Service module
==============

Description
-----------

The service module ensures the presence and absence of services.


Features
--------

* Service management


Supported FreeIPA Versions
--------------------------

FreeIPA versions 4.4.0 and up are supported by the ipaservice module.

Option `skip_host_check` requires FreeIPA version 4.7.0 or later.


Requirements
------------

**Controller**
* Ansible version: 2.8+

**Node**
* Supported FreeIPA version (see above)


Usage
=====

Example inventory file

```ini
[ipaserver]
ipaserver.test.local
```


Example playbook to make sure service is present:

```yaml
---
- name: Playbook to manage IPA service.
  hosts: ipaserver
  become: true
  gather_facts: false

  tasks:
  # Ensure service is present
  - ipaservice:
      ipaadmin_password: SomeADMINpassword
      name: HTTP/www.example.com
      certificate:
        - MIIC/zCCAeegAwIBAgIUMNHIbn+hhrOVew/2WbkteisV29QwDQYJKoZIhvcNAQELBQAw
        DzENMAsGA1UEAwwEdGVzdDAeFw0yMDAyMDQxNDQxMDhaFw0zMDAyMDExNDQxMDhaMA8xDT
        ALBgNVBAMMBHRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+XVVGFYpH
        VkcDfVnNInE1Y/pFciegdzqTjMwUWlRL4Zt3u96GhaMLRbtk+OfEkzLUAhWBOwEraELJzM
        LJOMvjYF3C+TiGO7dStFLikZmccuSsSIXjnzIPwBXa8KvgRVRyGLoVvGbLJvmjfMXp0nIT
        oTx/i74KF9S++WEes9H5ErJ99CDhLKFgq0amnvsgparYXhypHaRLnikn0vQINt55YoEd1s
        4KrvEcD2VdZkIMPbLRu2zFvMprF3cjQQG4LT9ggfEXNIPZ1nQWAnAsu7OJEkNF+E4Mkmpc
        xj9aGUVt5bsq1D+Tzj3GsidSX0nSNcZ2JltXRnL/5v63g5cZyE+nAgMBAAGjUzBRMB0GA1
        UdDgQWBBRV0j7JYukuH/r/t9+QeNlRLXDlEDAfBgNVHSMEGDAWgBRV0j7JYukuH/r/t9+Q
        eNlRLXDlEDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCgVy1+1kNwHs
        5y1Zp0WjMWGCJC6/zw7FDG4OW5r2GJiCXZYdJ0UonY9ZtoVLJPrp2/DAv1m5DtnDhBYqic
        uPgLzEkOS1KdTi20Otm/J4yxLLrZC5W4x0XOeSVPXOJuQWfwQ5pPvKkn6WxYUYkGwIt1OH
        2nSMngkbami3CbSmKZOCpgQIiSlQeDJ8oGjWFMLDymYSHoVOIXHwNoooyEiaio3693l6no
        obyGv49zyCVLVR1DC7i6RJ186ql0av+D4vPoiF5mX7+sKC2E8xEj9uKQ5GTWRh59VnRBVC
        /SiMJ/H78tJnBAvoBwXxSEvj8Z3Kjm/BQqZfv4IBsA5yqV7MVq
      pac_type: PAD
      auth_ind: otp
      requires_pre_auth: false
      ok_as_delegate: false
      ok_to_auth_as_delegate: false
      skip_host_check: true
      force: true
```


Example playbook to make sure service is absent:

```yaml
---
- name: Playbook to manage IPA service.
  hosts: ipaserver
  become: true
  gather_facts: false

  tasks:
  # Ensure service is absent
  - ipaservice:
      ipaadmin_password: SomeADMINpassword
      name: HTTP/www.example.com
      state: absent
```


Example playbook to make sure service is disabled:

```yaml
---
- name: Playbook to manage IPA service.
  hosts: ipaserver
  become: true
  gather_facts: false

  tasks:
  # Ensure service is disabled
  - ipaservice:
      ipaadmin_password: SomeADMINpassword
      name: HTTP/www.example.com
      state: disabled
```

Example playbook to add a service even if the host object does not exist, but only if it does have a DNS entry:

```yaml
---
- name: Playbook to manage IPA service.
  hosts: ipaserver
  become: true
  gather_facts: false

  tasks:
  # Ensure service is present
  - ipaservice:
      ipaadmin_password: SomeADMINpassword
      name: HTTP/www.example.com
      skip_host_check: true
      force: false
```

Example playbook to add a service if it does have a DNS entry, but host object exists:

```yaml
---
- name: Playbook to manage IPA service.
  hosts: ipaserver
  become: true
  gather_facts: false

  tasks:
  # Ensure service is present
  - ipaservice:
      ipaadmin_password: SomeADMINpassword
      name: HTTP/www.example.com
      skip_host_check: false
      force: true
```

Example playbook to ensure service has a certificate:

```yaml
---
- name: Playbook to manage IPA service.
  hosts: ipaserver
  become: true
  gather_facts: false

  tasks:
  # Ensure service member certificate is present.
  - ipaservice:
      ipaadmin_password: SomeADMINpassword
      name: HTTP/www.example.com
      certificate:
        - MIIC/zCCAeegAwIBAgIUMNHIbn+hhrOVew/2WbkteisV29QwDQYJKoZIhvcNAQELBQAw
        DzENMAsGA1UEAwwEdGVzdDAeFw0yMDAyMDQxNDQxMDhaFw0zMDAyMDExNDQxMDhaMA8xDT
        ALBgNVBAMMBHRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+XVVGFYpH
        VkcDfVnNInE1Y/pFciegdzqTjMwUWlRL4Zt3u96GhaMLRbtk+OfEkzLUAhWBOwEraELJzM
        LJOMvjYF3C+TiGO7dStFLikZmccuSsSIXjnzIPwBXa8KvgRVRyGLoVvGbLJvmjfMXp0nIT
        oTx/i74KF9S++WEes9H5ErJ99CDhLKFgq0amnvsgparYXhypHaRLnikn0vQINt55YoEd1s
        4KrvEcD2VdZkIMPbLRu2zFvMprF3cjQQG4LT9ggfEXNIPZ1nQWAnAsu7OJEkNF+E4Mkmpc
        xj9aGUVt5bsq1D+Tzj3GsidSX0nSNcZ2JltXRnL/5v63g5cZyE+nAgMBAAGjUzBRMB0GA1
        UdDgQWBBRV0j7JYukuH/r/t9+QeNlRLXDlEDAfBgNVHSMEGDAWgBRV0j7JYukuH/r/t9+Q
        eNlRLXDlEDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCgVy1+1kNwHs
        5y1Zp0WjMWGCJC6/zw7FDG4OW5r2GJiCXZYdJ0UonY9ZtoVLJPrp2/DAv1m5DtnDhBYqic
        uPgLzEkOS1KdTi20Otm/J4yxLLrZC5W4x0XOeSVPXOJuQWfwQ5pPvKkn6WxYUYkGwIt1OH
        2nSMngkbami3CbSmKZOCpgQIiSlQeDJ8oGjWFMLDymYSHoVOIXHwNoooyEiaio3693l6no
        obyGv49zyCVLVR1DC7i6RJ186ql0av+D4vPoiF5mX7+sKC2E8xEj9uKQ5GTWRh59VnRBVC
        /SiMJ/H78tJnBAvoBwXxSEvj8Z3Kjm/BQqZfv4IBsA5yqV7MVq
      action: member
      state: present
```

Example playbook to add a principal to the service:

```yaml
---
- name: Playbook to manage IPA service.
  hosts: ipaserver
  become: true
  gather_facts: false

  tasks:
    # Principal host/principal.example.com present in service.
    - ipaservice:
        ipaadmin_password: SomeADMINpassword
        name: HTTP/www.example.com
        principal: host/principal.example.com
        action: member
```

Example playbook to enable a host to manage service:

```yaml
---
- name: Playbook to manage IPA service.
  hosts: ipaserver
  become: true
  gather_facts: false

  tasks:
    # Ensure host can manage service.
    - ipaservice:
        ipaadmin_password: SomeADMINpassword
        name: HTTP/www.example.com
        host: host1.example.com
        action: member
```

Example playbook to allow users, groups, hosts or hostgroups to create a keytab of this service:

```yaml
---
- name: Playbook to manage IPA service.
  hosts: ipaserver
  become: true
  gather_facts: false

  tasks:
    # Allow users, groups, hosts or host groups to create a keytab of this service.
    - ipaservice:
        ipaadmin_password: SomeADMINpassword
        name: HTTP/www.example.com
        allow_create_keytab_user:
        - user01
        - user02
        allow_create_keytab_group:
        - group01
        - group02
        allow_create_keytab_host:
        - host1.example.com
        - host2.example.com
        allow_create_keytab_hostgroup:
        - hostgroup01
        - hostgroup02
        action: member
```

Example playbook to allow users, groups, hosts or hostgroups to retrieve a keytab of this service:

```yaml
---
- name: Playbook to manage IPA service.
  hosts: ipaserver
  become: true
  gather_facts: false

  tasks:
    # Allow users, groups, hosts or host groups to retrieve a keytab of this service.
    - ipaservice:
        ipaadmin_password: SomeADMINpassword
        name: HTTP/www.example.com
        allow_retrieve_keytab_user:
        - user01
        - user02
        allow_retrieve_keytab_group:
        - group01
        - group02
        allow_retrieve_keytab_host:
        - "{{ host1_fqdn }}"
        - "{{ host2_fqdn }}"
        allow_retrieve_keytab_hostgroup:
        - hostgroup01
        - hostgroup02
        action: member
```
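
Example playbook that creates the service with the restrictive values of the security-relevant variables and lets a single host retrieve its keytab. This is an added example, not part of the project's own README; the vault file `vault.yml` and the variable `vault_ipaadmin_password` are assumptions of this example:

```yaml
---
- name: Playbook to manage IPA service.
  hosts: ipaserver
  become: true
  gather_facts: false

  # Assumption: vault.yml is encrypted with ansible-vault and defines
  # vault_ipaadmin_password, so the admin password is not stored in
  # clear text in the playbook.
  vars_files:
  - vault.yml

  tasks:
  # Ensure service is present. The host object must already exist
  # (skip_host_check: false) and the host must be in DNS (force: false).
  # Pre-authentication stays required and both delegation options stay
  # off; these are the defaults, written out explicitly.
  - ipaservice:
      ipaadmin_password: "{{ vault_ipaadmin_password }}"
      name: HTTP/www.example.com
      pac_type: PAD
      auth_ind: otp
      requires_pre_auth: true
      ok_as_delegate: false
      ok_to_auth_as_delegate: false
      skip_host_check: false
      force: false

  # Allow host1.example.com to retrieve a keytab of this service.
  # No users, groups or host groups are added.
  - ipaservice:
      ipaadmin_password: "{{ vault_ipaadmin_password }}"
      name: HTTP/www.example.com
      allow_retrieve_keytab_host:
      - host1.example.com
      action: member
```

Run it with `ansible-playbook --ask-vault-pass` so that the vault file can be decrypted.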


Variables
---------

ipaservice

Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`name` \| `service` | The list of service name strings. | yes
`certificate` \| `usercertificate` | Base-64 encoded service certificate. | no
`pac_type` \| `ipakrbauthzdata` | Supported PAC type. It can be one of `MS-PAC`, `PAD`, or `NONE`. | no
`auth_ind` \| `krbprincipalauthind` | Defines a whitelist for Authentication Indicators. It can be any of `otp`, `radius`, `pkinit`, or `hardened`. | no
`requires_pre_auth` \| `ipakrbrequirespreauth` | Pre-authentication is required for the service. Defaults to true. (bool) | no
`ok_as_delegate` \| `ipakrbokasdelegate` | Client credentials may be delegated to the service. Defaults to false. (bool) | no
`ok_to_auth_as_delegate` \| `ipakrboktoauthasdelegate` | The service is allowed to authenticate on behalf of a client. Defaults to false. (bool) | no
`skip_host_check` | Force service to be created even when host object does not exist to manage it. Defaults to false. (bool) | no
`force` | Force principal name even if host not in DNS. Defaults to false. (bool) | no
`host` \| `managedby_host` | Hosts that can manage the service. | no
`principal` \| `krbprincipalname` | List of principal aliases for the service. | no
`allow_create_keytab_user` \| `ipaallowedtoperform_write_keys_user` | Users allowed to create a keytab of this service. | no
`allow_create_keytab_group` \| `ipaallowedtoperform_write_keys_group` | Groups allowed to create a keytab of this service. | no
`allow_create_keytab_host` \| `ipaallowedtoperform_write_keys_host` | Hosts allowed to create a keytab of this service. | no
`allow_create_keytab_hostgroup` \| `ipaallowedtoperform_write_keys_hostgroup` | Host groups allowed to create a keytab of this service. | no
`allow_retrieve_keytab_user` \| `ipaallowedtoperform_read_keys_user` | Users allowed to retrieve a keytab of this service. | no
`allow_retrieve_keytab_group` \| `ipaallowedtoperform_read_keys_group` | Groups allowed to retrieve a keytab of this service. | no
`allow_retrieve_keytab_host` \| `ipaallowedtoperform_read_keys_host` | Hosts allowed to retrieve a keytab of this service. | no
`allow_retrieve_keytab_hostgroup` \| `ipaallowedtoperform_read_keys_hostgroup` | Host groups allowed to retrieve a keytab of this service. | no
`continue` | Continuous mode: don't stop on errors. Valid only if `state` is `absent`. Default: `no` (bool) | no
`action` | Work on service or member level. It can be one of `member` or `service` and defaults to `service`. | no
`state` | The state to ensure. It can be one of `present`, `absent`, or `disabled`, default: `present`. | no


Authors
=======

Rafael Jeffman