This patch adds suport for the IPA CLI option `posix` when modifying
an existing group. Also, enhances verification of `external` and
`posix/non-posix` groups to avoid unneded API failures (e.g. when
no change to the posix/external status is needed).
A new test was added:
tests/group/test_group_external_nonposix.yml
There is a new role management module placed in the plugins folder:
plugins/modules/iparole.py
The role module allows to ensure presence or absence of roles and
manage role members.
Here is the documentation for the module:
README-role.md
New example playbooks have been added:
playbooks/role/role-is-absent.yml
playbooks/role/role-is-present.yml
playbooks/role/role-member-group-absent.yml
playbooks/role/role-member-group-present.yml
playbooks/role/role-member-host-absent.yml
playbooks/role/role-member-host-present.yml
playbooks/role/role-member-hostgroup-absent.yml
playbooks/role/role-member-hostgroup-present.yml
playbooks/role/role-member-privilege-absent.yml
playbooks/role/role-member-privilege-present.yml
playbooks/role/role-member-service-absent.yml
playbooks/role/role-member-service-present.yml
playbooks/role/role-member-user-absent.yml
playbooks/role/role-member-user-present.yml
playbooks/role/role-members-absent.yml
playbooks/role/role-members-present.yml
playbooks/role/role-rename.yml
New tests for the module:
tests/role/test_role.yml
tests/role/test_role_service_member.yml
If a unknown membermanager user presence will be ensured, the unknown user
error was ignored. This has been fixed in ipagroup. The code for the error
handling in ipagroup and ipahostgroup has been adapted because of this.
New tests for tests/[host]group/test_[host]group_membermnager.yml have been
added.
Allows changing passwords of symmetric waults, using a new variable
`new_password` (or the file-base version, `new_password_file`). The
old password must be passed using the `password` or `password_file`
variables that also received new aliases `old_password` and
`old_password_file`, respectively.
Tests were modyfied to reflect the changes.
It was possible to have several entries for names with the hosts and users
lists. This resulted sometimes in errors but also unexpected changes. A new
check has been added to make sure that the names in the users and hosts
lists are unique.
New tests have been added to verify this in the existing files:
- tests/host/test_hosts.yml
- tests/user/test_users.yml
This patch allows the modification of the forward zone policy in
an existing DNS Forward Zone, and fixes some issues with `enable`
and `disable` state that prevented correct behavior of `forwardpolicy`.
Services without certificates, but with keytabs were not being
disabled. This change allows execution of service_disable if
there is a certificate or if has_keytab is true.
A new test was added to verify the issue:
tests/service/test_service_disable.yml
This patch modify the was forwarders are configured, using two attributes,
`ip_address` and `port`, instead of IPA API internal string representation
of `IP port PORT`.
Current implementation of hbacrule and sudorule allow for a new rule
creation script to be partialy successful when a member is provided and
the respective member category is set to `all` (either users, hosts,
services, commands, and their group counterparts).
Since the creation of the rule is independent of the adittion of members,
the rule is succesfully created, but member addition fails, leaving with
a created rule that has no members on it.
This patch fixes both modules by verifying if user, host, service or
commands (and groups of members) are being added if the corresponding
category is set to `all`, when the state is `present` and the action is
not `member`. If so, it fails before the rule is created.
This patch add support for the attributes `maxtostname` and
`ca_renewal_master_server` attributes that were missing and
also provide a more complete set of tests.
This patch adds support for retrieving data stored in an IPA vault by
adding a new valid state for ipavault: `retrieved`.
To allow the retrieval of data from assymetric vaults, the attributes
`private_key`, `private_key_files` and `out` were also added to the
module.
The private key files, `private.pem`, should be paired with the already
existing `public.pem` public key files.
Tests were updated to reflect changes and two new playbooks were added:
playbooks/vault/retrive-data-asymmetric-vault.yml
playbooks/vault/retrive-data-symmetric-vault.yml
This patch fixes handling of password and public_key files, parameter
validation depending on vault type, usage of `salt` attribute and data
retrieval.
Tests were updated to reflect the changes.
New example playbooks are added:
playbooks/vault/vault-is-present-with-password-file.yml
playbooks/vault/vault-is-present-with-public-key-file.yml
A group membership manager is a user or a group that can add members to
a group or remove members from a hostgroup.
This is related to https://pagure.io/freeipa/issue/8114
New parameters have been added to the module:
- `membermanager_user`: List of member manager users assigned to this
group. Only usable with IPA versions 4.8.4 and up.
- `membermanager_group`: List of member manager groups assigned to this
group. Only usable with IPA versions 4.8.4 and up.
These parameters behave like member parameters.
A new test has been added:
- tests/hostgroup/test_hostgroup_membermanager.yml
There is a new dnsrecord managem module placed in the plugins folder:
plugins/modules/ipadnsrecord.py
The dnsrecord module allows management of DNS records and is as compatible
as possible with the Ansible upstream `ipa_dnsrecord` module, but provide
some other features like multiple record management in one execution,
support for more DNS record types, and more.
Here is the documentation for the module:
README-dnsrecord
New example playbooks have been added:
playbooks/dnsrecord/ensure-dnsrecord-is-absent.yml
playbooks/dnsrecord/ensure-dnsrecord-is-present.yml
playbooks/dnsrecord/ensure-presence-multiple-records.yml
playbooks/dnsrecord/ensure-dnsrecord-with-reverse-is-present.yml
playbooks/dnsrecord/ensure-multiple-A-records-are-present.yml
playbooks/dnsrecord/ensure-A-and-AAAA-records-are-absent.yml
playbooks/dnsrecord/ensure-A-and-AAAA-records-are-present.yml
playbooks/dnsrecord/ensure-CNAME-record-is-absent.yml
playbooks/dnsrecord/ensure-CNAME-record-is-present.yml
playbooks/dnsrecord/ensure-MX-record-is-present.yml
playbooks/dnsrecord/ensure-PTR-record-is-present.yml
playbooks/dnsrecord/ensure-SRV-record-is-present.yml
playbooks/dnsrecord/ensure-SSHFP-record-is-present.yml
playbooks/dnsrecord/ensure-TLSA-record-is-present.yml
playbooks/dnsrecord/ensure-TXT-record-is-present.yml
playbooks/dnsrecord/ensure-URI-record-is-present.yml
New tests for the module can be found at:
tests/dnsrecord/test_dnsrecord.yml
tests/dnsrecord/test_compatibility_with_ansible_module.yml
tests/dnsrecord/test_dnsrecord_full_records.yml
A group membership manager is a user or a group that can add members to
a group or remove members from a group.
This is related to https://pagure.io/freeipa/issue/8114
New parameters have been added to the module:
- `membermanager_user`: List of member manager users assigned to this
group. Only usable with IPA versions 4.8.4 and up.
- `membermanager_group`: List of member manager groups assigned to this
group. Only usable with IPA versions 4.8.4 and up.
These parameters behave like member parameters.
A new test has been added:
- tests/group/test_group_membermanager.yml
A group membership manager is a user or a group that can add members to
a group or remove members from a hostgroup.
This is related to https://pagure.io/freeipa/issue/8114
New parameters have been added to the module:
- `membermanager_user`: List of member manager users assigned to this
group. Only usable with IPA versions 4.8.4 and up.
- `membermanager_group`: List of member manager groups assigned to this
group. Only usable with IPA versions 4.8.4 and up.
These parameters behave like member parameters.
A new test has been added:
- tests/hostgroup/test_hostgroup_membermanager.yml
This patch changes auth_ind variable to receive a list of values
instead of a single one, so that more than one value can be set
at once.
Tests have been updated to reflect the change.
When using a variable that is invalid for a given action, the `action`
was not being displayed in the error message, leading to a poor user
experience.
This patch changes auth_ind variable to receive a list of values
instead of a single one, so that more than one value can be set
at once.
Tests have been updated to reflect the change.
When using a variable that is invalid for a given action, the `action`
was not being displayed in the error message, leading to a poor user
experience.
This patch explicitly set `no_log` option for `update_password` attribute
to `False`, so that the warning on `no_log` not being set is not issued
anymore. Ansible incorrectly issued the warning, as `update_password` does
not carry sensitive information.
This patch fixes handling of password and public_key files, parameter
validation depending on vault type, usage of `salt` attribute and data
retrieval.
Tests were updated to reflect the changes.
New example playbooks are added:
playbooks/vault/vault-is-present-with-password-file.yml
playbooks/vault/vault-is-present-with-public-key-file.yml
playbooks/vault/retrive-data-asymmetric-vault.yml
playbooks/vault/retrive-data-symmetric-vault.yml
plugins/modules/ipaconfig.py
The config module allows the user change global config settings.
The config module is as compatible as possible to the Ansible upstream
ipa_config module, but adds many extra variables.
Here is the documentation for the module:
README-config.md
