--- - name: Test privilege hosts: "{{ ipa_test_host | default('ipaserver') }}" become: true tasks: # CLEANUP TEST ITEMS - name: Ensure privilege "Broad Privilege" is absent ipaprivilege: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" name: - Broad Privilege - DNS Privilege state: absent # CREATE TEST ITEMS # TESTS - name: Ensure privilege Broad Privilege is present ipaprivilege: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" name: Broad Privilege description: Broad Privilege register: result failed_when: not result.changed or result.failed - name: Ensure privilege Broad Privilege is present again ipaprivilege: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" name: Broad Privilege description: Broad Privilege register: result failed_when: result.changed or result.failed - name: Change privilege Broad Privilege description ipaprivilege: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" name: Broad Privilege description: Broad Privilege description register: result failed_when: not result.changed or result.failed - name: Check if adding member permissions would cause a change (issue 669). ipaprivilege: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" name: Broad Privilege permission: - "Write IPA Configuration" - "System: Write DNS Configuration" - "System: Update DNS Entries" action: member check_mode: yes register: result failed_when: not result.changed or result.failed - name: Ensure privilege Broad Privilege has permissions ipaprivilege: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" name: Broad Privilege permission: - "Write IPA Configuration" - "System: Write DNS Configuration" - "System: Update DNS Entries" action: member register: result failed_when: not result.changed or result.failed - name: Ensure privilege Broad Privilege has permissions, again ipaprivilege: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" name: Broad Privilege permission: - "Write IPA Configuration" - "System: Write DNS Configuration" - "System: Update DNS Entries" action: member register: result failed_when: result.changed or result.failed - name: Check if existing member permissions would not cause a change (issue 669). ipaprivilege: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" name: Broad Privilege permission: - "Write IPA Configuration" - "System: Write DNS Configuration" - "System: Update DNS Entries" action: member check_mode: yes register: result failed_when: result.changed or result.failed - name: Ensure privilege Broad Privilege member permission "Write IPA Configuration" is absent ipaprivilege: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" name: Broad Privilege permission: - "Write IPA Configuration" action: member state: absent register: result failed_when: not result.changed or result.failed - name: Ensure privilege Broad Privilege member permission "Write IPA Configuration" is absent again ipaprivilege: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" name: Broad Privilege permission: - "Write IPA Configuration" action: member state: absent register: result failed_when: result.changed or result.failed - name: Ensure privilege Broad Privilege is absent ipaprivilege: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" name: Broad Privilege state: absent register: result failed_when: not result.changed or result.failed - name: Ensure privilege Broad Privilege is present ipaprivilege: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" name: Broad Privilege register: result failed_when: not result.changed or result.failed - name: Ensure privilege Broad Privilege is renamed to "DNS Privilege" ipaprivilege: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" name: Broad Privilege rename: DNS Privilege state: renamed register: result failed_when: not result.changed or result.failed - name: Ensure privilege Broad Privilege cannot be renamed, because it does not exist. ipaprivilege: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" name: Broad Privilege rename: DNS Privilege state: renamed register: result failed_when: not result.failed or "No privilege found to be renamed" not in result.msg - name: Ensure privilege cannot be renamed to the same name. ipaprivilege: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" name: DNS Privilege rename: DNS Privilege state: renamed register: result failed_when: result.changed or result.failed - name: Ensure privilege cannot be renamed to the same name. ipaprivilege: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" name: DNS Privilege rename: DNS Privilege state: renamed register: result failed_when: result.changed or result.failed - name: Ensure "Broad Privilege" is absent. ipaprivilege: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" name: Broad Privilege state: absent - name: Check if creating privilege Broad Privilege with permission would issue a change. (issue 669) ipaprivilege: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" name: Broad Privilege permission: - "Write IPA Configuration" check_mode: yes register: result failed_when: not result.changed or result.failed - name: Ensure privilege Broad Privilege is created with permission. (issue 529) ipaprivilege: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" name: Broad Privilege permission: - "Write IPA Configuration" register: result failed_when: not result.changed or result.failed - name: Ensure privilege Broad Privilege is created with permission, again. (issue 529) ipaprivilege: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" name: Broad Privilege permission: - "Write IPA Configuration" register: result failed_when: result.changed or result.failed - name: Check if exisintg privilege Broad Privilege with permission would not issue a change. (issue 669) ipaprivilege: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" name: Broad Privilege permission: - "Write IPA Configuration" check_mode: yes register: result failed_when: result.changed or result.failed # CLEANUP TEST ITEMS - name: Ensure privilege testing privileges are absent ipaprivilege: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" name: - Broad Privilege - DNS Privilege state: absent