Setting PE RBAC permissions and token authentication for orchestrator
Before you run any orchestrator jobs, you need to set the appropriate permissions in PE role-based access control (RBAC) and establish token-based authentication.
Most orchestrator users require the following permissions to run orchestrator jobs or tasks:
Type | Permission | Definition |
---|---|---|
Puppet agent | Run Puppet on agent nodes. | The ability to run Puppet on nodes using the console or orchestrator. Instance must always be "*". |
Job orchestrator | Start, stop and view jobs | The ability to start and stop jobs and tasks, view jobs and job progress, and view an inventory of nodes that are connected to the PCP broker. |
Tasks | Run tasks | The ability to run specific tasks on all nodes, a selected node group, or nodes that match a PQL query. |
Nodes | View node data from PuppetDB. | The ability to view node data imported from PuppetDB. Object must always be "*". |
Assign task permissions to a user role
- In the console, on the Access control page, click the User roles tab.
- From the list of user roles, click the one you want to have task permissions.
- On the Permissions tab, in the Type box, select Tasks.
- For Permission, select Run tasks, and then select a task from the Object list. For example, facter_task.
- Click Add permission, and then commit the change.
Using token authentication
Before running an orchestrator job, you must generate an RBAC access token to authenticate to the orchestration service. If you attempt to run a job without a token, PE prompts you to supply credentials.
For information about generating a token with the CLI, see the documentation on token-based authentication.