mirror of
https://github.com/freeipa/ansible-freeipa.git
synced 2026-03-28 14:23:06 +00:00
Compare commits
8 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
a1f882ac52 | ||
|
8d99ce4207 | ||
|
|
e3e7d71474 | ||
|
|
285fb6b8e0 | ||
|
|
d2648b142a | ||
|
|
67e192242c | ||
|
|
9eefc1ae7c | ||
|
|
f2b3e88d5a |
@@ -104,13 +104,160 @@ Example playbook to add an inclusive condition to an existing rule
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
name: "My domain hosts"
|
||||
description: "my automember condition"
|
||||
automember_tye: hostgroup
|
||||
automember_type: hostgroup
|
||||
action: member
|
||||
inclusive:
|
||||
- key: fqdn
|
||||
expression: ".*.mydomain.com"
|
||||
```
|
||||
|
||||
Example playbook to ensure group membership for all users has been rebuilt
|
||||
|
||||
```yaml
|
||||
- name: Playbook to ensure group membership for all users has been rebuilt
|
||||
hosts: ipaserver
|
||||
become: yes
|
||||
gather_facts: no
|
||||
tasks:
|
||||
- ipaautomember:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
automember_type: group
|
||||
state: rebuilt
|
||||
```
|
||||
|
||||
Example playbook to ensure group membership for given users has been rebuilt
|
||||
|
||||
|
||||
```yaml
|
||||
- name: Playbook to ensure group membership for given users has been rebuilt
|
||||
hosts: ipaserver
|
||||
become: yes
|
||||
gather_facts: no
|
||||
tasks:
|
||||
- ipaautomember:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
users:
|
||||
- user1
|
||||
- user2
|
||||
state: rebuilt
|
||||
```
|
||||
|
||||
Example playbook to ensure hostgroup membership for all hosts has been rebuilt
|
||||
|
||||
```yaml
|
||||
- name: Playbook to ensure hostgroup membership for all hosts has been rebuilt
|
||||
hosts: ipaserver
|
||||
become: yes
|
||||
gather_facts: no
|
||||
tasks:
|
||||
- ipaautomember:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
automember_type: hostgroup
|
||||
state: rebuilt
|
||||
```
|
||||
|
||||
Example playbook to ensure hostgroup membership for given hosts has been rebuilt
|
||||
|
||||
```yaml
|
||||
- name: Playbook to ensure hostgroup membership for given hosts has been rebuilt
|
||||
hosts: ipaserver
|
||||
become: yes
|
||||
gather_facts: no
|
||||
tasks:
|
||||
- ipaautomember:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
hosts:
|
||||
- host1.mydomain.com
|
||||
- host2.mydomain.com
|
||||
state: rebuilt
|
||||
```
|
||||
|
||||
Example playbook to ensure default group fallback_group for all unmatched group entries is set
|
||||
|
||||
```yaml
|
||||
- name: Playbook to ensure default group fallback_group for all unmatched group entries is set
|
||||
hosts: ipaserver
|
||||
become: yes
|
||||
gather_facts: no
|
||||
tasks:
|
||||
- ipaautomember:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
automember_type: group
|
||||
default_group: fallback_group
|
||||
```
|
||||
|
||||
Example playbook to ensure default group for all unmatched group entries is not set
|
||||
|
||||
```yaml
|
||||
- name: Playbook to ensure default group for all unmatched group entries is not set
|
||||
hosts: ipaserver
|
||||
become: yes
|
||||
gather_facts: no
|
||||
tasks:
|
||||
- ipaautomember:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
default_group: ""
|
||||
automember_type: group
|
||||
state: absent
|
||||
```
|
||||
|
||||
Example playbook to ensure default hostgroup fallback_hostgroup for all unmatched group entries
|
||||
|
||||
```yaml
|
||||
- name: Playbook to ensure default hostgroup fallback_hostgroup for all unmatched group entries
|
||||
hosts: ipaserver
|
||||
become: yes
|
||||
gather_facts: no
|
||||
tasks:
|
||||
- ipaautomember:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
automember_type: hostgroup
|
||||
default_group: fallback_hostgroup
|
||||
```
|
||||
|
||||
Example playbook to ensure default hostgroup for all unmatched group entries is not set
|
||||
|
||||
```yaml
|
||||
- name: Playbook to ensure default hostgroup for all unmatched group entries is not set
|
||||
hosts: ipaserver
|
||||
become: yes
|
||||
gather_facts: no
|
||||
tasks:
|
||||
- ipaautomember:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
automember_type: hostgroup
|
||||
default_group: ""
|
||||
state: absent
|
||||
```
|
||||
|
||||
Example playbook to ensure all orphan automember group rules are removed:
|
||||
|
||||
```yaml
|
||||
- name: Playbook to ensure all orphan automember group rules are removed
|
||||
hosts: ipaserver
|
||||
become: yes
|
||||
gather_facts: no
|
||||
tasks:
|
||||
- ipaautomember:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
automember_type: group
|
||||
state: orphans_removed
|
||||
```
|
||||
|
||||
Example playbook to ensure all orphan automember hostgroup rules are removed:
|
||||
|
||||
```yaml
|
||||
- name: Playbook to ensure all orphan automember hostgroup rules are removed
|
||||
hosts: ipaserver
|
||||
become: yes
|
||||
gather_facts: no
|
||||
tasks:
|
||||
- ipaautomember:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
automember_type: hostgroup
|
||||
state: orphans_removed
|
||||
```
|
||||
|
||||
|
||||
Variables
|
||||
---------
|
||||
@@ -129,11 +276,16 @@ Variable | Description | Required
|
||||
`automember_type` | Grouping to which the rule applies. It can be one of `group`, `hostgroup`. | yes
|
||||
`inclusive` | List of dictionaries in the format of `{'key': attribute, 'expression': inclusive_regex}` | no
|
||||
`exclusive` | List of dictionaries in the format of `{'key': attribute, 'expression': exclusive_regex}` | no
|
||||
`users` | Users to rebuild membership for. | no
|
||||
`hosts` | Hosts to rebuild membership for. | no
|
||||
`no_wait` | Don't wait for rebuilding membership. | no
|
||||
`default_group` | Default (fallback) group for all unmatched entries. Use the empty string "" for ensuring the default group is not set. | no
|
||||
`action` | Work on automember or member level. It can be one of `member` or `automember` and defaults to `automember`. | no
|
||||
`state` | The state to ensure. It can be one of `present`, `absent`, default: `present`. | no
|
||||
`state` | The state to ensure. It can be one of `present`, `absent`, 'rebuilt'. 'orphans_removed' default: `present`. | no
|
||||
|
||||
|
||||
Authors
|
||||
=======
|
||||
|
||||
Mark Hahl
|
||||
Thomas Woerner
|
||||
|
||||
10
playbooks/automember/automember-default-group-not-set.yml
Normal file
10
playbooks/automember/automember-default-group-not-set.yml
Normal file
@@ -0,0 +1,10 @@
|
||||
---
|
||||
- name: Automember default group not set
|
||||
hosts: ipaserver
|
||||
become: true
|
||||
tasks:
|
||||
- name: Ensure automember default group is not set
|
||||
ipaautomember:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
automember_type: group
|
||||
default_group: ""
|
||||
10
playbooks/automember/automember-default-group-set.yml
Normal file
10
playbooks/automember/automember-default-group-set.yml
Normal file
@@ -0,0 +1,10 @@
|
||||
---
|
||||
- name: Automember default group set
|
||||
hosts: ipaserver
|
||||
become: true
|
||||
tasks:
|
||||
- name: Ensure automember default group is set
|
||||
ipaautomember:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
automember_type: group
|
||||
default_group: fallback_group
|
||||
@@ -0,0 +1,10 @@
|
||||
---
|
||||
- name: Automember default hostgroup not set
|
||||
hosts: ipaserver
|
||||
become: true
|
||||
tasks:
|
||||
- name: Ensure automember default hostgroup is not set
|
||||
ipaautomember:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
automember_type: hostgroup
|
||||
default_group: ""
|
||||
10
playbooks/automember/automember-default-hostgroup-set.yml
Normal file
10
playbooks/automember/automember-default-hostgroup-set.yml
Normal file
@@ -0,0 +1,10 @@
|
||||
---
|
||||
- name: Automember default hostgroup set
|
||||
hosts: ipaserver
|
||||
become: true
|
||||
tasks:
|
||||
- name: Ensure automember default hostgroup is set
|
||||
ipaautomember:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
automember_type: hostgroup
|
||||
default_group: fallback_hostgroup
|
||||
@@ -0,0 +1,10 @@
|
||||
---
|
||||
- name: Automember group membership for all users rebuilt example
|
||||
hosts: ipaserver
|
||||
become: true
|
||||
tasks:
|
||||
- name: Ensure group automember rule admins is present
|
||||
ipaautomember:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
automember_type: group
|
||||
state: rebuilt
|
||||
@@ -0,0 +1,12 @@
|
||||
---
|
||||
- name: Automember group membership for given users rebuilt example
|
||||
hosts: ipaserver
|
||||
become: true
|
||||
tasks:
|
||||
- name: Ensure group membership for given users has been rebuilt
|
||||
ipaautomember:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
users:
|
||||
- user1
|
||||
- user2
|
||||
state: rebuilt
|
||||
10
playbooks/automember/automember-group-orphans-removed.yml
Normal file
10
playbooks/automember/automember-group-orphans-removed.yml
Normal file
@@ -0,0 +1,10 @@
|
||||
---
|
||||
- name: Automember orphan group rules are removed example
|
||||
hosts: ipaserver
|
||||
become: true
|
||||
tasks:
|
||||
- name: Ensure orphan group rules are removed
|
||||
ipaautomember:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
automember_type: group
|
||||
state: orphans_removed
|
||||
@@ -0,0 +1,10 @@
|
||||
---
|
||||
- name: Automember hostgroup membership for all hosts rebuilt example
|
||||
hosts: ipaserver
|
||||
become: true
|
||||
tasks:
|
||||
- name: Ensure hostgroup membership for all hosts has been rebuilt
|
||||
ipaautomember:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
automember_type: hostgroup
|
||||
state: rebuilt
|
||||
@@ -0,0 +1,12 @@
|
||||
---
|
||||
- name: Automember hostgroup membership for given hosts rebuilt example
|
||||
hosts: ipaserver
|
||||
become: true
|
||||
tasks:
|
||||
- name: Ensure hostgroup membership for given hosts has been rebuilt
|
||||
ipaautomember:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
hosts:
|
||||
- host1.mydomain.com
|
||||
- host2.mydomain.com
|
||||
state: rebuilt
|
||||
@@ -0,0 +1,10 @@
|
||||
---
|
||||
- name: Automember orphan hostgroup rules are removed example
|
||||
hosts: ipaserver
|
||||
become: true
|
||||
tasks:
|
||||
- name: Ensure orphan hostgroup rules are removed
|
||||
ipaautomember:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
automember_type: hostgroup
|
||||
state: orphans_removed
|
||||
@@ -419,6 +419,9 @@ else:
|
||||
def api_get_realm():
|
||||
return api.env.realm
|
||||
|
||||
def api_get_basedn():
|
||||
return api.env.basedn
|
||||
|
||||
def gen_add_del_lists(user_list, res_list):
|
||||
"""
|
||||
Generate the lists for the addition and removal of members.
|
||||
@@ -882,6 +885,11 @@ else:
|
||||
"""Retrieve IPA API realm."""
|
||||
return api_get_realm()
|
||||
|
||||
@staticmethod
|
||||
def ipa_get_basedn():
|
||||
"""Retrieve IPA API basedn."""
|
||||
return api_get_basedn()
|
||||
|
||||
@staticmethod
|
||||
def ipa_command_exists(command):
|
||||
"""
|
||||
|
||||
@@ -79,6 +79,20 @@ options:
|
||||
description: The expression of the regex
|
||||
type: str
|
||||
required: true
|
||||
users:
|
||||
description: Users to rebuild membership for.
|
||||
type: list
|
||||
required: false
|
||||
hosts:
|
||||
description: Hosts to rebuild membership for.
|
||||
type: list
|
||||
required: false
|
||||
no_wait:
|
||||
description: Don't wait for rebuilding membership.
|
||||
type: bool
|
||||
default_group:
|
||||
description: Default (fallback) group for all unmatched entries.
|
||||
type: str
|
||||
action:
|
||||
description: Work on automember or member level
|
||||
default: automember
|
||||
@@ -86,10 +100,11 @@ options:
|
||||
state:
|
||||
description: State to ensure
|
||||
default: present
|
||||
choices: ["present", "absent"]
|
||||
choices: ["present", "absent", "rebuilt", "orphans_removed"]
|
||||
author:
|
||||
- Mark Hahl
|
||||
- Jake Reynolds
|
||||
- Thomas Woerner
|
||||
"""
|
||||
|
||||
EXAMPLES = """
|
||||
@@ -116,12 +131,78 @@ EXAMPLES = """
|
||||
- ipaautomember:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
name: "My domain hosts"
|
||||
automember_tye: hostgroup
|
||||
automember_type: hostgroup
|
||||
action: member
|
||||
inclusive:
|
||||
- key: fqdn
|
||||
expression: ".*.mydomain.com"
|
||||
|
||||
# Ensure group membership for all users has been rebuilt
|
||||
- ipaautomember:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
automember_type: group
|
||||
state: rebuilt
|
||||
|
||||
# Ensure group membership for given users has been rebuilt
|
||||
- ipaautomember:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
users:
|
||||
- user1
|
||||
- user2
|
||||
state: rebuilt
|
||||
|
||||
# Ensure hostgroup membership for all hosts has been rebuilt
|
||||
- ipaautomember:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
automember_type: hostgroup
|
||||
state: rebuilt
|
||||
|
||||
# Ensure hostgroup membership for given hosts has been rebuilt
|
||||
- ipaautomember:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
hosts:
|
||||
- host1.mydomain.com
|
||||
- host2.mydomain.com
|
||||
state: rebuilt
|
||||
|
||||
# Ensure default group fallback_group for all unmatched group entries is set
|
||||
- ipaautomember:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
automember_type: group
|
||||
default_group: fallback_group
|
||||
|
||||
# Ensure default group for all unmatched group entries is not set
|
||||
- ipaautomember:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
default_group: ""
|
||||
automember_type: group
|
||||
state: absent
|
||||
|
||||
# Ensure default hostgroup fallback_hostgroup for all unmatched group entries
|
||||
# is set
|
||||
- ipaautomember:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
automember_type: hostgroup
|
||||
default_group: fallback_hostgroup
|
||||
|
||||
# Ensure default hostgroup for all unmatched group entries is not set
|
||||
- ipaautomember:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
automember_type: hostgroup
|
||||
default_group: ""
|
||||
state: absent
|
||||
|
||||
# Example playbook to ensure all orphan automember group rules are removed:
|
||||
- ipaautomember:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
automember_type: group
|
||||
state: orphans_removed
|
||||
|
||||
# Example playbook to ensure all orphan automember hostgroup rules are removed:
|
||||
- ipaautomember:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
automember_type: hostgroup
|
||||
state: orphans_removed
|
||||
"""
|
||||
|
||||
RETURN = """
|
||||
@@ -129,14 +210,14 @@ RETURN = """
|
||||
|
||||
|
||||
from ansible.module_utils.ansible_freeipa_module import (
|
||||
IPAAnsibleModule, compare_args_ipa, gen_add_del_lists, ipalib_errors
|
||||
IPAAnsibleModule, compare_args_ipa, gen_add_del_lists, ipalib_errors, DN
|
||||
)
|
||||
|
||||
|
||||
def find_automember(module, name, grouping):
|
||||
def find_automember(module, name, automember_type):
|
||||
_args = {
|
||||
"all": True,
|
||||
"type": grouping
|
||||
"type": automember_type
|
||||
}
|
||||
|
||||
try:
|
||||
@@ -146,13 +227,40 @@ def find_automember(module, name, grouping):
|
||||
return _result["result"]
|
||||
|
||||
|
||||
def gen_condition_args(grouping,
|
||||
def find_automember_orphans(module, automember_type):
|
||||
_args = {
|
||||
"all": True,
|
||||
"type": automember_type
|
||||
}
|
||||
|
||||
try:
|
||||
_result = module.ipa_command_no_name("automember_find_orphans", _args)
|
||||
except ipalib_errors.NotFound:
|
||||
return None
|
||||
return _result
|
||||
|
||||
|
||||
def find_automember_default_group(module, automember_type):
|
||||
_args = {
|
||||
"all": True,
|
||||
"type": automember_type
|
||||
}
|
||||
|
||||
try:
|
||||
_result = module.ipa_command_no_name("automember_default_group_show",
|
||||
_args)
|
||||
except ipalib_errors.NotFound:
|
||||
return None
|
||||
return _result["result"]
|
||||
|
||||
|
||||
def gen_condition_args(automember_type,
|
||||
key,
|
||||
inclusiveregex=None,
|
||||
exclusiveregex=None):
|
||||
_args = {}
|
||||
if grouping is not None:
|
||||
_args['type'] = grouping
|
||||
if automember_type is not None:
|
||||
_args['type'] = automember_type
|
||||
if key is not None:
|
||||
_args['key'] = key
|
||||
if inclusiveregex is not None:
|
||||
@@ -163,13 +271,23 @@ def gen_condition_args(grouping,
|
||||
return _args
|
||||
|
||||
|
||||
def gen_args(description, grouping):
|
||||
def gen_rebuild_args(automember_type, rebuild_users, rebuild_hosts, no_wait):
|
||||
_args = {"no_wait": no_wait}
|
||||
if automember_type is not None:
|
||||
_args['type'] = automember_type
|
||||
if rebuild_users is not None:
|
||||
_args["users"] = rebuild_users
|
||||
if rebuild_hosts is not None:
|
||||
_args["hosts"] = rebuild_hosts
|
||||
return _args
|
||||
|
||||
|
||||
def gen_args(description, automember_type):
|
||||
_args = {}
|
||||
if description is not None:
|
||||
_args["description"] = description
|
||||
if grouping is not None:
|
||||
_args['type'] = grouping
|
||||
|
||||
if automember_type is not None:
|
||||
_args['type'] = automember_type
|
||||
return _args
|
||||
|
||||
|
||||
@@ -212,14 +330,17 @@ def main():
|
||||
elements="dict",
|
||||
required=False),
|
||||
name=dict(type="list", aliases=["cn"],
|
||||
default=None, required=True),
|
||||
default=None, required=False),
|
||||
description=dict(type="str", default=None),
|
||||
automember_type=dict(type='str', required=False,
|
||||
choices=['group', 'hostgroup']),
|
||||
no_wait=dict(type="bool", default=None),
|
||||
default_group=dict(type="str", default=None),
|
||||
action=dict(type="str", default="automember",
|
||||
choices=["member", "automember"]),
|
||||
state=dict(type="str", default="present",
|
||||
choices=["present", "absent", "rebuild"]),
|
||||
choices=["present", "absent", "rebuilt",
|
||||
"orphans_removed"]),
|
||||
users=dict(type="list", default=None),
|
||||
hosts=dict(type="list", default=None),
|
||||
),
|
||||
@@ -232,6 +353,8 @@ def main():
|
||||
|
||||
# general
|
||||
names = ansible_module.params_get("name")
|
||||
if names is None:
|
||||
names = []
|
||||
|
||||
# present
|
||||
description = ansible_module.params_get("description")
|
||||
@@ -240,6 +363,12 @@ def main():
|
||||
inclusive = ansible_module.params_get("inclusive")
|
||||
exclusive = ansible_module.params_get("exclusive")
|
||||
|
||||
# no_wait for rebuilt
|
||||
no_wait = ansible_module.params_get("no_wait")
|
||||
|
||||
# default_group
|
||||
default_group = ansible_module.params_get("default_group")
|
||||
|
||||
# action
|
||||
action = ansible_module.params_get("action")
|
||||
# state
|
||||
@@ -254,12 +383,51 @@ def main():
|
||||
# Check parameters
|
||||
invalid = []
|
||||
|
||||
if state != "rebuild":
|
||||
invalid = ["rebuild_hosts", "rebuild_users"]
|
||||
if state in ["rebuilt", "orphans_removed"]:
|
||||
invalid = ["name", "description", "exclusive", "inclusive",
|
||||
"default_group"]
|
||||
|
||||
if not automember_type and state != "rebuild":
|
||||
if action == "member":
|
||||
ansible_module.fail_json(
|
||||
msg="'automember_type' is required unless state: rebuild")
|
||||
msg="'action=member' is not usable with state '%s'" % state)
|
||||
|
||||
if state == "rebuilt":
|
||||
if automember_type == "group" and rebuild_hosts is not None:
|
||||
ansible_module.fail_json(
|
||||
msg="state %s: hosts can not be set when type is '%s'" %
|
||||
(state, automember_type))
|
||||
if automember_type == "hostgroup" and rebuild_users is not None:
|
||||
ansible_module.fail_json(
|
||||
msg="state %s: users can not be set when type is '%s'" %
|
||||
(state, automember_type))
|
||||
|
||||
elif state == "orphans_removed":
|
||||
invalid.extend(["users", "hosts"])
|
||||
|
||||
if not automember_type:
|
||||
ansible_module.fail_json(
|
||||
msg="'automember_type' is required unless state: rebuilt")
|
||||
|
||||
else:
|
||||
if default_group is not None:
|
||||
for param in ["name", "exclusive", "inclusive", "users", "hosts"
|
||||
"no_wait"]:
|
||||
if ansible_module.params.get(param) is not None:
|
||||
msg = "Cannot use {0} together with default_group"
|
||||
ansible_module.fail_json(msg=msg.format(param))
|
||||
if action == "member":
|
||||
ansible_module.fail_json(
|
||||
msg="Cannot use default_group with action:member")
|
||||
if state == "absent":
|
||||
ansible_module.fail_json(
|
||||
msg="Cannot use default_group with state:absent")
|
||||
|
||||
else:
|
||||
invalid = ["users", "hosts", "no_wait"]
|
||||
|
||||
if not automember_type:
|
||||
ansible_module.fail_json(
|
||||
msg="'automember_type' is required.")
|
||||
|
||||
ansible_module.params_fail_used_invalid(invalid, state, action)
|
||||
|
||||
@@ -396,16 +564,45 @@ def main():
|
||||
'automember_remove_condition',
|
||||
condition_args])
|
||||
|
||||
elif state == "rebuild":
|
||||
if automember_type:
|
||||
commands.append([None, 'automember_rebuild',
|
||||
{"type": automember_type}])
|
||||
if rebuild_users:
|
||||
commands.append([None, 'automember_rebuild',
|
||||
{"users": rebuild_users}])
|
||||
if rebuild_hosts:
|
||||
commands.append([None, 'automember_rebuild',
|
||||
{"hosts": rebuild_hosts}])
|
||||
if len(names) == 0:
|
||||
if state == "rebuilt":
|
||||
args = gen_rebuild_args(automember_type, rebuild_users,
|
||||
rebuild_hosts, no_wait)
|
||||
commands.append([None, 'automember_rebuild', args])
|
||||
|
||||
elif state == "orphans_removed":
|
||||
res_find = find_automember_orphans(ansible_module,
|
||||
automember_type)
|
||||
if res_find["count"] > 0:
|
||||
commands.append([None, 'automember_find_orphans',
|
||||
{'type': automember_type,
|
||||
'remove': True}])
|
||||
|
||||
elif default_group is not None and state == "present":
|
||||
res_find = find_automember_default_group(ansible_module,
|
||||
automember_type)
|
||||
|
||||
if default_group == "":
|
||||
if isinstance(res_find["automemberdefaultgroup"], list):
|
||||
commands.append([None,
|
||||
'automember_default_group_remove',
|
||||
{'type': automember_type}])
|
||||
ansible_module.warn("commands: %s" % repr(commands))
|
||||
|
||||
else:
|
||||
dn_default_group = [DN(('cn', default_group),
|
||||
('cn', '%ss' % automember_type),
|
||||
('cn', 'accounts'),
|
||||
ansible_module.ipa_get_basedn())]
|
||||
if repr(res_find["automemberdefaultgroup"]) != \
|
||||
repr(dn_default_group):
|
||||
commands.append(
|
||||
[None, 'automember_default_group_set',
|
||||
{'type': automember_type,
|
||||
'automemberdefaultgroup': default_group}])
|
||||
|
||||
else:
|
||||
ansible_module.fail_json(msg="Invalid operation")
|
||||
|
||||
# Execute commands
|
||||
|
||||
|
||||
@@ -289,10 +289,7 @@ def gen_args_smb(netbiosname, ok_as_delegate, ok_to_auth_as_delegate):
|
||||
return _args
|
||||
|
||||
|
||||
def check_parameters(module, state, action, names, parameters):
|
||||
if not isinstance(parameters, dict):
|
||||
raise AssertionError("parameters is not a dict")
|
||||
|
||||
def check_parameters(module, state, action, names):
|
||||
# invalid parameters for everything but state 'present', action 'service'.
|
||||
invalid = ['pac_type', 'auth_ind', 'skip_host_check',
|
||||
'force', 'requires_pre_auth', 'ok_as_delegate',
|
||||
@@ -314,8 +311,8 @@ def check_parameters(module, state, action, names, parameters):
|
||||
invalid = ['delete_continue']
|
||||
|
||||
if (
|
||||
not parameters.get('smb', False)
|
||||
and parameters.get('netbiosname')
|
||||
not module.params_get('smb')
|
||||
and module.params_get('netbiosname')
|
||||
):
|
||||
module.fail_json(
|
||||
msg="Argument 'netbiosname' can not be used without "
|
||||
@@ -437,23 +434,6 @@ def main():
|
||||
|
||||
host = ansible_module.params_get("host")
|
||||
|
||||
allow_create_keytab_user = ansible_module.params_get(
|
||||
"allow_create_keytab_user")
|
||||
allow_create_keytab_group = ansible_module.params_get(
|
||||
"allow_create_keytab_group")
|
||||
allow_create_keytab_host = ansible_module.params_get(
|
||||
"allow_create_keytab_host")
|
||||
allow_create_keytab_hostgroup = ansible_module.params_get(
|
||||
"allow_create_keytab_hostgroup")
|
||||
|
||||
allow_retrieve_keytab_user = ansible_module.params_get(
|
||||
"allow_retrieve_keytab_user")
|
||||
allow_retrieve_keytab_group = ansible_module.params_get(
|
||||
"allow_retrieve_keytab_group")
|
||||
allow_retrieve_keytab_host = ansible_module.params_get(
|
||||
"allow_retrieve_keytab_host")
|
||||
allow_retrieve_keytab_hostgroup = ansible_module.params_get(
|
||||
"allow_retrieve_keytab_hostgroup")
|
||||
delete_continue = ansible_module.params_get("delete_continue")
|
||||
|
||||
# action
|
||||
@@ -462,7 +442,7 @@ def main():
|
||||
state = ansible_module.params_get("state")
|
||||
|
||||
# check parameters
|
||||
check_parameters(ansible_module, state, action, names, vars())
|
||||
check_parameters(ansible_module, state, action, names)
|
||||
|
||||
# Init
|
||||
|
||||
@@ -479,11 +459,26 @@ def main():
|
||||
msg="Skipping host check is not supported by your IPA version")
|
||||
|
||||
commands = []
|
||||
keytab_members = ["user", "group", "host", "hostgroup"]
|
||||
|
||||
for name in names:
|
||||
res_find = find_service(ansible_module, name)
|
||||
res_principals = []
|
||||
|
||||
keytab = {
|
||||
"retrieve": {
|
||||
"allow": {k: [] for k in keytab_members},
|
||||
"disallow": {k: [] for k in keytab_members},
|
||||
},
|
||||
"create": {
|
||||
"allow": {k: [] for k in keytab_members},
|
||||
"disallow": {k: [] for k in keytab_members},
|
||||
},
|
||||
}
|
||||
certificate_add, certificate_del = [], []
|
||||
host_add, host_del = [], []
|
||||
principal_add, principal_del = [], []
|
||||
|
||||
if principal and res_find:
|
||||
# When comparing principals to the existing ones,
|
||||
# the REALM is needded, and are added here for those
|
||||
@@ -534,37 +529,8 @@ def main():
|
||||
|
||||
if res_find is None:
|
||||
commands.append([name, 'service_add', args])
|
||||
|
||||
certificate_add = certificate or []
|
||||
certificate_del = []
|
||||
host_add = host or []
|
||||
host_del = []
|
||||
principal_add = principal or []
|
||||
principal_del = []
|
||||
allow_create_keytab_user_add = \
|
||||
allow_create_keytab_user or []
|
||||
allow_create_keytab_user_del = []
|
||||
allow_create_keytab_group_add = \
|
||||
allow_create_keytab_group or []
|
||||
allow_create_keytab_group_del = []
|
||||
allow_create_keytab_host_add = \
|
||||
allow_create_keytab_host or []
|
||||
allow_create_keytab_host_del = []
|
||||
allow_create_keytab_hostgroup_add = \
|
||||
allow_create_keytab_hostgroup or []
|
||||
allow_create_keytab_hostgroup_del = []
|
||||
allow_retrieve_keytab_user_add = \
|
||||
allow_retrieve_keytab_user or []
|
||||
allow_retrieve_keytab_user_del = []
|
||||
allow_retrieve_keytab_group_add = \
|
||||
allow_retrieve_keytab_group or []
|
||||
allow_retrieve_keytab_group_del = []
|
||||
allow_retrieve_keytab_host_add = \
|
||||
allow_retrieve_keytab_host or []
|
||||
allow_retrieve_keytab_host_del = []
|
||||
allow_retrieve_keytab_hostgroup_add = \
|
||||
allow_retrieve_keytab_hostgroup or []
|
||||
allow_retrieve_keytab_hostgroup_del = []
|
||||
# Use an empty res_find to manage members
|
||||
res_find = {}
|
||||
|
||||
else:
|
||||
for remove in ['skip_host_check', 'force']:
|
||||
@@ -584,68 +550,15 @@ def main():
|
||||
res_find):
|
||||
commands.append([name, "service_mod", args])
|
||||
|
||||
certificate_add, certificate_del = gen_add_del_lists(
|
||||
certificate, res_find.get("usercertificate"))
|
||||
# Manage members
|
||||
certificate_add, certificate_del = gen_add_del_lists(
|
||||
certificate, res_find.get("usercertificate"))
|
||||
|
||||
host_add, host_del = gen_add_del_lists(
|
||||
host, res_find.get('managedby_host', []))
|
||||
host_add, host_del = gen_add_del_lists(
|
||||
host, res_find.get('managedby_host'))
|
||||
|
||||
principal_add, principal_del = \
|
||||
gen_add_del_lists(principal, res_principals)
|
||||
|
||||
(allow_create_keytab_user_add,
|
||||
allow_create_keytab_user_del) = \
|
||||
gen_add_del_lists(
|
||||
allow_create_keytab_user, res_find.get(
|
||||
'ipaallowedtoperform_write_keys_user',
|
||||
[]))
|
||||
(allow_retrieve_keytab_user_add,
|
||||
allow_retrieve_keytab_user_del) = \
|
||||
gen_add_del_lists(
|
||||
allow_retrieve_keytab_user, res_find.get(
|
||||
'ipaallowedtoperform_read_keys_user',
|
||||
[]))
|
||||
(allow_create_keytab_group_add,
|
||||
allow_create_keytab_group_del) = \
|
||||
gen_add_del_lists(
|
||||
allow_create_keytab_group, res_find.get(
|
||||
'ipaallowedtoperform_write_keys_group',
|
||||
[]))
|
||||
(allow_retrieve_keytab_group_add,
|
||||
allow_retrieve_keytab_group_del) = \
|
||||
gen_add_del_lists(
|
||||
allow_retrieve_keytab_group,
|
||||
res_find.get(
|
||||
'ipaallowedtoperform_read_keys_group',
|
||||
[]))
|
||||
(allow_create_keytab_host_add,
|
||||
allow_create_keytab_host_del) = \
|
||||
gen_add_del_lists(
|
||||
allow_create_keytab_host,
|
||||
res_find.get(
|
||||
'ipaallowedtoperform_write_keys_host',
|
||||
[]))
|
||||
(allow_retrieve_keytab_host_add,
|
||||
allow_retrieve_keytab_host_del) = \
|
||||
gen_add_del_lists(
|
||||
allow_retrieve_keytab_host,
|
||||
res_find.get(
|
||||
'ipaallowedtoperform_read_keys_host',
|
||||
[]))
|
||||
(allow_create_keytab_hostgroup_add,
|
||||
allow_create_keytab_hostgroup_del) = \
|
||||
gen_add_del_lists(
|
||||
allow_create_keytab_hostgroup,
|
||||
res_find.get(
|
||||
'ipaallowedtoperform_write_keys_hostgroup',
|
||||
[]))
|
||||
(allow_retrieve_keytab_hostgroup_add,
|
||||
allow_retrieve_keytab_hostgroup_del) = \
|
||||
gen_add_del_lists(
|
||||
allow_retrieve_keytab_hostgroup,
|
||||
res_find.get(
|
||||
'ipaallowedtoperform_read_keys_hostgroup',
|
||||
[]))
|
||||
principal_add, principal_del = gen_add_del_lists(
|
||||
principal, res_principals)
|
||||
|
||||
elif action == "member":
|
||||
if res_find is None:
|
||||
@@ -653,137 +566,31 @@ def main():
|
||||
|
||||
certificate_add = gen_add_list(
|
||||
certificate, res_find.get("usercertificate"))
|
||||
certificate_del = []
|
||||
|
||||
host_add = gen_add_list(
|
||||
host, res_find.get("managedby_host"))
|
||||
host_del = []
|
||||
host, res_find.get('managedby_host'))
|
||||
|
||||
principal_add = gen_add_list(principal, res_principals)
|
||||
principal_del = []
|
||||
|
||||
allow_create_keytab_user_add = gen_add_list(
|
||||
allow_create_keytab_user,
|
||||
res_find.get("ipaallowedtoperform_write_keys_user")
|
||||
)
|
||||
|
||||
allow_create_keytab_user_del = []
|
||||
allow_create_keytab_group_add = gen_add_list(
|
||||
allow_create_keytab_group,
|
||||
res_find.get("ipaallowedtoperform_write_keys_group")
|
||||
)
|
||||
allow_create_keytab_group_del = []
|
||||
allow_create_keytab_host_add = gen_add_list(
|
||||
allow_create_keytab_host,
|
||||
res_find.get("ipaallowedtoperform_write_keys_host")
|
||||
)
|
||||
allow_create_keytab_host_del = []
|
||||
allow_create_keytab_hostgroup_add = gen_add_list(
|
||||
allow_create_keytab_hostgroup,
|
||||
res_find.get(
|
||||
"ipaallowedtoperform_write_keys_hostgroup")
|
||||
)
|
||||
allow_create_keytab_hostgroup_del = []
|
||||
allow_retrieve_keytab_user_add = gen_add_list(
|
||||
allow_retrieve_keytab_user,
|
||||
res_find.get("ipaallowedtoperform_read_keys_user")
|
||||
)
|
||||
allow_retrieve_keytab_user_del = []
|
||||
allow_retrieve_keytab_group_add = gen_add_list(
|
||||
allow_retrieve_keytab_group,
|
||||
res_find.get("ipaallowedtoperform_read_keys_group")
|
||||
)
|
||||
allow_retrieve_keytab_group_del = []
|
||||
allow_retrieve_keytab_host_add = gen_add_list(
|
||||
allow_retrieve_keytab_host,
|
||||
res_find.get("ipaallowedtoperform_read_keys_host")
|
||||
)
|
||||
allow_retrieve_keytab_host_del = []
|
||||
allow_retrieve_keytab_hostgroup_add = gen_add_list(
|
||||
allow_retrieve_keytab_hostgroup,
|
||||
res_find.get("ipaallowedtoperform_read_keys_hostgroup")
|
||||
)
|
||||
allow_retrieve_keytab_hostgroup_del = []
|
||||
|
||||
if principal_add:
|
||||
commands.append([name, "service_add_principal",
|
||||
{"krbprincipalname": principal_add}])
|
||||
if principal_del:
|
||||
commands.append([name, "service_remove_principal",
|
||||
{"krbprincipalname": principal_del}])
|
||||
|
||||
for _certificate in certificate_add:
|
||||
commands.append([name, "service_add_cert",
|
||||
{
|
||||
"usercertificate":
|
||||
_certificate,
|
||||
}])
|
||||
# Remove certificates
|
||||
for _certificate in certificate_del:
|
||||
commands.append([name, "service_remove_cert",
|
||||
{
|
||||
"usercertificate":
|
||||
_certificate,
|
||||
}])
|
||||
|
||||
# Add hosts.
|
||||
if host is not None and len(host) > 0 and len(host_add) > 0:
|
||||
commands.append([name, "service_add_host",
|
||||
{"host": host_add}])
|
||||
# Remove hosts
|
||||
if host is not None and len(host) > 0 and len(host_del) > 0:
|
||||
commands.append([name, "service_remove_host",
|
||||
{"host": host_del}])
|
||||
|
||||
# Allow create keytab
|
||||
if len(allow_create_keytab_user_add) > 0 or \
|
||||
len(allow_create_keytab_group_add) > 0 or \
|
||||
len(allow_create_keytab_host_add) > 0 or \
|
||||
len(allow_create_keytab_hostgroup_add) > 0:
|
||||
commands.append(
|
||||
[name, "service_allow_create_keytab",
|
||||
{'user': allow_create_keytab_user_add,
|
||||
'group': allow_create_keytab_group_add,
|
||||
'host': allow_create_keytab_host_add,
|
||||
'hostgroup': allow_create_keytab_hostgroup_add
|
||||
}])
|
||||
|
||||
# Disallow create keytab
|
||||
if len(allow_create_keytab_user_del) > 0 or \
|
||||
len(allow_create_keytab_group_del) > 0 or \
|
||||
len(allow_create_keytab_host_del) > 0 or \
|
||||
len(allow_create_keytab_hostgroup_del) > 0:
|
||||
commands.append(
|
||||
[name, "service_disallow_create_keytab",
|
||||
{'user': allow_create_keytab_user_del,
|
||||
'group': allow_create_keytab_group_del,
|
||||
'host': allow_create_keytab_host_del,
|
||||
'hostgroup': allow_create_keytab_hostgroup_del
|
||||
}])
|
||||
|
||||
# Allow retrieve keytab
|
||||
if len(allow_retrieve_keytab_user_add) > 0 or \
|
||||
len(allow_retrieve_keytab_group_add) > 0 or \
|
||||
len(allow_retrieve_keytab_host_add) > 0 or \
|
||||
len(allow_retrieve_keytab_hostgroup_add) > 0:
|
||||
commands.append(
|
||||
[name, "service_allow_retrieve_keytab",
|
||||
{'user': allow_retrieve_keytab_user_add,
|
||||
'group': allow_retrieve_keytab_group_add,
|
||||
'host': allow_retrieve_keytab_host_add,
|
||||
'hostgroup': allow_retrieve_keytab_hostgroup_add
|
||||
}])
|
||||
|
||||
# Disllow retrieve keytab
|
||||
if len(allow_retrieve_keytab_user_del) > 0 or \
|
||||
len(allow_retrieve_keytab_group_del) > 0 or \
|
||||
len(allow_retrieve_keytab_host_del) > 0 or \
|
||||
len(allow_retrieve_keytab_hostgroup_del) > 0:
|
||||
commands.append(
|
||||
[name, "service_disallow_retrieve_keytab",
|
||||
{'user': allow_retrieve_keytab_user_del,
|
||||
'group': allow_retrieve_keytab_group_del,
|
||||
'host': allow_retrieve_keytab_host_del,
|
||||
'hostgroup': allow_retrieve_keytab_hostgroup_del
|
||||
}])
|
||||
# get keytab management lists for any 'action'.
|
||||
for perm in ["create", "retrieve"]:
|
||||
oper = "write" if perm == "create" else "read"
|
||||
for key in ["user", "group", "host", "hostgroup"]:
|
||||
add_list, del_list = (
|
||||
gen_add_del_lists(
|
||||
ansible_module.params_get(
|
||||
"allow_%s_keytab_%s" % (perm, key)
|
||||
),
|
||||
res_find.get(
|
||||
'ipaallowedtoperform_%s_keys_%s'
|
||||
% (oper, key)
|
||||
)
|
||||
)
|
||||
)
|
||||
keytab[perm]["allow"][key] = add_list
|
||||
# Only remove members if action is 'service'
|
||||
if action == "service":
|
||||
keytab[perm]["disallow"][key] = del_list
|
||||
|
||||
elif state == "absent":
|
||||
if action == "service":
|
||||
@@ -795,97 +602,30 @@ def main():
|
||||
if res_find is None:
|
||||
ansible_module.fail_json(msg="No service '%s'" % name)
|
||||
|
||||
# Remove principals
|
||||
principal_del = gen_intersection_list(
|
||||
principal, res_principals)
|
||||
if principal_del:
|
||||
commands.append([name, "service_remove_principal",
|
||||
{"krbprincipalname": principal_del}])
|
||||
|
||||
# Remove certificates
|
||||
if certificate is not None:
|
||||
existing = res_find.get('usercertificate', [])
|
||||
for _certificate in certificate:
|
||||
if _certificate in existing:
|
||||
commands.append([name, "service_remove_cert",
|
||||
{
|
||||
"usercertificate":
|
||||
_certificate,
|
||||
}])
|
||||
certificate_del = gen_intersection_list(
|
||||
certificate, res_find.get("usercertificate"))
|
||||
|
||||
# Add hosts
|
||||
host = gen_intersection_list(
|
||||
host_del = gen_intersection_list(
|
||||
host, res_find.get("managedby_host"))
|
||||
if host is not None:
|
||||
commands.append(
|
||||
[name, "service_remove_host", {"host": host}])
|
||||
|
||||
allow_create_keytab_user_del = gen_intersection_list(
|
||||
allow_create_keytab_user,
|
||||
res_find.get("ipaallowedtoperform_write_keys_user")
|
||||
)
|
||||
allow_create_keytab_group_del = gen_intersection_list(
|
||||
allow_create_keytab_group,
|
||||
res_find.get("ipaallowedtoperform_write_keys_group")
|
||||
)
|
||||
allow_create_keytab_host_del = gen_intersection_list(
|
||||
allow_create_keytab_host,
|
||||
res_find.get("ipaallowedtoperform_write_keys_host")
|
||||
)
|
||||
allow_create_keytab_hostgroup_del = gen_intersection_list(
|
||||
allow_create_keytab_hostgroup,
|
||||
res_find.get(
|
||||
"ipaallowedtoperform_write_keys_hostgroup")
|
||||
)
|
||||
|
||||
# Allow create keytab
|
||||
if any([
|
||||
allow_create_keytab_user_del,
|
||||
allow_create_keytab_group_del,
|
||||
allow_create_keytab_host_del,
|
||||
allow_create_keytab_hostgroup_del
|
||||
]):
|
||||
commands.append(
|
||||
[name, "service_disallow_create_keytab",
|
||||
{'user': allow_create_keytab_user_del,
|
||||
'group': allow_create_keytab_group_del,
|
||||
'host': allow_create_keytab_host_del,
|
||||
'hostgroup': allow_create_keytab_hostgroup_del
|
||||
}])
|
||||
|
||||
allow_retrieve_keytab_user_del = gen_intersection_list(
|
||||
allow_retrieve_keytab_user,
|
||||
res_find.get("ipaallowedtoperform_read_keys_user")
|
||||
)
|
||||
allow_retrieve_keytab_group_del = gen_intersection_list(
|
||||
allow_retrieve_keytab_group,
|
||||
res_find.get("ipaallowedtoperform_read_keys_group")
|
||||
)
|
||||
allow_retrieve_keytab_host_del = gen_intersection_list(
|
||||
allow_retrieve_keytab_host,
|
||||
res_find.get("ipaallowedtoperform_read_keys_host")
|
||||
)
|
||||
allow_retrieve_keytab_hostgroup_del = \
|
||||
gen_intersection_list(
|
||||
allow_retrieve_keytab_hostgroup,
|
||||
res_find.get(
|
||||
"ipaallowedtoperform_read_keys_hostgroup")
|
||||
)
|
||||
|
||||
# Allow retriev keytab
|
||||
if any([
|
||||
allow_retrieve_keytab_user_del,
|
||||
allow_retrieve_keytab_group_del,
|
||||
allow_retrieve_keytab_host_del,
|
||||
allow_retrieve_keytab_hostgroup_del
|
||||
]):
|
||||
commands.append(
|
||||
[name, "service_disallow_retrieve_keytab",
|
||||
{'user': allow_retrieve_keytab_user,
|
||||
'group': allow_retrieve_keytab_group,
|
||||
'host': allow_retrieve_keytab_host,
|
||||
'hostgroup': allow_retrieve_keytab_hostgroup
|
||||
}])
|
||||
for perm in ["create", "retrieve"]:
|
||||
oper = "write" if perm == "create" else "read"
|
||||
for key in ["user", "group", "host", "hostgroup"]:
|
||||
res_param = (
|
||||
'ipaallowedtoperform_%s_keys_%s'
|
||||
% (oper, key)
|
||||
)
|
||||
module_params = ansible_module.params_get(
|
||||
"allow_%s_keytab_%s" % (perm, key)
|
||||
)
|
||||
existing = res_find.get(res_param)
|
||||
del_list = (
|
||||
gen_intersection_list(module_params, existing)
|
||||
)
|
||||
keytab[perm]["disallow"][key] = del_list
|
||||
|
||||
elif state == "disabled":
|
||||
if action == "service":
|
||||
@@ -898,9 +638,50 @@ def main():
|
||||
ansible_module.fail_json(
|
||||
msg="Invalid action '%s' for state '%s'" %
|
||||
(action, state))
|
||||
# Members are not managed when disabling service.
|
||||
# Continue with next 'name'.
|
||||
continue
|
||||
else:
|
||||
ansible_module.fail_json(msg="Unkown state '%s'" % state)
|
||||
|
||||
# Manage members
|
||||
if principal_add:
|
||||
commands.append([name, "service_add_principal",
|
||||
{"krbprincipalname": principal_add}])
|
||||
if principal_del:
|
||||
commands.append([name, "service_remove_principal",
|
||||
{"krbprincipalname": principal_del}])
|
||||
|
||||
if certificate_add:
|
||||
commands.append([name, "service_add_cert",
|
||||
{"usercertificate": certificate_add}])
|
||||
if certificate_del:
|
||||
commands.append([name, "service_remove_cert",
|
||||
{"usercertificate": certificate_del}])
|
||||
|
||||
if host_add:
|
||||
commands.append([name, "service_add_host",
|
||||
{"host": host_add}])
|
||||
if host_del:
|
||||
commands.append([name, "service_remove_host",
|
||||
{"host": host_del}])
|
||||
|
||||
# manage keytab permissions.
|
||||
for perm in ["create", "retrieve"]:
|
||||
for mode in ["allow", "disallow"]:
|
||||
for key in ["user", "group", "host", "hostgroup"]:
|
||||
if keytab[perm][mode][key]:
|
||||
commands.append([
|
||||
name,
|
||||
"service_%s_%s_keytab" % (mode, perm),
|
||||
keytab[perm][mode]
|
||||
])
|
||||
break
|
||||
|
||||
# Check mode exit
|
||||
if ansible_module.check_mode:
|
||||
ansible_module.exit_json(changed=len(commands) > 0, **exit_args)
|
||||
|
||||
# Execute commands
|
||||
changed = ansible_module.execute_ipa_commands(
|
||||
commands, fail_on_member_errors=True)
|
||||
|
||||
@@ -13,8 +13,8 @@
|
||||
ipaautomember:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
ipaapi_context: server
|
||||
name: ThisShouldNotWork
|
||||
state: rebuild
|
||||
automember_type: group
|
||||
state: rebuilt
|
||||
register: result
|
||||
failed_when: not (result.failed and result.msg is regex("No module named '*ipaserver'*"))
|
||||
when: ipa_host_is_client
|
||||
|
||||
166
tests/automember/test_automember_default_group.yml
Normal file
166
tests/automember/test_automember_default_group.yml
Normal file
@@ -0,0 +1,166 @@
|
||||
---
|
||||
- name: Test automember default groups
|
||||
hosts: "{{ ipa_test_host | default('ipaserver') }}"
|
||||
become: true
|
||||
|
||||
tasks:
|
||||
|
||||
# SET FACTS
|
||||
|
||||
# CLEANUP TEST ITEMS
|
||||
|
||||
- name: Ensure group testgroup is absent
|
||||
ipagroup:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
name: testgroup
|
||||
state: absent
|
||||
|
||||
- name: Ensure hostgroup testhostgroup is absent
|
||||
ipahostgroup:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
name: testhostgroup
|
||||
state: absent
|
||||
|
||||
- name: Ensure automember default group is unset
|
||||
ipaautomember:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
default_group: ""
|
||||
automember_type: group
|
||||
|
||||
- name: Ensure automember default hostgroup is unset
|
||||
ipaautomember:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
default_group: ""
|
||||
automember_type: hostgroup
|
||||
|
||||
# CREATE TEST ITEMS
|
||||
|
||||
- name: Ensure group testgroup is present
|
||||
ipagroup:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
name: testgroup
|
||||
state: present
|
||||
register: result
|
||||
failed_when: not result.changed or result.failed
|
||||
|
||||
- name: Ensure hostgroup testhostgroup is present
|
||||
ipahostgroup:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
name: testhostgroup
|
||||
state: present
|
||||
register: result
|
||||
failed_when: not result.changed or result.failed
|
||||
|
||||
# TESTS
|
||||
|
||||
# GROUP TEST
|
||||
|
||||
- name: Ensure automember default group is set to testgroup
|
||||
ipaautomember:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
default_group: testgroup
|
||||
automember_type: group
|
||||
register: result
|
||||
failed_when: not result.changed or result.failed
|
||||
|
||||
- name: Ensure automember default group is set to testgroup, again
|
||||
ipaautomember:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
default_group: testgroup
|
||||
automember_type: group
|
||||
register: result
|
||||
failed_when: result.changed or result.failed
|
||||
|
||||
- name: Ensure automember default group is unset
|
||||
ipaautomember:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
default_group: ""
|
||||
automember_type: group
|
||||
register: result
|
||||
failed_when: not result.changed or result.failed
|
||||
|
||||
- name: Ensure automember default group is unset, again
|
||||
ipaautomember:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
default_group: ""
|
||||
automember_type: group
|
||||
register: result
|
||||
failed_when: result.changed or result.failed
|
||||
|
||||
# HOSTGROUP TEST
|
||||
|
||||
- name: Ensure automember default hostgroup is set to testhostgroup
|
||||
ipaautomember:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
default_group: testhostgroup
|
||||
automember_type: hostgroup
|
||||
register: result
|
||||
failed_when: not result.changed or result.failed
|
||||
|
||||
- name: Ensure automember default hostgroup is set to testhostgroup, again
|
||||
ipaautomember:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
default_group: testhostgroup
|
||||
automember_type: hostgroup
|
||||
register: result
|
||||
failed_when: result.changed or result.failed
|
||||
|
||||
- name: Ensure automember default hostgroup is unset
|
||||
ipaautomember:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
default_group: ""
|
||||
automember_type: hostgroup
|
||||
register: result
|
||||
failed_when: not result.changed or result.failed
|
||||
|
||||
- name: Ensure automember default hostgroup is unset, again
|
||||
ipaautomember:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
default_group: ""
|
||||
automember_type: hostgroup
|
||||
register: result
|
||||
failed_when: result.changed or result.failed
|
||||
|
||||
# CLEANUP TEST ITEMS
|
||||
|
||||
- name: Ensure group testgroup is absent
|
||||
ipagroup:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
name: testgroup
|
||||
state: absent
|
||||
|
||||
- name: Ensure hostgroup testhostgroup is absent
|
||||
ipahostgroup:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
name: testhostgroup
|
||||
state: absent
|
||||
|
||||
- name: Ensure automember default group is unset
|
||||
ipaautomember:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
default_group: ""
|
||||
automember_type: group
|
||||
|
||||
- name: Ensure automember default hostgroup is unset
|
||||
ipaautomember:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
default_group: ""
|
||||
automember_type: hostgroup
|
||||
250
tests/automember/test_automember_orphans_removed.yml
Normal file
250
tests/automember/test_automember_orphans_removed.yml
Normal file
@@ -0,0 +1,250 @@
|
||||
---
|
||||
- name: Test automember orphans_removed
|
||||
hosts: "{{ ipa_test_host | default('ipaserver') }}"
|
||||
become: true
|
||||
|
||||
tasks:
|
||||
|
||||
# SET FACTS
|
||||
|
||||
- name: Get Domain from server name
|
||||
set_fact:
|
||||
ipaserver_domain: "{{ ansible_facts['fqdn'].split('.')[1:] |
|
||||
join ('.') }}"
|
||||
when: ipaserver_domain is not defined
|
||||
|
||||
# CLEANUP TEST ITEMS
|
||||
|
||||
- name: Ensure user testuser is absent
|
||||
ipauser:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
name: testuser
|
||||
state: absent
|
||||
|
||||
- name: Ensure group testgroup is absent
|
||||
ipagroup:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
name: testgroup
|
||||
state: absent
|
||||
|
||||
- name: Ensure host testhost is absent
|
||||
ipahost:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
name: "{{ 'testhost.' + ipaserver_domain }}"
|
||||
state: absent
|
||||
|
||||
- name: Ensure hostgroup testhostgroup is absent
|
||||
ipahostgroup:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
name: testhostgroup
|
||||
state: absent
|
||||
|
||||
- name: Ensure automember group testgroup is absent
|
||||
ipaautomember:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
name: testgroup
|
||||
automember_type: group
|
||||
state: absent
|
||||
|
||||
- name: Ensure automember hostgroup testhostgroup is absent
|
||||
ipaautomember:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
name: testhostgroup
|
||||
automember_type: hostgroup
|
||||
state: absent
|
||||
|
||||
# CREATE TEST ITEMS
|
||||
|
||||
- name: Ensure user testuser is present
|
||||
ipauser:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
name: testuser
|
||||
first: Test
|
||||
last: User
|
||||
register: result
|
||||
failed_when: not result.changed or result.failed
|
||||
|
||||
- name: Ensure host testhost is present
|
||||
ipahost:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
name: "{{ 'testhost.' + ipaserver_domain }}"
|
||||
force: yes
|
||||
reverse: no
|
||||
register: result
|
||||
failed_when: not result.changed or result.failed
|
||||
|
||||
- name: Ensure group testgroup is present
|
||||
ipagroup:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
name: testgroup
|
||||
state: present
|
||||
register: result
|
||||
failed_when: not result.changed or result.failed
|
||||
|
||||
- name: Ensure hostgroup testhostgroup is present
|
||||
ipahostgroup:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
name: testhostgroup
|
||||
state: present
|
||||
register: result
|
||||
failed_when: not result.changed or result.failed
|
||||
|
||||
# TESTS
|
||||
|
||||
# GROUP TEST
|
||||
|
||||
- name: Ensure automember group testgroup exists
|
||||
ipaautomember:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
name: testgroup
|
||||
automember_type: group
|
||||
register: result
|
||||
failed_when: not result.changed or result.failed
|
||||
|
||||
- name: Ensure automember group condition exits for users
|
||||
ipaautomember:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
name: testgroup
|
||||
automember_type: group
|
||||
action: member
|
||||
inclusive:
|
||||
- key: uid
|
||||
expression: uid
|
||||
register: result
|
||||
failed_when: not result.changed or result.failed
|
||||
|
||||
- name: Ensure group testgroup is absent
|
||||
ipagroup:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
name: testgroup
|
||||
state: absent
|
||||
register: result
|
||||
failed_when: not result.changed or result.failed
|
||||
|
||||
- name: Ensure group orphans have been removed
|
||||
ipaautomember:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
automember_type: group
|
||||
state: orphans_removed
|
||||
register: result
|
||||
failed_when: not result.changed or result.failed
|
||||
|
||||
- name: Ensure group orphans have been removed again
|
||||
ipaautomember:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
automember_type: group
|
||||
state: orphans_removed
|
||||
register: result
|
||||
failed_when: result.changed or result.failed
|
||||
|
||||
# HOSTGROUP TEST
|
||||
|
||||
- name: Ensure automember hostgroup testhostgroup exists
|
||||
ipaautomember:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
name: testhostgroup
|
||||
automember_type: hostgroup
|
||||
register: result
|
||||
failed_when: not result.changed or result.failed
|
||||
|
||||
- name: Ensure automember hostgroup condition exits for hosts
|
||||
ipaautomember:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
name: testhostgroup
|
||||
automember_type: hostgroup
|
||||
action: member
|
||||
inclusive:
|
||||
- key: fqdn
|
||||
expression: "{{ '.*.' + ipaserver_domain }}"
|
||||
register: result
|
||||
failed_when: not result.changed or result.failed
|
||||
|
||||
- name: Ensure hostgroup testhostgroup is absent
|
||||
ipahostgroup:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
name: testhostgroup
|
||||
state: absent
|
||||
register: result
|
||||
failed_when: not result.changed or result.failed
|
||||
|
||||
- name: Ensure hostgroup orphans have been removed
|
||||
ipaautomember:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
automember_type: hostgroup
|
||||
state: orphans_removed
|
||||
register: result
|
||||
failed_when: not result.changed or result.failed
|
||||
|
||||
- name: Ensure hostgroup orphans have been removed again
|
||||
ipaautomember:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
automember_type: hostgroup
|
||||
state: orphans_removed
|
||||
register: result
|
||||
failed_when: result.changed or result.failed
|
||||
|
||||
# CLEANUP TEST ITEMS
|
||||
|
||||
- name: Ensure user testuser is absent
|
||||
ipauser:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
name: testuser
|
||||
state: absent
|
||||
|
||||
- name: Ensure group testgroup is absent
|
||||
ipagroup:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
name: testgroup
|
||||
state: absent
|
||||
|
||||
- name: Ensure host testhost is absent
|
||||
ipahost:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
name: "{{ 'testhost.' + ipaserver_domain }}"
|
||||
state: absent
|
||||
|
||||
- name: Ensure hostgroup testhostgroup is absent
|
||||
ipahostgroup:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
name: testhostgroup
|
||||
state: absent
|
||||
|
||||
- name: Ensure automember group testgroup is absent
|
||||
ipaautomember:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
name: testgroup
|
||||
automember_type: group
|
||||
state: absent
|
||||
|
||||
- name: Ensure automember hostgroup testhostgroup is absent
|
||||
ipaautomember:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
name: testhostgroup
|
||||
automember_type: hostgroup
|
||||
state: absent
|
||||
155
tests/automember/test_automember_rebuilt.yml
Normal file
155
tests/automember/test_automember_rebuilt.yml
Normal file
@@ -0,0 +1,155 @@
|
||||
---
|
||||
- name: Test automember rebuilt
|
||||
hosts: "{{ ipa_test_host | default('ipaserver') }}"
|
||||
become: true
|
||||
|
||||
tasks:
|
||||
|
||||
# SET FACTS
|
||||
|
||||
- name: Get Domain from server name
|
||||
set_fact:
|
||||
ipaserver_domain: "{{ ansible_facts['fqdn'].split('.')[1:] |
|
||||
join ('.') }}"
|
||||
when: ipaserver_domain is not defined
|
||||
|
||||
# CLEANUP TEST ITEMS
|
||||
|
||||
- name: Ensure user testuser is absent
|
||||
ipauser:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
name: testuser
|
||||
state: absent
|
||||
|
||||
- name: Ensure host testhost is absent
|
||||
ipahost:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
name: "{{ 'testhost.' + ipaserver_domain }}"
|
||||
state: absent
|
||||
|
||||
# CREATE TEST ITEMS
|
||||
|
||||
- name: Ensure user testuser is present
|
||||
ipauser:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
name: testuser
|
||||
first: Test
|
||||
last: User
|
||||
register: result
|
||||
failed_when: not result.changed or result.failed
|
||||
|
||||
- name: Ensure host testhost is present
|
||||
ipahost:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
name: "{{ 'testhost.' + ipaserver_domain }}"
|
||||
force: yes
|
||||
reverse: no
|
||||
register: result
|
||||
failed_when: not result.changed or result.failed
|
||||
|
||||
# TESTS
|
||||
|
||||
- name: Ensure group membership has been rebuilt
|
||||
ipaautomember:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
automember_type: group
|
||||
state: rebuilt
|
||||
register: result
|
||||
failed_when: not result.changed or result.failed
|
||||
|
||||
- name: Ensure group membership has been rebuilt no_wait
|
||||
ipaautomember:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
automember_type: group
|
||||
no_wait: yes
|
||||
state: rebuilt
|
||||
register: result
|
||||
failed_when: not result.changed or result.failed
|
||||
|
||||
- name: Ensure group membership for given users has been rebuilt
|
||||
ipaautomember:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
users:
|
||||
- testuser
|
||||
state: rebuilt
|
||||
register: result
|
||||
failed_when: not result.changed or result.failed
|
||||
|
||||
- name: Ensure hostgroup membership for given hosts has been rebuilt
|
||||
ipaautomember:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
hosts:
|
||||
- "{{ 'testhost.' + ipaserver_domain }}"
|
||||
state: rebuilt
|
||||
register: result
|
||||
failed_when: not result.changed or result.failed
|
||||
|
||||
- name: Ensure group membership for given users has been rebuilt with type group
|
||||
ipaautomember:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
automember_type: group
|
||||
users:
|
||||
- testuser
|
||||
state: rebuilt
|
||||
register: result
|
||||
failed_when: not result.changed or result.failed
|
||||
|
||||
- name: Ensure hostgroup membership for given hosts has been rebuilt with type hostgroup
|
||||
ipaautomember:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
automember_type: hostgroup
|
||||
hosts:
|
||||
- "{{ 'testhost.' + ipaserver_domain }}"
|
||||
state: rebuilt
|
||||
register: result
|
||||
failed_when: not result.changed or result.failed
|
||||
|
||||
- name: Ensure group membership rebuild fails with hosts
|
||||
ipaautomember:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
automember_type: group
|
||||
hosts:
|
||||
- "{{ 'testhost.' + ipaserver_domain }}"
|
||||
state: rebuilt
|
||||
register: result
|
||||
failed_when: not result.failed or
|
||||
"hosts can not be set when type is 'group'" not in result.msg
|
||||
|
||||
- name: Ensure hostgroup membership rebuild fails with users
|
||||
ipaautomember:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
automember_type: hostgroup
|
||||
users:
|
||||
- testuser
|
||||
state: rebuilt
|
||||
register: result
|
||||
failed_when: not result.failed or
|
||||
"users can not be set when type is 'hostgroup'" not in result.msg
|
||||
|
||||
# CLEANUP TEST ITEMS
|
||||
|
||||
- name: Ensure user testuser is absent
|
||||
ipauser:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
name: testuser
|
||||
state: absent
|
||||
|
||||
- name: Ensure host testhost is absent
|
||||
ipahost:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
name: "{{ 'testhost.' + ipaserver_domain }}"
|
||||
state: absent
|
||||
Reference in New Issue
Block a user