Setup BWC repos, Install BWC and Setup RBAC

.kitchen.yml

@@ -16,6 +16,9 @@ provisioner:
   idempotency_test: true
   extra_vars:
     st2_pkg_repo: <%= ENV['ST2_REPO'] || 'stable' %>
+    bwc_pkg_repo: <%= ENV['BWC_REPO'] || 'enterprise' %>
+    license_var: <%= ENV['LICENSE'] %>
+    bwc_license: <%= ENV[ENV['LICENSE']] || ENV['BWC_LICENSE_ENTERPRISE'] %>
 
 platforms:
   # Ubuntu Trusty with Upstart

.travis.yml

@@ -9,16 +9,16 @@ branches:
 
 env:
   # default is stable repo
-  - DISTRO=ubuntu-14
-  - DISTRO=ubuntu-16
-  - DISTRO=centos-6
-  - DISTRO=centos-7
+  - DISTRO=ubuntu-14 LICENSE='BWC_LICENSE_ENTERPRISE'
+  - DISTRO=ubuntu-16 LICENSE='BWC_LICENSE_ENTERPRISE'
+  - DISTRO=centos-6 LICENSE='BWC_LICENSE_ENTERPRISE'
+  - DISTRO=centos-7 LICENSE='BWC_LICENSE_ENTERPRISE'
 
   # StackStorm 'unstable' repo check
-  - DISTRO=ubuntu-14 ST2_REPO=unstable
-  - DISTRO=ubuntu-16 ST2_REPO=unstable
-  - DISTRO=centos-6 ST2_REPO=unstable
-  - DISTRO=centos-7 ST2_REPO=unstable
+  - DISTRO=ubuntu-14 ST2_REPO=unstable BWC_REPO=enterprise-unstable LICENSE='BWC_LICENSE_ENTERPRISE_UNSTABLE'
+  - DISTRO=ubuntu-16 ST2_REPO=unstable BWC_REPO=enterprise-unstable LICENSE='BWC_LICENSE_ENTERPRISE_UNSTABLE'
+  - DISTRO=centos-6 ST2_REPO=unstable BWC_REPO=enterprise-unstable LICENSE='BWC_LICENSE_ENTERPRISE_UNSTABLE'
+  - DISTRO=centos-7 ST2_REPO=unstable BWC_REPO=enterprise-unstable LICENSE='BWC_LICENSE_ENTERPRISE_UNSTABLE'
 
 script:
   # run kitchen tests (destroy, create, converge, setup, verify and destroy)

README.md

@@ -47,6 +47,13 @@ Below is the list of variables you can redefine in your playbook to customize st
 | `st2mistral_db`          | `mistral`     | PostgreSQL DB name for Mistral.
 | `st2mistral_db_username` | `mistral`     | PostgreSQL DB user for Mistral.
 | `st2mistral_db_password` | `StackStorm`  | PostgreSQL DB password for Mistral.
+| **bwc**
+| `bwc_license`            | `null`        | BWC license key is required for installing BWC enteprise bits via this ansible role. 
+| `bwc_pkg_repo`           | `enterprise`  | BWC PackageCloud repository to install. [`enterprise`](https://packagecloud.io/StackStorm/enterprise/), [`enterprise-unstable`](https://packagecloud.io/StackStorm/enterprise-unstable/), [`staging-enterprise`](https://packagecloud.io/StackStorm/staging-enteprise/), [`staging-enterprise-unstable`](https://packagecloud.io/StackStorm/staging-enterprise-unstable/)
+| `bwc_version`            | `latest`      | BWC enterprise version to install. Use latest `latest` to get automatic updates or pin it to numeric version like `2.1.1`. The version used here should match `st2_version`. 
+| `bwc_revision`           | `1`           | BWC enterprise revision to install. Used only with pinned `bwc_version`.
+| `bwc_rbac` | [See `bwc_rbac` variable in role defaults](roles/bwc/defaults/main.yml) | BWC RBAC roles and assignments. This is a dictionary with two keys `roles` and `assignments`. `roles` and `assignments` are in turn both arrays. Each element in the array follows the exact YAML schema for [roles](https://bwc-docs.brocade.com/rbac.html#user-permissions) and [assignments](https://bwc-docs.brocade.com/rbac.html#defining-user-role-assignments) defined in BWC documentation.
+| `bwc_ldap` | [See `bwc_ldap` variable in role defaults](roles/bwc/defaults/main.yml) | Settings for BWC LDAP authentication backend. `bwc_ldap` is a dictionary and has one item `backend_kwargs`. `backend_kwargs` should be provided as exactly listed in BWC documentation for [LDAP configuration](https://bwc-docs.brocade.com/authentication.html#auth-backends).
 
 ## Examples
 Install latest `stable` StackStorm with all its components on local machine:

roles/bwc/defaults/main.yml

@@ -0,0 +1,41 @@
+---
+# BWC PackageCloud repository to install: enterprise, enterprise-unstable, staging-enterprise, staging-enterprise-unstable.
+bwc_pkg_repo: "enterprise"
+# 'latest' to get latest version or numeric like '2.1.1'
+bwc_version: latest
+# used only if 'bwc_version' is numeric
+bwc_revision: 1
+
+# BWC license to install BWC enterprise bits
+master_token: "{{ bwc_license }}"
+
+# Specify roles and assignments for BWC RBAC.
+# Roles are pushed as YML files to /opt/stackstorm/rbac/roles
+# Assignments are pushed as YML files to /opt/stackstorm/rbac/assignments/
+# The schema for roles and assignments follow the exact schema definition
+# define in https://bwc-docs.brocade.com/rbac.html#defining-roles-and-permission-grants
+# and https://bwc-docs.brocade.com/rbac.html#defining-user-role-assignments.
+
+bwc_rbac_default_roles: []
+
+bwc_rbac_default_assignments:
+  - name: "{{ st2_system_user }}"
+    roles:
+      - admin
+
+  - name: "{{ st2_auth_username }}"
+    roles:
+      - system_admin
+
+bwc_rbac:
+  roles: "{{ bwc_rbac_default_roles }}"
+
+  assignments: "{{ bwc_rbac_default_assignments }}"
+
+
+# By specifying a valid configuration for LDAP,
+# (See https://bwc-docs.brocade.com/authentication.html#ldap )
+# LDAP auth backend is setup for st2 and BWC.
+# Note that you just need to provide the backend_kwargs.
+bwc_ldap:
+  backend_kwargs: {}

roles/bwc/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+
+- name: reload bwc_rbac
+  become: yes
+  command: st2-apply-rbac-definitions --config-file /etc/st2/st2.conf

roles/bwc/meta/main.yml

@@ -0,0 +1,27 @@
+---
+galaxy_info:
+  description: Install BWC Entperprise components, setup RBAC and LDAP
+  author: lakshmi-kannan
+  company: StackStorm
+  license: Apache 2.0
+  min_ansible_version: 2.2
+  platforms:
+    - name: Ubuntu
+      versions:
+        - trusty
+        - xenial
+    - name: EL
+      versions:
+        - 6
+        - 7
+  categories:
+    - stackstorm
+    - BWC
+    - Brocade Workflow Composer
+    - repositories
+    - packagecloud
+  dependencies:
+    - role: st2repos
+    - role: st2
+    - role: st2web
+    - role: bwc_repos

roles/bwc/tasks/bwc_repos_apt.yml

@@ -0,0 +1,32 @@
+---
+
+- name: Assert that master_token is specified
+  fail: msg="License key must be supplied for BWC enterprise installation."
+  when: bwc_license is not defined
+
+- name: Install prereqs (Debian)
+  become: yes
+  apt:
+    name: "{{ item }}"
+    state: present
+  with_items:
+    - debian-archive-keyring
+    - apt-transport-https
+
+# This is the exact key as the open source repo but this behavior might change.
+- name: Add keys to keyring
+  become: yes
+  apt_key:
+    id: 418A7F2FB0E1E6E7EABF6FE8C2E73424D59097AB
+    url: https://packagecloud.io/StackStorm/{{ bwc_pkg_repo }}/gpgkey
+    state: present
+
+- name: "Add packagecloud.io repository: StackStorm/{{ bwc_pkg_repo }}"
+  become: yes
+  no_log: yes
+  apt_repository:
+    filename: "StackStorm_{{ bwc_pkg_repo }}"
+    repo: 'deb https://{{ bwc_read_token }}:@packagecloud.io/StackStorm/{{ bwc_pkg_repo }}/{{ ansible_distribution|lower }}/ {{ ansible_distribution_release|lower }} main'
+    state: present
+    update_cache: yes
+  register: added_bwc_deb_repository

roles/bwc/tasks/bwc_repos_setup.yml

@@ -0,0 +1,42 @@
+---
+
+- name: Assert that master_token is specified
+  fail: msg="License key must be supplied for BWC enterprise installation."
+  when: bwc_license is not defined
+
+- name: Create packagecloud dir
+  become: yes
+  file:
+    path: "/etc/packagecloud"
+    mode: "u=rwx,g=rx,o=rx"
+    owner: st2
+    group: st2
+    state: directory
+
+- name: Get read token for repo from packagecloud
+  become: yes
+  no_log: yes
+  uri:
+    url: https://{{ bwc_license }}:@packagecloud.io/install/repositories/StackStorm/{{ bwc_pkg_repo }}/tokens.text
+    creates: "/etc/packagecloud/StackStorm_{{ bwc_pkg_repo }}_read_token.txt"  # Don't download if file already exists
+    dest: "/etc/packagecloud/StackStorm_{{ bwc_pkg_repo }}_read_token.txt"
+    force_basic_auth: yes
+    method: POST
+    status_code: 201,200
+    headers:
+      Content-Type: "application/x-www-form-urlencoded"
+    body: "name={{ ansible_nodename }}"
+
+- name: Set bwc_read_token variable
+  become: yes
+  no_log: yes
+  set_fact:
+    bwc_read_token: "{{ lookup('file', '/etc/packagecloud/StackStorm_{{ bwc_pkg_repo }}_read_token.txt') }}"
+
+- name: Add BWC enterprise repos on {{ ansible_distribution }}
+  include: bwc_repos_{{ ansible_pkg_mgr }}.yml
+  tags:
+    - BWC repos
+    - StackStorm enterprise
+  register: bwc_repo_added
+  when: bwc_read_token != ''

roles/bwc/tasks/bwc_repos_yum.yml

@@ -0,0 +1,26 @@
+---
+
+# Fixes "Failure talking to yum: Cannot retrieve repository metadata (repomd.xml) for repository: StackStorm_stable. Please verify its path and try again" when installing st2
+- name: Update ca-certificates package
+  become: yes
+  yum:
+    name: ca-certificates
+    state: latest
+  tags: skip_ansible_lint
+
+- name: "Add packagecloud.io repository: StackStorm/{{ bwc_pkg_repo }}"
+  become: yes
+  no_log: yes
+  yum_repository:
+    name: "StackStorm_{{ bwc_pkg_repo }}"
+    description: "StackStorm_{{ bwc_pkg_repo }}"
+    file: "StackStorm_{{ bwc_pkg_repo }}"
+    baseurl: https://{{ bwc_read_token }}:@packagecloud.io/StackStorm/{{ bwc_pkg_repo }}/el/{{ ansible_distribution_major_version }}/$basearch
+    repo_gpgcheck: yes
+    gpgkey: "https://{{ bwc_read_token }}:@packagecloud.io/StackStorm/{{ bwc_pkg_repo }}/gpgkey"
+    sslcacert: /etc/pki/tls/certs/ca-bundle.crt
+    metadata_expire: 300
+    gpgcheck: no
+    enabled: yes
+    sslverify: yes
+  register: added_bwc_rpm_repository

roles/bwc/tasks/ldap.yml

@@ -0,0 +1,32 @@
+---
+
+- name: Setup st2.conf auth backend to LDAP
+  become: yes
+  # Unfortunately, ``with_dict`` also logs the dict which could leak passwords.
+  no_logs: yes
+  ini_file:
+    dest: /etc/st2/st2.conf
+    section: auth
+    option: backend
+    value: ldap
+    backup: yes
+  # Don't even setup LDAP if backend_kwargs is not defined
+  with_dict: "{{ bwc_ldap.backend_kwargs | default({}) }}"
+  notify:
+    - restart st2api
+    - restart st2stream
+
+- name: Setup st2.conf auth backend_kwargs for LDAP
+  become: yes
+  # Unfortunately, ``with_dict`` also logs the dict which could leak passwords.
+  no_log: yes
+  ini_file:
+    dest: /etc/st2/st2.conf
+    section: auth
+    option: backend_kwargs
+    value: "{{ bwc_ldap.backend_kwargs | to_json | string }}"
+    backup: yes
+  with_dict: "{{ bwc_ldap.backend_kwargs | default({}) }}"
+  notify:
+    - restart st2api
+    - restart st2stream

roles/bwc/tasks/main.yml

@@ -0,0 +1,38 @@
+---
+
+- name: Add BWC enterprise repos
+  include: bwc_repos_setup.yml
+  tags:
+    - BWC repos
+    - StackStorm enterprise
+
+- name: Install latest bwc-enterprise package
+  become: yes
+  package:
+    name: bwc-enterprise
+    state: latest
+  register: bwc_installed
+  when: bwc_repo_added|success and bwc_version == "latest"
+  tags:
+    - bwc
+    - st2 enterprise
+    - skip_ansible_lint
+
+- name: Install pinned bwc-enterprise package
+  become: yes
+  package:
+    name: bwc-enterprise={{ bwc_version }}-{{ bwc_revision }}
+    state: present
+  register: bwc_installed
+  when: bwc_repo_added|success and bwc_version != "latest"
+  tags:
+    - bwc
+    - st2 enterprise
+
+- name: Setup RBAC and setup roles and assignments if bwc_rbac is defined
+  include: "rbac.yml"
+  when: bwc_installed|success and  bwc_rbac is defined
+
+- name: Setup LDAP and set up LDAP configuration
+  include: "ldap.yml"
+  when: bwc_installed|success and bwc_ldap is defined

roles/bwc/tasks/rbac.yml

@@ -0,0 +1,64 @@
+---
+
+  - name: Create BWC RBAC directories
+    become: yes
+    file:
+      path: "{{ item }}"
+      mode: "u=rwx,g=rx,o=rx"
+      owner: st2
+      group: st2
+      state: directory
+    with_items:
+      - /opt/stackstorm/rbac/assignments
+      - /opt/stackstorm/rbac/roles
+
+  - name: Copy default RBAC roles to /opt/stackstorm/rbac/roles directory
+    become: yes
+    template:
+      src: rbac_roles/roles.yml.j2
+      dest: /opt/stackstorm/rbac/roles/{{ item.name }}.yaml
+      owner: st2
+      group: st2
+    with_items: "{{ bwc_rbac_default_roles }}"
+
+  - name: Copy user defined RBAC roles to /opt/stackstorm/rbac/roles directory
+    become: yes
+    template:
+      src: rbac_roles/roles.yml.j2
+      dest: /opt/stackstorm/rbac/roles/{{ item.name }}.yaml
+      owner: st2
+      group: st2
+    with_items: "{{ bwc_rbac.roles }}"
+    when: bwc_rbac.roles is defined
+
+  - name: Copy default RBAC assignments to /opt/stackstorm/rbac/assignments directory
+    become: yes
+    template:
+      src: rbac_assignments/assignments.yml.j2
+      dest: /opt/stackstorm/rbac/assignments/{{ item.name }}.yaml
+      owner: st2
+      group: st2
+    with_items: "{{ bwc_rbac_default_assignments }}"
+
+  - name: Copy user defined RBAC assignments to /opt/stackstorm/rbac/assignments directory
+    become: yes
+    template:
+      src: rbac_assignments/assignments.yml.j2
+      dest: /opt/stackstorm/rbac/assignments/{{ item.name }}.yaml
+      owner: st2
+      group: st2
+    with_items: "{{ bwc_rbac.assignments }}"
+    when: bwc_rbac.assignments is defined
+
+  - name: Enable RBAC in st2 configuration
+    become: yes
+    ini_file:
+      dest: /etc/st2/st2.conf
+      section: rbac
+      option: enable
+      value: True
+      backup: yes
+    notify:
+      - restart st2
+      - reload bwc_rbac
+      - restart st2api

roles/bwc/templates/rbac_assignments/assignments.yml.j2

@@ -0,0 +1,5 @@
+---
+
+  username: {{ item.name }}
+  roles:
+    {{ item.roles | to_nice_yaml }}

roles/bwc/templates/rbac_roles/roles.yml.j2

@@ -0,0 +1,6 @@
+---
+
+name: {{ item.name }}
+description: {{ item.description }}
+permission_grants:
+    {{ item.permission_grants | to_nice_json }}

stackstorm.yml

@@ -12,3 +12,4 @@
     - st2web
     - nodejs
     - st2smoketests
+    - bwc