Changes to Controller Admin #1364

Open: wants to merge 4 commits into base: main
Original file line number Diff line number Diff line change
Expand Up @@ -2,22 +2,21 @@

= {ControllerNameStart} configuration

You can configure {ControllerName} settings within the *Settings* screen in the following tabs:
You can configure {ControllerName} settings from the *Systems Settings* screen in the following tabs:

image::ag-settings-menu-screen.png[Settings]

Each tab contains fields with a *Reset* option, enabling you to revert any value entered back to the default value.
*Reset All* enables you to revert all the values to their factory default values.

*Save* applies the changes you make, but it does not exit the edit dialog.
To return to the *Settings* page, from the navigation panel select {MenuAEAdminSettings} or use the breadcrumbs at the top of the current view.
Click btn:[Save] to apply the changes you make.

include::platform/proc-controller-authentication.adoc[leveloffset=+1]
include::platform/proc-controller-configure-jobs.adoc[leveloffset=+1]
include::platform/proc-controller-configure-system.adoc[leveloffset=+1]
//Changed at 2.5
include::platform/proc-controller-configure-user-interface.adoc[leveloffset=+1]
//Changes at 2.5
include::platform/proc-controller-configure-usability-analytics.adoc[leveloffset=+2]
include::platform/con-controller-custom-logos.adoc[leveloffset=+2]
//Doesn't appear to be availaable at 2.5
//include::platform/con-controller-custom-logos.adoc[leveloffset=+2]
include::platform/con-controller-additional-settings.adoc[leveloffset=+1]
include::platform/proc-controller-obtaining-subscriptions.adoc[leveloffset=+1]
include::platform/con-controller-keep-subscription-in-compliance.adoc[leveloffset=+2]
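Review bot: The new intro line names the *Systems Settings* screen, but the procedures touched in this same change call it the *System Settings* page ("On the *System Settings* page, click btn:[Edit]."), so pick one name and use it here too. The new comment "//Doesn't appear to be availaable at 2.5" has a typo ("available"). Also check the nesting of proc-controller-configure-usability-analytics.adoc: it is still included at leveloffset=+2 under the user-interface module, although its procedure now starts from {MenuSetSystem}, so it probably belongs under proc-controller-configure-system.adoc.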
Original file line number Diff line number Diff line change
Expand Up @@ -2,16 +2,16 @@

= Performance tuning for {ControllerName}

Tune your {ControllerName} to optimize performance and scalability. When planning your workload, ensure that you identify your performance and scaling needs, adjust for any limitations, and monitor your deployment.
Tune your {ControllerName} to optimize performance and scalability.
When planning your workload, ensure that you identify your performance and scaling needs, adjust for any limitations, and monitor your deployment.

{ControllerNameStart} is a distributed system with multiple components that you can tune, including the following:

* Task system in charge of scheduling jobs
* Control Plane in charge of controlling jobs and processing output
* Execution plane where jobs run
* Web server in charge of serving the API
* Websocket system that serve and broadcast websocket connections and data
* Database used by multiple components
* Task system in charge of scheduling jobs.
* Control Plane in charge of controlling jobs and processing output.
* Web server in charge of serving the API.
* Websocket system that serve and broadcast websocket connections and data.
* Database used by multiple components.

include::platform/ref-controller-capacity-planning.adoc[leveloffset=+1]
include::platform/ref-controller-workload-characteristics.adoc[leveloffset=+2]
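Review bot: The rewritten component list has five items where the old one had six: "Execution plane where jobs run" is gone. Nothing else in the hunk suggests the execution plane is no longer tunable, so this looks like an accidental drop while adding the trailing periods; restore it. While the list is being touched, "Websocket system that serve and broadcast" should read "serves and broadcasts".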
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ You might find that you need to customize your playbook runs to expose additiona
To fine tune your use of job isolation, there are certain variables that can be set.

By default, {ControllerName} uses the system's `/tmp` directory as its staging area.
You can change this in the *Job Execution Path* field on the *Jobs settings* page, or in the REST API at `/api/v2/settings/jobs`, using:
You can change this in the REST API at `/api/v2/settings/jobs`, using:

[literal, options="nowrap" subs="+attributes"]
----
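Review bot: The sentence about changing the staging area now gives only the REST API route and drops the *Job Execution Path* field on the *Jobs settings* page, yet proc-controller-configure-jobs.adoc in this same change still documents a *Jobs settings* page with an btn:[Edit] button. If the field still exists at 2.5, keep the UI route (pointing at {MenuSetJob}) next to the API one; if it was removed, say so in a comment so the omission is clearly deliberate.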
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@

= {ControllerNameStart} logfiles

{ControllerNameStart} logfiles can be accessed from two centralized locations:
You can access {ControllerName} logfiles from two centralized locations:

* `/var/log/tower/`
* `/var/log/supervisor/`
Expand All @@ -16,7 +16,7 @@ In the `/var/log/tower/` directory, you can view logfiles captured by:
* *management_playbooks.log:* Captures the logs of management playbook runs, and isolated job runs such as copying the metadata.
* *rsyslog.err:* Captures rsyslog errors authenticating with external logging services when sending logs to them.
* *task_system.log:* Captures the logs of tasks that {ControllerName} is running in the background, such as adding cluster instances and logs related to information gathering or processing for analytics.
* *tower_rbac_migrations.log:* Captures the logs for rbac database migration or upgrade.
* *tower_rbac_migrations.log:* Captures the logs for RBAC database migration or upgrade.
* *tower_system_tracking_migrations.log:* Captures the logs of the controller system tracking migration or upgrade.
* *wsbroadcast.log:* Captures the logs of websocket connections in the controller nodes.

Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
= Logging and Aggregation

Logging provides the capability to send detailed logs to third-party external log aggregation services.
Services connected to this data feed serve as a means of gaining insight into {ControllerName} use or technical trends.
Services connected to this data feed are a means of gaining insight into {ControllerName} use or technical trends.
The data can be used to analyze events in the infrastructure, monitor for anomalies, and correlate events in one service with events in another.

The types of data that are most useful to {ControllerName} are job fact data, job events or job runs, activity stream data, and log messages.
Binary file modified downstream/images/ag-settings-menu-screen.png
Binary file modified downstream/images/configure-controller-system-logging-types.png
Original file line number Diff line number Diff line change
Expand Up @@ -38,9 +38,9 @@ For example, if you have a subscription capacity of 10 hosts:
= Viewing the host activity

.Procedure
//[ddacosta] I don't see a Host Metrics menu selection off the standalone navigation panel. Should it be Resources > Hosts? If so, add replace with {MenuInfrastructureHosts}
//[ddacosta] I don't see a Host Metrics menu selection off the standalone navigation panel. Should it be Infrastructure > Hosts? If so, add replace with {MenuInfrastructureHosts}
//[ddacosta] For 2.5 Host Metrics is off the Analytics menu. Use {MenuAAHostMetrics}
. In the navigation panel, select menu:Host Metrics[] to view the activity associated with hosts, such as those that have been automated and deleted.
. In the navigation panel, select {MenuAAHostMetrics} to view the activity associated with hosts, such as those that have been automated and deleted.
+
Each unique hostname is listed and sorted by the user's preference.
+
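Review bot: The two "//[ddacosta]" comments above the first step are now stale: the step uses {MenuAAHostMetrics}, which settles the question the first comment still asks ("Should it be Infrastructure > Hosts?"). Editing that comment from "Resources" to "Infrastructure" keeps an open question in the source that the next line already answers; delete both comments instead, or reduce them to a single note that the menu path was confirmed for 2.5.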
Original file line number Diff line number Diff line change
Expand Up @@ -3,11 +3,16 @@
= Minimize administrative accounts

Minimizing the access to system administrative accounts is crucial for maintaining a secure system.

A system administrator or root user can access, edit, and disrupt any system application.

Limit the number of people or accounts with root access, where possible.

Do not give out _sudo_ to _root_ or _awx_ (the {ControllerName} user) to untrusted users.

Note that when restricting administrative access through mechanisms like _sudo_, restricting to a certain set of commands can still give a wide range of access.
Any command that enables execution of a shell or arbitrary shell commands, or any command that can change files on the system, is equal to full root access.

With {ControllerName}, any {ControllerName} "system administrator" or "superuser" account can edit, change, and update an inventory or automation definition in {ControllerName}.
With {ControllerName}, any {ControllerName} "system administrator" or "superuser" account can edit, change, and update an inventory or automation definition in {ControllerName}.

Restrict this to the minimum set of users possible for low-level {ControllerName} configuration and disaster recovery only.
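Review bot: The blank lines added between the opening sentences turn one paragraph of guidance into a run of single-sentence paragraphs in the rendered output. One sentence per line without blank lines keeps the source diff-friendly and renders as a single paragraph; if the intent is to make each rule stand out, a bulleted list would do that more clearly. The removed and added "With {ControllerName}, any {ControllerName} "system administrator" ..." lines are textually identical as shown, so that part is presumably a whitespace-only change; confirm it is intended.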
Original file line number Diff line number Diff line change
Expand Up @@ -4,4 +4,4 @@

If an {ControllerName} credential is only stored in the controller, you can further secure it.
You can configure services such as OpenSSH to only permit credentials on connections from specific addresses.
Credentials used by automation can be different from credentials used by system administrators for disaster-recovery or other ad hoc management, allowing for easier auditing.
Credentials used by automation can be different from credentials used by system administrators for disaster-recovery or other ad hoc management, this makes auditing easier.
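Review bot: The rewritten last sentence is a comma splice: "... or other ad hoc management, this makes auditing easier." Either split it into two sentences ("... ad hoc management. This makes auditing easier.") or keep the original participle form. "disaster-recovery" is also unhyphenated elsewhere in this change ("disaster recovery only"), so align the spelling while editing the line.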
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
= Understand the architecture of {PlatformNameShort} and {ControllerName}

{PlatformNameShort} and {ControllerName} comprise a general-purpose, declarative automation platform.
That means that once an Ansible playbook is launched (by {ControllerName}, or directly on the command line), the playbook, inventory, and credentials provided to Ansible are considered to be the source of truth.
That means that once an Ansible playbook is launched (by {ControllerName}, by {Navigator}, or directly on the command line), the playbook, inventory, and credentials provided to Ansible are considered to be the source of truth.
If you want policies around external verification of specific playbook content, job definition, or inventory contents, you must complete these processes before the automation is launched, either by the {ControllerName} web UI, or the {ControllerName} API.

The use of source control, branching, and mandatory code review is best practice for Ansible automation.
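Review bot: With {Navigator} added as a launch path in the second sentence, the following sentence is now incomplete: it still says verification must be completed before automation is launched "either by the {ControllerName} web UI, or the {ControllerName} API". Extend that sentence to cover {Navigator} and the command line, or reword it to "before the automation is launched, by whichever method", so the pre-launch verification guidance applies to every path the paragraph lists.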
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@ These messages can be configured as required.
Use the following procedure to modify the default API 4XX errors log message format.

.Procedure
. From the navigation panel, select {MenuAEAdminSettings} then select *Logging settings*.
. From the navigation panel, select {MenuSetLogging}.
. On the *Logging settings* page, click btn:[Edit].
. Modify the field *Log Format For API 4XX Errors*.

Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ Once you create and register your developer application with the appropriate ser

.Procedure
//[ddacosta] For 2.5, this will change to Access Management > Authentication
. From the navigation panel, select {MenuAEAdminSettings}.
. From the navigation panel, select {MenuAMAuthentication}.
. Select from the following *Authentication* options:

* xref:controller-set-up-azure[Azure AD settings]
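Review bot: The comment above the first step ("For 2.5, this will change to Access Management > Authentication") is left in place although the step now uses {MenuAMAuthentication}, which is that change. Remove the comment so the source does not describe a pending edit that has already been made.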
10 changes: 5 additions & 5 deletions downstream/modules/platform/proc-controller-configure-jobs.adoc
Original file line number Diff line number Diff line change
Expand Up @@ -2,14 +2,14 @@

= Configuring jobs

The *Jobs* tab enables you to configure the types of modules that can be used by the {ControllerName}'s Ad Hoc Commands feature, set limits on the number of jobs that can be scheduled, define their output size, and other details pertaining to working with jobs in {ControllerName}.
From the navigation pane, selecting *Jobs* enables you to configure the types of modules that can be used by the {ControllerName}'s Ad Hoc Commands feature, set limits on the number of jobs that can be scheduled, define their output size, and other details pertaining to working with jobs in {ControllerName}.

.Procedure

. From the navigation panel, select {MenuAEAdminSettings}.
. Select *Jobs settings* in the *Jobs* option.
. From the navigation panel, select {MenuSetJob}.
. On the *Jobs settings* page, click btn:[Edit].
Set the configurable options from the fields provided.
Click the tooltip image:question_circle.png[Tool tip,15,15] icon next to the field that you need additional information about.
Click the tooltip image:question_circle.png[Tool tip,15,15] icon next to the field to provide additional information.
+
For more information about configuring Galaxy settings, see the link:{BaseURL}/red_hat_ansible_automation_platform/{PlatformVers}/html-single/automation_controller_user_guide/index#ref-projects-galaxy-support[Ansible Galaxy Support] section of the _{ControllerUG}_.
+
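Review bot: The reworded tooltip sentence inverts its meaning: "Click the tooltip ... icon next to the field to provide additional information" reads as if the user supplies the information. Suggest "Click the tooltip icon next to a field for additional information about it." In the intro, "From the navigation pane" should be "navigation panel" to match the steps, and "selecting *Jobs*" does not match the step, which uses {MenuSetJob}; name the same menu path in both places.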
Expand All @@ -18,4 +18,4 @@ For more information about configuring Galaxy settings, see the link:{BaseURL}/r
The values for all timeouts are in seconds.
====
+
. Click btn:[Save] to apply the settings and btn:[Cancel] to abandon the changes.
. Click btn:[Save] to apply the settings.
38 changes: 16 additions & 22 deletions downstream/modules/platform/proc-controller-configure-system.adoc
Original file line number Diff line number Diff line change
Expand Up @@ -2,37 +2,31 @@

= Configuring system settings

The *System* tab enables you to complete the following actions:
The *System Settings* page enables you to complete the following actions:

* Define the base URL for the {ControllerName} host
* Configure alerts
* Enable activity capturing
* Control visibility of users
* Enable certain {ControllerName} features and functionality through a license file
* Configure logging aggregation options
* Gather data for {Analytics}

.Procedure

. From the navigation panel, select {MenuAEAdminSettings}.
. Choose from the following *System* options:
* *Miscellaneous System settings*: Enable activity streams, specify the default {ExecEnvShort}, define the base URL for the {ControllerName} host, enable {ControllerName} administration alerts, set user visibility, define analytics, specify usernames and passwords, and configure proxies.
* *Miscellaneous Authentication settings*: Configure options associated with authentication methods (built-in or SSO), sessions (timeout, number of sessions logged in, tokens), and social authentication mapping.
* *Logging settings*: Configure logging options based on the type you choose:
+
image::ag-configure-aap-system-logging-types.png[Logging settings]
+
For more information about each of the logging aggregation types, see the xref:assembly-controller-logging-aggregation[Logging and Aggregation] section.
. From the navigation panel, select {MenuSetSystem}.
. Click btn:[Edit].
. Set the configurable options from the fields provided.
Click the tooltip image:question_circle.png[Tool tip,15,15] icon next to the field that you need additional information about.
+
The following is an example of the *Miscellaneous System* settings:
+
image::ag-configure-aap-system.png[Misc. system settings]
+
[NOTE]
====
The *Allow External Users to Create Oauth2 Tokens* setting is disabled by default.
This ensures external users cannot create their own tokens.
If you enable then disable it, any tokens created by external users in the meantime still exist, and are not automatically revoked.
====
. Click btn:[Save] to apply the settings and btn:[Cancel] to abandon the changes.
//+
//The following is an example of the *Miscellaneous System* settings:
//+
//image::ag-configure-aap-system.png[Misc. system settings]
//+
//[NOTE]
//====
//The *Allow External Users to Create Oauth2 Tokens* setting is disabled by default.
//This ensures external users cannot create their own tokens.
//If you enable then disable it, any tokens created by external users in the meantime still exist, and are not automatically revoked.
//====
. Click btn:[Save] to apply the settings.
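Review bot: The NOTE on *Allow External Users to Create Oauth2 Tokens* is commented out at the end of the procedure along with the screenshot, which drops the only statement that tokens created by external users while the setting was enabled "still exist, and are not automatically revoked". That is behaviour an administrator needs to know before toggling the setting. If the setting still exists at 2.5, keep the NOTE live and comment out only the outdated image; if it moved, move the NOTE to the module that documents its new location rather than leaving it as dead text here.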
Original file line number Diff line number Diff line change
Expand Up @@ -8,18 +8,22 @@ Only users installing a trial of {PlatformName} or a fresh installation of {Cont

{ControllerNameStart} collects user data automatically to help improve the product.
//[ddacosta]Modified this sentence since the procedure explains how to get to the UI settings.
You can opt out or control the way {ControllerName} collects data by setting your participation level in the *User Interface settings*.
//You can opt out or control the way {ControllerName} collects data by setting your participation level in the *User Interface settings*.

.Procedure

. From the navigation panel, select {MenuAEAdminSettings}.
. Select *User Interface settings* from the *User Interface* options.
. Click btn:[Edit].
. Select the desired level of data collection from the *User Analytics Tracking State* list:
* *Off*: Prevents any data collection.
* *Anonymous*: Enables data collection without your specific user data.
* *Detailed*: Enables data collection including your specific user data.
. Click btn:[Save] to apply the settings or btn:[Cancel] to abandon the changes.
. From the navigation panel, select {MenuSetSystem}.
. On the *System Settings* page, click btn:[Edit].
. Select the *Gather data for {Analytics}* checkbox.
. Enter the following information:
* *Last gather data for {Analytics}*: Set the date and time.
//No tool tip for the next one. This is a guess.
* *Last gathered entries from the data collection service of {Analytics}*: Enter the data and time data was last gathered.
* *{Analytics} Gather Interval*: Interval (in seconds) between data gathering.
//The following are marked with a red asterisk, it doesn't explain why.
* *Last cleanup date for HostMetrics*: Set the date and time.
* *Last computing date of HostMetricsSummaryMonthly*: Set the date and time.
. Click btn:[Save] to apply the settings.

.Additional resources
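Review bot: After this change the module no longer tells the reader how to opt out of or limit data collection: the sentence about setting a participation level is commented out and the *Off* / *Anonymous* / *Detailed* options are removed, while the intro still says the product "collects user data automatically". Add the 2.5 equivalent, for example that clearing the *Gather data for {Analytics}* checkbox stops collection, if that is the case. The field description flagged with "//No tool tip for the next one. This is a guess." needs confirmation from engineering before merge, and it contains a typo ("Enter the data and time data was last gathered" should be "date and time").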

Original file line number Diff line number Diff line change
@@ -1,11 +1,21 @@
[id="controller-configure-user-interface"]

= Configuring the user interface
= Configuring the user preferences

The *User Interface* tab enables you to set {ControllerName} analytics settings, and configure custom logos and login messages.
//The *User Interface* tab enables you to set {ControllerName} analytics settings, and configure custom logos and login messages.

.Procedure

. From the navigation panel, select {MenuAEAdminSettings}.
. Select *User Interface settings* from the *User Interface* option.
. Click btn:[Edit] to configure your preferences.
. From the navigation panel, select {MenuSetUserPref}.
. You change the following settings:

* *Refresh Interval*: Select the refresh interval for the page.
This refreshes the data on the page at the selected interval.
The refresh happens in the background and does not reload the page.
* *Color Theme*: Select from `Dark theme`, `Light theme` or `System default`.
* *Table Layout*: Select from `Comfortable` or 'Compact'.
* *Form Columns*: Select from `Multiple columns of inputs` or `Sincle column of inputs`.
* *Form Labels*: Select from `Labels above inputs` or `Labels beside inputs`.
* *Date Format*: Select from `Show dates as date and time` or 'Show date relative to the current time'.
* *Preferred Data Format*: Select from `JSON` or `YAML`.
. Click btn:[Save] to accpt your changes.
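Review bot: The new settings list has typos and inconsistent literal markup: "Sincle column of inputs" (Single), "accpt your changes" (accept), and 'Compact' and 'Show date relative to the current time' use single quotes where every other option value uses backticks. "You change the following settings:" should be an instruction, such as "Change any of the following settings:". The title is now "Configuring the user preferences" but the id is still "controller-configure-user-interface"; either keep the id deliberately for existing xrefs and note that in a comment, or rename it and update the references.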
Original file line number Diff line number Diff line change
Expand Up @@ -6,4 +6,5 @@

. Disable live streaming events by using one of the following methods:
.. In the API, set `UI_LIVE_UPDATES_ENABLED` to *False*.
.. Navigate to your {ControllerName}. Open the *Miscellaneous System Settings* window. Set the *Enable Activity Stream* toggle to *Off*.
.. In the navigation panel, select {MenuSetSystem}.
.. On the *System Settings* page, clear the *Enable Activity Stream* checkbox.
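Review bot: Step 1 says "by using one of the following methods", but the UI method is now split across two sub-steps, so the list reads as three alternative methods instead of two. Keep the UI route as a single sub-step ("In the navigation panel, select {MenuSetSystem}, then on the *System Settings* page clear the *Enable Activity Stream* checkbox.") or nest its two actions one level deeper. It is also worth confirming that clearing *Enable Activity Stream* is the UI counterpart of setting `UI_LIVE_UPDATES_ENABLED` to *False*, since the two names differ.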