Add configure SS and pipeline

[mamedin]

This PR will use the features added by the following PRs:

-artefactual/archivematica#681
-artefactual/archivematica-storage-service#213

Specifically, this PR allows to:

a) Create a SS superuser
b) Create a dashboard admin user and register the pipeline on the SS.

To configure SS and pipeline on a deployment, the following boolean
extra-vars have to be enabled:

• archivematica_src_configure_dashboard : To create the dashboard admin user and
  to register pipeline on SS
• archivematica_src_configure_ss : To create SS superuser

They are disabled by default.

connects to #161

[mamedin]

This fixes #161

[mamedin]

You can use the following variables on vars.yml file for testing:

archivematica_src_configure_ss_user: "ss_user"
archivematica_src_configure_ss_password: "password_ss"
archivematica_src_configure_ss_email: "[email protected]"
#archivematica_src_configure_ss_api_key: "9fd9a15258c244b2ca4bbee0a2393809"
archivematica_src_configure_ss_url: "http://SS_IP_ADDRESS:8000"
archivematica_src_configure_am_user: "dashboard_user"
archivematica_src_configure_am_password: "password_dashboard"
archivematica_src_configure_am_email: "[email protected]"
#archivematica_src_configure_am_api_key: "058d6ca988fecd5a6bf4ab24492e7ee8c954f485"
archivematica_src_configure_am_org_name: "org_name"
archivematica_src_configure_am_org_id: "12345"
#archivematica_src_configure_am_whitelist: '"1.2.3.3 127.0.0.1"'

To run the playbook with the configure feature, use the extravars:

• "archivematica_src_configure_ss_dashboard=yes": To configure SS and dashboard
• "archivematica_src_configure_ss=yes": To create SS superadmin only
• "archivematica_src_configure_dashboard=yes": To create the dashboard andmin and register the pipeline.

[mamedin]

I forgot to mention the more important thing. There's a breaking change in the PR artefactual/archivematica#681 about the dashboard API whitelist: an empty whitelist now means: "allow from all".

Do you think that a better default whitelist could be "localhost" or another value?

[scollazo]

Some feedback provided

[scollazo]

Can you add also the "First name" and "last name" fields? This way, we have all the configuration options exposed here.

[scollazo]

This should be one line for each switch, it would improve readability

[scollazo]

What do you think about deleting the default test user when this is set?

[scollazo]

You have archivematica_src_configure_dashboard and archivematica_src_configure_ss_dashboard: "no", but seems like this configures both things always.

[scollazo]

I think passwords should be something line "PleaseChangeMe!", so users don't forget to set them

[scollazo]

As the files have only two tasks each, what about consolidating them into a single one?

[mamedin]

Thanks Santi, I have considered all your suggestions except for entering the variables "First name" and "Last name"

The variables "First name" and "Last name" were not contemplated in the artefactual/archivematica#681 PR, so it requires an AM additional change.

I have simplified the variables and tags since it could lead to confusion and it made the configuration more complicated. Now there is only the amsrc-configure tag and the variables ``archivematica_src_configure_ss and archivematica_src_configure_dashboard.

The default SS test user is deleted when adding a custom SS superuser.

I have consolidated all task into a single file, called configure.yml.

The default password was set to "PleaseChangeMe!"

The format is now cleaner introducing some line breaks to facilitate the reading of the code.

This PR is ready for CR again.

[scollazo]

Some more comments

[scollazo]

I think you can set the env in a line, as we do here:

ansible-archivematica-src/tasks/ss-db.yml

Line 17 in a38b2d1

environment: "{{ archivematica_src_ss_environment }}"

[scollazo]

Is this dead code?

[scollazo]

I'm thinking about adding a "security" measure, to avoid breaking currently configured systems:

• Check if there is an "admin" user created
• If so, trigger an ansible prompt and ask if we want to continue.

[sevein]

@mamedin 🏓

[sevein]

Let's try to get this merged? It's a nice feature.

[mamedin]

Hi @sevein to merge:

-I need to change the PR to take account the last @scollazo's suggestions:
* Remove dead code
* Set one-line environment

• Import these Jisc commits to Archivematica and Storage Service (to make idempotent):
  * dashboard: make create_super_user idempotent in installer steps JiscSD/archivematica#46
  * dashboard: make setup_pipeline funcs idempotent JiscSD/archivematica#55
  * https://github.com/JiscRDSS/archivematica-storage-service/pull/19/files

[sevein]

@mamedin ops ok I see. Any of that is going to happen for AM17 so I guess we can ignore this PR for now. Thanks!

[scollazo]

Although not idempotent, the changes in this PR work on am 1.7. @mamedin can you address my comments about setting environment vars so we can merge this?

We should also create a bug in archivematica in order to get the changes needed for idempotency into 1.7.1, or at least in qa/1.x

[mamedin]

@scollazo It is ready for QA, I have included your suggestions about stting environment.

[scollazo]

Feedback added. What happens if you run this playbook twice? Does the password get reset?

[scollazo]

Duplicated?

[scollazo]

Use "test org" for org, and "test id" for id?

[scollazo]

For the ss api key, the condition is when: "archivematica_src_configure_ss_api_key is undefined and archivematica_src_configure_ss|bool", but here you are not checking for archivematica_src_configure_dashboard

[mamedin]

Yes, it was done intentionally in case just SS is installed.

[scollazo]

I'm not getting your point, I think that the other case (deploying the dashboard, with the ss in other server), will also fail.

Thinking out loud , does it make sense to place this steps in pipeline-dbconf.yml for the dashboard, and ss-db.yml for the storage service? This way you can rely on archivematica_src_install_am and archivematica_src_install_ss to avoid this issue.

[scollazo]

I think that using cd, and chdir later, is not needed

[scollazo]

Also, typo

[mamedin]

Yes, this "cd" is not needed. The typo is prior to this change, and this variable is used several times in the role. I'll include the typo fix as a separate commit.

[scollazo]

I'm not getting your point, I think that the other case (deploying the dashboard, with the ss in other server), will also fail.

Thinking out loud , does it make sense to place this steps in pipeline-dbconf.yml for the dashboard, and ss-db.yml for the storage service? This way you can rely on archivematica_src_install_am and archivematica_src_install_ss to avoid this issue.

[mamedin]

Pending to the artefactual/archivematica-storage-service#364 (comment)

I found some problems that I want to fix:

• Deleting the SS test user could be a problem when running this role several times
• It fails using the amsrc-configure tag when the archivematica_src_mcpclient_clamav_tcp_port variable is not defined

[sevein]

Related: artefactual/archivematica#1131.

[sevein]

Related: artefactual/archivematica#1134.

[mamedin]

I have updated again this PR. I added 2 basic test looking at the dashboard database to check whether the pipeline is already registered or the dashboard user already exists. With these 2 basic tests we make sure that this role only runs in new deployments, which is where it makes sense.

I have rebased again to check the last commits and now there are no problems when using the amsrc-configure tag and some variables are not defined.

It is ready for CR again.

There are new changes that needs to be cr'ed again

[scollazo]

Instead of aborting if the user is already created, why not check for it first, and only create it when needed?

[mamedin]

Hi @scollazo , the artefactual/archivematica#1165 PR will make the dashboard installer idempotent, so the last commit could be removed because it is not needed.

[jhsimpson]

I made a copy of this branch and rebased my copy on top of the recent changes in the master branch of this repo: https://github.com/jhsimpson/ansible-archivematica-src/tree/dev/configure-ss-dashboard

I tested this deploying to an Ubunt 16.04 host, using this dev branch of deploy-pub:

https://github.com/artefactual/deploy-pub/tree/dev/deploy-am-post17

This worked great for me, on a fresh install. I haven't tested upgrades or other os'es. I did have to play around a bit to figure out what ansible variables I actually needed. You can see the variables I used here:https://github.com/artefactual/deploy-pub/blob/dev/deploy-am-post17/playbooks/archivematica/vars-singlenode-qa.yml

@mamedin I think that last commit could stay, it is not bad to check if the users exist, even if the dashboard installer itself is idempotent, it is possible for users to be created by other methods (in db directly, by django shell commands).

[mamedin]

In this last commit I have changed a bit the order of the tasks and checks. Now instead of abort when it detects the pipeline was configured or the pipeline user exists, it does nothing and sends a message.

[scollazo]

It has been a long way, but imho, this is ready for merge, kudos @mamedin !

We should add those new values to the docs in a separate commit.

[scollazo]

LGTM!