For beeing able to catch ipalib.errors.NotFound errors in ipahost it is
needed to import ipalib.errors. ipalib.errors is now imported as
ipalib_errors to not have name conflicts with the errors list used in some
of the modules.
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1804838
This change is needed to properly handle base64 encoding of certificates
stored as bytes, under Python 3, as used by IPA service. It does not
affect Python 2.7 as bytes are identical to str in this version of the
language.
When retireving certificates stored by FreeIPA service data is returned
as bytes, under Python 3, and encoding then breaks, as there is no
bytes.public_bytes method. In Python 3, encoding with base64 will be the
same for strings and bytes.
ipahost was so far ignoring IP addresses when the host already existed.
This happened because host_mod is not providing functionality to do this.
Now ipaddress is a list and it is possible to ensure a host with several
IP addresses (these can be IPv4 and IPv6). Also it is possible to ensure
presence and absence of IP addresses for an exising host using action
member.
There are no IP address conclict checks as this would lead into issues with
updating an existing host that already is using a duplicate IP address for
example for round-robin (RR). Also this might lead into issues with ensuring
a new host with several IP addresses in this case. Also to ensure a list of
hosts with changing the IP address of one host to another in the list would
result in issues here.
New example playbooks have been added:
playbooks/host/host-present-with-several-ip-addresses.yml
playbooks/host/host-member-ipaddresses-absent.yml
playbooks/host/host-member-ipaddresses-present.yml
A new test has been added for verification:
tests/host/test_host_ipaddresses.yml
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1783976https://bugzilla.redhat.com/show_bug.cgi?id=1783979
Bool types are not iterable. Therefore the comparison using sets was failing
with a TypeError. This prevented to change the bool parameters for hosts.
A test for the host module has been added to verify that the bool parameters
can be modified.
New test:
tests/host/test_host_bool_params.yml
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1784514
There are some commands in the IPA API that do not require
arguments, and current implementation does not allow these
commands to be execute.
This patch adds api_command_no_name to allow the execution
of such commands, which is required, for example, to create
a vaultcontainer management module.
The ipahost management module was not able to add several hosts at once.
Addtionally there have been settings missing.
ansible_freeipa_module has been extended to provide two additional functions
that are needed to simplify the extension of the ipahost module:
gen_add_del_lists(user_list, res_list)
encode_certificate(cert)
gen_add_del_lists will generate the lists for the addition and removal of
members using the provided user and ipa settings.
encode_certificate will encode a certificate using base64 with also taking
FreeIPA and Python versions into account.
The missing settings in ipahost have been:
certificate
managedby_host
principal
create_keytab_[user,group,host,hostgroup]
retrieve_keytab_[user,group,host,hostgroup]
sshpubkey
userclass
auth_ind
requires_pre_auth
ok_as_delegate
ok_to_auth_as_delegate
The README-host.md file has been updated to provide information about the
new settings and also the members. Also examples for the new things have
been added.
New example playbooks have been added:
playbooks/host/add-host.yml
playbooks/host/host-member-allow_create_keytab-absent.yml
playbooks/host/host-member-allow_create_keytab-present.yml
playbooks/host/host-member-allow_retrieve_keytab-absent.yml
playbooks/host/host-member-allow_retrieve_keytab-present.yml
playbooks/host/host-member-certificate-absent.yml
playbooks/host/host-member-certificate-present.yml
playbooks/host/host-member-managedby_host-absent.yml
playbooks/host/host-member-managedby_host-present.yml
playbooks/host/host-member-principal-absent.yml
playbooks/host/host-member-principal-present.yml
playbooks/host/host-present-with-allow_create_keytab.yml
playbooks/host/host-present-with-allow_retrieve_keytab.yml
playbooks/host/host-present-with-certificate.yml
playbooks/host/host-present-with-managedby_host.yml
playbooks/host/host-present-with-principal.yml
playbooks/host/host-present-with-randompassword.yml
playbooks/host/host-present.yml
playbooks/host/hosts-member-certificate-absent.yml
playbooks/host/hosts-member-certificate-present.yml
playbooks/host/hosts-member-managedby_host-absent.yml
playbooks/host/hosts-member-managedby_host-present.yml
playbooks/host/hosts-member-principal-absent.yml
playbooks/host/hosts-member-principal-present.yml
playbooks/host/hosts-present-with-certificate.yml
playbooks/host/hosts-present-with-managedby_host.yml
playbooks/host/hosts-present-with-randompasswords.yml
New tests have been added for the module:
tests/host/certificate/cert1.der
tests/host/certificate/cert1.pem
tests/host/certificate/cert2.der
tests/host/certificate/cert2.pem
tests/host/certificate/cert3.der
tests/host/certificate/cert3.pem
tests/host/certificate/private1.key
tests/host/certificate/private2.key
tests/host/certificate/private3.key
tests/host/certificate/test_host_certificate.yml
tests/host/certificate/test_hosts_certificate.yml
tests/host/test_host.yml
tests/host/test_host_allow_create_keytab.yml
tests/host/test_host_allow_retrieve_keytab.yml
tests/host/test_host_managedby_host.yml
tests/host/test_host_principal.yml
tests/host/test_host_random.yml
tests/host/test_hosts.yml
tests/host/test_hosts_managedby_host.yml
tests/host/test_hosts_principal.yml
The use of gssapi.creds.Credentials is not good if krb5 ticket forwarding
is used. It will fail. gssapi.Credentials with usage and store is the proper
way to do this.
With IPA 4.5 integers for examle in pwpolicy_find are returned as
integer values. The internally generated value will be converted from
integer to string (using to_text) if the value from find call result
is a string (or unicode for Python2).
The function api_get_realm is returning the realm of a connected FreeIPA
api. This is needed for proper principal checks in the extended ipauser
module that supports principals now.
The conversion is needed because older FreeIPA versions are returning
tuples in some cases instead of lists. To be able to compare them the
conversion to a list is needed.
The module_params_get function can and should be used as a replacement of
ansible_module.params.get. For Python2 it is needed to convert parameters
to unicode. Otherwise there will be an error in the FreeIPA API command.
The private function _afm_convert has been added to do the conversion
recursively.
api_check_param can be used to verify if params are available for a command
in the used FreeIPA version. The function has been added as api is normally
not imported into modules.
api_command is always used within try clause, therefore it is not needed
to have an extra try clause within api_command. Additionally it is needed
to get the dofferent errors in the next level.
The GSSAPI can be enabled in the management modules with either the
KRB5CCNAME or the KRB5_CLIENT_KTNAME environment variable.
For KRB5CCNAME it is needed to create a ccache file
kinit admin@TEST.LOCAL -c /root/admin.ccache
that is transferred to the nodes (here into /root) and activated in the
playbook with
environment:
KRB5CCNAME: /root/admin.ccache
For KRB5_CLIENT_KTNAME a admin keytab has to be generated
ipa-getkeytab -s ipaserver.test.local -p admin@TEST.LOCAL -k \
/root/admin.keytab
that is transferred to the nodes (here into /root) and activated in the
playbook with
environment:
KRB5_CLIENT_KTNAME: /root/admin.keytab
It will be needed to set ipaadmin_principal if the admin principal is not
admin.
The management modules can be used without a password in this case.
date_format parses the supported date formats and creates a datetime object.
compare_args_ipa compares generated args with args returned by IPA command
find_ functions.
There are now two topology management modules placed in the plugins folder:
plugins/modules/ipatopologysegment.py
plugins/modules/ipatopologysuffix.py
Topology segments can be added, removed and reinitialized with the
ipatopologysegment module. Also it is possible to verify topology suffixes
with the ipatopologysuffix module.
A new module_utils for plugins has been added:
plugins/module_utils/ansible_freeipa_module.py
And documentation for the modules:
README-topology.md
New sample playbooks are available in playbooks/topology:
playbooks/topology/add-topologysegment.yml
playbooks/topology/delete-topologysegment.yml
playbooks/topology/reinitialize-topologysegment.yml
playbooks/topology/verify-topologysuffix.yml
The plugins folder can be used with the new Ansible Collections supported
by Ansible 2.8 and Ansible galaxy 3.2.
