0bcb4eaf0f
This patch adds support for retrieving data stored in an IPA vault by
adding a new valid state for ipavault: `retrieved`.
To allow the retrieval of data from assymetric vaults, the attributes
`private_key`, `private_key_files` and `out` were also added to the
module.
The private key files, `private.pem`, should be paired with the already
existing `public.pem` public key files.
Tests were updated to reflect changes and two new playbooks were added:
playbooks/vault/retrive-data-asymmetric-vault.yml
playbooks/vault/retrive-data-symmetric-vault.yml
5.8 KiB
Vault module
Description
The vault module allows to ensure presence and absence of vault and members of vaults.
The vault module is as compatible as possible to the Ansible upstream ipa_vault module, and additionally offers to make sure that vault members, groups and owners are present or absent in a vault, and allow the archival of data in vaults.
Features
- Vault management
Supported FreeIPA Versions
FreeIPA versions 4.4.0 and up are supported by the ipavault module.
Requirements
Controller
- Ansible version: 2.8+
Node
- Supported FreeIPA version (see above)
- KRA service must be enabled
Usage
Example inventory file
[ipaserver]
ipaserver.test.local
Example playbook to make sure vault is present (by default, vault type is symmetric):
---
- name: Playbook to handle vaults
hosts: ipaserver
become: true
tasks:
- ipavault:
ipaadmin_password: SomeADMINpassword
name: symvault
password: SomeVAULTpassword
description: A standard private vault.
Example playbook to make sure that a vault and its members are present:
---
- name: Playbook to handle vaults
hosts: ipaserver
become: true
tasks:
- ipavault:
ipaadmin_password: SomeADMINpassword
name: symvault
username: admin
users: user01
action controls if the vault, data, member or owner will be handled. To add or remove members or vault data, set action to member.
Example playbook to make sure that a vault member is present in vault:
---
- name: Playbook to handle vaults
hosts: ipaserver
become: true
tasks:
- ipavault:
ipaadmin_password: SomeADMINpassword
name: symvault
username: admin
users: user01
action: member
Example playbook to make sure that a vault owner is absent in vault:
---
- name: Playbook to handle vaults
hosts: ipaserver
become: true
tasks:
- ipavault:
ipaadmin_password: SomeADMINpassword
name: symvault
username: admin
owner: user01
action: member
state: absent
Example playbook to make sure vault data is present in a symmetric vault:
---
- name: Playbook to handle vaults
hosts: ipaserver
become: true
tasks:
- ipavault:
ipaadmin_password: SomeADMINpassword
name: symvault
username: admin
password: SomeVAULTpassword
data: >
Data archived.
More data archived.
action: member
Example playbook to retrieve vault data from a symmetric vault:
---
- name: Playbook to handle vaults
hosts: ipaserver
become: true
tasks:
- ipavault:
ipaadmin_password: SomeADMINpassword
name: symvault
username: admin
password: SomeVAULTpassword
state: retrieved
Example playbook to make sure vault data is absent in a symmetric vault:
---
- name: Playbook to handle vaults
hosts: ipaserver
become: true
tasks:
- ipavault:
ipaadmin_password: SomeADMINpassword
name: symvault
username: admin
password: SomeVAULTpassword
action: member
state: absent
Example playbook to make sure vault is absent:
---
- name: Playbook to handle vaults
hosts: ipaserver
become: true
tasks:
- ipavault:
ipaadmin_password: SomeADMINpassword
name: symvault
username: admin
state: absent
register: result
- debug:
msg: "{{ result.data }}"
Variables
ipavault
| Variable | Description | Required |
|---|---|---|
ipaadmin_principal |
The admin principal is a string and defaults to admin |
no |
ipaadmin_password |
The admin password is a string and is required if there is no admin ticket available on the node | no |
name | cn |
The list of vault name strings. | yes |
description |
The vault description string. | no |
nomembers |
Suppress processing of membership attributes. (bool) | no |
password | vault_password | ipavaultpassword |
Vault password. | no |
public_key | vault_public_key | ipavaultpublickey |
Base64 encoded vault public key. | no |
public_key_file | vault_public_key_file |
Path to file with public key. | no |
private_key | vault_private_key |
Base64 encoded vault private key. Used only to retrieve data. | no |
private_key_file | vault_private_key_file |
Path to file with private key. Used only to retrieve data. | no |
salt | vault_salt | ipavaultsalt |
Vault salt. | no |
vault_type | ipavaulttype |
Vault types are based on security level. It can be one of standard, symmetric or asymmetric, default: symmetric |
no |
user | username |
Any user can own one or more user vaults. | no |
service |
Any service can own one or more service vaults. | no |
shared |
Vault is shared. Default to false. (bool) | no |
users |
Users that are members of the vault. | no |
groups |
Groups that are member of the vault. | no |
services |
Services that are member of the vault. | no |
data |vault_data | ipavaultdata |
Data to be stored in the vault. | no |
in | datafile_in |
Path to file with data to be stored in the vault. | no |
out | datafile_out |
Path to file to store data retrieved from the vault. | no |
action |
Work on vault or member level. It can be on of member or vault and defaults to vault. |
no |
state |
The state to ensure. It can be one of present, absent or retrieved, default: present. |
no |
Return Values
ipavault
There is only a return value if state is retrieved.
| Variable | Description | Returned When |
|---|---|---|
data |
The data stored in the vault. | If state is retrieved. |
Notes
ipavault uses a client context to execute, and it might affect execution time.
Authors
Rafael Jeffman