|
Packit Service |
a166ed |
Role module
|
|
Packit Service |
a166ed |
===========
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
Description
|
|
Packit Service |
a166ed |
-----------
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
The role module allows to ensure presence, absence of roles and members of roles.
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
The role module is as compatible as possible to the Ansible upstream `ipa_role` module, but additionally offers role member management.
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
Features
|
|
Packit Service |
a166ed |
--------
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
* Role management
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
Supported FreeIPA Versions
|
|
Packit Service |
a166ed |
--------------------------
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
FreeIPA versions 4.4.0 and up are supported by the iparole module.
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
Requirements
|
|
Packit Service |
a166ed |
------------
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
**Controller**
|
|
Packit Service |
a166ed |
* Ansible version: 2.8+
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
**Node**
|
|
Packit Service |
a166ed |
* Supported FreeIPA version (see above)
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
Usage
|
|
Packit Service |
a166ed |
=====
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
Example inventory file
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
```ini
|
|
Packit Service |
a166ed |
[ipaserver]
|
|
Packit Service |
a166ed |
ipaserver.test.local
|
|
Packit Service |
a166ed |
```
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
Example playbook to make sure role is present with all members:
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
```yaml
|
|
Packit Service |
a166ed |
---
|
|
Packit Service |
a166ed |
- name: Playbook to manage IPA role with members.
|
|
Packit Service |
a166ed |
hosts: ipaserver
|
|
Packit Service |
a166ed |
become: yes
|
|
Packit Service |
a166ed |
gather_facts: no
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
tasks:
|
|
Packit Service |
a166ed |
- iparole:
|
|
Packit Service |
a166ed |
ipaadmin_password: SomeADMINpassword
|
|
Packit Service |
a166ed |
name: somerole
|
|
Packit Service |
a166ed |
user:
|
|
Packit Service |
a166ed |
- pinky
|
|
Packit Service |
a166ed |
group:
|
|
Packit Service |
a166ed |
- group01
|
|
Packit Service |
a166ed |
host:
|
|
Packit Service |
a166ed |
- host01.example.com
|
|
Packit Service |
a166ed |
hostgroup:
|
|
Packit Service |
a166ed |
- hostgroup01
|
|
Packit Service |
a166ed |
privilege:
|
|
Packit Service |
a166ed |
- Group Administrators
|
|
Packit Service |
a166ed |
- User Administrators
|
|
Packit Service |
a166ed |
service:
|
|
Packit Service |
a166ed |
- service01
|
|
Packit Service |
a166ed |
```
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
Example playbook to rename a role:
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
```yaml
|
|
Packit Service |
a166ed |
- iparole:
|
|
Packit Service |
a166ed |
ipaadmin_password: SomeADMINpassword
|
|
Packit Service |
a166ed |
name: somerole
|
|
Packit Service |
a166ed |
rename: anotherrole
|
|
Packit Service |
a166ed |
```
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
Example playbook to make sure role is absent:
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
```yaml
|
|
Packit Service |
a166ed |
---
|
|
Packit Service |
a166ed |
- name: Playbook to manage IPA role.
|
|
Packit Service |
a166ed |
hosts: ipaserver
|
|
Packit Service |
a166ed |
become: yes
|
|
Packit Service |
a166ed |
gather_facts: no
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
tasks:
|
|
Packit Service |
a166ed |
- iparole:
|
|
Packit Service |
a166ed |
ipaadmin_password: SomeADMINpassword
|
|
Packit Service |
a166ed |
name: somerole
|
|
Packit Service |
a166ed |
state: absent
|
|
Packit Service |
a166ed |
```
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
Example playbook to ensure a user is a member of a role:
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
```yaml
|
|
Packit Service |
a166ed |
---
|
|
Packit Service |
a166ed |
- name: Playbook to manage IPA role member.
|
|
Packit Service |
a166ed |
hosts: ipaserver
|
|
Packit Service |
a166ed |
become: yes
|
|
Packit Service |
a166ed |
gather_facts: no
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
tasks:
|
|
Packit Service |
a166ed |
- iparole:
|
|
Packit Service |
a166ed |
ipaadmin_password: SomeADMINpassword
|
|
Packit Service |
a166ed |
name: somerole
|
|
Packit Service |
a166ed |
user:
|
|
Packit Service |
a166ed |
- pinky
|
|
Packit Service |
a166ed |
action: member
|
|
Packit Service |
a166ed |
```
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
Example playbook to ensure a group is a member of a role:
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
```yaml
|
|
Packit Service |
a166ed |
---
|
|
Packit Service |
a166ed |
- name: Playbook to manage IPA role member.
|
|
Packit Service |
a166ed |
hosts: ipaserver
|
|
Packit Service |
a166ed |
become: yes
|
|
Packit Service |
a166ed |
gather_facts: no
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
tasks:
|
|
Packit Service |
a166ed |
- iparole:
|
|
Packit Service |
a166ed |
ipaadmin_password: SomeADMINpassword
|
|
Packit Service |
a166ed |
name: somerole
|
|
Packit Service |
a166ed |
host:
|
|
Packit Service |
a166ed |
- host01.example.com
|
|
Packit Service |
a166ed |
action: member
|
|
Packit Service |
a166ed |
```
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
Example playbook to ensure a host is a member of a role:
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
```yaml
|
|
Packit Service |
a166ed |
---
|
|
Packit Service |
a166ed |
- name: Playbook to manage IPA role member.
|
|
Packit Service |
a166ed |
hosts: ipaserver
|
|
Packit Service |
a166ed |
become: yes
|
|
Packit Service |
a166ed |
gather_facts: no
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
tasks:
|
|
Packit Service |
a166ed |
- iparole:
|
|
Packit Service |
a166ed |
ipaadmin_password: SomeADMINpassword
|
|
Packit Service |
a166ed |
name: somerole
|
|
Packit Service |
a166ed |
host:
|
|
Packit Service |
a166ed |
- host01.example.com
|
|
Packit Service |
a166ed |
action: member
|
|
Packit Service |
a166ed |
```
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
Example playbook to ensure a hostgroup is a member of a role:
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
```yaml
|
|
Packit Service |
a166ed |
---
|
|
Packit Service |
a166ed |
- name: Playbook to manage IPA role member.
|
|
Packit Service |
a166ed |
hosts: ipaserver
|
|
Packit Service |
a166ed |
become: yes
|
|
Packit Service |
a166ed |
gather_facts: no
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
tasks:
|
|
Packit Service |
a166ed |
- iparole:
|
|
Packit Service |
a166ed |
ipaadmin_password: SomeADMINpassword
|
|
Packit Service |
a166ed |
name: somerole
|
|
Packit Service |
a166ed |
hostgroup:
|
|
Packit Service |
a166ed |
- hostgroup01
|
|
Packit Service |
a166ed |
action: member
|
|
Packit Service |
a166ed |
```
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
Example playbook to ensure a service is a member of a role:
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
```yaml
|
|
Packit Service |
a166ed |
---
|
|
Packit Service |
a166ed |
- name: Playbook to manage IPA role member.
|
|
Packit Service |
a166ed |
hosts: ipaserver
|
|
Packit Service |
a166ed |
become: yes
|
|
Packit Service |
a166ed |
gather_facts: no
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
tasks:
|
|
Packit Service |
a166ed |
- iparole:
|
|
Packit Service |
a166ed |
ipaadmin_password: SomeADMINpassword
|
|
Packit Service |
a166ed |
name: somerole
|
|
Packit Service |
a166ed |
service:
|
|
Packit Service |
a166ed |
- service01
|
|
Packit Service |
a166ed |
action: member
|
|
Packit Service |
a166ed |
```
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
Example playbook to ensure a privilege is a member of a role:
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
```yaml
|
|
Packit Service |
a166ed |
---
|
|
Packit Service |
a166ed |
- name: Playbook to manage IPA role member.
|
|
Packit Service |
a166ed |
hosts: ipaserver
|
|
Packit Service |
a166ed |
become: yes
|
|
Packit Service |
a166ed |
gather_facts: no
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
tasks:
|
|
Packit Service |
a166ed |
- iparole:
|
|
Packit Service |
a166ed |
ipaadmin_password: SomeADMINpassword
|
|
Packit Service |
a166ed |
name: somerole
|
|
Packit Service |
a166ed |
privilege:
|
|
Packit Service |
a166ed |
- Group Administrators
|
|
Packit Service |
a166ed |
- User Administrators
|
|
Packit Service |
a166ed |
action: member
|
|
Packit Service |
a166ed |
```
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
Example playbook to ensure that different members are not associated with a role.
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
```yaml
|
|
Packit Service |
a166ed |
---
|
|
Packit Service |
a166ed |
- name: Playbook to manage IPA role member.
|
|
Packit Service |
a166ed |
hosts: ipaserver
|
|
Packit Service |
a166ed |
become: yes
|
|
Packit Service |
a166ed |
gather_facts: no
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
tasks:
|
|
Packit Service |
a166ed |
- iparole:
|
|
Packit Service |
a166ed |
ipaadmin_password: SomeADMINpassword
|
|
Packit Service |
a166ed |
name: somerole
|
|
Packit Service |
a166ed |
user:
|
|
Packit Service |
a166ed |
- pinky
|
|
Packit Service |
a166ed |
group:
|
|
Packit Service |
a166ed |
- group01
|
|
Packit Service |
a166ed |
host:
|
|
Packit Service |
a166ed |
- host01.example.com
|
|
Packit Service |
a166ed |
hostgroup:
|
|
Packit Service |
a166ed |
- hostgroup01
|
|
Packit Service |
a166ed |
privilege:
|
|
Packit Service |
a166ed |
- Group Administrators
|
|
Packit Service |
a166ed |
- User Administrators
|
|
Packit Service |
a166ed |
service:
|
|
Packit Service |
a166ed |
- service01
|
|
Packit Service |
a166ed |
action: member
|
|
Packit Service |
a166ed |
state: absent
|
|
Packit Service |
a166ed |
```
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
Variables
|
|
Packit Service |
a166ed |
---------
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
iparole
|
|
Packit Service |
a166ed |
-------
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
Variable | Description | Required
|
|
Packit Service |
a166ed |
-------- | ----------- | --------
|
|
Packit Service |
a166ed |
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
|
|
Packit Service |
a166ed |
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
|
|
Packit Service |
a166ed |
`name` \| `cn` | The list of role name strings. | yes
|
|
Packit Service |
a166ed |
`description` | A description for the role. | no
|
|
Packit Service |
a166ed |
`rename` | Rename the role object. | no
|
|
Packit Service |
a166ed |
`privilege` | Privileges associated to this role. | no
|
|
Packit Service |
a166ed |
`user` | List of users to be assigned or not assigned to the role. | no
|
|
Packit Service |
a166ed |
`group` | List of groups to be assigned or not assigned to the role. | no
|
|
Packit Service |
a166ed |
`host` | List of hosts to be assigned or not assigned to the role. | no
|
|
Packit Service |
a166ed |
`hostgroup` | List of hostgroups to be assigned or not assigned to the role. | no
|
|
Packit Service |
a166ed |
`service` | List of services to be assigned or not assigned to the role. | no
|
|
Packit Service |
a166ed |
`action` | Work on role or member level. It can be on of `member` or `role` and defaults to `role`. | no
|
|
Packit Service |
a166ed |
`state` | The state to ensure. It can be one of `present`, `absent`, default: `present`. | no
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
Authors
|
|
Packit Service |
a166ed |
=======
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
Rafael Jeffman
|