The multi-tenancy RBAC features of Tower are sufficient to control who can run certain projects on what systems. For instance, you could easily control that engineering could not push to production.
All playbooks are executed via the awx filesystem user. For running jobs, Ansible Tower defaults to offering job isolation via Linux namespacing and chroots. This isolation ensures jobs can only access playbooks and roles from the Project directory for that job template and common locations such as /opt. Playbooks are not able to access roles, playbooks, or data from other Projects by default.
If you need to disable this isolation (not recommended), you can edit /etc/tower/settings.py and set AWX_PROOT_ENABLED to False.
Note
In this scenario, playbooks have access to the filesystem and all that that implies; therefore, users who have access to edit playbooks must be trusted.
For credential security, users may choose to upload locked SSH keys and set the unlock password to “ask”. You can also choose to have the system prompt them for SSH credentials or sudo passwords rather than having the system store them in the database.
By default, Tower’s multi-tenant security prevents playbooks from reading files outside of their project directory. To share information between playbooks or to read files on the filesystem outside of their project directory, you must edit /etc/tower/settings.py and add the directories that are available to the AWX_PROOT_SHOW_PATHS setting.
The following paths, plus any user specified paths, are hidden by AWX_PROOT_HIDE_PATHS:
/etc/tower
/var/lib/awx
/var/log
/tmp
/var/lib/awx/projects
/var/lib/awx/job_status
The following paths, plus any user specified paths, are shown by AWX_PROOT_SHOW_PATHS:
/var/lib/awx/projects/<current_project>
/tmp/ansible_tower_xxxxx
The primary path you may want to add to AWX_PROOT_SHOW_PATHS is /var/lib/awx/.ssh, if your playbooks need to use keys or settings defined there.
The PRoot functionality in Ansible Tower limits which directories on the Tower file system are available for playbooks to see and use during playbook runs. You may find that you need to customize your PRoot settings in some cases. To fine tune your usage of PRoot, there are certain variables that can be set:
# Enable proot support for running jobs (playbook runs only).
AWX_PROOT_ENABLED = False
# Command/path to proot.
AWX_PROOT_CMD = 'proot'
# Additional paths to hide from jobs using proot.
AWX_PROOT_HIDE_PATHS = []
# Additional paths to show for jobs using proot.
AWX_PROOT_SHOW_PATHS = []
To customize your PRoot settings, edit the /etc/tower/settings.py file. Once your changes have been saved, restart services with the ansible-tower-service restart command.
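The hide/show lists and the settings block above compose into one visibility rule per path; the following added example (not Tower's own code) reads the AWX_PROOT_* settings out of a settings.py fragment without executing it, works out which host paths a job can reach, and flags a show path that re-exposes a default-hidden tree. The sample settings are constructed, and the rule that the most specific prefix wins (a show entry beating a hide entry of equal length) is an assumption about how the PRoot bindings compose.

```python
import ast
import posixpath

# Default hidden and shown paths as listed in the Tower docs above.
DEFAULT_HIDE = ["/etc/tower", "/var/lib/awx", "/var/log", "/tmp",
                "/var/lib/awx/projects", "/var/lib/awx/job_status"]
DEFAULT_SHOW = ["/var/lib/awx/projects/<current_project>",
                "/tmp/ansible_tower_xxxxx"]
# Constructed settings.py fragment: .ssh exposed as the docs suggest, plus one over-broad entry.
SAMPLE_SETTINGS = """
AWX_PROOT_ENABLED = True
AWX_PROOT_HIDE_PATHS = ['/srv/secrets']
AWX_PROOT_SHOW_PATHS = ['/var/lib/awx/.ssh', '/etc/tower']
"""

def load_proot_settings(text):
    """Pull AWX_PROOT_* assignments out of settings.py source without running it."""
    found = {}
    for node in ast.parse(text).body:
        if (isinstance(node, ast.Assign) and isinstance(node.targets[0], ast.Name)
                and node.targets[0].id.startswith("AWX_PROOT_")):
            found[node.targets[0].id] = ast.literal_eval(node.value)
    return found

def _under(path, prefix):
    path, prefix = posixpath.normpath(path), posixpath.normpath(prefix)
    return path == prefix or path.startswith(prefix + "/")

def visible(path, settings):
    """Can a job read `path`? Assumed rule: most specific prefix wins, show beats hide on a tie."""
    if not settings.get("AWX_PROOT_ENABLED", False):
        return True                       # isolation disabled: everything is visible
    hide = DEFAULT_HIDE + list(settings.get("AWX_PROOT_HIDE_PATHS", []))
    show = DEFAULT_SHOW + list(settings.get("AWX_PROOT_SHOW_PATHS", []))
    matches = [(len(posixpath.normpath(p)), shown)
               for shown, paths in ((False, hide), (True, show))
               for p in paths if _under(path, p)]
    return max(matches)[1] if matches else True   # no matching prefix: path is visible

def audit(text):
    """Findings an administrator should review before trusting the isolation."""
    s = load_proot_settings(text)
    findings = []
    if not s.get("AWX_PROOT_ENABLED", False):
        findings.append("AWX_PROOT_ENABLED is False: jobs see the whole filesystem")
    for p in s.get("AWX_PROOT_SHOW_PATHS", []):
        exposed = [d for d in DEFAULT_HIDE if _under(d, p)]   # show path swallows a hidden tree
        if exposed:
            findings.append("AWX_PROOT_SHOW_PATHS entry %r re-exposes hidden %s" % (p, ", ".join(exposed)))
    return findings
```

Exposing /var/lib/awx/.ssh is not flagged because it re-exposes only one subdirectory of a hidden tree, whereas '/etc/tower' hands the job Tower's own configuration.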
A role is essentially a collection of permissions and all users receive permissions only through the roles to which they are assigned or through roles they inherit through the role hierarchy. Within an organization, roles are relatively stable, while users and permissions are both numerous and may change rapidly.
Role-Based Access Controls (RBAC) are built into Tower and allow Tower administrators to delegate access to server inventories, organizations, and more. Administrators can also centralize the management of various credentials, allowing end users to leverage a needed secret without ever exposing that secret to the end user. RBAC controls allow Tower to help you increase security and streamline management.
RBAC controls also give you the capability to explicitly permit Users and Teams of Users to run playbooks against certain sets of hosts. Users and teams are restricted to just the sets of playbooks and hosts to which they are granted permission. And, with Tower, you can create or import as many Users and Teams as you require: create users and teams manually or import them from LDAP or Active Directory.
RBACs are easiest to think of in terms of who or what can see, change, or delete an “object” for which a specific permission is being set.
Users
Views
User records can be viewed by the user who owns the user record, by the Organization Admin (if the user is a part of the organization they are associated with), and by the Super User.
Changes
The user who owns the user record can make changes to that user record, as can the Organization Admin (if the user is a part of the organization they are associated with), and the Super User. Organization Admins can add users to their organizations. Super Users can add users to any organization.
Deletions
The Organization Admin can remove a user if the user is a part of their organization. Super Users can remove any user from any organization as needed.
Organizations
Views
Users who can see an organization must be a member of that organization, must be the Organization Admin for that organization, or a Super User.
Changes
Only Organization Admins (for the particular organization they are associated with) and Super Users can make changes to an organization.
Deletions
Only Organization Admins (for the particular organization they are associated with) and Super Users can remove an organization.
Inventories
Views
Super Users can view any inventory and Organization Admins (for the particular organization they are associated with) can view inventories for their organization. Users or Teams associated with the inventory who have Read, Write, or Administrator privileges can also view the inventory for which they have explicit permission granted.
Changes
Super Users can edit any inventory and Organization Admins (for the particular organization they are associated with) can edit inventories for their organization. Users or Teams associated with the inventory who have Write or Administrator privileges granted can also edit an inventory.
Deletions
Super Users can remove any inventory and Organization Admins (for the particular organization they are associated with) can remove inventories for their organization. Users or Teams associated with the inventory who have the Administrator privilege granted can also remove an inventory.
Ad Hoc Commands
Super Users and Organization Admins (for the particular organization they are associated with) can run ad hoc commands against inventories for their organization. Users or Teams associated with the inventory who have Read, Write, or Administrator privileges granted, with the “Run Ad Hoc Commands” checkmark selected, can also run ad hoc commands against that inventory.
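To make the inventory rules above (view, change, delete, run ad hoc commands) checkable rather than only readable, here is an added model of them in Python; the user, team and inventory names are constructed, and this is not Tower's own authorization code.

```python
from dataclasses import dataclass

LEVELS = {"read": 1, "write": 2, "admin": 3}          # explicit permission levels
REQUIRED = {"view": "read", "edit": "write", "delete": "admin", "adhoc": "read"}

@dataclass(frozen=True)
class User:
    name: str
    superuser: bool = False
    admin_of: frozenset = frozenset()   # organizations this user administers
    teams: frozenset = frozenset()      # teams the user belongs to

@dataclass(frozen=True)
class Inventory:
    name: str
    org: str

@dataclass(frozen=True)
class Grant:
    principal: str             # a user name or a team name
    inventory: str
    level: str                 # "read", "write" or "admin"
    run_ad_hoc: bool = False   # the "Run Ad Hoc Commands" checkmark

def can(user, action, inv, grants):
    """Decide `action` ("view", "edit", "delete", "adhoc") on `inv` for `user`."""
    if user.superuser or inv.org in user.admin_of:
        return True                      # Super Users and the inventory's Org Admins
    principals = {user.name} | set(user.teams)
    for g in grants:
        if g.inventory != inv.name or g.principal not in principals:
            continue
        if LEVELS[g.level] < LEVELS[REQUIRED[action]]:
            continue                     # level too low for this action
        if action == "adhoc" and not g.run_ad_hoc:
            continue                     # read/write/admin alone is not enough
        return True
    return False

# Constructed sample: one team grant with the ad hoc flag, one personal read grant.
PROD = Inventory("prod", org="eng")
GRANTS = [Grant("ops", "prod", "write", run_ad_hoc=True), Grant("bob", "prod", "read")]
ALICE = User("alice", teams=frozenset({"ops"}))
BOB = User("bob")
CAROL = User("carol", admin_of=frozenset({"eng"}))
```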
Hosts
Views
Anyone who can view an inventory can view hosts assigned to that inventory.
Changes
Super Users can edit any inventory host and Organization Admins (for the particular organization they are associated with) can edit inventory hosts for their organization. Users or Teams associated with the inventory who have Write or Administrator privileges granted can also edit an inventory host.
Deletions
Super Users can remove any inventory host and Organization Admins (for the particular organization they are associated with) can remove inventory hosts for their organization. Users or Teams associated with the inventory who have the Administrator privilege granted can also remove an inventory host.
Groups
Views
Anyone who can view an inventory can view groups assigned to that inventory.
Changes
Super Users can edit any inventory group and Organization Admins (for the particular organization they are associated with) can edit inventory groups for their organization. Users or Teams associated with the inventory who have Write or Administrator privileges granted can also edit an inventory group.
Deletions
Super Users can remove any inventory group and Organization Admins (for the particular organization they are associated with) can remove inventory groups for their organization. Users or Teams associated with the inventory who have the Administrator privilege granted can also remove an inventory group.
Inventory Updates
Views
Super Users can view any inventory update and Organization Admins (for the particular organization they are associated with) can view inventory updates for their organization. Users or Teams associated with the inventory with Administrator privileges granted can also see inventory updates.
Deletions
Super Users can remove any inventory update and Organization Admins (for the particular organization they are associated with) can remove inventory updates for their organization. Users or Teams associated with the inventory with Administrator privileges granted can also remove inventory updates.
Credentials
Views
Super Users and Organization Admins (for the particular organization they are associated with) can view credentials. The User or Team which owns the credential can also view it.
Changes
Super Users and Organization Admins (for the particular organization they are associated with) can edit credentials. The User or Team which owns the credential can also edit it.
Deletions
Super Users and Organization Admins (for the particular organization they are associated with) can remove credentials. The User or Team which owns the credential can also remove it.
Teams
Views
Super Users and Organization Admins (for the particular organization they are associated with) can view Teams. The users associated with that Team can also view the Team.
Changes
Super Users and Organization Admins (for the particular organization they are associated with) can edit Teams.
Deletions
Super Users and Organization Admins (for the particular organization they are associated with) can remove Teams or individual team members.
Projects
Views
Super Users and Organization Admins (for projects linked to the organization they are associated with) can view projects. Users or Teams associated with a project can also view that project. Users or Teams granted explicit permission for a project can also view that project, even if they are outside of the organization for which the project is associated.
Changes
Super Users and Organization Admins (for projects linked to the organization they are associated with) can edit projects.
Deletions
Super Users and Organization Admins (for projects linked to the organization they are associated with) can remove projects.
Project Updates
Views
Super Users and Organization Admins (for project updates linked to the organization they are associated with) can view project updates. Users or Teams associated with a project can also view that project's updates. Users or Teams granted explicit permission for a project can also view that project's updates, even if they are outside of the organization with which the project is associated.
Changes
Super Users and Organization Admins (for project updates linked to the organization they are associated with) can edit project updates.
Deletions
Super Users and Organization Admins (for project updates linked to the organization they are associated with) can remove project updates.
Job Templates
Job Templates have three associated actions: Check, Run, and Create.
Views
Super Users and Organization Admins (for job templates linked to the organization they are associated with) can view job templates. Users granted access to view the inventory, project, and credential can view an associated job template. Users with explicit team-based permissions granted during the job template setup can also view an associated job template. If you can see jobs run on the Job Template, you can view the job template.
- System Job Templates: Only Super Users can view.
- Ad hoc commands: Super Users and Organization Admins (for job templates linked to the organization they are associated with) can view ad hoc command job templates. Users and team members with explicit team-based Read permissions granted, along with the ad hoc command flag set, can also view ad hoc command job templates.
Launch
Super Users and Organization Admins (for job templates linked to the organization they are associated with) can launch job templates. Users granted team-based Run or Check level permissions or Users with team-based Create level permissions can launch job templates for which they are associated. If you can view it, you can start it.
- System Job Templates: Only Super Users can launch.
- Ad hoc commands: Super Users and Organization Admins (for job templates linked to the organization they are associated with) can launch ad hoc command job templates. Users and team members with explicit team-based Read permissions granted, along with the ad hoc command flag set, can also launch ad hoc command job templates.
Create
Super Users and Organization Admins (for job templates linked to the organization they are associated with) can create job templates. Users granted a team-based Create level permission can also create a job template.
- System Job Templates: Only Super Users can create.
Deletions
Super Users and Organization Admins (for job templates linked to the organization they are associated with) can remove job templates. Users granted team-based Create level permissions can also remove a job template. Anyone with permission to create a job template also has permission to remove it.
- System Job Templates: Only Super Users can remove.
Activity Stream
View
Activity Stream information is available as read-only. Users can only see activity on objects for which they have been granted permission to view. If a user cannot see the job template or the organization, they cannot view anything in the activity stream for those two events.
Cleanup Job
Only Super Users can access this activity stream.
Note
Activity Streams are only available to those with Enterprise-level licenses.