|
Packit |
8cb997 |
Sudorule module
|
|
Packit |
8cb997 |
===============
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
Description
|
|
Packit |
8cb997 |
-----------
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
The sudorule (Sudo Rule) module allows to ensure presence and absence of Sudo Rules and host, hostgroups, users, and user groups as members of Sudo Rule.
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
Features
|
|
Packit |
8cb997 |
--------
|
|
Packit |
8cb997 |
* Sudo Rule management
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
Supported FreeIPA Versions
|
|
Packit |
8cb997 |
--------------------------
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
FreeIPA versions 4.4.0 and up are supported by the ipasudorule module.
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
Requirements
|
|
Packit |
8cb997 |
------------
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
**Controller**
|
|
Packit |
8cb997 |
* Ansible version: 2.8+
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
**Node**
|
|
Packit |
8cb997 |
* Supported FreeIPA version (see above)
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
Usage
|
|
Packit |
8cb997 |
=====
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
Example inventory file
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
```ini
|
|
Packit |
8cb997 |
[ipaserver]
|
|
Packit |
8cb997 |
ipaserver.test.local
|
|
Packit |
8cb997 |
```
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
Example playbook to make sure Sudo Rule is present:
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
```yaml
|
|
Packit |
8cb997 |
---
|
|
Packit |
8cb997 |
- name: Playbook to handle sudorules
|
|
Packit |
8cb997 |
hosts: ipaserver
|
|
Packit |
8cb997 |
become: true
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
tasks:
|
|
Packit |
8cb997 |
# Ensure Sudo Rule is present
|
|
Packit |
8cb997 |
- ipasudorule:
|
|
Packit |
8cb997 |
ipaadmin_password: MyPassword123
|
|
Packit |
8cb997 |
name: testrule1
|
|
Packit |
8cb997 |
```
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
Example playbook to make sure sudocmds are present in Sudo Rule:
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
```yaml
|
|
Packit |
8cb997 |
---
|
|
Packit |
8cb997 |
- name: Playbook to handle sudorules
|
|
Packit |
8cb997 |
hosts: ipaserver
|
|
Packit |
8cb997 |
become: true
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
tasks:
|
|
Packit |
8cb997 |
# Ensure Sudo Rule is present
|
|
Packit |
8cb997 |
- ipasudorule:
|
|
Packit |
8cb997 |
ipaadmin_password: MyPassword123
|
|
Packit |
8cb997 |
name: testrule1
|
|
Packit |
8cb997 |
cmd:
|
|
Packit |
8cb997 |
- /sbin/ifconfig
|
|
Packit |
8cb997 |
action: member
|
|
Packit |
8cb997 |
```
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
Example playbook to make sure sudocmds are not present in Sudo Rule:
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
```yaml
|
|
Packit |
8cb997 |
---
|
|
Packit |
8cb997 |
- name: Playbook to handle sudorules
|
|
Packit |
8cb997 |
hosts: ipaserver
|
|
Packit |
8cb997 |
become: true
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
tasks:
|
|
Packit |
8cb997 |
# Ensure Sudo Rule is present
|
|
Packit |
8cb997 |
- ipasudorule:
|
|
Packit |
8cb997 |
ipaadmin_password: MyPassword123
|
|
Packit |
8cb997 |
name: testrule1
|
|
Packit |
8cb997 |
cmd:
|
|
Packit |
8cb997 |
- /sbin/ifconfig
|
|
Packit |
8cb997 |
action: member
|
|
Packit |
8cb997 |
state: absent
|
|
Packit |
8cb997 |
```
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
Example playbook to make sure Sudo Rule is absent:
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
```yaml
|
|
Packit |
8cb997 |
---
|
|
Packit |
8cb997 |
- name: Playbook to handle sudorules
|
|
Packit |
8cb997 |
hosts: ipaserver
|
|
Packit |
8cb997 |
become: true
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
tasks:
|
|
Packit |
8cb997 |
# Ensure Sudo Rule is present
|
|
Packit |
8cb997 |
- ipasudorule:
|
|
Packit |
8cb997 |
ipaadmin_password: MyPassword123
|
|
Packit |
8cb997 |
name: testrule1
|
|
Packit |
8cb997 |
```
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
Variables
|
|
Packit |
8cb997 |
=========
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
ipasudorule
|
|
Packit |
8cb997 |
---------------
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
Variable | Description | Required
|
|
Packit |
8cb997 |
-------- | ----------- | --------
|
|
Packit |
8cb997 |
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
|
|
Packit |
8cb997 |
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
|
|
Packit |
8cb997 |
`name` \| `cn` | The list of sudorule name strings. | yes
|
|
Packit |
8cb997 |
`description` | The sudorule description string. | no
|
|
Packit |
8cb997 |
`usercategory` | User category the rule applies to. Choices: ["all"] | no
|
|
Packit |
8cb997 |
`hostcategory` | Host category the rule applies to. Choices: ["all"] | no
|
|
Packit |
8cb997 |
`cmdcategory` | Command category the rule applies to. Choices: ["all"] | no
|
|
Packit |
8cb997 |
`nomembers` | Suppress processing of membership attributes. (bool) | no
|
|
Packit |
8cb997 |
`host` | List of host name strings assigned to this sudorule. | no
|
|
Packit |
8cb997 |
`hostgroup` | List of host group name strings assigned to this sudorule. | no
|
|
Packit |
8cb997 |
`user` | List of user name strings assigned to this sudorule. | no
|
|
Packit |
8cb997 |
`group` | List of user group name strings assigned to this sudorule. | no
|
|
Packit |
8cb997 |
`cmd` | List of sudocmd name strings assigned to this sudorule. | no
|
|
Packit |
8cb997 |
`cmdgroup` | List of sudocmd group name strings assigned wto this sudorule. | no
|
|
Packit |
8cb997 |
`action` | Work on sudorule or member level. It can be on of `member` or `sudorule` and defaults to `sudorule`. | no
|
|
Packit |
8cb997 |
`state` | The state to ensure. It can be one of `present`, `absent`, `enabled` or `disabled`, default: `present`. | no
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
Authors
|
|
Packit |
8cb997 |
=======
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
Rafael Jeffman
|