*** evrardjp has quit IRC | 04:33 | |
*** evrardjp has joined #ara | 04:33 | |
*** TKersten has joined #ara | 05:25 | |
svg | I'm a bit confused on how I could enable and use external authentication. Am I missing the right section, or is there documentation missing about this? I only see a reference to the Django docs, but not sure what it would take to use this in ARA? | 11:15 |
---|---|---|
dmsimard | svg: I don't use external auth myself but it's something that django supports, it's not something implemented specifically by/for ara | 11:23 |
dmsimard | from ara's perspective you would need to flip the required booleans for requiring authentication: https://ara.readthedocs.io/en/latest/api-security.html#enabling-authentication-for-read-or-write-access | 11:25 |
dmsimard | and then set ARA_EXTERNAL_AUTH to True | 11:25 |
dmsimard | then the rest is django/your webserver I think | 11:25 |
dmsimard | happy to review a patch to improve docs if you get it working :) | 11:26 |
dmsimard | oh, there is an apache specific howto here that could help point you in the right direction: https://github.com/ansible-community/ara/issues/124#issuecomment-617841597 | 11:30 |
svg | ok, thank you, situation is clear now; for now I'm using the docker setup, so that would involve a bit more to get it working | 11:58 |
dmsimard | svg: let me know if you get it working, I'm curious :) | 12:19 |
svg | dmsimard, having a first look at it; customer would want github authentication, but I fear I'll have to postpone that to later, and stick to a base setup for now, then later I can have a look at extending the docker image locally | 12:20 |
svg | hm, what would be the problem when getting a warning (<ansible.plugins.callback.ara_default.CallbackModule object at 0x7fe3c6866c70>): 'id' | 12:37 |
svg | I get on the server at the same time "POST /api/v1/playbooks HTTP/1.1" 401 | 12:38 |
svg | I'll double check the password to be sure | 12:38 |
svg | seems ok, as I can log in on the web frontend | 12:39 |
svg | (not sure which exact permissions the user used by the callback plugin should have, I select most for now) | 12:40 |
dmsimard | there's no concept of permission granularity in ara, either you have access to it or you don't | 12:43 |
dmsimard | did you set ARA_API_USERNAME/PASSWORD as env variables for the callback ? | 12:44 |
dmsimard | if you turn up verbosity (ansible-playbook -vvv) ansible should print the traceback | 12:44 |
svg | I set them in ansible.cfg | 12:49 |
svg | just tested to log in on /api, and I don't have that permission, I can log in on /admin/ though | 12:49 |
dmsimard | that's odd | 12:50 |
svg | oh, so the different user permissions listed at https://ara.team.skedify.io/admin/auth/user/2/change/ have zero effect? | 12:50 |
dmsimard | we only use login | 12:51 |
dmsimard | need to afk a bit, brb | 12:51 |
svg | apologies, pebkac, I had a typo somewhere :-( | 12:54 |
dmsimard | svg: oh, so it works ? | 13:28 |
svg | yes | 13:28 |
svg | my bad | 13:29 |
dmsimard | nice! so you're using a github token for auth ? | 13:29 |
svg | oh, no, not looked at the auth yet | 13:29 |
svg | external auth | 13:29 |
dmsimard | oh | 13:30 |
svg | first impression of running a playbook, it does slow down a lot. or perhaps especially when uploading all files. | 13:30 |
dmsimard | yes, there is definitely an overhead with vs without ara | 13:30 |
dmsimard | the objective is for that overhead to be small enough to be worth it, though | 13:30 |
dmsimard | you want to pay attention to latency between the callback, the API server and the database server | 13:31 |
svg | first try, using sqlite, and the ara server is located at remote DC, where my hosts are. So we'll see how it evolves, I could test it from a DC local machine later | 13:32 |
svg | btw, is it possible the playbook vars like ara_playbook_labels don't get templated by ansible before passing them to the callback? | 13:32 |
svg | I was trying to add a tag with the username of who runs the playbook | 13:33 |
dmsimard | good question, I don't think I've templated labels before -- only ever specified them as-is | 13:37 |
dmsimard | by the time the labels get to ara, they are picked up at the beginning of each play so hopefully the templated value is available by then | 13:38 |
svg | well, seems it isn't, I suspect templating is something that needs to be done explicitly in the code | 13:40 |
dmsimard | so just to make sure we're talking about the same thing -- you're doing something like this: https://github.com/ansible-community/ara/blob/40894c7027144c4d875e5d5a97e5cfebf75ec318/tests/integration/smoke.yaml#L24-L26 but with something like - "{{ ansible_user }}" ? | 13:41 |
svg | yes | 13:42 |
svg | and then I get https://transfer.office.ginsys.eu/inline/py7UQ/20201008154242.png | 13:43 |
svg | btw, setting this is only per play, not playbook? We always run a site.yaml with multiple playbooks, so we would need to repeat those labels each time I presume. | 13:45 |
dmsimard | labels apply to the playbook, not the play -- but you'd technically have the ability to change labels across different plays | 13:46 |
dmsimard | i need to do some testing for the templated label, let me get back to you on that | 13:47 |
svg | ok! | 13:52 |
dmsimard | I've reproduced the issue but I'm not sure if it's the fault of ara or ansible, will create an issue on github about it | 13:55 |
dmsimard | created https://github.com/ansible-community/ara/issues/180 | 14:05 |
*** TKersten has quit IRC | 14:23 | |
*** TKersten has joined #ara | 14:23 | |
*** TKersten has quit IRC | 14:46 | |
*** etienne has joined #ara | 14:47 | |
*** gvincent_ has quit IRC | 15:34 | |
*** gvincent_ has joined #ara | 15:34 | |
*** gvincent_ has quit IRC | 18:55 | |
*** etienne has quit IRC | 20:41 |