Vault module
===================

Description
-----------

The vault module allows you to ensure the presence and absence of vaults and of vault members.

The vault module is as compatible as possible with the Ansible upstream `ipa_vault` module, and additionally offers to ensure that vault members, groups and owners are present or absent in a vault, and allows archiving data in vaults.


Features
--------
* Vault management


Supported FreeIPA Versions
--------------------------

FreeIPA versions 4.4.0 and up are supported by the ipavault module.


Requirements
------------

**Controller**
* Ansible version: 2.8+

**Node**
* Supported FreeIPA version (see above)
* KRA service must be enabled


Usage
=====

Example inventory file

```ini
[ipaserver]
ipaserver.test.local
```

Example playbook to make sure vault is present (by default, vault type is `symmetric`):

```yaml
---
- name: Playbook to handle vaults
  hosts: ipaserver
  become: true

  tasks:
  - ipavault:
      ipaadmin_password: SomeADMINpassword
      name: symvault
      password: SomeVAULTpassword
      description: A standard private vault.
```

Example playbook to make sure that a vault and its members are present:

```yaml
---
- name: Playbook to handle vaults
  hosts: ipaserver
  become: true

  tasks:
  - ipavault:
      ipaadmin_password: SomeADMINpassword
      name: symvault
      username: admin
      users: user01
```

`action` controls whether the vault itself or its data, members and owners are handled. To add or remove members or vault data, set `action` to `member`.

Example playbook to make sure that a vault member is present in a vault:

```yaml
---
- name: Playbook to handle vaults
  hosts: ipaserver
  become: true

  tasks:
  - ipavault:
      ipaadmin_password: SomeADMINpassword
      name: symvault
      username: admin
      users: user01
      action: member
```

Example playbook to make sure that a vault owner is absent in a vault:

```yaml
---
- name: Playbook to handle vaults
  hosts: ipaserver
  become: true

  tasks:
  - ipavault:
      ipaadmin_password: SomeADMINpassword
      name: symvault
      username: admin
      owner: user01
      action: member
      state: absent
```

Example playbook to make sure vault data is present in a symmetric vault:

```yaml
---
- name: Playbook to handle vaults
  hosts: ipaserver
  become: true

  tasks:
  - ipavault:
      ipaadmin_password: SomeADMINpassword
      name: symvault
      username: admin
      password: SomeVAULTpassword
      data: >
        Data archived.
        More data archived.
      action: member
```

When retrieving data from a vault, it is recommended that `no_log: yes` is used, so that sensitive data stored in a vault is not logged by Ansible. The data is returned in a dict `vault`, in the field `data` (e.g. `result.vault.data`). An example playbook to retrieve data from a symmetric vault:

```yaml
---
- name: Playbook to handle vaults
  hosts: ipaserver
  become: true

  tasks:
  - name: Retrieve data from vault and register it in 'ipavault'
    ipavault:
      ipaadmin_password: SomeADMINpassword
      name: symvault
      username: admin
      password: SomeVAULTpassword
      state: retrieved
    no_log: yes
    register: ipavault

  - name: Print retrieved data from vault
    debug:
      var: ipavault.vault.data
```
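
The `no_log` recommendation above is easy to forget once a playbook grows. The following Python check is an added example, not code from the ansible-freeipa project or from this page: it walks the data structure `yaml.safe_load()` returns for a playbook file and reports every task that calls `ipavault` with `state: retrieved` but does not set `no_log` to a true value, which is the configuration under which Ansible would print the retrieved secret in its task output. The embedded `SAMPLE_PLAYBOOK` is constructed for the example; `ipavault` is the module name used on this page, and `freeipa.ansible_freeipa.ipavault` is assumed to be its collection-qualified name.

```python
"""Lint a loaded playbook for ipavault retrievals that are not covered by no_log.

Added example (not part of ansible-freeipa). It takes the data structure that
yaml.safe_load() returns for a playbook file and reports every task that calls
ipavault with state: retrieved without no_log set to a true value, which is the
configuration under which Ansible would print the retrieved secret in its task
output. SAMPLE_PLAYBOOK below is constructed for the example.
"""

# String forms a YAML loader may hand back for a boolean written as yes/true/on
# (YAML 1.2 loaders keep "yes" as a string), in addition to a plain Python bool.
TRUE_STRINGS = {"true", "yes", "on", "1"}

# Short name used on this page and the (assumed) collection-qualified name.
VAULT_MODULES = ("ipavault", "freeipa.ansible_freeipa.ipavault")

PLAY_TASK_KEYS = ("pre_tasks", "tasks", "post_tasks", "handlers")
BLOCK_KEYS = ("block", "rescue", "always")


def is_true(value):
    """Interpret a no_log value the way a playbook author would expect."""
    if isinstance(value, bool):
        return value
    return isinstance(value, str) and value.strip().lower() in TRUE_STRINGS


def iter_tasks(items):
    """Yield every leaf task, descending into block/rescue/always sections."""
    for item in items or []:
        if not isinstance(item, dict):
            continue
        sections = [key for key in BLOCK_KEYS if key in item]
        if sections:
            for key in sections:
                yield from iter_tasks(item[key])
        else:
            yield item


def vault_args(task):
    """Return the ipavault argument dict of a task, or None for other modules."""
    for module in VAULT_MODULES:
        if isinstance(task.get(module), dict):
            return task[module]
    return None


def find_unprotected_retrievals(playbook):
    """Return (task name, vault name) for each retrieval task that lacks no_log."""
    findings = []
    for play in playbook:
        if not isinstance(play, dict):
            continue
        for key in PLAY_TASK_KEYS:
            for task in iter_tasks(play.get(key)):
                args = vault_args(task)
                if args is None or args.get("state") != "retrieved":
                    continue
                if is_true(task.get("no_log")):
                    continue
                findings.append((task.get("name", "<unnamed task>"), args.get("name")))
    return findings


# Constructed sample: the same shape yaml.safe_load() yields for a playbook.
SAMPLE_PLAYBOOK = [
    {
        "name": "Playbook to handle vaults",
        "hosts": "ipaserver",
        "become": True,
        "tasks": [
            {
                "name": "Retrieve data from vault (protected)",
                "ipavault": {"ipaadmin_password": "SomeADMINpassword",
                             "name": "symvault", "username": "admin",
                             "password": "SomeVAULTpassword", "state": "retrieved"},
                "no_log": True,
                "register": "ipavault",
            },
            {
                "name": "Retrieve data from vault (secret would appear in task output)",
                "ipavault": {"ipaadmin_password": "SomeADMINpassword",
                             "name": "symvault", "username": "admin",
                             "password": "SomeVAULTpassword", "state": "retrieved"},
                "register": "leaky",
            },
            {
                "block": [
                    {
                        "name": "Retrieve inside a block with no_log switched off",
                        "ipavault": {"name": "symvault", "username": "admin",
                                     "password": "SomeVAULTpassword", "state": "retrieved"},
                        "no_log": "no",
                    },
                ],
            },
            {
                "name": "Ensure vault is present (nothing is returned, no_log not needed)",
                "ipavault": {"name": "symvault", "password": "SomeVAULTpassword"},
            },
        ],
    }
]


if __name__ == "__main__":
    for task_name, vault_name in find_unprotected_retrievals(SAMPLE_PLAYBOOK):
        print(f"no_log missing: task {task_name!r} retrieves vault {vault_name!r}")
```

In practice, load a playbook with `yaml.safe_load()` and pass the result to `find_unprotected_retrievals`; the check covers `pre_tasks`, `tasks`, `post_tasks` and `handlers`, including nested `block`/`rescue`/`always` sections, and accepts the string forms of YAML booleans because `no_log: yes` is a boolean under YAML 1.1 but a plain string under a YAML 1.2 loader.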

Example playbook to make sure vault data is absent in a symmetric vault:

```yaml
---
- name: Playbook to handle vaults
  hosts: ipaserver
  become: true

  tasks:
  - ipavault:
      ipaadmin_password: SomeADMINpassword
      name: symvault
      username: admin
      password: SomeVAULTpassword
      action: member
      state: absent
```

Example playbook to change the password of a symmetric vault:

```yaml
---
- name: Playbook to handle vaults
  hosts: ipaserver
  become: true

  tasks:
  - ipavault:
      ipaadmin_password: SomeADMINpassword
      name: symvault
      old_password: SomeVAULTpassword
      new_password: SomeNEWpassword
```

Example playbook to make sure vault is absent:

```yaml
---
- name: Playbook to handle vaults
  hosts: ipaserver
  become: true

  tasks:
  - ipavault:
      ipaadmin_password: SomeADMINpassword
      name: symvault
      username: admin
      state: absent
```


Variables
=========

ipavault
-------

Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`name` \| `cn` | The list of vault name strings. | yes
`description` | The vault description string. | no
`nomembers` | Suppress processing of membership attributes. (bool) | no
`password` \| `vault_password` \| `ipavaultpassword` \| `old_password` | Vault password. | no
`password_file` \| `vault_password_file` \| `old_password_file` | File containing Base64 encoded Vault password. | no
`new_password` | Vault new password. | no
`new_password_file` | File containing Base64 encoded new Vault password. | no
`public_key` \| `vault_public_key` | Base64 encoded vault public key. | no
`public_key_file` \| `vault_public_key_file` | Path to file with public key. | no
`private_key` \| `vault_private_key` | Base64 encoded vault private key. Used only to retrieve data. | no
`private_key_file` \| `vault_private_key_file` | Path to file with private key. Used only to retrieve data. | no
`salt` \| `vault_salt` \| `ipavaultsalt` | Vault salt. | no
`vault_type` \| `ipavaulttype` | Vault types are based on security level. It can be one of `standard`, `symmetric` or `asymmetric`, default: `symmetric` | no
`user` \| `username` | Any user can own one or more user vaults. | no
`service` | Any service can own one or more service vaults. | no
`shared` | Vault is shared. Defaults to false. (bool) | no
`users` | Users that are members of the vault. | no
`groups` | Groups that are members of the vault. | no
`services` | Services that are members of the vault. | no
`data` \| `vault_data` \| `ipavaultdata` | Data to be stored in the vault. | no
`in` \| `datafile_in` | Path to file with data to be stored in the vault. | no
`out` \| `datafile_out` | Path to file to store data retrieved from the vault. | no
`action` | Work on vault or member level. It can be one of `member` or `vault` and defaults to `vault`. | no
`state` | The state to ensure. It can be one of `present`, `absent` or `retrieved`, default: `present`. | no


Return Values
=============

ipavault
--------

There is only a return value if `state` is `retrieved`.

Variable | Description | Returned When
-------- | ----------- | -------------
`vault` | Vault dict with archived data. (dict) <br>Options: | If `state` is `retrieved` and `out` is not defined.
  | `data` - The vault data. | Always


Notes
=====

ipavault uses a client context to execute, which might affect execution time.


Authors
=======

Rafael Jeffman