Red Hat Security: Linux in Physical, Virtual, and Cloud
Run playbooks and manage access to authentication credentials by using automation controller from Red Hat Ansible Automation Platform.
Red Hat Ansible Automation Platform 2 includes a component called automation controller, which was called Red Hat Ansible Tower in earlier versions of Ansible Automation Platform. Automation controller provides a centralized hub to run your Ansible automation code.
Enterprise IT organizations need a way to define and embed automation workflows for other tools and processes. The organizations also need reliable and scalable automation execution, and a centralized system that supports auditing.
With automation controller, companies can standardize how automation is deployed by using a centralized location.
Automation controller provides a framework for running and managing Ansible efficiently on an enterprise scale. Automation controller maintains organization security by introducing features such as a centralized web UI for playbook management, role-based access control (RBAC), and centralized logging and auditing. You can integrate an enterprise's existing workflows and tool sets, such as enabling continuous integration and deployment, by using the automation controller REST API. Automation controller provides mechanisms to enable the centralized use and control of machine credentials and other secrets without exposing the credentials or secrets to the users of automation controller.
From a security perspective, automation controller helps you control, secure, and manage your Ansible automation at scale. You can use automation controller to control who has access to run particular playbooks and which inventories they can use or manage. You can allow users of the automation controller to use machine credentials and control who can manage them, without allowing users to transfer them or see their contents. Automation controller logs who ran what Ansible jobs on what hosts when, and what the results of those jobs were. It provides a way for you to centrally manage your Ansible inventories, to ensure that no hosts are missed.
The environment in Red Hat Ansible Automation Platform 2 decouples the automation controller control plane from its execution environment.
Automation controller uses automation execution environments instead of using the system executables, or uses the Python virtual environments. These environments are container images that you can pull from a central container registry, install on automation controller, and manage through a web UI. If needed, then you can create custom automation execution environments. After confirming that a custom automation execution environment works with your automation code, you can publish the container image to a container registry and then provide the new or updated automation execution environment to automation controller. Using the same automation execution environment helps to ensure that the automation code runs consistently on both your system and in automation controller.
 |
Automation controller design provides the following features:
Decentralized and modular application
Decoupled control plane and execution plane
Containerized virtual environments
On-demand scaling by using container orchestrators
Automation controller runs the control plane (with the web UI and API) on the automation controller system, and runs automation execution environments on other machines that are closer to the managed systems. This design increases efficiency and scaling.
Automation controller provides a centralized location for organizations to run their Ansible Playbooks.
Several resources must exist before you can create a job template to test a playbook in automation controller.
Use the following resources to create a job template:
A machine credential for connecting to the managed hosts.
A source control credential for downloading and synchronizing remote content, such as from a Git repository.
A project that specifies the location of content, such as playbooks.
An inventory with at least one host.
The automation controller dashboard provides a summary of information about hosts, inventories, and projects.
The left navigation bar provides quick access to resources, such as , , , and .
At the upper right of the interface, you can access your user profile, find the About page, view related documentation, and log out.
The dashboard contains the following sections:
A graph that shows the number of successful and failed jobs over a specified time.
A list of that shows which jobs were recently run, their status, and the time that they were run.
A list of that shows a summary of the most recently used templates.
 |
Different people who use an automation controller need different levels of access. Some users need to run existing job templates against a preconfigured inventory of machines. Others need to be able to modify particular inventories, job templates, and playbooks. Still others might need access to change anything in the automation controller installation.
You can create the following types of users in automation controller:
Normal users have read and write access that is limited to the resources (such as inventory, projects, and job templates) for which that user is granted the appropriate roles and privileges.
System auditors implicitly inherit the read-only capability for all objects within the environment.
A system administrator (also known as a superuser) has full system administration privileges with full read and write privileges over the entire automation controller. A system administrator is typically responsible for managing all aspects of automation controller and for managing access to various users.
Note
The initial user (usually admin) that the installation process creates is a superuser.
One superuser must always exist.
To delete the admin user account, you must first create another superuser account.
For large deployments, it can be helpful to categorize users, teams, projects, and inventories into different departments.
An organization is a logical collection of users, teams, projects, and inventories.
All users must belong to an organization, and as part of installation, a Default organization is created.
A user is someone who has access to automation controller with associated permissions and credentials.
A team is a subdivision of an organization with associated users, projects, credentials, and permissions.
A project is a logical collection of Ansible Playbooks.
An inventory is a collection of hosts against which jobs must be launched.
Credentials are used for authentication when launching jobs against machines, synchronizing with inventory sources, and importing project content from a version control system.
You can grant users and teams the ability to use these credentials, without exposing the credential to the user. If a user moves to a different team or leaves the organization, then you do not have to rekey all the systems just because that credential was available in automation controller.
The automation controller uses SSH to connect to remote hosts (or the Windows equivalent). To pass the key from the automation controller to SSH, the key must be decrypted before it can be written to a named pipe. The automation controller then uses that pipe to send the key to SSH (so that it is never written to disk).
If passwords are used, then the automation controller handles the request by responding directly to the password prompt and decrypting the password before writing it to the prompt.
Important
After sensitive authentication data is entered into a credential and encrypted, it can no longer be retrieved in decrypted form through the automation controller web interface.
Some credential types that automation controller uses for authentication are as follows:
Machine credentials are used by automation controller to authenticate to managed hosts on which it is running Ansible jobs.
SCM (source control manager) credentials are used by projects to clone and update the contents of source code repositories from a remote revision control system, such as Git.
Navigate to → to list credentials. Automation controller displays the name and credential type for each credential.
Click the name of any credential to display credential details.
 |
To create a machine credential, navigate to → and click . Specify a name for the credential and choose the machine credential type. Specify additional settings and then click .
| Setting | Description |
|---|---|
| Username | Automation controller uses this username to connect to the managed hosts (similar to the remote_user setting in an ansible.cfg file). |
| Password | Enter the password, or prompt for the password when the credential is used. A password or SSH private key is required. Using a password does not work if a managed host prevents password-based authentication over SSH. |
| SSH Private Key | This key is the associated private key for a public SSH key that is already copied to the managed host. A password or SSH private key is required. |
| Private Key Passphrase | If the private SSH key is password-protected, then enter the passphrase, or prompt for the passphrase when the credential is used. |
| Privilege Escalation Method | Enter the method that is used for privilege escalation (the equivalent of the become_method setting in an ansible.cfg file). |
| Privilege Escalation Username | The automation controller uses this user for tasks that require privilege escalation (the equivalent of the become_user setting in an ansible.cfg file). |
| Privilege Escalation Password | If the user requires a password for privilege escalation, then enter the password, or prompt for the password when the credential is used. |
To create a source control credential, navigate to → and click . Specify a name for the credential and choose the source control credential type.
| Setting | Description |
|---|---|
| Username | Automation controller connects to the source control repository as this user. |
| Password | The password that is associated with the user. The source control repository might disable password-based authentication. In that case, use the SCM private key. |
| SCM Private Key | This key is the associated private key for a public SSH key to the managed host. |
| Private Key Passphrase | If the private SCM key is password-protected, then enter the passphrase. |
Private credentials (credentials that are not assigned to an organization) are accessible only to their creators or to users that have the System Administrator or System Auditor user type.
Other users cannot be assigned roles on private credentials.
To assign roles to credentials, the credential must have an organization. Users and teams in that organization can then share that credential through role assignments.
The following table lists the available credential roles:
| Credential role | Description |
|---|---|
Admin
| Grants users full permissions on a credential. These permissions include deleting and modifying the credential, as well as the ability to use the credential in a job template. |
Use
| Grants users the ability to use a credential in a job template. How to use a credential in a job template is discussed later in this course. |
Read
| Grants users the ability to view the details of a credential. These users cannot decrypt the secrets that belong to that credential through the web UI. |
When you create an organization credential, it is accessible only by the owner and users with either the Admin or Auditor role in the organization in which you created it.
You must configure any additional access, if needed.
You must first save a credential before you can edit it to assign additional roles.
Use the following procedure to grant permissions to an existing organization credential:
Log in as a user with the
Adminrole for the organization in which the credential was created.Click → and then click the name of the credential to edit.
On the credential editor page, on the tab, click to add permissions.
Click either or , and then click to select the users or teams to be assigned roles.
Click to display the list of available roles to apply.
Click .
Important
You can also add permissions for credentials through either the user or team management pages.
Automation controller uses project resources to provide access to Ansible Playbooks. If a project uses source control, such as Git or Subversion, then automation controller synchronizes content from the remote source control repository.
Navigate to → to list existing projects. Click the icon to the left of a project name to expand the project information. You can synchronize projects that use source control from the page.
Use the column to assess whether your project is current. For a Git repository, the revision string matches a commit hash.
 |
To create a project, navigate to → and click .
Projects can specify a default execution environment for job templates. If the environment is not specified, then the project defaults to the execution environment that is defined for automation controller. You can choose job templates for different execution environments.
Choose a source control credential type, such as Git, specify additional settings, and then click .
| Setting | Description |
|---|---|
| Source Control URL | The URL to clone the remote repository. |
| Source Control Branch/Tag/Commit | (Optional) A specific branch, tag, or commit for the repository. Use the option so that job templates can use a different branch, tag, or commit. |
| Source Control Credential | An existing credential to synchronize the remote repository. |
Similar to a local inventory file or directory, you can create inventory resources within automation controller.
Inventories can contain groups of hosts as well as ungrouped hosts.
You can configure variables that apply to the entire inventory (similar to the all group), to a specific group (similar to using the groups_vars directory), and to a specific host (similar to using the host_vars directory).
When creating a job template, you must specify an inventory resource to use.
This inventory is similar to specifying the --inventory (-i) option of the ansible-navigator command.
Automation controller can contain many inventories, both static and dynamic. Inventories that contain dynamic content display the status of the most recent inventory synchronization attempt. Static inventories display in the column.
 |
To create an inventory, navigate to → and click → . Specify a name for the inventory and click .
After creating the inventory, populate the inventory with groups and hosts. You can manually add the groups and hosts, or you can automatically populate them by using an existing inventory file in the project repository.
To manually add a group, navigate to the tab and then click . Enter a name for the group and then click .
To manually add an ungrouped host, which you can do at any time, navigate to the tab for the inventory and click . Enter a name for the host (often the fully qualified domain name for the host) and then click . To manually add a host to a group, navigate to the tab for the inventory, click the group name, and then click the tab for the group. You can either associate an existing host within the inventory or add a new host to the group. When adding a new host, enter a name for the host (often the fully qualified domain name for the host) and then click .
The breadcrumb navigation displays the inventory name and the group name.
In the following example, the serverb.lab.example.com host is added to the apac group in the Web Servers (Prod) inventory.
 |
If a project already contains an inventory file, then you can use the file to automatically populate groups and hosts within automation controller.
Within an existing group, navigate to the tab and then click . Enter a name for the source and then select from the menu. Choose an existing project, select an inventory file that exists within the project, and then click .
 |
Within an existing group, navigate to the tab and then click for the source. A successful inventory synchronization creates the hosts and groups that are defined in the selected inventory file.
A job template is equivalent to running a playbook. Among other things, a job template includes an inventory, and might specify variables to override, or tags to either use or skip.
The page lists existing templates. Expand template information by clicking the icon to the left of any template name. Initiate a new job run by clicking .
 |
To create a job template, navigate to → and then click → . At a minimum, enter a name, select a project, and select a playbook. You can either choose an existing inventory or prompt for an inventory when the job template is launched. Job templates must specify necessary credentials, such as the machine credential that automation controller needs to connect to the managed hosts.
Important
Organizations that forbid storing credentials, such as passwords or passphrases, must configure job templates to prompt for credentials. Any job template that prompts for passwords (or other settings) must be run interactively.
Job templates include additional optional fields.
When you run a playbook with the ansible-navigator command, many of these options have corresponding command-line options.
You can specify these options as part of the job template, or be prompted for customizations when the job template is launched.
| Job template setting or option | Equivalent command-line option |
|---|---|
| Inventory |
--inventory (-i) |
| Execution environment |
--execution-environment-image (--eei) |
| Variables |
--extra-vars (-e) |
| Forks |
--forks (-f) |
| Limit |
--limit (-l) |
| Verbosity |
--verbose (-v) |
| Job tags |
--tags (-t) |
| Skip tags |
--skip-tags
|
| Privilege escalation |
--become (-b) |
When you launch a job template, automation controller uses an execution environment to run the playbook by using all the supplied information. If you configure the job template to prompt for information, such as an inventory, credentials, or variables, then automation controller prompts you for this information. Similarly, if the credentials for your job template prompt for passwords or passphrases, then automation controller prompts you for this information. You must interactively run the job templates that prompt for any information.
Navigate to → to review the job output. In addition to the output of playbook runs, the page displays inventory synchronization jobs and source control update jobs. Each job contains a number to show the order in which automation controller ran the job.
Expand job information by clicking the icon to the left of any job name. Expanded details include who launched the job, which inventory was used, and which execution environment was used. Click a job name to see the full job output.
 |
References
For more information, refer to the Automation Controller User Guide v4.2.1 at https://docs.ansible.com/automation-controller/4.2.1/html/userguide/index.html
For more information, refer to Automation Controller at https://learn.spidernet.pl/en/technologies/management/ansible/automation-controller
For more information, refer to What's New in Ansible Automation Controller 4.0 at https://access.redhat.com/articles/6184841
