Merge pull request #1061 from winem/update-ansible-docs-remove-ewc
Ansible Installer: Remove EWC & Update regarding LDAP, RBAC & FlowUI
winem authored May 6, 2021
2 parents b579753 + cbb8f16 commit 2ae722a
Showing 1 changed file with 60 additions and 6 deletions.
66 changes: 60 additions & 6 deletions docs/source/install/ansible.rst
Expand Up @@ -60,8 +60,9 @@ complete installation:
- ``nodejs`` - Dependency for ``st2chatops``.
- ``st2chatops`` - Install and configure st2chatops for hubot adapter integration with |st2|.
- ``st2smoketests`` - Simple checks to see if |st2| is working.
- ``ewc`` - Install and configure |ewc|, including ``LDAP`` and ``RBAC``. StackStorm < 3.3 only.
- ``ewc_smoketests`` - Simple checks to see if |ewc| is working. StackStorm < 3.3 only.

For StackStorm versions earlier than 3.3, Extreme Networks provided a commercial version of the StackStorm automation platform (EWC). EWC contained advanced features like RBAC, LDAP and the Workflow Designer. Since StackStorm 3.4 RBAC and LDAP are core-features of StackStorm itself and the FlowUI as part of ``st2web`` replaces the Workflow Designer. Therefore, the ``ewc`` role is no longer supported and the LDAP and RBAC backends are now configured and deployed via the ``st2`` role. The FlowUI does not require any configuration.


Example Play
---------------------------
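
Review bot: The version boundaries in the added EWC paragraph do not line up. It opens with "For StackStorm versions earlier than 3.3" but continues with "Since StackStorm 3.4 RBAC and LDAP are core-features", which leaves 3.3 itself unaccounted for, while the removed bullets said "StackStorm < 3.3 only". Please state one boundary consistently so a reader on 3.3 knows whether the ``ewc`` role or the ``st2`` role applies. Two smaller points in the same paragraph: it writes "EWC" literally where the removed bullets used the ``|ewc|`` substitution, and "core-features" should be "core features".
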
Expand Down Expand Up @@ -126,7 +127,6 @@ By default we generate a self-signed certificate for ``nginx`` in ``st2web`` rol
st2web_ssl_certificate: "{{ lookup('file', 'local/path/to/domain-name.crt') }}"
st2web_ssl_certificate_key: "{{ lookup('file', 'local/path/to/domain-name.key') }}"


Installing Behind a Proxy
-------------------------

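Review bot: The only change in this hunk is dropping one of the two blank lines above the "Installing Behind a Proxy" heading, which is unrelated to the EWC removal and leaves this heading spaced differently from "Example Play" in the previous hunk, where two blank lines remain. Either restore the blank line or normalise heading spacing in a separate cleanup commit.
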
Expand All @@ -145,11 +145,65 @@ If you are installing from behind a proxy, you can use the environment variables
roles:
- st2

Enabling LDAP authentication and add RBAC configuration
-------------------------------------------------------

|ewc|
-----
.. include:: common/ewc_intro.rst
By default :doc:`LDAP authentication </authentication>` & :doc:`RBAC </rbac>` are disabled. You can enable and configure these features via the Stackstorm.st2 role to allow/restrict/limit |st2| functionality to specific users:

.. sourcecode:: yaml

- name: Install and configure st2 with enabled LDAP authentication and RBAC
role: st2
vars:
st2_version: latest
st2_auth_enable: yes
st2_auth_username: testu
st2_auth_password: testp
st2_save_credentials: yes
st2_system_user: stanley
st2_system_user_in_sudoers: yes
# Dict to edit https://github.com/StackStorm/st2/blob/master/conf/st2.conf.sample
st2_config: {}
st2_ldap_enable: yes
st2_ldap:
# Configure the LDAP connection and query attributes
# https://docs.stackstorm.com/authentication.html#ldap
backend_kwargs:
bind_dn: "cn=Administrator,cn=users,dc=change-you-org,dc=net"
bind_password: "foobar123"
base_ou: "dc=example,dc=net"
group_dns:
- "CN=stormers,OU=groups,DC=example,DC=net"
host: identity.example.net
port: 389
id_attr: "samAccountName"
st2_rbac_enable: yes
st2_rbac:
# Define roles and permissions
# https://docs.stackstorm.com/rbac.html#defining-roles-and-permission-grants
roles:
- name: core_local_only
description: "This role has access only to action core.local in pack 'core'"
enabled: true
permission_grants:
- resource_uid: "action:core:local"
permission_types:
- action_execute
- action_view
- permission_types:
- runner_type_list
# Assign roles to specific users
# https://docs.stackstorm.com/rbac.html#defining-user-role-assignments
assignments:
- name: test_user
roles:
- core_local_only
- name: stanley
roles:
- admin
- name: chuck_norris
roles:
- system_admin

.. note::

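Review bot: The new example puts secrets in the playbook in clear text (``st2_auth_password: testp`` and ``bind_password: "foobar123"``), and documentation samples tend to be copied as they are. Add a sentence or a ``.. note::`` telling readers to supply these values from Ansible Vault or another secret store rather than committing them. In the same ``backend_kwargs`` block, ``port: 389`` is shown with no TLS-related setting, so as written the bind password would cross the network unencrypted; consider showing the encrypted variant or stating that the sample is for testing only. Also, ``bind_dn`` uses ``dc=change-you-org,dc=net`` (probably meant as "change-your-org") while ``base_ou`` and ``group_dns`` use ``dc=example,dc=net``; pick one placeholder domain. Finally, the heading "Enabling LDAP authentication and add RBAC configuration" mixes verb forms, and "Stackstorm.st2" should match the "StackStorm" capitalisation used in the rest of the file.
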