Vault module
===================

Description
-----------

The vault module allows to ensure presence and absence of vaults and of vault members.

The vault module is as compatible as possible with the Ansible upstream `ipa_vault` module, and additionally allows to make sure that vault members, groups and owners are present or absent in a vault, and to archive data in vaults.


Features
--------
* Vault management


Supported FreeIPA Versions
--------------------------

FreeIPA versions 4.4.0 and up are supported by the ipavault module.


Requirements
------------

**Controller**
* Ansible version: 2.8+

**Node**
* Supported FreeIPA version (see above)
* KRA service must be enabled


Usage
=====

Example inventory file

```ini
[ipaserver]
ipaserver.test.local
```

Example playbook to make sure vault is present (by default, vault type is `symmetric`):

```yaml
---
- name: Playbook to handle vaults
  hosts: ipaserver
  become: true

  tasks:
  - ipavault:
      ipaadmin_password: SomeADMINpassword
      name: symvault
      password: SomeVAULTpassword
      description: A standard private vault.
```

Example playbook to make sure that a vault and its members are present:

```yaml
---
- name: Playbook to handle vaults
  hosts: ipaserver
  become: true

  tasks:
  - ipavault:
      ipaadmin_password: SomeADMINpassword
      name: symvault
      username: admin
      users: user01
```

`action` controls whether the vault itself or its data, members and owners are handled. To add or remove members, owners or vault data, set `action` to `member`.

Example playbook to make sure that a vault member is present in a vault:

```yaml
---
- name: Playbook to handle vaults
  hosts: ipaserver
  become: true

  tasks:
  - ipavault:
      ipaadmin_password: SomeADMINpassword
      name: symvault
      username: admin
      users: user01
      action: member
```

Example playbook to make sure that a vault owner is absent from a vault:

```yaml
---
- name: Playbook to handle vaults
  hosts: ipaserver
  become: true

  tasks:
  - ipavault:
      ipaadmin_password: SomeADMINpassword
      name: symvault
      username: admin
      owner: user01
      action: member
      state: absent
```
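
The distinction between the default `action: vault` and `action: member` matters most together with `state: absent`: at vault level, `state: absent` removes the vault itself, while at member level it only removes the named members, owners or data. The playbook below is an added example and not part of the original README; it first ensures the vault exists, then adds users and a group as members, and finally removes a single user membership while leaving the vault and its other members untouched. The names `user02` and `group01` are constructed for this example.

```yaml
---
- name: Playbook to manage vault membership without removing the vault
  hosts: ipaserver
  become: true

  tasks:
  # Vault level (default action: vault): make sure the vault exists.
  - ipavault:
      ipaadmin_password: SomeADMINpassword
      name: symvault
      username: admin
      password: SomeVAULTpassword

  # Member level: add two users and one group as members.
  # user02 and group01 are constructed names for this example.
  - ipavault:
      ipaadmin_password: SomeADMINpassword
      name: symvault
      username: admin
      users:
      - user01
      - user02
      groups: group01
      action: member

  # Member level with state absent: only user01 loses membership; the vault,
  # its archived data and the remaining members stay in place. Leaving out
  # "action: member" here would instead remove the whole vault.
  - ipavault:
      ipaadmin_password: SomeADMINpassword
      name: symvault
      username: admin
      users: user01
      action: member
      state: absent
```

A review of playbooks that combine `state: absent` with vault names is worthwhile before running them: the presence or absence of `action: member` is the only thing that separates "remove one member" from "remove the vault and its data".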

Example playbook to make sure vault data is present in a symmetric vault:

```yaml
---
- name: Playbook to handle vaults
  hosts: ipaserver
  become: true

  tasks:
  - ipavault:
      ipaadmin_password: SomeADMINpassword
      name: symvault
      username: admin
      password: SomeVAULTpassword
      data: >
        Data archived.
        More data archived.
      action: member
```

Example playbook to retrieve vault data from a symmetric vault:

```yaml
---
- name: Playbook to handle vaults
  hosts: ipaserver
  become: true

  tasks:
  - ipavault:
      ipaadmin_password: SomeADMINpassword
      name: symvault
      username: admin
      password: SomeVAULTpassword
      state: retrieved
```
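
With `state: retrieved` the archived secret comes back in the module result, so registering it and printing it with `debug` puts the secret into Ansible's task output and any configured logging or callback plugins. The playbook below is an added example, not code from the README: it retrieves the data with `no_log: true` on every task that touches the result and writes it to a root-only file on the server instead of echoing it. The variables `ipaadmin_password` and `symvault_password` are assumed to be loaded from an Ansible Vault encrypted vars file, and the destination path is a constructed example.

```yaml
---
- name: Playbook to retrieve vault data without exposing it in task output
  hosts: ipaserver
  become: true

  tasks:
  # no_log keeps the returned secret out of stdout, callbacks and logs.
  # Both passwords are assumed to come from an Ansible Vault encrypted vars file.
  - ipavault:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: symvault
      username: admin
      password: "{{ symvault_password }}"
      state: retrieved
    register: result
    no_log: true

  # Every task that uses result.vault.data also needs no_log; here the data is
  # written to a root-only file (constructed path) rather than printed.
  - name: Store the retrieved data for a later step
    copy:
      content: "{{ result.vault.data }}"
      dest: /root/symvault.data
      owner: root
      group: root
      mode: '0600'
    no_log: true
```

When the data is only needed as a file on the node, the module's own `out` (`datafile_out`) parameter writes it there directly and avoids a registered variable altogether.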

Example playbook to make sure vault data is absent in a symmetric vault:

```yaml
---
- name: Playbook to handle vaults
  hosts: ipaserver
  become: true

  tasks:
  - ipavault:
      ipaadmin_password: SomeADMINpassword
      name: symvault
      username: admin
      password: SomeVAULTpassword
      action: member
      state: absent
```

Example playbook to change the password of a symmetric vault:

```yaml
---
- name: Playbook to handle vaults
  hosts: ipaserver
  become: true

  tasks:
  - ipavault:
      ipaadmin_password: SomeADMINpassword
      name: symvault
      old_password: SomeVAULTpassword
      new_password: SomeNEWpassword
```

Example playbook to make sure vault is absent:

```yaml
---
- name: Playbook to handle vaults
  hosts: ipaserver
  become: true

  tasks:
  - ipavault:
      ipaadmin_password: SomeADMINpassword
      name: symvault
      username: admin
      state: absent
```


Variables
=========

ipavault
--------

Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`name` \| `cn` | The list of vault name strings. | yes
`description` | The vault description string. | no
`nomembers` | Suppress processing of membership attributes. (bool) | no
`password` \| `vault_password` \| `ipavaultpassword` \| `old_password` | Vault password. | no
`password_file` \| `vault_password_file` \| `old_password_file` | File containing Base64 encoded Vault password. | no
`new_password` | New vault password. | no
`new_password_file` | File containing Base64 encoded new Vault password. | no
`public_key` \| `vault_public_key` | Base64 encoded vault public key. | no
`public_key_file` \| `vault_public_key_file` | Path to file with public key. | no
`private_key` \| `vault_private_key` | Base64 encoded vault private key. Used only to retrieve data. | no
`private_key_file` \| `vault_private_key_file` | Path to file with private key. Used only to retrieve data. | no
`salt` \| `vault_salt` \| `ipavaultsalt` | Vault salt. | no
`vault_type` \| `ipavaulttype` | Vault types are based on security level. It can be one of `standard`, `symmetric` or `asymmetric`, default: `symmetric` | no
`user` \| `username` | Any user can own one or more user vaults. | no
`service` | Any service can own one or more service vaults. | no
`shared` | Vault is shared. Defaults to false. (bool) | no
`users` | Users that are members of the vault. | no
`groups` | Groups that are members of the vault. | no
`services` | Services that are members of the vault. | no
`data` \| `vault_data` \| `ipavaultdata` | Data to be stored in the vault. | no
`in` \| `datafile_in` | Path to file with data to be stored in the vault. | no
`out` \| `datafile_out` | Path to file to store data retrieved from the vault. | no
`action` | Work on vault or member level. It can be one of `member` or `vault` and defaults to `vault`. | no
`state` | The state to ensure. It can be one of `present`, `absent` or `retrieved`, default: `present`. | no
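
The `password_file` variable keeps the vault password out of the playbook text; according to the table above the file holds the Base64 encoded vault password. The playbook below is an added example and not part of the original README: it creates such a file with root-only permissions from a variable assumed to be loaded from an Ansible Vault encrypted vars file, archives data through `password_file` instead of `password`, and removes the file afterwards. The path `/root/symvault.pw` and the variable names `symvault_password` and `ipaadmin_password` are assumptions.

```yaml
---
- name: Playbook to archive vault data using a password file
  hosts: ipaserver
  become: true

  tasks:
  # The content is Base64 encoded because that is the format the
  # password_file variable is documented to expect; no_log keeps the
  # password out of the task output. The path is a constructed example.
  - name: Create the vault password file with restrictive permissions
    copy:
      content: "{{ symvault_password | b64encode }}"
      dest: /root/symvault.pw
      owner: root
      group: root
      mode: '0600'
    no_log: true

  - ipavault:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: symvault
      username: admin
      password_file: /root/symvault.pw
      data: >
        Data archived.
      action: member
    no_log: true

  # The file is only needed for the duration of the vault operation.
  - name: Remove the vault password file
    file:
      path: /root/symvault.pw
      state: absent
```

The same pattern applies to `new_password_file` when rotating a vault password, and to `private_key_file` when retrieving data from an asymmetric vault, with the file content adjusted to what the table lists for that variable.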


Return Values
=============

ipavault
--------

There is only a return value if `state` is `retrieved`.

Variable | Description | Returned When
-------- | ----------- | -------------
`data` | The data stored in the vault. | If `state` is `retrieved`.
`vault` | Vault dict with archived data. (dict) <br>Options: | If `state` is `retrieved`.
&nbsp; | `data` - The vault data. | Always


Notes
=====

ipavault uses a client context to execute, and it might affect execution time.


Authors
=======

Rafael Jeffman