gateway_users

This file defines the local users. If you map every user from AD/LDAP, this file is empty.
We use local users to pull and create images and collections, so they are defined here.
Additionally, the users (organization admins) that run the organizations' configuration as code are in here too.

All usernames and passwords in this file should be encrypted with Ansible Vault.

NOTE: When using an external vault, this file must be deleted; no users should be defined from a file in that case.
The code that creates the aap_user_accounts variable must then live in main.yml and read the user variables from the external vault.
See: main.yml

group_vars/all/gateway_users.yml

As we do configure extra users in rhaap, this file is not an empty set.
We create a number of users for specific tasks: collection uploads from code, collection fetches by project updates that need collections to run a template, and separate users for execution environment management. This is done so we can easily manage the tokens for these users and make sure they never expire; token expiration is one of the most frustrating things in rhaap.
To prevent token expiration when running the configuration as code, add update_secrets: false to each account definition.
If you don't add this, the tokens will expire on every run of the base configuration.

---
aap_user_accounts_all:
  - username: coll_upload
    password: <password>
    email:
    first_name: collection
    last_name: upload
    update_secrets: false

  - username: coll_get
    password: <very_secret>
    email:
    first_name: collection
    last_name: download
    update_secrets: false

  - username: ee_upload
    password: <even_more_secret>
    email:
    first_name: ee
    last_name: upload
    update_secrets: false

  - username: ee_pull
    password: <i_dont_know>
    email:
    first_name: ee
    last_name: pull
    update_secrets: false

  - username: CaC_admin_MGT
    password: <too_secret_to_not_encrypt>
    email:
    first_name: admin
    last_name: admin
    is_superuser: false
    update_secrets: false
...
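The same file with the passwords vaulted, as the text above asks for. This is an added example, not the repository's own file: the ciphertext bodies are placeholders (real vault output is several lines of hex), the vault password is whatever you use for the repository, and only two of the accounts are shown.

```yaml
# group_vars/all/gateway_users.yml with inline-vaulted passwords
# (added example; ciphertext bodies below are placeholders, not real output)
---
aap_user_accounts_all:
  - username: coll_upload
    # Generated with:
    #   ansible-vault encrypt_string --ask-vault-pass 'the-real-password' --name 'password'
    # and pasted here; the plaintext never lands in git.
    password: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      <placeholder: hex ciphertext emitted by ansible-vault goes here>
    email:
    first_name: collection
    last_name: upload
    update_secrets: false   # keep the token; otherwise it rotates on every run

  - username: CaC_admin_MGT
    password: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      <placeholder: hex ciphertext emitted by ansible-vault goes here>
    email:
    first_name: admin
    last_name: admin
    is_superuser: false     # organization admin only, never system admin
    update_secrets: false
...
```

Only the `password` values are encrypted, so `git diff` still shows which usernames changed while the secret stays opaque; run the playbook with `--ask-vault-pass` or a `--vault-id` pointing at a password file outside the repository.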

Most usernames I use here are self-explanatory; you are of course free to use whatever username you prefer.
The last item in this example is the username CaC_admin_MGT, the user that runs the configuration as code from the organization MGT repository. We only use the 'admin' user for the initial 'base-configuration'; every other organization uses a separate user. That user is organization_admin for its own organization and not system_admin, for obvious security reasons.
But you can already see that the variable name used here has the "_all" suffix, so the variable will not be overridden, as this is not quite an inventory.
Why we do this will become clear in the code of the main.yml file in this repository.
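One way main.yml can combine the suffixed variables into the single aap_user_accounts list, and the external-vault variant mentioned in the NOTE at the top. This is an added example and not the repository's main.yml: the play name, the hosts group `gateway`, the derived `aap_env` variable, the assert task and the HashiCorp-style lookup (`community.hashi_vault.hashi_vault` with a placeholder secret path) are all assumptions; adapt the lookup to whichever vault product you use.

```yaml
# main.yml (added example, not the repository's own)
---
- name: Build the user account list for this environment
  hosts: gateway                 # assumed inventory group
  gather_facts: false
  vars:
    # Each host sits in 'all' plus exactly one of 'dev' or 'prod';
    # pick that name so we can address gateway_users_<env> (assumed helper var).
    aap_env: "{{ group_names | intersect(['dev', 'prod']) | first }}"
  tasks:
    - name: Combine the shared list with the environment-specific list
      ansible.builtin.set_fact:
        # '_all' and '_dev'/'_prod' never collide, so group_vars precedence
        # cannot silently drop one of them; we add the lists explicitly.
        aap_user_accounts: >-
          {{ aap_user_accounts_all
             + lookup('ansible.builtin.vars', 'gateway_users_' ~ aap_env, default=[]) }}
      no_log: true               # passwords are in this structure

    # External-vault variant: the group_vars file is deleted and the list
    # comes from the vault instead (assumed KV path and lookup plugin).
    # - name: Read the user list from the external vault
    #   ansible.builtin.set_fact:
    #     aap_user_accounts: "{{ lookup('community.hashi_vault.hashi_vault', 'secret=<placeholder/path/to/aap/users>') }}"
    #   no_log: true

    - name: Refuse to continue if an account would rotate tokens or become a superuser
      ansible.builtin.assert:
        that:
          # every account must carry update_secrets, and it must be false
          - aap_user_accounts | rejectattr('update_secrets', 'defined') | list | length == 0
          - aap_user_accounts | selectattr('update_secrets', 'equalto', true) | list | length == 0
          # nobody defined here may be a system admin
          - aap_user_accounts | selectattr('is_superuser', 'defined')
                              | selectattr('is_superuser', 'equalto', true) | list | length == 0
        fail_msg: "Every account needs update_secrets: false and must not be a superuser"
        quiet: true
```

The assert is the part worth keeping even if your merge logic differs: it turns the two conventions from the text (update_secrets: false everywhere, organization admins are never system admins) into a check that fails the run before any user is created or any token is reset.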

group_vars/dev/gateway_users.yml

As we do not configure extra users in development rhaap, this file is an empty set.

---
gateway_users_dev: []
  # No extra config exists
...

Here the variable has the "_dev" extension, so the variable will not be overridden.

group_vars/prod/gateway_users.yml

As we do not configure extra users in production rhaap, this file is an empty set.

---
gateway_users_prod: []
  # No extra config exists
...

Here the variable has the "_prod" extension, so the variable will not be overridden.
