IPA role members users, groups, hostgroups and privilege must be
compared in a case insensitive way, and either are stored in lowercase
or IPA API fixes the value for proper representation.
This patch forces all comparisons of this values to be performed in
lowercase, and also only modify the values if it is really needed.
Service members in IPA role objects must be compared ignoring character
capitalization, but are stored in a case preserving manner.
This patch modifies the way service members are handled, creating a map
between a lowercase version of the service parameter and the parameter
itself, and using the map key to compare against existing services. The
mapped value is then added as role member, if necessary.
Removed custom code used to create add/del lists in iparole in favor
of ansible_freeipa_module functions, and custom result_handler, to
reduce code duplication, as these methods have equivalent shared
versions.
ERROR: plugins/modules/ipaautomountmap.py:118:30: E203: whitespace before ':'
ERROR: Found 1 compile issue(s) on python 2.6 which need to be resolved:
ERROR: plugins/modules/ipasudorule.py:382:63: SyntaxError: {ensure_fqdn(value.lower(), default_domain) for value in host}
There is a new automount key module placed in the plugins folder:
plugins/modules/ipaautomountkey.py
The server module allows to ensure presence and absence of automount
keys. The module requires an existing automount location and map to
place the key within.
Here is the documentation for the module:
README-automountkey.md
New example playbooks have been added:
playbooks/automount/automount-key-absent.yaml
playbooks/automount/automount-key-present.yaml
New tests for the module:
tests/automount/test_automountkey.yml
Currently, when adding an overlapping set of members causes playbook to
fail as the already existing members are added twice.
This patch refactors membership management by removing duplicate logic
and handling all changes to members in a single place. This change
removed code that was causing the execution failures.
There is a new server management module placed in the plugins folder:
plugins/modules/ipaautomountmap.py
The server module allows to ensure presence and absence of automount
maps. The module requires an existing automount location to place the
map within. It does not create any automount keys with in the map.
Here is the documentation for the module:
README-automountmap.md
New example playbooks have been added:
playbooks/automount/automount-map-absent.yaml
playbooks/automount/automount-map-present.yaml
New tests for the module:
tests/automount/test_automountmap.yml
All ansible-freeipa modules which allow object renaming should support
'state: renamed'.
This patch adds suport for the missing state, and fixes cases where a
user could try to rename the object and set its members, which would
fail depending on the operation order.
Fix#566
Single hostnames can be used for sudorule_add_host and will match fqdn
in IPA internally. Simple host names have to be extended to be FQDN to
be able to compare them for sudorule_host_add and sudorule_host_remove.
Fixes#672
The removal of group or hostgroup orphans has been added to the automember
module.
It can be ensured that orphans have been removed using action: orphans_removed
The automember_type needs to be set for this.
New examples have been added to README-automember.md
New playbooks:
- playbooks/automember/automember-group-orphans-removed.yml
- playbooks/automember/automember-hostgroup-orphans-removed.yml
New tests:
- tests/automember/test_automember_orphans_removed.yml
The fallback group and hostgroup for unmached entries can be set and
unset using default_group. If default_group is empty, then the default
group will be unset.
DN and ipa_get_based provided by ansible_freeipa_module are used in the
code.
New parameters:
- default_group: Default (fallback) group for all unmatched entries.
New parameters and examples have been added to README-automember.md
New playbooks:
- playbooks/automember/automember-default-group-not-set.yml
- playbooks/automember/automember-default-group-set.yml
- playbooks/automember/automember-default-hostgroup-not-set.yml
- playbooks/automember/automember-default-hostgroup-set.yml
New tests:
- tests/automember/test_automember_default_group.yml
There was state: rebuild before, but the code was incomplete and was not
able to run properly.
New parameters:
- users: Limit the rebuild to the given users only
- hosts: Limit the rebuild to the given hosts only
- no_wait: Don't wait for rebuilding membership
New parameters and examples have been added to README-automember.md
tests/automember/test_automember_client_context.yml has been using
state: rebuild and lacked the automember_type parameter.
grouping was used in functions and has been replaced by automember_type.
Some typos in examples have been fixed also.
New playbooks:
- playbooks/automember/automember-group-membership-all-users-rebuilt.yml
- playbooks/automember/automember-group-membership-users-rebuilt.yml
- playbooks/automember/automember-hostgroup-membership-all-hosts-rebuilt.yml
- playbooks/automember/automember-hostgroup-membership-hosts-rebuilt.yml
New tests:
- tests/automember/test_automember_rebuilt.yml
These are indent issues, one item per line for argument_specs items
containing options dicts and missing or overflow spaces for comments
and dict delimiters.
This PR refactors ipaservice to reduce the number of variables (in
favor of a 'struct') and to group member management code so that it
can be leveraged, and not partially duplicated, between the states
and actions.
Altough this code is less direct that the previous one, it will reduce
the number fo changes to be made if changes to member management is
required.
When managing ipaservice members, gen_add_del_lists, gen_add_list and
get_intersection_list should be used and the result tested for empty
sets so already existing or missing members are not added or removed
again.
This changes fixes this behavior, by applying these functions to all
ipaservice members.
This patch add several deprecate warnings to FreeIPABaseModule, and
creates adapters to ease conversion of client classes to
IPAAnsibleModule.
There is no 'ipa_commands' management in IPAAnsibleModule, as 'command's
is a list of tuples containing '(command, name, args)', and should be
managed by the module itself. Commands with no arguments should use an
empty dictionary as 'args'.
The 'ipa_run' method should be replaced by:
```
exit_args = {}
ipaapi_context = self.params_get("ipaapi_context")
with self.ipa_connect(context=ipaapi_context):
self.check_ipa_params()
self.define_ipa_commands()
changed = self.execute_ipa_commands(
self.ipa_commands,
result_handler=my_custom_handler,
exit_args=exit_args
)
self.exit_json(changed=changed, **exit_args)
```
The 'process_command_result' method should be changed to a result
handler:
```
def my_result_handler(self, result, command, name, args, exit_args):
"""Process command result.""'
```
Use of 'ipa_params' should be replaced by IPAAnsibleModule.params_get.
If 'get_ipa_command_args' is used, then the mapping can be created with
class IPAParamMapping (formelly AnsibleFreeIPAParams), which also
enables the same property-like usage of 'ipa_params':
```
param_mapping = IPAParamMapping(module, mapping)
```
The goal is to have all ansible-freeipa modules using the same codebase,
reducing code duplication, and allowing better object composition, for
example, with the IPAParamMapping class.
If a task with 'action: automember' tried to modify an automember rule
and did not provide either 'inclusive' or 'exclusive' parameters, the
regex for the missing arguments would be removed.
This patch fixes this behavior to only modify those parameters that
were set on the task, and leave the missing parameters in the state
they were before the task.
Tests have been updated to verify expected behavior.
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1976922
When setting 'runasuser' or 'runasgroup' for a sudorule, either IPA or
external users and groups can be used, but only IPA users and groups
were being searched for when modifying the attributes, making this task
not idempotent if an external group or user was used..
This patch fixes this issue by comparing users and groups to the IPA
and external setting.
The IPA CLI commands are slightly confusing, as the sudorule-add and
sudorule-mod display separate options for internal and external users
and groups, but these options are deprecated and do not work anymore,
in favor of sudorule-add-runasuser and sudorule-add-runasgroup, which
don't diferentiate between internal and external users, from the CLI
user perspective.
This patch removes the custom command result handler in favor of the
IPAAnsibleModule default member handler and fixes creation of add and
del lists of permissions, fixing the behavior of the moudule execution
when 'check_mode: yes'.
When creating the lists to add/remove principal aliases, if the realm
was not specified, the alias would be used as it did not matched the
existing one, which has the realm part.
This patch fixes the add/del list creation by adding the current API
realm to each alias that does not have the realm part and then use
this modified list to be compared against the existing principal list.
This change also allows the use of the whole list in a single call to
the IPA API to add/remove the principals, instead of a call for every
one item in the list.
