANGELOG.md | 133 ---------------------------------------------- 1 file changed, 133 deletions(-) delete mode 100644 docs/CHANGELOG.md diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md deleted file mode 100644 index 10f8668888..0000000000 --- a/docs/CHANGELOG.md +++ /dev/null 
@@ -1,133 +0,0 @@ -3.3.0 -===== -* Allow relaunching jobs on a subset of hosts, by status.[[#219](https://github.com/ansible/awx/issues/219)] -* Added `ask_variables_on_launch` to workflow JTs.[[#497](https://github.com/ansible/awx/issues/497)] -* Added `diff_mode` and `verbosity` fields to WFJT nodes.[[#555](https://github.com/ansible/awx/issues/555)] -* Block creation of schedules when variables not allowed are given. - Block similar cases for WFJT nodes.[[#478](https://github.com/ansible/awx/issues/478)] -* Changed WFJT node `credential` to many-to-many `credentials`. -* Saved Launch-time configurations feature - added WFJT node promptable fields to schedules, - added `extra_data` to WFJT nodes, added "schedule this job" endpoint. - [[#169](https://github.com/ansible/awx/issues/169)] -* Switch from `credential`, `vault_credential`, and `extra_credentials` fields to - single `credentials` relationship, allow multiple vault credentials [[#352](https://github.com/ansible/awx/issues/352)]. -* Make inventory parsing errors fatal, and only enable the `script` - inventory plugin for job runs and vendored inventory - updates[[#864](https://github.com/ansible/awx/issues/864)] -* Add related `credentials` endpoint for inventory updates to be more internally - consistent with job templates, model changes for [[#277](https://github.com/ansible/awx/issues/277)] -* Removed `TOWER_HOST` as a default environment variable in job running environment - due to conflict with tower credential type. Playbook authors should replace their - use with `AWX_HOST`. [[#1727](https://github.com/ansible/awx/issues/1727)] -* Boolean fields for custom credential types will now always default extra_vars and - environment variables to `False` when a value is not provided. [[#2038](https://github.com/ansible/tower/issues/2038)] -* Add validation to prevent string "$encrypted$" from becoming a literal - survey question default [[#518](https://github.com/ansible/awx/issues/518)]. 
-* Enable the `--export` option for `ansible-inventory` via the environment - variable [[#1253](https://github.com/ansible/awx/pull/1253)] so that - group `variables` are imported to the group model. -* Prevent unwanted entries in activity stream due to `modified` time changes. -* API based deep copy feature via related `/api/v2/resources/N/copy/` endpoint - [[#283](https://github.com/ansible/awx/issues/283)]. -* Container Cluster-based dynamic scaling provisioning / deprovisioning instances, - allow creating / modifying instance groups from the API, introduce instance - group policies, consider both memory and CPU constraints, add the ability - to disable nodes without removing them from the cluster - [[#196](https://github.com/ansible/awx/issues/196)]. -* Add additional organization roles [[#166](https://github.com/ansible/awx/issues/166)]. -* Support fact caching for isolated instances [[#198](https://github.com/ansible/awx/issues/198)]. -* Graphical UI for network inventory [[#611](https://github.com/ansible/awx/issues/611)]. -* Restrict viewing and editing network UI canvas to users with inventory `admin_role`. -* Implement per-template, project, organization `custom_virtualenv`, a field that - allows users to select one of multiple virtual environments set up on the filesystem - [[#34](https://github.com/ansible/awx/issues/34)]. -* Use events for running inventory updates, project updates, and other unified job - types [[#200](https://github.com/ansible/awx/issues/200)]. -* Prevent deletion of jobs when event processing is still ongoing. -* Prohibit job template callback when `inventory` is null - [[#644](https://github.com/ansible/awx/issues/644)]. -* Impose stricter criteria to admin users - organization admin role now - necessary for all organizations target user is member of. -* Remove unused `admin_role` associated with users. -* Enforce max value for `SESSION_COOKIE_AGE` - [[#1651](https://github.com/ansible/awx/issues/1651)]. 
-* Add stricter validation to `order_by` query params - [[#776](https://github.com/ansible/awx/issues/776)]. -* Consistently log uncaught task exceptions [[#1257](https://github.com/ansible/awx/issues/1257)]. -* Do not show value of variable of `with_items` iteration when `no_log` is set. -* Change external logger to lazily create handler from settings on every log - emission, replacing server restart. Allows use in OpenShift deployments. -* Allow job templates using previously-synced git projects to run without network - access to source control [[#287](https://github.com/ansible/awx/issues/287)]. -* Automatically run a project update if sensitive fields change like `scm_url`. -* Disallow relaunching jobs with `execute_role` if another user provided prompts. -* Show all teams to organization admins if setting `ORG_ADMINS_CAN_SEE_ALL_USERS` is enabled. -* Allow creating schedules and workflow nodes from job templates that use - credentials which prompt for passwords if `ask_credential_on_launch` is set. -* Set `execution_node` in task manager and submit `waiting` jobs to only the - queue for the specific instance job is targeted to run on - [[#1873](https://github.com/ansible/awx/issues/1873)]. -* Switched authentication to Django sessions. -* Implemented OAuth2 support for token based authentication [[#21](https://github.com/ansible/awx/issues/21)]. -* Added the ability to forcibly expire sessions through `awx-manage expire_sessions`. -* Disallowed using HTTP PUT/PATCH methods to modify existing jobs in Job Details API endpoint. -* Changed the name of the session length setting from `AUTH_TOKEN_EXPIRATION` to `SESSION_COOKIE_AGE`. -* Changed the name of the session length setting from `AUTH_TOKEN_PER_USER` to `SESSIONS_PER_USER`. 
-* External logging now defaults to HTTPS (instead of HTTP) *unless* http:// is explicitly specified in the log aggregator hostname [[#2048](https://github.com/ansible/awx/issues/2048)] -* Added `inventory` field to inventory updates - -3.2.0 -===== -* added a new API endpoint - `/api/v1/settings/logging/test/` - for testing - external log aggregrator connectivity - [[#5164](https://github.com/ansible/ansible-tower/issues/5164)] -* allow passing `-e create_preload_data=False` to skip creating default - organization/project/inventory/credential/job_template during Tower - installation - [[#5746](https://github.com/ansible/ansible-tower/issues/5746)] -* removed links from group to `inventory_source` including the field and - related links, removed `start` and `schedule` capabilities from - group serializer and added `user_capabilities` to inventory source - serializer, allow user creation and naming of inventory sources - [[#5741](https://github.com/ansible/ansible-tower/issues/5741)] -* support sourcing inventory from a file inside of a project's source - tree [[#2477](https://github.com/ansible/ansible-tower/issues/2477)] -* added support for custom cloud and network credential types, which give the - customer the ability to modify environment variables, extra vars, and - generate file-based credentials (such as file-based certificates or .ini - files) at `ansible-playbook` runtime - [[#5876](https://github.com/ansible/ansible-tower/issues/5876)] -* added support for assigning multiple cloud and network credential types on - `JobTemplates`. 
``JobTemplates`` can prompt for "extra credentials" at - launch time in the same manner as promptable machine credentials - [[#5807](https://github.com/ansible/ansible-tower/issues/5807)] - [[#2913](https://github.com/ansible/ansible-tower/issues/2913)] -* custom inventory sources can now specify a ``Credential``; you - can store third-party credentials encrypted within Tower and use their - values from within your custom inventory script (by - for example - reading - an environment variable or a file's contents) - [[#5879](https://github.com/ansible/ansible-tower/issues/5879)] -* Added support for configuring groups of instance nodes to run tower - jobs [[#5898](https://github.com/ansible/ansible-tower/issues/5898)] -* Fixed an issue installing Tower on multiple nodes where cluster - internal node references are used - [[#6231](https://github.com/ansible/ansible-tower/pull/6231)] -* Tower now uses a modified version of [Fernet](https://github.com/fernet/spec/blob/master/Spec.md). - Our `Fernet256` class uses `AES-256-CBC` instead of `AES-128-CBC` for all encrypted fields. - [[#826](https://github.com/ansible/ansible-tower/issues/826)] -* Added the ability to set custom environment variables set for playbook runs, - inventory updates, project updates, and notification sending. - [[#3508](https://github.com/ansible/ansible-tower/issues/3508)] -* Added --diff mode to Job Templates and Ad-Hoc Commands. The diff can be found in the - standard out when diff mode is enabled. [[#4525](https://github.com/ansible/ansible-tower/issues/4325)] -* Support accessing some Tower resources via their name-related unique identifiers apart from primary keys. -(named URL) [[#3362](https://github.com/ansible/ansible-tower/issues/3362)] -* Support TACACS+ authentication. [[#3400](https://github.com/ansible/ansible-tower/issues/3400)] -* Support sending system logs to external log aggregators via direct TCP/UDP connection. 
-[[#5783](https://github.com/ansible/ansible-tower/pull/5783)] -* Remove Rackspace as a supported inventory source type and credential type. -[[#6117](https://github.com/ansible/ansible-tower/pull/6117)] -* Changed names of tower-mange commands `register_instance` -> `provision_instance`, - `deprovision_node` -> `deprovision_instance`, and `instance_group_remove` -> `remove_from_queue`, - which backward compatibility support for 3.1 use pattern - [[#6915](https://github.com/ansible/ansible-tower/issues/6915)]