SatelliteQE / broker

The infrastructure middleman

Limit AnsibleTower job templates to those a user can execute

JacobCallahan opened this issue · comments

Ansible Tower admins can limit what users are able to execute. However, this limitation doesn't necessarily mean that a user can't view job templates they aren't able to execute.
The resolution to this issue should be Broker filtering job templates to only those that a user is able to execute.

                "user_capabilities": {
                    "edit": true,
                    "delete": true,
                    "start": true,
                    "schedule": true,
                    "copy": true
                },

Problem

It is non-obvious from broker what listed job-templates or workflows are actionable.

Talking with @JacobCallahan, it seems like only actionable JT/WFs should be listed, based on the user's / team's permission for the provider:AnsibleTower

Example of Problem

Example of a user (satqe-user, non-privileged) listing job-templates when all JTs are set to read in a branch which are non-executable by this user

(broker) ➜  broker git:(master) ✗ broker providers AnsibleTower --job-templates
[INFO 210617 16:58:56] Querying provider AnsibleTower
[INFO 210617 16:58:56] Using username and password authentication
[INFO 210617 16:58:57] Available job templates:
    add-vlans-ovirt-vm
(broker) ➜  broker git:(master) ✗ broker execute --job-template add-vlans-ovirt-vm
[INFO 210617 17:00:10] Using provider AnsibleTower for execution
[INFO 210617 17:00:10] Using username and password authentication
[ERROR 210617 17:00:11] BrokerError: Forbidden (403) received - {'detail': 'You do not have permission to perform this action.'}

Definition of Done

Any / all JTs or WFs listed for the provider:AnsibleTower should be actionable.
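
One way to do the filtering requested in this thread, as an added example that is not part of the issue or Broker's own code: keep only templates whose `user_capabilities.start` is explicitly true, across every page of the listing, and treat missing capability data as non-launchable. The `summary_fields` nesting, the `next`/`results` pagination keys, the endpoint path, the helper names and all template names other than `add-vlans-ovirt-vm` are assumptions or constructed sample data.

```python
"""Filter Tower template listings to entries the current user may launch."""
from typing import Callable, Iterator

# Constructed sample pages, shaped like a paginated Tower API listing.
# The "summary_fields" nesting and the "next"/"results" keys are assumptions;
# only the user_capabilities block itself appears in the issue.
SAMPLE_PAGES = {
    "/api/v2/job_templates/": {
        "next": "/api/v2/job_templates/?page=2",
        "results": [
            {"name": "add-vlans-ovirt-vm",
             "summary_fields": {"user_capabilities": {"edit": False, "start": False}}},
            {"name": "deploy-base-rhel",
             "summary_fields": {"user_capabilities": {"edit": False, "start": True}}},
        ],
    },
    "/api/v2/job_templates/?page=2": {
        "next": None,
        "results": [
            {"name": "no-capability-info", "summary_fields": {}},
            {"name": "remove-vm",
             "summary_fields": {"user_capabilities": {"start": True}}},
        ],
    },
}


def iter_results(fetch: Callable[[str], dict], url: str) -> Iterator[dict]:
    """Walk every page of a listing, following the 'next' link."""
    while url:
        page = fetch(url)
        yield from page.get("results", [])
        url = page.get("next")


def can_start(template: dict) -> bool:
    """Fail closed: only an explicit start=True counts as launchable."""
    caps = (template.get("summary_fields") or {}).get("user_capabilities") or {}
    return caps.get("start") is True


def launchable_names(fetch: Callable[[str], dict], url: str) -> list[str]:
    """Names of templates the authenticated user is allowed to launch."""
    return sorted(t["name"] for t in iter_results(fetch, url) if can_start(t))


if __name__ == "__main__":
    print(launchable_names(SAMPLE_PAGES.__getitem__, "/api/v2/job_templates/"))
```

The filter only keeps the listing consistent with what the user can run; the server-side 403 shown above remains the actual enforcement point.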