gateway_authenticator_maps.yml
In these files we configure the mapping of groups in the enabled authenticator to organizations and teams in rhaap.
We will probably do this in the global configuration (ALL).
group_vars/all/gateway_authenticator_maps.yml
Here we see the groups for the MGT organization being mapped to groups from the enabled LDAP server.
There is a group in LDAP for:
- Admins
- Developers
- Operators
These will inherit rights that are mapped elsewhere.
SuperUsers
The first mapping we make is the mapping for the superusers; there is a special group for them in the LDAP.

```yaml
- name: SuperAdmins
  authenticator: Auth LDAP container
  revoke: true
  map_type: is_superuser
  triggers:
    always: {}
    never: {}
    groups:
      has_and:
        - cn=g-aap-admins,ou=groups,dc=homelab,dc=wf
```

Note that we add the full DN (in lowercase) to the mapping.
If we don't do this, it will not work.
Organization users
For each organization we need 5 mappings. The first one makes all users members of the organization we created for them.

```yaml
- name: ORG_MGT-members
  authenticator: Auth LDAP container
  revoke: true
  map_type: organization
  organization: MGT
  role: Organization Member
  triggers:
    always: {}
    never: {}
    groups:
      has_and:
        - cn=ug-mgt,ou=groups,dc=homelab,dc=wf
```
Next we map the users into the correct teams that were created earlier.
The only role we map here is the Organization Admin role. All other access rights for teams and users must be granted by the organization admins in the config-as-code files of the organization.

```yaml
- name: ORG_MGT-admin-team
  authenticator: Auth LDAP container
  revoke: true
  map_type: role
  organization: MGT
  team: LDAP_MGT_Admins
  role: Team Member
  triggers:
    always: {}
    never: {}
    groups:
      has_and:
        - cn=g-aap-mgt-a,ou=groups,dc=homelab,dc=wf
- name: ORG_MGT-D
  authenticator: Auth LDAP container
  revoke: true
  map_type: team
  # the organization name must match the organization created earlier (MGT)
  organization: MGT
  team: LDAP_MGT_Developers
  role: Team Member
  triggers:
    always: {}
    never: {}
    groups:
      has_and:
        - cn=g-aap-mgt-d,ou=groups,dc=homelab,dc=wf
- name: ORG_MGT-O
  authenticator: Auth LDAP container
  revoke: true
  map_type: team
  organization: MGT
  team: LDAP_MGT_Operators
  role: Team Member
  triggers:
    always: {}
    never: {}
    groups:
      has_and:
        - cn=g-aap-mgt-o,ou=groups,dc=homelab,dc=wf
```
Lastly, we must specify which users are the organization admins; these users can configure everything within their organization in Automation Platform. They are the reason each organization (team) can be in full control of its own rhaap configuration.

```yaml
- name: ORG_MGT-admins
  authenticator: Auth LDAP container
  revoke: true
  map_type: organization
  organization: MGT
  role: Organization Admin
  triggers:
    always: {}
    never: {}
    groups:
      has_and:
        - cn=g-aap-mgt-a,ou=groups,dc=homelab,dc=wf
```
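Because a mapping that is silently wrong (a group that is not the full lowercase DN, an organization name that does not exist, revoke switched off) simply does nothing or leaves access in place, it pays to lint the maps before the pipeline pushes them. The following is an added example, not code from the original post or from the infra.aap_configuration collection. It embeds a constructed copy of four of the entries above as Python data (a real pipeline would load the YAML file instead) plus two deliberately broken entries; KNOWN_ORGANIZATIONS is an assumption that only MGT exists so far, and the DN regex is a deliberately simple approximation.

```python
import re

# map_type values an AAP gateway authenticator map accepts
VALID_MAP_TYPES = {"allow", "is_superuser", "organization", "team", "role"}

# Assumption: the only organization created so far is MGT, as on this page.
KNOWN_ORGANIZATIONS = {"MGT"}

# A full DN: two or more comma-separated attribute=value pairs, all lowercase,
# e.g. cn=g-aap-admins,ou=groups,dc=homelab,dc=wf (simplified check)
DN_RE = re.compile(r"^[a-z0-9-]+=[^,=]+(?:,[a-z0-9-]+=[^,=]+)+$")


def make_map(name, map_type, dn, **extra):
    """Build one entry in the shape of the page's YAML (helper for the sample data)."""
    entry = {
        "name": name,
        "authenticator": "Auth LDAP container",
        "revoke": True,
        "map_type": map_type,
        "triggers": {"always": {}, "never": {}, "groups": {"has_and": [dn]}},
    }
    entry.update(extra)
    return entry


# Constructed sample: four entries copied from the page, then two deliberately
# broken ones so the checks have something to report.
SAMPLE_MAPS = [
    make_map("SuperAdmins", "is_superuser", "cn=g-aap-admins,ou=groups,dc=homelab,dc=wf"),
    make_map("ORG_MGT-members", "organization", "cn=ug-mgt,ou=groups,dc=homelab,dc=wf",
             organization="MGT", role="Organization Member"),
    make_map("ORG_MGT-O", "team", "cn=g-aap-mgt-o,ou=groups,dc=homelab,dc=wf",
             organization="MGT", team="LDAP_MGT_Operators", role="Team Member"),
    make_map("ORG_MGT-admins", "organization", "cn=g-aap-mgt-a,ou=groups,dc=homelab,dc=wf",
             organization="MGT", role="Organization Admin"),
    # broken: a bare, uppercase group name instead of the full lowercase DN
    make_map("BAD-short-name", "team", "G-AAP-MGT-D",
             organization="MGT", team="LDAP_MGT_Developers", role="Team Member"),
    # broken: organization that does not exist, and revoke switched off
    make_map("BAD-org", "team", "cn=g-aap-mgt-d,ou=groups,dc=homelab,dc=wf",
             organization="ORG_MGT", team="LDAP_MGT_Developers", role="Team Member",
             revoke=False),
]


def lint_map(entry):
    """Return the list of problems found in one authenticator map entry."""
    problems = []
    name = entry.get("name", "<unnamed>")
    map_type = entry.get("map_type")
    if map_type not in VALID_MAP_TYPES:
        problems.append(f"{name}: unknown map_type {map_type!r}")
    # revoke: true is what takes the access away again once the user leaves the group
    if entry.get("revoke") is not True:
        problems.append(f"{name}: revoke is not true, access would never be withdrawn")
    if map_type in ("organization", "team"):
        org = entry.get("organization")
        if org not in KNOWN_ORGANIZATIONS:
            problems.append(f"{name}: organization {org!r} does not exist")
    if map_type == "team" and not entry.get("team"):
        problems.append(f"{name}: map_type team needs a team")
    groups = entry.get("triggers", {}).get("groups", {})
    dns = list(groups.get("has_and", [])) + list(groups.get("has_or", []))
    if not dns:
        problems.append(f"{name}: no LDAP group under triggers.groups")
    for dn in dns:
        if dn != dn.lower():
            problems.append(f"{name}: group {dn!r} must be written in lowercase")
        if not DN_RE.match(dn.lower()):
            problems.append(f"{name}: group {dn!r} is not a full DN")
    return problems


def lint_maps(maps):
    """Lint every entry plus the list as a whole; returns {name: [problems]} for bad entries."""
    names = [m.get("name") for m in maps]
    report = {}
    for entry in maps:
        problems = lint_map(entry)
        if names.count(entry.get("name")) > 1:
            problems.append(f"{entry.get('name')}: duplicate name, lists_mergeby would fold these into one")
        if problems:
            report[entry.get("name")] = problems
    return report


if __name__ == "__main__":
    for problems in lint_maps(SAMPLE_MAPS).values():
        print("\n".join(problems))
```

Run as a pre-commit hook or pipeline step, a non-empty report should fail the job; the four entries taken from the page pass, the two constructed ones are reported.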
The complete file
Below is the complete file for now; later we will add new organization mappings to this file through automation.

```yaml
---
gateway_authenticator_maps_all:
  - name: SuperAdmins
    authenticator: Auth LDAP container
    revoke: true
    map_type: is_superuser
    triggers:
      always: {}
      never: {}
      groups:
        has_and:
          - cn=g-aap-admins,ou=groups,dc=homelab,dc=wf
  - name: ORG_MGT-members
    authenticator: Auth LDAP container
    revoke: true
    map_type: organization
    organization: MGT
    role: Organization Member
    triggers:
      always: {}
      never: {}
      groups:
        has_and:
          - cn=ug-mgt,ou=groups,dc=homelab,dc=wf
  - name: ORG_MGT-admin-team
    authenticator: Auth LDAP container
    revoke: true
    map_type: role
    organization: MGT
    team: LDAP_MGT_Admins
    role: Team Member
    triggers:
      always: {}
      never: {}
      groups:
        has_and:
          - cn=g-aap-mgt-a,ou=groups,dc=homelab,dc=wf
  - name: ORG_MGT-D
    authenticator: Auth LDAP container
    revoke: true
    map_type: team
    # the organization name must match the organization created earlier (MGT)
    organization: MGT
    team: LDAP_MGT_Developers
    role: Team Member
    triggers:
      always: {}
      never: {}
      groups:
        has_and:
          - cn=g-aap-mgt-d,ou=groups,dc=homelab,dc=wf
  - name: ORG_MGT-O
    authenticator: Auth LDAP container
    revoke: true
    map_type: team
    organization: MGT
    team: LDAP_MGT_Operators
    role: Team Member
    triggers:
      always: {}
      never: {}
      groups:
        has_and:
          - cn=g-aap-mgt-o,ou=groups,dc=homelab,dc=wf
  - name: ORG_MGT-admins
    authenticator: Auth LDAP container
    revoke: true
    map_type: organization
    organization: MGT
    role: Organization Admin
    triggers:
      always: {}
      never: {}
      groups:
        has_and:
          - cn=g-aap-mgt-a,ou=groups,dc=homelab,dc=wf
```

You can already see that the variable name used here has the "_all" suffix, so the variable will not be overridden, as this is not quite an inventory.
Why we do this will become clear in a moment.
group_vars/dev/gateway_authenticator_maps.yml
As we do not configure extra authenticator maps in development, this file is an empty list.

```yaml
---
gateway_authenticator_maps_dev: []
# No extra config exists
...
```

Here the variable has the "_dev" suffix, so the variable will not be overridden.
group_vars/prod/gateway_authenticator_maps.yml
As we do not configure extra authenticator maps in prod, this file is an empty list.

```yaml
---
gateway_authenticator_maps_prod: []
# No extra config exists
...
```

Here the variable has the "_prod" suffix, so the variable will not be overridden.
When we run a pipeline for a certain environment, the inventory structure will provide us with 2 variables:
- gateway_authenticator_maps_all
- gateway_authenticator_maps_<environment> (gateway_authenticator_maps_dev or gateway_authenticator_maps_prod from the files above)
We will merge these 2 variables into 1 (gateway_authenticator_maps) and feed this to the infra.aap_configuration.authenticator_map role.
In main.yml the merge of the variables is done by this piece of code:

```yaml
- name: Set the gateway vars
  ansible.builtin.set_fact:
    # gateway_authenticator_maps_all comes from group_vars/all, the second list from
    # group_vars/<branch_name> (branch_name is the environment, dev or prod);
    # entries with the same name are merged and lists such as has_and are appended
    aap_authenticator_maps: >-
      {{ gateway_authenticator_maps_all |
         community.general.lists_mergeby(vars['gateway_authenticator_maps_' + branch_name],
                                         'name', recursive=true, list_merge='append') }}
```

This results in the aap_authenticator_maps variable that the collection needs.
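To see exactly what that merge produces before a pipeline runs it, here is an added example, not code from the original post or from community.general: a small Python re-implementation of lists_mergeby keyed on name with recursive=true and list_merge='append'. Both input lists are constructed; MAPS_ALL is a shortened copy of the global file above, MAPS_PROD is invented to show one entry that overrides a global one by name and one that exists only in prod (the PROD organization and its DN are assumptions).

```python
import copy


def combine(base, override, list_merge="append"):
    """Recursive dict merge in the style of Ansible's combine(recursive=True, list_merge=...)."""
    result = copy.deepcopy(base)
    for key, value in override.items():
        current = result.get(key)
        if isinstance(current, dict) and isinstance(value, dict):
            result[key] = combine(current, value, list_merge)
        elif isinstance(current, list) and isinstance(value, list) and list_merge == "append":
            result[key] = current + copy.deepcopy(value)
        else:
            result[key] = copy.deepcopy(value)
    return result


def lists_mergeby(*lists, index="name", list_merge="append"):
    """Merge lists of dicts on `index`; a later list's entry is combined into an earlier
    entry with the same name. The result is sorted by the index, as the Ansible filter does."""
    merged = {}
    for lst in lists:
        for entry in lst:
            key = entry[index]
            merged[key] = combine(merged[key], entry, list_merge) if key in merged else copy.deepcopy(entry)
    return [merged[key] for key in sorted(merged)]


# Constructed: two entries from the page's group_vars/all file
MAPS_ALL = [
    {
        "name": "SuperAdmins",
        "authenticator": "Auth LDAP container",
        "revoke": True,
        "map_type": "is_superuser",
        "triggers": {"always": {}, "never": {}, "groups": {
            "has_and": ["cn=g-aap-admins,ou=groups,dc=homelab,dc=wf"]}},
    },
    {
        "name": "ORG_MGT-members",
        "authenticator": "Auth LDAP container",
        "revoke": True,
        "map_type": "organization",
        "organization": "MGT",
        "role": "Organization Member",
        "triggers": {"always": {}, "never": {}, "groups": {
            "has_and": ["cn=ug-mgt,ou=groups,dc=homelab,dc=wf"]}},
    },
]

# Constructed: what a non-empty group_vars/prod file could contain
MAPS_PROD = [
    # same name as a global entry: in prod a second group must be present as well,
    # so only the has_and list is given and gets appended to the global one
    {"name": "SuperAdmins", "triggers": {"groups": {
        "has_and": ["cn=g-aap-prod-admins,ou=groups,dc=homelab,dc=wf"]}}},
    # an entry that exists only in prod (assumed organization PROD)
    {
        "name": "ORG_PROD-members",
        "authenticator": "Auth LDAP container",
        "revoke": True,
        "map_type": "organization",
        "organization": "PROD",
        "role": "Organization Member",
        "triggers": {"always": {}, "never": {}, "groups": {
            "has_and": ["cn=ug-prod,ou=groups,dc=homelab,dc=wf"]}},
    },
]


def build_authenticator_maps(maps_all, maps_env):
    """The value the page's set_fact computes: the global list merged with the environment list."""
    return lists_mergeby(maps_all, maps_env)


if __name__ == "__main__":
    for entry in build_authenticator_maps(MAPS_ALL, MAPS_PROD):
        print(entry["name"], entry["triggers"]["groups"]["has_and"])
```

Two things the merge semantics imply for reviewing environment files: with list_merge='append' an environment entry can only add groups to has_and, never remove one, and because the merge keys on name, a typo in the name of an override creates a second, separate map instead of changing the global one.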