Limit AnsibleTower job templates to those a user can execute
JacobCallahan opened this issue · comments
Ansible Tower admins can limit what users are able to execute. However, this limitation doesn't necessarily mean that a user can't view job templates they aren't able to execute.
The resolution to this issue should be Broker filtering job templates to only those that a user is able to execute.
    "user_capabilities": {
        "edit": true,
        "delete": true,
        "start": true,
        "schedule": true,
        "copy": true
    },
Problem
It is non-obvious from broker what listed job-templates or workflows are actionable.
Talking with @JacobCallahan, it seems like only actionable JT/WFs should be listed, based on the user's / team's permission for the provider:AnsibleTower
Example of Problem
Example of a user (satqe-user, non-privileged) listing job-templates when all JTs are set to read in a branch which are non-executable by this user
(broker) ➜ broker git:(master) ✗ broker providers AnsibleTower --job-templates
[INFO 210617 16:58:56] Querying provider AnsibleTower
[INFO 210617 16:58:56] Using username and password authentication
[INFO 210617 16:58:57] Available job templates:
add-vlans-ovirt-vm
(broker) ➜ broker git:(master) ✗ broker execute --job-template add-vlans-ovirt-vm
[INFO 210617 17:00:10] Using provider AnsibleTower for execution
[INFO 210617 17:00:10] Using username and password authentication
[ERROR 210617 17:00:11] BrokerError: Forbidden (403) received - {'detail': 'You do not have permission to perform this action.'}
Definition of Done
Any / all JTs or WFs listed for the provider:AnsibleTower should be actionable.
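
The filtering requested in this issue, sketched as an added example (not Broker's own code and not part of the original thread): it keeps only templates whose `user_capabilities.start` is true and fails closed when the capability data is missing. The response layout (`results[].summary_fields.user_capabilities`) and the template names `deploy-base-rhel` and `legacy-template` are assumptions constructed for the example.

```python
import json

# Constructed sample of a job-template listing (not real data).
# Assumption: each result carries summary_fields.user_capabilities,
# the object quoted in the issue.
SAMPLE_RESPONSE = json.loads("""
{
  "count": 3,
  "results": [
    {"name": "deploy-base-rhel", "summary_fields": {"user_capabilities":
      {"edit": false, "delete": false, "start": true, "schedule": false, "copy": false}}},
    {"name": "add-vlans-ovirt-vm", "summary_fields": {"user_capabilities":
      {"edit": false, "delete": false, "start": false, "schedule": false, "copy": false}}},
    {"name": "legacy-template", "summary_fields": {}}
  ]
}
""")


def can_start(template):
    """True only when the server explicitly reports start=True.

    Missing or malformed capability data is treated as not executable
    (fail closed), so a template is never advertised on a guess.
    """
    caps = (template.get("summary_fields") or {}).get("user_capabilities") or {}
    return caps.get("start") is True


def executable_templates(response):
    """Return sorted names of templates the querying user may launch."""
    return sorted(t["name"] for t in response.get("results", []) if can_start(t))


def hidden_templates(response):
    """Names readable by the user but filtered out of the listing."""
    return sorted(t["name"] for t in response.get("results", []) if not can_start(t))


if __name__ == "__main__":
    print("Available job templates:")
    for name in executable_templates(SAMPLE_RESPONSE):
        print(f"    {name}")
```

This only changes what the client lists; the 403 shown above remains the server-side enforcement when a launch is attempted.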