HBACrule module
===============

Description
-----------

The hbacrule (HBAC Rule) module allows you to ensure the presence and absence of HBAC Rules, and of hosts, host groups, HBAC Services, HBAC Service Groups, users, and user groups as members of an HBAC Rule.


Features
--------
* HBAC Rule management


Supported FreeIPA Versions
--------------------------

FreeIPA versions 4.4.0 and up are supported by the ipahbacrule module.


Requirements
------------

**Controller**
* Ansible version: 2.8+

**Node**
* Supported FreeIPA version (see above)


Usage
=====

Example inventory file

```ini
[ipaserver]
ipaserver.test.local
```


Example playbook to make sure HBAC Rule login exists:

```yaml
---
- name: Playbook to handle hbacrules
  hosts: ipaserver
  become: true

  tasks:
  # Ensure HBAC Rule login is present
  - ipahbacrule:
      ipaadmin_password: MyPassword123
      name: login
```


Example playbook to make sure HBAC Rule login exists with the only HBAC Service sshd:

```yaml
---
- name: Playbook to handle hbacrules
  hosts: ipaserver
  become: true

  tasks:
  # Ensure HBAC Rule login is present with the only HBAC Service sshd
  - ipahbacrule:
      ipaadmin_password: MyPassword123
      name: login
      hbacsvc:
      - sshd
```

Example playbook to make sure HBAC Service sshd is present in HBAC Rule login:

```yaml
---
- name: Playbook to handle hbacrules
  hosts: ipaserver
  become: true

  tasks:
  # Ensure HBAC Service sshd is present in HBAC Rule login
  - ipahbacrule:
      ipaadmin_password: MyPassword123
      name: login
      hbacsvc:
      - sshd
      action: member
```

Example playbook to make sure HBAC Service sshd is absent in HBAC Rule login:

```yaml
---
- name: Playbook to handle hbacrules
  hosts: ipaserver
  become: true

  tasks:
  # Ensure HBAC Service sshd is absent in HBAC Rule login
  - ipahbacrule:
      ipaadmin_password: MyPassword123
      name: login
      hbacsvc:
      - sshd
      action: member
      state: absent
```

Example playbook to make sure HBAC Rule login is absent:

```yaml
---
- name: Playbook to handle hbacrules
  hosts: ipaserver
  become: true

  tasks:
  # Ensure HBAC Rule login is absent
  - ipahbacrule:
      ipaadmin_password: MyPassword123
      name: login
      state: absent
```
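
The following playbook is an added example, not part of the original module documentation. It combines the rule-level and member-level actions shown above with `state: disabled` to build a least-privilege SSH rule. The rule, group, host group and user names and the `ipaadmin_password` variable are hypothetical; `allow_all` is the catch-all rule created by a default FreeIPA installation.

```yaml
---
- name: Restrict SSH logins with a targeted HBAC rule
  hosts: ipaserver
  become: true

  tasks:
  # action defaults to hbacrule: the member lists given here are treated
  # as the rule's membership, as in the "only HBAC Service sshd" example.
  - ipahbacrule:
      ipaadmin_password: "{{ ipaadmin_password }}"  # assumed to come from Ansible Vault
      name: ssh_webservers        # hypothetical rule name
      description: SSH access to web servers for sysadmins only
      group:
      - sysadmins                 # hypothetical user group
      hostgroup:
      - webservers                # hypothetical host group
      hbacsvc:
      - sshd

  # action: member adds one user and leaves the rule's other members
  # untouched.
  - ipahbacrule:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: ssh_webservers
      user:
      - oncall                    # hypothetical user
      action: member

  # state: disabled keeps the rule and its members but stops it from
  # granting access. Run this only after the targeted rules above exist,
  # because allow_all is what permits every login by default.
  - ipahbacrule:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: allow_all
      state: disabled
```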


Variables
=========

ipahbacrule
---------------

Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`name` \| `cn` | The list of hbacrule name strings. | yes
`description` | The hbacrule description string. | no
`usercategory` \| `usercat` | User category the rule applies to. Choices: ["all"] | no
`hostcategory` \| `hostcat` | Host category the rule applies to. Choices: ["all"] | no
`servicecategory` \| `servicecat` | HBAC service category the rule applies to. Choices: ["all"] | no
`nomembers` | Suppress processing of membership attributes. (bool) | no
`host` | List of host name strings assigned to this hbacrule. | no
`hostgroup` | List of host group name strings assigned to this hbacrule. | no
`hbacsvc` | List of HBAC Service name strings assigned to this hbacrule. | no
`hbacsvcgroup` | List of HBAC Service Group name strings assigned to this hbacrule. | no
`user` | List of user name strings assigned to this hbacrule. | no
`group` | List of user group name strings assigned to this hbacrule. | no
`action` | Work on hbacrule or member level. It can be one of `member` or `hbacrule` and defaults to `hbacrule`. | no
`state` | The state to ensure. It can be one of `present`, `absent`, `enabled` or `disabled`, default: `present`. | no


Authors
=======

Thomas Woerner