HBACrule module
===============

Description
-----------

The hbacrule (HBAC Rule) module allows you to ensure the presence and absence of HBAC Rules, and of hosts, host groups, HBAC Services, HBAC Service Groups, users, and user groups as members of an HBAC Rule.


Features
--------
* HBAC Rule management


Supported FreeIPA Versions
--------------------------

FreeIPA versions 4.4.0 and up are supported by the ipahbacrule module.


Requirements
------------

**Controller**
* Ansible version: 2.8+

**Node**
* Supported FreeIPA version (see above)


Usage
=====

Example inventory file

```ini
[ipaserver]
ipaserver.test.local
```

Example playbook to make sure HBAC Rule login exists:

```yaml
---
- name: Playbook to handle hbacrules
  hosts: ipaserver
  become: true

  tasks:
  # Ensure HBAC Rule login is present
  - ipahbacrule:
      ipaadmin_password: SomeADMINpassword
      name: login
```

Example playbook to make sure HBAC Rule login exists with sshd as its only HBAC Service:

```yaml
---
- name: Playbook to handle hbacrules
  hosts: ipaserver
  become: true

  tasks:
  # Ensure HBAC Rule login is present with the only HBAC Service sshd
  - ipahbacrule:
      ipaadmin_password: SomeADMINpassword
      name: login
      hbacsvc:
      - sshd
```

Example playbook to make sure HBAC Service sshd is present in HBAC Rule login:

```yaml
---
- name: Playbook to handle hbacrules
  hosts: ipaserver
  become: true

  tasks:
  # Ensure HBAC Service sshd is present in HBAC Rule login
  - ipahbacrule:
      ipaadmin_password: SomeADMINpassword
      name: login
      hbacsvc:
      - sshd
      action: member
```

Example playbook to make sure HBAC Service sshd is absent in HBAC Rule login:

```yaml
---
- name: Playbook to handle hbacrules
  hosts: ipaserver
  become: true

  tasks:
  # Ensure HBAC Service sshd is absent in HBAC Rule login
  - ipahbacrule:
      ipaadmin_password: SomeADMINpassword
      name: login
      hbacsvc:
      - sshd
      action: member
      state: absent
```

Example playbook to make sure HBAC Rule login is absent:

```yaml
---
- name: Playbook to handle hbacrules
  hosts: ipaserver
  become: true

  tasks:
  # Ensure HBAC Rule login is absent
  - ipahbacrule:
      ipaadmin_password: SomeADMINpassword
      name: login
      state: absent
```
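
The playbooks above only manage HBAC Service membership. The following added example (not part of the original module documentation) combines the `group`, `hostgroup` and `hbacsvc` members with `state: disabled` to replace FreeIPA's default `allow_all` rule with a narrowly scoped one. It assumes a user group `sysadmins` and a host group `webservers` already exist (both names and the rule name are hypothetical) and that `ipaadmin_password` is supplied as a variable, for example from Ansible Vault, rather than written into the playbook.

```yaml
---
- name: Playbook to restrict SSH logins with HBAC (added example)
  hosts: ipaserver
  become: true

  tasks:
  # Create the scoped rule first, so that access still exists once the
  # permissive default rule is switched off.
  # With the default action (hbacrule) the member lists are set to exactly
  # the values given here.
  - ipahbacrule:
      ipaadmin_password: "{{ ipaadmin_password }}"  # assumed to come from Ansible Vault
      name: ssh_sysadmins_webservers                 # hypothetical rule name
      description: sysadmins may log in to webservers over SSH only
      group:
      - sysadmins                                    # hypothetical user group
      hostgroup:
      - webservers                                   # hypothetical host group
      hbacsvc:
      - sshd

  # Only after the scoped rule is in place, disable the default rule that
  # permits every user on every host for every service.
  # The rule is disabled rather than removed, so it can be re-enabled with
  # state: enabled if access turns out to be too narrow.
  - ipahbacrule:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: allow_all
      state: disabled
```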

Variables
=========

ipahbacrule
---------------

Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`name` \| `cn` | The list of hbacrule name strings. | yes
`description` | The hbacrule description string. | no
`usercategory` \| `usercat` | User category the rule applies to. Choices: ["all", ""] | no
`hostcategory` \| `hostcat` | Host category the rule applies to. Choices: ["all", ""] | no
`servicecategory` \| `servicecat` | HBAC service category the rule applies to. Choices: ["all", ""] | no
`nomembers` | Suppress processing of membership attributes. (bool) | no
`host` | List of host name strings assigned to this hbacrule. | no
`hostgroup` | List of host group name strings assigned to this hbacrule. | no
`hbacsvc` | List of HBAC Service name strings assigned to this hbacrule. | no
`hbacsvcgroup` | List of HBAC Service Group name strings assigned to this hbacrule. | no
`user` | List of user name strings assigned to this hbacrule. | no
`group` | List of user group name strings assigned to this hbacrule. | no
`action` | Work on hbacrule or member level. It can be one of `member` or `hbacrule` and defaults to `hbacrule`. | no
`state` | The state to ensure. It can be one of `present`, `absent`, `enabled` or `disabled`, default: `present`. | no


Authors
=======

Thomas Woerner