Red Hat SummitInstalling and Configuring Central Authentication for the Ansible Automation Platform
Enable central authentication functions for your Ansible Automation Platform
Abstract
Preface
Ansible Automation Platform Central Authentication is a third-party identity provider (idP) solution, allowing for a simplified single sign-on solution that can be used across the Ansible Automation Platform. Platform administrators can utilize central authentication to test connectivity and authentication, as well as onboard new users and manage user permissions by configuring and assigning them to groups. Along with OpenID Connect-based and LDAP support, central authentication also provides a supported REST API which can be used to bootstrap customer usage.
Making open source more inclusive
Red Hat is committed to replacing problematic language in our code, documentation, and web properties. We are beginning with these four terms: master, slave, blacklist, and whitelist. Because of the enormity of this endeavor, these changes will be implemented gradually over several upcoming releases. For more details, see our CTO Chris Wright’s message.
Chapter 1. Ansible Automation Platform Central Authentication for automation hub
To enable Ansible Automation Platform Central Authentication for your automation hub, start by downloading the Red Hat Ansible Automation Platform installer then proceed with the necessary set up procedures as detailed in this guide.
The installer in this guide will install central authentication for a basic standalone deployment. Standalone mode only runs one central authentication server instance, and thus will not be usable for clustered deployments. Standalone mode can be useful to test drive and play with the features of central authentication, but it is not recommended that you use standalone mode in production as you will only have a single point of failure.
To install central authentication in a different deployment mode, please see this guide for more deployment options.
1.1. System Requirements
There are several minimum requirements to install and run Ansible Automation Platform Central Authentication:
- Any operating system that runs Java
- Java 8 JDK
- zip or gzip and tar
- At least 512mb of RAM
- At least 1gb of disk space
- A shared external database like PostgreSQL, MySQL, Oracle, etc. if you want to run central authentication in a cluster. Please see the database configuration section of this guide for more information.
- Network multicast support on your machine if you want to run in a cluster. central authentication can be clustered without multicast, but this requires some configuration changes. Please see the clustering section of this guide for more information.
-
On Linux, it is recommended to use
/dev/urandomas a source of random data to prevent central authentication hanging due to lack of available entropy, unless/dev/randomusage is mandated by your security policy. To achieve that on Oracle JDK 8 and OpenJDK 8, set thejava.security.egdsystem property on startup tofile:/dev/urandom.
1.2. Installing Ansible Automation Platform Central Authentication for use with automation hub
The Ansible Automation Platform Central Authentication installation will be included with your Red Hat Ansible Automation Platform installer. Install the Ansible Automation Platform using the following procedures, then configure the necessary parameters in your inventory file to successfully install both the Ansible Automation Platform and central authentication.
1.2.1. Choosing and obtaining a Red Hat Ansible Automation Platform installer
Choose the Red Hat Ansible Automation Platform installer you need based on your Red Hat Enterprise Linux environment internet connectivity. Review the scenarios below and determine which Red Hat Ansible Automation Platform installer meets your needs.
A valid Red Hat customer account is required to access Red Hat Ansible Automation Platform installer downloads on the Red Hat Customer Portal.
Installing with internet access
Choose the Red Hat Ansible Automation Platform installer if your Red Hat Enterprise Linux environment is connected to the internet. Installing with internet access will retrieve the latest required repositories, packages, and dependencies.
- Navigate to https://access.redhat.com/downloads/content/480
- Click for the Ansible Automation Platform <latest-version> Setup.
Extract the files:
$ tar xvzf ansible-automation-platform-setup-<latest-version>.tar.gz
Installing without internet access
Use the Red Hat Ansible Automation Platform Bundle installer if you are unable to access the internet, or would prefer not to install separate components and dependencies from online repositories. Access to Red Hat Enterprise Linux repositories is still needed. All other dependencies are included in the tar archive.
- Navigate to https://access.redhat.com/downloads/content/480
- Click for the Ansible Automation Platform <latest-version> Setup Bundle.
Extract the files:
$ tar xvzf ansible-automation-platform-setup-bundle-<latest-version>.tar.gz
1.2.2. Configuring the Red Hat Ansible Automation Platform installer
Before running the installer, edit the inventory file found in the installer package to configure the installation of automation hub and Ansible Automation Platform Central Authentication.
Provide a reachable IP address for the [automationhub] host to ensure users can sync content from Private Automation Hub from a different node and push new images to the container registry.
Navigate to the installer directory:
Online installer:
$ cd ansible-automation-platform-setup-<latest-version>
Bundled installer:
$ cd ansible-automation-platform-setup-bundle-<latest-version>
- Open the inventory file using a text editor.
Edit the inventory file parameters under
[automationhub]to specify an installation of automation hub host:-
Add group host information under
[automationhub]using an IP address or FQDN for the automation hub location. -
Enter passwords for
automationhub_admin_password,automation_pg_password, and any additional parameters based on your installation specifications.
-
Add group host information under
-
Enter a password in the
sso_keystore_passwordfield. Edit the inventory file parameters under
[SSO]to specify a host on which to install central authentication:-
Enter a password in the
sso_console_admin_passwordfield, and any additional parameters based on your installation specifications.
-
Enter a password in the
1.2.3. Running the Red Hat Ansible Automation Platform installer
With the inventory file updated, run the installer using the setup.sh playbook found in the installer package.
Run the
setup.shplaybook:$ ./setup.sh
1.2.4. Log in as a central authentication admin user
With Red Hat Ansible Automation Platform installed, log in as an admin user to the central authentication server using the admin credentials that you specified in your inventory file.
- Navigate to your Ansible Automation Platform Central Authentication instance.
-
Login using the admin credentials you specified in your inventory file, in the
sso_console_admin_usernameandsso_console_admin_password fields.
With Ansible Automation Platform Central Authentication successfully installed, and the admin user logged in, you can proceed by adding a user storage provider (such as LDAP) using the following procedures.
Chapter 2. Adding a User Storage Provider (LDAP/Kerberos) to Ansible Automation Platform Central Authentication
Ansible Automation Platform Central Authentication comes with a built-in LDAP/AD provider. You can add your LDAP provider to central authentication to be able to import user attributes from your LDAP database.
Prerequisites
- You are logged in as an SSO admin user.
Procedure
- Log in to Ansible Automation Platform Central Authentication as an SSO admin user.
- From the navigation bar, select → .
- Using the dropdown menu labeled Add provider, select your LDAP provider to proceed to the LDAP configuration page.
The following table lists the available options for your LDAP configuration:
| Configuration Option | Description |
| Storage mode | Set to On if you want to import users into the central authentication user database. See this section for more information. |
| Edit mode | Determines the types of modifications that admins can make on user metadata. See this section for more information. |
| Console Display Name | Name used when this provider is referenced in the admin console |
| Priority | The priority of this provider when looking up users or adding a user |
| Sync Registrations | Enable if you want new users created by Ansible Automation Platform Central Authentication in the admin console or the registration page to be added to LDAP |
| Allow Kerberos authentication | Enable Kerberos/SPNEGO authentication in the realm with users data provisioned from LDAP. See this section for more information. |
Chapter 3. Assigning automation hub administrator permissions
Hub administrative users will need to be assigned the role of hubadmin in order to manage user permissions and groups. You can assign the role of hubadmin to a user through the Ansible Automation Platform Central Authentication client.
Prerequisites
- A user storage provider (e.g., LDAP) has been added to your central authentication
Procedure
-
Navigate to the
ansible-automation-platformrealm on your SSO client. - From the navigation bar, select → .
- Select a user from the list by clicking their ID.
- Click the Role Mappings tab.
- Using the dropdown menu under Client Roles, select automation-hub.
- Click from the Available Roles field, then click .
The user is now a hubadmin. Repeat steps 3-6 to assign any additional users the hubadmin role.
Chapter 4. Adding an identity broker to Ansible Automation Platform Central Authentication
Ansible Automation Platform Central Authentication supports both social and protocol-based providers. You can add an identity broker to central authentication to enable social authentication for your realm, allowing users to log in using an existing social network account, such as Google, Facebook, GitHub etc.
For a list of supported social networks and for more information to enable them, please see this section.
Protocol-based providers are those that rely on a specific protocol in order to authenticate and authorize users. They allow you to connect to any identity provider compliant with a specific protocol. Ansible Automation Platform Central Authentication provides support for SAML v2.0 and OpenID Connect v1.0 protocols.
Procedure
- Log in to Ansible Automation Platform Central Authenticationas an admin user.
- Under the Configure section on the side navigation bar, click .
- Using the dropdown menu labeled Add provider, select your identity provider to proceed to the identity provider configuration page.
The following table lists the available options for your identity provider configuration:
| Configuration Option | Description |
| Alias |
The alias is a unique identifier for an identity provider. It is used to reference an identity provider internally. Some protocols such as |
| Enabled | Turns the provider on/off. |
| Hide on Login Page |
If enabled, this provider will not be shown as a login option on the login page. Clients can still request to use this provider by using the |
| Account Linking Only | If enabled, this provider cannot be used to login users and will not be shown as an option on the login page. Existing accounts can still be linked with this provider. |
| Store Tokens | Whether or not to store the token received from the identity provider. |
| Stored Tokens Readable | Whether or not users are allowed to retrieve the stored identity provider token. This also applies to the broker client-level role read token. |
| Trust Email | Whether an email address provided by the identity provider will be trusted. If the realm requires email validation, users that log in from this IDP will not have to go through the email verification process. |
| GUI Order | The order number that sorts how the available IDPs are listed on the login page. |
| First Login Flow | Select an authentication flow that will be triggered for users that log in to central authentication through this IDP for the first time. |
| Post Login Flow | Select an authentication flow that is triggered after the user finishes logging in with the external identity provider. |
4.1. Managing group permissions with Ansible Automation Platform Central Authentication
You can manage user access on the Ansible Automation Platform by assigning specific permissions to user groups. As users log in to the Ansible Automation Platform for the first time, their groups will appear in the user access page in automation hub, allowing you to assign user access and permissions to each group.
4.1.1. Assigning permissions to Groups
You can assign permissions to groups in automation hubthat enable users to access specific features in the system.
Prerequisites
You are signed in as a hubadmin user.
Procedure
- Log in to your local automation hub.
- Navigate to Groups.
- Click on a group name.
- Click Edit.
- Click in the field for the permission type and select permissions that appear in the list.
- Click Save when finished assigning permissions.
The group can now access features in automation hub associated with their assigned permissions.
4.1.2. Automation Hub permissions
Permissions provide a defined set of actions each group performs on a given object. Determine the required level of access for your groups based on the following permissions:
| Object | Permission | Description |
|---|---|---|
| namespace | Add namespace Upload to namespace Change namespace Delete namespace | Groups with these permissions can create, upload collections, or delete a namespace. |
| collections | Modify Ansible repo content Delete collections | Groups with this permission can move content between repositories using the Approval feature, certify or reject features to move content from the staging to published or rejected repositories, abd delete collections. |
| users | View user Delete user Add user Change user | Groups with these permissions can manage user configuration and access in automation hub. |
| groups | View group Delete group Add group Change group | Groups with these permissions can manage group configuration and access in automation hub. |
| collection remotes | Change collection remote View collection remote | Groups with these permissions can configure remote repository by navigating to → . |
| containers | Change container namespace permissions Change containers Change image tags Create new containers Push to existing containers Delete container repository | Groups with these permissions can manage container repositories in automation hub. |
| remote registries | Add remote registry Change remote registry Delete remote registry | Groups with these permissions can add, change, or delete remote registries added to automation hub. |
| task management | Change task Delete task View all tasks | Groups with these permissions can manage tasks added to Task Management in automation hub. |
