The inventory file is one of three input files needed to deploy PAM with Ansible:

- mypam.ini (or similar name)
- mypam.vars (or similar name)
- mypam.vault (or similar name)
Inventory files are INI-format files typically named mypam.ini or some other similar name. The PAM CDM package includes an example inventory file, example.ini, that may be used as a template or starting point.
The main purpose of the inventory file is to tell Ansible what remote hosts are available to manage, and how they are organized into groups. The following inventory groups are defined:
Group | Required? | Host Count | Notes |
---|---|---|---|
pam_master | Yes | 1 or more | PAM master node with GUI/API, Session, and Worker applications. |
pam_remote | No | 0 or more | PAM remote node with Session and Worker applications (no GUI/API). |
pam_session | No | 0 or more | PAM session-only remote node (no GUI/API or Worker). |
pam_worker | No | 0 or more | PAM worker-only remote node (no GUI/API or Session). |
pam_apache | No | 0 or 1 | Ansible-managed Apache load balancer (not for production use). |
pam_postgres | No | 0 or 1 | Ansible-managed PostgreSQL database (not for production use). |
PAM has a very flexible deployment model. Here are some examples of Ansible inventory files that match some common PAM deployment patterns.
The simplest PAM farm deployment. The inventory is just a single host acting as the PAM master node with the embedded Apache Derby database.

```ini
[pam_master]
pam-singlenode.corp.net
```
Still a single-node PAM deployment, but now Ansible will install the PostgreSQL database on the same host.

```ini
[pam_master]
pam-singlenode.corp.net

[pam_postgres]
pam-singlenode.corp.net
```
Still a single-node PAM deployment, but a separate VM is used for the PostgreSQL database.

```ini
[pam_master]
pam-master.corp.net

[pam_postgres]
pam-database.corp.net
```
A network load balancer is required for a multi-master PAM farm. In this example, Ansible will install Apache on a VM and configure it as a load balancer for PAM. For production PAM farms, an external load balancer should be used instead.
A database is required for all PAM farms. In this example, Ansible will install PostgreSQL on a VM and configure it for use with PAM. For production PAM farms, an external database should be used instead.
```ini
[pam_master]
pam-master-1.corp.net
pam-master-2.corp.net

[pam_apache]
pam-lb.corp.net

[pam_postgres]
pam-database.corp.net
```
In this context, external simply means not managed by Ansible. This is strongly recommended for production PAM farms. The Ansible-managed Apache and PostgreSQL deployments are not production quality.
In this inventory example, the PAM master nodes are defined but not the Apache load balancer or PostgreSQL database. This means Ansible will not attempt to install Apache or PostgreSQL, but instead get load balancer and database integration details from the Ansible Vars and Ansible Vault files.
```ini
[pam_master]
pam-master-1.corp.net
pam-master-2.corp.net

[pam_apache]
# empty group, or leave it undefined

[pam_postgres]
# empty group, or leave it undefined
```
This example shows a PAM farm with every inventory group populated: two master nodes, two remote nodes, two session-only nodes, two worker-only nodes, an Ansible-managed Apache load balancer, and an Ansible-managed PostgreSQL database.
This is just an example of what is possible. A production PAM farm would not use Ansible-managed Apache load balancer or Ansible-managed PostgreSQL database.
```ini
[pam_master]
pam-master-1.corp.net
pam-master-2.corp.net

[pam_remote]
pam-remote-1.corp.net
pam-remote-2.corp.net

[pam_session]
pam-session-1.corp.net
pam-session-2.corp.net

[pam_worker]
pam-worker-1.corp.net
pam-worker-2.corp.net

[pam_apache]
pam-lb.corp.net

[pam_postgres]
pam-database.corp.net
```
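The group table above encodes a small set of constraints (pam_master is required with at least one host; pam_apache and pam_postgres take at most one host; the other groups are optional) that Ansible itself does not enforce, so a mistyped group name or a second load-balancer host is only discovered when the playbook fails or, worse, silently skips a step. The following Python script is an added example, not part of the PAM CDM package: it parses an INI-format inventory in the style shown on this page and checks it against the table. The parser is deliberately minimal (it ignores `[group:vars]` and `[group:children]` sections and any per-host variables, and does not expand host ranges such as `[1:2]`), and the inventories embedded in it are constructed for the demonstration, including an intentionally broken one.

```python
"""Validate a PAM Ansible inventory against the group rules on this page.

Added example; the GROUP_RULES table mirrors the "Required?" and "Host Count"
columns of the inventory group table. The parser handles only the subset of
Ansible INI syntax used in the examples on this page.
"""
import re

# group -> (required, minimum hosts, maximum hosts or None for unlimited)
GROUP_RULES = {
    "pam_master": (True, 1, None),
    "pam_remote": (False, 0, None),
    "pam_session": (False, 0, None),
    "pam_worker": (False, 0, None),
    "pam_apache": (False, 0, 1),
    "pam_postgres": (False, 0, 1),
}

_SECTION = re.compile(r"^\[([^\]]+)\]$")


def parse_inventory(text):
    """Return {group: [host, ...]} for the plain host sections of an INI inventory.

    Comment lines (# or ;), blank lines, ':vars' and ':children' sections are
    skipped; inline host variables after the host name are dropped; hosts that
    appear before any section header are collected under "ungrouped".
    """
    groups = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = _SECTION.match(line)
        if m:
            name = m.group(1).strip()
            if ":" in name:          # [group:vars] / [group:children]
                current = None
                continue
            current = name
            groups.setdefault(current, [])
            continue
        if current is None:
            if any(c in line for c in "=:"):
                continue             # a variable line inside a skipped section
            current = "ungrouped"
            groups.setdefault(current, [])
        groups[current].append(line.split()[0])
    return groups


def validate_pam_inventory(text):
    """Return a list of problems; an empty list means the table's rules are satisfied."""
    groups = parse_inventory(text)
    problems = []
    for group, (required, lo, hi) in GROUP_RULES.items():
        hosts = groups.get(group)
        if hosts is None:
            if required:
                problems.append(f"{group}: required group is missing")
            continue
        n = len(set(hosts))          # Ansible de-duplicates hosts within a group
        if n < lo:
            problems.append(f"{group}: needs at least {lo} host(s), found {n}")
        if hi is not None and n > hi:
            problems.append(f"{group}: at most {hi} host allowed, found {n}")
    for group in sorted(groups):
        if group not in GROUP_RULES and group != "ungrouped":
            problems.append(f"{group}: not a PAM inventory group")
    return problems


# Constructed inventories for the demonstration (same shape as the page's examples).
SINGLE_NODE = """\
[pam_master]
pam-singlenode.corp.net
[pam_postgres]
pam-singlenode.corp.net
"""

EXTERNAL_SERVICES = """\
[pam_master]
pam-master-1.corp.net
pam-master-2.corp.net
[pam_apache]
# empty group, or leave it undefined
[pam_postgres]
"""

BROKEN = """\
# constructed: no pam_master, two load balancers, and a misspelled group
[pam_apache]
pam-lb-1.corp.net
pam-lb-2.corp.net
[pam_postgress]
pam-database.corp.net
"""

if __name__ == "__main__":
    for label, inv in [("single node", SINGLE_NODE),
                       ("external services", EXTERNAL_SERVICES),
                       ("broken", BROKEN)]:
        print(label, "->", validate_pam_inventory(inv) or "OK")
```

Run this against mypam.ini before the playbook; it is a pre-flight check only, and the authoritative view of how Ansible will read the file is still `ansible-inventory -i mypam.ini --graph`, which shows the resolved group membership.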