# -*- coding: utf-8 -*-
# Authors:
# Rafael Guterres Jeffman <rjeffman@redhat.com>
#
# Copyright (C) 2019 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Module metadata consumed by Ansible tooling: the metadata schema version,
# the support tier reported for the module, and its lifecycle status.
ANSIBLE_METADATA = dict(
    metadata_version="1.0",
    supported_by="community",
    status=["preview"],
)
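# Option documentation parsed by ``ansible-doc``.  Option names, aliases,
# types and choices must stay in step with the argument_spec built in
# init_ansible_module(); ``short_description`` is the key ansible-doc
# expects (the earlier ``short description`` was not recognised).
DOCUMENTATION = """
---
module: ipaservice
short_description: Manage FreeIPA service
description: Manage FreeIPA service
options:
  ipaadmin_principal:
    description: The admin principal
    default: admin
  ipaadmin_password:
    description: The admin password
    required: false
  name:
    description: The service to manage
    required: true
    aliases: ["service"]
  certificate:
    description: Base-64 encoded service certificate.
    required: false
    type: list
    aliases: ["usercertificate"]
  pac_type:
    description: Supported PAC type.
    required: false
    choices: ["MS-PAC", "PAD", "NONE"]
    type: list
    aliases: ["ipakrbauthzdata"]
  auth_ind:
    description: Defines a whitelist for Authentication Indicators.
    required: false
    choices: ["otp", "radius", "pkinit", "hardened"]
    type: list
    aliases: ["krbprincipalauthind"]
  skip_host_check:
    description: Skip checking if host object exists.
    required: False
    type: bool
  force:
    description: Force principal name even if host is not in DNS.
    required: False
    type: bool
  requires_pre_auth:
    description: Pre-authentication is required for the service.
    required: false
    type: bool
    default: False
    aliases: ["ipakrbrequirespreauth"]
  ok_as_delegate:
    description: Client credentials may be delegated to the service.
    required: false
    type: bool
    default: False
    aliases: ["ipakrbokasdelegate"]
  ok_to_auth_as_delegate:
    description: Allow service to authenticate on behalf of a client.
    required: false
    type: bool
    default: False
    aliases: ["ipakrboktoauthasdelegate"]
  principal:
    description: List of principal aliases for the service.
    required: false
    type: list
    aliases: ["krbprincipalname"]
  smb:
    description: Add a SMB service. Can only be used with new services.
    required: false
    type: bool
  netbiosname:
    description: NETBIOS name for the SMB service.
    required: false
    type: str
  host:
    description: Host that can manage the service.
    required: false
    type: list
    aliases: ["managedby_host"]
  allow_create_keytab_user:
    description: Users allowed to create a keytab of this host.
    required: false
    type: list
    aliases: ["ipaallowedtoperform_write_keys_user"]
  allow_create_keytab_group:
    description: Groups allowed to create a keytab of this host.
    required: false
    type: list
    aliases: ["ipaallowedtoperform_write_keys_group"]
  allow_create_keytab_host:
    description: Hosts allowed to create a keytab of this host.
    required: false
    type: list
    aliases: ["ipaallowedtoperform_write_keys_host"]
  allow_create_keytab_hostgroup:
    description: Host group allowed to create a keytab of this host.
    required: false
    type: list
    aliases: ["ipaallowedtoperform_write_keys_hostgroup"]
  allow_retrieve_keytab_user:
    description: User allowed to retrieve a keytab of this host.
    required: false
    type: list
    aliases: ["ipaallowedtoperform_read_keys_user"]
  allow_retrieve_keytab_group:
    description: Groups allowed to retrieve a keytab of this host.
    required: false
    type: list
    aliases: ["ipaallowedtoperform_read_keys_group"]
  allow_retrieve_keytab_host:
    description: Hosts allowed to retrieve a keytab of this host.
    required: false
    type: list
    aliases: ["ipaallowedtoperform_read_keys_host"]
  allow_retrieve_keytab_hostgroup:
    description: Host groups allowed to retrieve a keytab of this host.
    required: false
    type: list
    aliases: ["ipaallowedtoperform_read_keys_hostgroup"]
  continue:
    description:
      Continuous mode. Don't stop on errors. Valid only if `state` is `absent`.
    required: false
    default: True
    type: bool
  action:
    description: Work on service or member level
    default: service
    choices: ["member", "service"]
  state:
    description: State to ensure
    default: present
    choices: ["present", "absent", "disabled"]
author:
  - Rafael Jeffman
"""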
EXAMPLES = """
|
|
Packit Service |
0a38ef |
# Ensure service is present
|
|
Packit Service |
0a38ef |
- ipaservice:
|
|
Packit Service |
0a38ef |
ipaadmin_password: SomeADMINpassword
|
|
Packit Service |
0a38ef |
name: HTTP/www.example.com
|
|
Packit Service |
0a38ef |
pac_type:
|
|
Packit Service |
0a38ef |
- MS-PAC
|
|
Packit Service |
0a38ef |
- PAD
|
|
Packit Service |
0a38ef |
auth_ind: otp
|
|
Packit Service |
0a38ef |
skip_host_check: true
|
|
Packit Service |
0a38ef |
force: false
|
|
Packit Service |
0a38ef |
requires_pre_auth: true
|
|
Packit Service |
0a38ef |
ok_as_delegate: false
|
|
Packit Service |
0a38ef |
ok_to_auth_as_delegate: false
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
# Ensure service is absent
|
|
Packit Service |
0a38ef |
- ipaservice:
|
|
Packit Service |
0a38ef |
ipaadmin_password: SomeADMINpassword
|
|
Packit Service |
0a38ef |
name: HTTP/www.example.com
|
|
Packit Service |
0a38ef |
state: absent
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
# Ensure service member certificate is present.
|
|
Packit Service |
0a38ef |
- ipaservice:
|
|
Packit Service |
0a38ef |
ipaadmin_password: SomeADMINpassword
|
|
Packit Service |
0a38ef |
name: HTTP/www.example.com
|
|
Packit Service |
0a38ef |
certificate:
|
|
Packit Service |
0a38ef |
- MIIC/zCCAeegAwIBAgIUMNHIbn+hhrOVew/2WbkteisV29QwDQYJKoZIhvcNAQELBQAw
|
|
Packit Service |
0a38ef |
DzENMAsGA1UEAwwEdGVzdDAeFw0yMDAyMDQxNDQxMDhaFw0zMDAyMDExNDQxMDhaMA8xDT
|
|
Packit Service |
0a38ef |
ALBgNVBAMMBHRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+XVVGFYpH
|
|
Packit Service |
0a38ef |
VkcDfVnNInE1Y/pFciegdzqTjMwUWlRL4Zt3u96GhaMLRbtk+OfEkzLUAhWBOwEraELJzM
|
|
Packit Service |
0a38ef |
LJOMvjYF3C+TiGO7dStFLikZmccuSsSIXjnzIPwBXa8KvgRVRyGLoVvGbLJvmjfMXp0nIT
|
|
Packit Service |
0a38ef |
oTx/i74KF9S++WEes9H5ErJ99CDhLKFgq0amnvsgparYXhypHaRLnikn0vQINt55YoEd1s
|
|
Packit Service |
0a38ef |
4KrvEcD2VdZkIMPbLRu2zFvMprF3cjQQG4LT9ggfEXNIPZ1nQWAnAsu7OJEkNF+E4Mkmpc
|
|
Packit Service |
0a38ef |
xj9aGUVt5bsq1D+Tzj3GsidSX0nSNcZ2JltXRnL/5v63g5cZyE+nAgMBAAGjUzBRMB0GA1
|
|
Packit Service |
0a38ef |
UdDgQWBBRV0j7JYukuH/r/t9+QeNlRLXDlEDAfBgNVHSMEGDAWgBRV0j7JYukuH/r/t9+Q
|
|
Packit Service |
0a38ef |
eNlRLXDlEDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCgVy1+1kNwHs
|
|
Packit Service |
0a38ef |
5y1Zp0WjMWGCJC6/zw7FDG4OW5r2GJiCXZYdJ0UonY9ZtoVLJPrp2/DAv1m5DtnDhBYqic
|
|
Packit Service |
0a38ef |
uPgLzEkOS1KdTi20Otm/J4yxLLrZC5W4x0XOeSVPXOJuQWfwQ5pPvKkn6WxYUYkGwIt1OH
|
|
Packit Service |
0a38ef |
2nSMngkbami3CbSmKZOCpgQIiSlQeDJ8oGjWFMLDymYSHoVOIXHwNoooyEiaio3693l6no
|
|
Packit Service |
0a38ef |
obyGv49zyCVLVR1DC7i6RJ186ql0av+D4vPoiF5mX7+sKC2E8xEj9uKQ5GTWRh59VnRBVC
|
|
Packit Service |
0a38ef |
/SiMJ/H78tJnBAvoBwXxSEvj8Z3Kjm/BQqZfv4IBsA5yqV7MVq
|
|
Packit Service |
0a38ef |
action: member
|
|
Packit Service |
0a38ef |
state: present
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
# Ensure principal host/test.example.com present in service.
|
|
Packit Service |
0a38ef |
- ipaservice:
|
|
Packit Service |
0a38ef |
ipaadmin_password: SomeADMINpassword
|
|
Packit Service |
0a38ef |
name: HTTP/www.example.com
|
|
Packit Service |
0a38ef |
principal:
|
|
Packit Service |
0a38ef |
- host/test.example.com
|
|
Packit Service |
0a38ef |
action: member
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
# Ensure host can manage service.
|
|
Packit Service |
0a38ef |
- ipaservice:
|
|
Packit Service |
0a38ef |
ipaadmin_password: SomeADMINpassword
|
|
Packit Service |
0a38ef |
name: HTTP/www.example.com
|
|
Packit Service |
0a38ef |
host:
|
|
Packit Service |
0a38ef |
- host1.example.com
|
|
Packit Service |
0a38ef |
- host2.example.com
|
|
Packit Service |
0a38ef |
action: member
|
|
Packit Service |
0a38ef |
"""
RETURN = """
|
|
Packit Service |
0a38ef |
"""
from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils.ansible_freeipa_module import temp_kinit, \
temp_kdestroy, valid_creds, api_connect, api_command, compare_args_ipa, \
encode_certificate, gen_add_del_lists, module_params_get, to_text, \
api_check_param
import ipalib.errors
def find_service(module, name, netbiosname):
    """Look up an existing IPA service and return its attributes.

    When ``netbiosname`` is given, ``service_find`` is queried with it first
    and the entry whose ``uid`` starts with ``<netbiosname>$@`` is returned
    as found (the SMB/cifs service).  NOTE(review): that entry is returned
    without the ``usercertificate`` re-encoding applied on the
    ``service_show`` path below.

    Otherwise ``service_show`` is run for ``name``.  A
    ``ipalib.errors.NotFound`` from the server, or a reply without a
    ``result`` key, yields ``None``; any ``usercertificate`` values in the
    result are passed through ``encode_certificate`` before it is returned.
    """
    show_args = {"all": True}

    # SMB services are matched on their NETBIOS-derived uid prefix instead
    # of on the Kerberos principal name.
    if netbiosname is not None:
        uid_prefix = "%s$@" % netbiosname
        found = api_command(
            module, "service_find", to_text(netbiosname), show_args)
        for entry in found.get('result', []):
            uids = entry.get('uid', [])
            if any(uid.startswith(uid_prefix) for uid in uids):
                return entry

    try:
        shown = api_command(module, "service_show", to_text(name), show_args)
    except ipalib.errors.NotFound:
        return None

    if "result" not in shown:
        return None

    service = shown["result"]
    raw_certs = service.get("usercertificate")
    if raw_certs is not None:
        service["usercertificate"] = list(map(encode_certificate, raw_certs))
    return service
def gen_args(pac_type, auth_ind, skip_host_check, force, requires_pre_auth,
             ok_as_delegate, ok_to_auth_as_delegate):
    """Translate module options into keyword arguments for the IPA API.

    Each option is mapped to the IPA attribute name used by
    ``service_add``/``service_mod``.  Only options that are not ``None``
    are emitted, so an unset option never touches an existing attribute;
    ``False`` is a real value and is passed through unchanged.

    Returns a dict whose insertion order follows the parameter order.
    """
    option_to_attr = (
        (pac_type, 'ipakrbauthzdata'),
        (auth_ind, 'krbprincipalauthind'),
        (skip_host_check, 'skip_host_check'),
        (force, 'force'),
        (requires_pre_auth, 'ipakrbrequirespreauth'),
        (ok_as_delegate, 'ipakrbokasdelegate'),
        (ok_to_auth_as_delegate, 'ipakrboktoauthasdelegate'),
    )
    return {
        attr: value
        for value, attr in option_to_attr
        if value is not None
    }
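def check_parameters(module, state, action, names, parameters):
    """Reject option combinations that are invalid for ``state``/``action``.

    Args:
        module: the AnsibleModule; ``fail_json`` is called on the first
            invalid combination and is expected not to return.
        state: "present", "absent" or "disabled"; anything else fails.
        action: "service" or "member".
        names: the list of service names from the ``name`` option.
        parameters: mapping of option name to value; ``None`` means unset.

    Raises:
        TypeError: if ``parameters`` is not a dict.
    """
    if not isinstance(parameters, dict):
        raise TypeError("parameters must be a dict")

    # Options that only apply when creating or modifying the service itself
    # (state 'present', action 'service').
    invalid = ['pac_type', 'auth_ind', 'skip_host_check',
               'force', 'requires_pre_auth', 'ok_as_delegate',
               'ok_to_auth_as_delegate', 'smb', 'netbiosname']

    # Options that only apply when managing service members.
    invalid_not_member = [
        'principal', 'certificate', 'host', 'allow_create_keytab_user',
        'allow_create_keytab_group', 'allow_create_keytab_host',
        'allow_create_keytab_hostgroup', 'allow_retrieve_keytab_user',
        'allow_retrieve_keytab_group', 'allow_retrieve_keytab_host',
        'allow_retrieve_keytab_hostgroup']

    if state == 'present':
        if len(names) != 1:
            module.fail_json(msg="Only one service can be added at a time.")

        if action == 'service':
            invalid = ['delete_continue']

            if parameters.get('smb', False):
                # The Kerberos principal tuning options are rejected for an
                # SMB service; the check is done here so the error message
                # names the SMB restriction rather than the state/action.
                invalid.extend(['force', 'auth_ind', 'skip_host_check',
                                'requires_pre_auth', 'pac_type'])

                for _invalid in invalid:
                    if parameters.get(_invalid, False):
                        module.fail_json(
                            msg="Argument '%s' can not be used with SMB "
                                "service." % _invalid)
        else:
            invalid.append('delete_continue')

    elif state == 'absent':
        if len(names) < 1:
            module.fail_json(msg="No name given.")

        if action == "service":
            invalid.extend(invalid_not_member)
        else:
            # Was ``invalid.extend('delete_continue')``, which appended the
            # individual characters of the string and therefore never
            # flagged the option for member removal.
            invalid.append('delete_continue')

    elif state == 'disabled':
        invalid.extend(invalid_not_member)
        invalid.append('delete_continue')
        if action != "service":
            module.fail_json(
                msg="Invalid action '%s' for state '%s'" % (action, state))

    else:
        module.fail_json(msg="Invalid state '%s'" % (state))

    # An option counts as "used" only when it was given a value.
    for _invalid in invalid:
        if parameters.get(_invalid) is not None:
            module.fail_json(
                msg="Argument '%s' can not be used with state '%s', "
                    "action '%s'" % (_invalid, state, action))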
def init_ansible_module():
    """Build and return the AnsibleModule for this module.

    The argument_spec below is the option contract that DOCUMENTATION
    describes and that main() reads back through module_params_get();
    keep the three in step when adding or renaming an option.
    """
    ansible_module = AnsibleModule(
        argument_spec=dict(
            # general
            ipaadmin_principal=dict(type="str", default="admin"),
            # no_log=True keeps the password value out of Ansible's output
            # and logs.
            ipaadmin_password=dict(type="str", required=False, no_log=True),

            name=dict(type="list", aliases=["service"], default=None,
                      required=True),
            # service attributes
            certificate=dict(type="list", aliases=['usercertificate'],
                             default=None, required=False),
            principal=dict(type="list", aliases=["krbprincipalname"],
                           default=None),
            smb=dict(type="bool", required=False),
            netbiosname=dict(type="str", required=False),
            pac_type=dict(type="list", aliases=["ipakrbauthzdata"],
                          choices=["MS-PAC", "PAD", "NONE"]),
            # NOTE(review): "" is accepted beyond the indicators listed in
            # DOCUMENTATION, presumably to allow clearing the attribute --
            # confirm.
            auth_ind=dict(type="list",
                          aliases=["krbprincipalauthind"],
                          choices=["otp", "radius", "pkinit", "hardened", ""]),
            # Whether the server supports skip_host_check is verified at
            # runtime in main() via api_check_param().
            skip_host_check=dict(type="bool"),
            force=dict(type="bool"),
            requires_pre_auth=dict(
                type="bool", aliases=["ipakrbrequirespreauth"]),
            ok_as_delegate=dict(type="bool", aliases=["ipakrbokasdelegate"]),
            ok_to_auth_as_delegate=dict(type="bool",
                                        aliases=["ipakrboktoauthasdelegate"]),
            host=dict(type="list", aliases=["managedby_host"], required=False),
            # Keytab ACLs: each list maps to the matching IPA
            # ipaallowedtoperform_{write,read}_keys_* attribute.
            allow_create_keytab_user=dict(
                type="list", required=False,
                aliases=['ipaallowedtoperform_write_keys_user']),
            allow_retrieve_keytab_user=dict(
                type="list", required=False,
                aliases=['ipaallowedtoperform_read_keys_user']),
            allow_create_keytab_group=dict(
                type="list", required=False,
                aliases=['ipaallowedtoperform_write_keys_group']),
            allow_retrieve_keytab_group=dict(
                type="list", required=False,
                aliases=['ipaallowedtoperform_read_keys_group']),
            allow_create_keytab_host=dict(
                type="list", required=False,
                aliases=['ipaallowedtoperform_write_keys_host']),
            allow_retrieve_keytab_host=dict(
                type="list", required=False,
                aliases=['ipaallowedtoperform_read_keys_host']),
            allow_create_keytab_hostgroup=dict(
                type="list", required=False,
                aliases=['ipaallowedtoperform_write_keys_hostgroup']),
            allow_retrieve_keytab_hostgroup=dict(
                type="list", required=False,
                aliases=['ipaallowedtoperform_read_keys_hostgroup']),
            # Documented under its alias "continue" in DOCUMENTATION.
            delete_continue=dict(type="bool", required=False,
                                 aliases=['continue']),
            # action
            action=dict(type="str", default="service",
                        choices=["member", "service"]),
            # state
            state=dict(type="str", default="present",
                       choices=["present", "absent", "disabled"]),
        ),
        supports_check_mode=True,
    )

    # NOTE(review): sets a private AnsibleModule attribute unconditionally;
    # looks like a leftover debugging switch -- confirm it is intended.
    ansible_module._ansible_debug = True

    return ansible_module
def main():
|
|
Packit Service |
0a38ef |
ansible_module = init_ansible_module()
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
# Get parameters
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
# general
|
|
Packit Service |
0a38ef |
ipaadmin_principal = module_params_get(ansible_module,
|
|
Packit Service |
0a38ef |
"ipaadmin_principal")
|
|
Packit Service |
0a38ef |
ipaadmin_password = module_params_get(ansible_module, "ipaadmin_password")
|
|
Packit Service |
0a38ef |
names = module_params_get(ansible_module, "name")
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
# service attributes
|
|
Packit Service |
0a38ef |
principal = module_params_get(ansible_module, "principal")
|
|
Packit Service |
0a38ef |
certificate = module_params_get(ansible_module, "certificate")
|
|
Packit Service |
0a38ef |
pac_type = module_params_get(ansible_module, "pac_type")
|
|
Packit Service |
0a38ef |
auth_ind = module_params_get(ansible_module, "auth_ind")
|
|
Packit Service |
0a38ef |
skip_host_check = module_params_get(ansible_module, "skip_host_check")
|
|
Packit Service |
0a38ef |
force = module_params_get(ansible_module, "force")
|
|
Packit Service |
0a38ef |
requires_pre_auth = module_params_get(ansible_module, "requires_pre_auth")
|
|
Packit Service |
0a38ef |
ok_as_delegate = module_params_get(ansible_module, "ok_as_delegate")
|
|
Packit Service |
0a38ef |
ok_to_auth_as_delegate = module_params_get(ansible_module,
|
|
Packit Service |
0a38ef |
"ok_to_auth_as_delegate")
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
smb = module_params_get(ansible_module, "smb")
|
|
Packit Service |
0a38ef |
netbiosname = module_params_get(ansible_module, "netbiosname")
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
host = module_params_get(ansible_module, "host")
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
allow_create_keytab_user = module_params_get(
|
|
Packit Service |
0a38ef |
ansible_module, "allow_create_keytab_user")
|
|
Packit Service |
0a38ef |
allow_create_keytab_group = module_params_get(
|
|
Packit Service |
0a38ef |
ansible_module, "allow_create_keytab_group")
|
|
Packit Service |
0a38ef |
allow_create_keytab_host = module_params_get(
|
|
Packit Service |
0a38ef |
ansible_module, "allow_create_keytab_host")
|
|
Packit Service |
0a38ef |
allow_create_keytab_hostgroup = module_params_get(
|
|
Packit Service |
0a38ef |
ansible_module, "allow_create_keytab_hostgroup")
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
allow_retrieve_keytab_user = module_params_get(
|
|
Packit Service |
0a38ef |
ansible_module, "allow_retrieve_keytab_user")
|
|
Packit Service |
0a38ef |
allow_retrieve_keytab_group = module_params_get(
|
|
Packit Service |
0a38ef |
ansible_module, "allow_retrieve_keytab_group")
|
|
Packit Service |
0a38ef |
allow_retrieve_keytab_host = module_params_get(
|
|
Packit Service |
a166ed |
ansible_module, "allow_retrieve_keytab_host")
|
|
Packit Service |
0a38ef |
allow_retrieve_keytab_hostgroup = module_params_get(
|
|
Packit Service |
0a38ef |
ansible_module, "allow_retrieve_keytab_hostgroup")
|
|
Packit Service |
0a38ef |
delete_continue = module_params_get(ansible_module, "delete_continue")
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
# action
|
|
Packit Service |
0a38ef |
action = module_params_get(ansible_module, "action")
|
|
Packit Service |
0a38ef |
# state
|
|
Packit Service |
0a38ef |
state = module_params_get(ansible_module, "state")
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
# check parameters
|
|
Packit Service |
0a38ef |
check_parameters(ansible_module, state, action, names, vars())
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
# Init
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
changed = False
|
|
Packit Service |
0a38ef |
exit_args = {}
|
|
Packit Service |
0a38ef |
ccache_dir = None
|
|
Packit Service |
0a38ef |
ccache_name = None
|
|
Packit Service |
0a38ef |
try:
|
|
Packit Service |
0a38ef |
if not valid_creds(ansible_module, ipaadmin_principal):
|
|
Packit Service |
0a38ef |
ccache_dir, ccache_name = temp_kinit(ipaadmin_principal,
|
|
Packit Service |
0a38ef |
ipaadmin_password)
|
|
Packit Service |
0a38ef |
api_connect()
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
has_skip_host_check = api_check_param(
|
|
Packit Service |
0a38ef |
"service_add", "skip_host_check")
|
|
Packit Service |
0a38ef |
if skip_host_check and not has_skip_host_check:
|
|
Packit Service |
0a38ef |
ansible_module.fail_json(
|
|
Packit Service |
0a38ef |
msg="Skipping host check is not supported by your IPA version")
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
commands = []
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
for name in names:
|
|
Packit Service |
0a38ef |
res_find = find_service(ansible_module, name, netbiosname)
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
if state == "present":
|
|
Packit Service |
0a38ef |
# if service exists, 'smb' cannot be used.
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
if action == "service":
|
|
Packit Service |
0a38ef |
args = gen_args(
|
|
Packit Service |
0a38ef |
pac_type, auth_ind, skip_host_check, force,
|
|
Packit Service |
0a38ef |
requires_pre_auth, ok_as_delegate,
|
|
Packit Service |
0a38ef |
ok_to_auth_as_delegate)
|
|
Packit Service |
0a38ef |
if not has_skip_host_check and 'skip_host_check' in args:
|
|
Packit Service |
0a38ef |
del args['skip_host_check']
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
if res_find is None:
|
|
Packit Service |
0a38ef |
if smb:
|
|
Packit Service |
0a38ef |
if netbiosname is not None:
|
|
Packit Service |
0a38ef |
args['ipantflatname'] = netbiosname
|
|
Packit Service |
0a38ef |
commands.append([name, 'service_add_smb', args])
|
|
Packit Service |
0a38ef |
else:
|
|
Packit Service |
0a38ef |
commands.append([name, 'service_add', args])
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
certificate_add = certificate or []
|
|
Packit Service |
0a38ef |
certificate_del = []
|
|
Packit Service |
0a38ef |
host_add = host or []
|
|
Packit Service |
0a38ef |
host_del = []
|
|
Packit Service |
0a38ef |
principal_add = principal or []
|
|
Packit Service |
0a38ef |
principal_del = []
|
|
Packit Service |
0a38ef |
allow_create_keytab_user_add = \
|
|
Packit Service |
0a38ef |
allow_create_keytab_user or []
|
|
Packit Service |
0a38ef |
allow_create_keytab_user_del = []
|
|
Packit Service |
0a38ef |
allow_create_keytab_group_add = \
|
|
Packit Service |
0a38ef |
allow_create_keytab_group or []
|
|
Packit Service |
0a38ef |
allow_create_keytab_group_del = []
|
|
Packit Service |
0a38ef |
allow_create_keytab_host_add = \
|
|
Packit Service |
0a38ef |
allow_create_keytab_host or []
|
|
Packit Service |
0a38ef |
allow_create_keytab_host_del = []
|
|
Packit Service |
0a38ef |
allow_create_keytab_hostgroup_add = \
|
|
Packit Service |
0a38ef |
allow_create_keytab_hostgroup or []
|
|
Packit Service |
0a38ef |
allow_create_keytab_hostgroup_del = []
|
|
Packit Service |
0a38ef |
allow_retrieve_keytab_user_add = \
|
|
Packit Service |
0a38ef |
allow_retrieve_keytab_user or []
|
|
Packit Service |
0a38ef |
allow_retrieve_keytab_user_del = []
|
|
Packit Service |
0a38ef |
allow_retrieve_keytab_group_add = \
|
|
Packit Service |
0a38ef |
allow_retrieve_keytab_group or []
|
|
Packit Service |
0a38ef |
allow_retrieve_keytab_group_del = []
|
|
Packit Service |
0a38ef |
allow_retrieve_keytab_host_add = \
|
|
Packit Service |
0a38ef |
allow_retrieve_keytab_host or []
|
|
Packit Service |
0a38ef |
allow_retrieve_keytab_host_del = []
|
|
Packit Service |
0a38ef |
allow_retrieve_keytab_hostgroup_add = \
|
|
Packit Service |
0a38ef |
allow_retrieve_keytab_hostgroup or []
|
|
Packit Service |
0a38ef |
allow_retrieve_keytab_hostgroup_del = []
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
else:
|
|
Packit Service |
0a38ef |
for remove in ['skip_host_check', 'force']:
|
|
Packit Service |
0a38ef |
if remove in args:
|
|
Packit Service |
0a38ef |
del args[remove]
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
if not compare_args_ipa(ansible_module, args,
|
|
Packit Service |
0a38ef |
res_find):
|
|
Packit Service |
0a38ef |
commands.append([name, "service_mod", args])
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
certificate_add, certificate_del = gen_add_del_lists(
|
|
Packit Service |
0a38ef |
certificate, res_find.get("usercertificate"))
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
host_add, host_del = gen_add_del_lists(
|
|
Packit Service |
0a38ef |
host, res_find.get('managedby_host', []))
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
principal_add, principal_del = gen_add_del_lists(
|
|
Packit Service |
0a38ef |
principal, res_find.get("principal"))
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
(allow_create_keytab_user_add,
|
|
Packit Service |
0a38ef |
allow_create_keytab_user_del) = \
|
|
Packit Service |
0a38ef |
gen_add_del_lists(
|
|
Packit Service |
0a38ef |
allow_create_keytab_user, res_find.get(
|
|
Packit Service |
0a38ef |
'ipaallowedtoperform_write_keys_user',
|
|
Packit Service |
0a38ef |
[]))
|
|
Packit Service |
0a38ef |
(allow_retrieve_keytab_user_add,
|
|
Packit Service |
0a38ef |
allow_retrieve_keytab_user_del) = \
|
|
Packit Service |
0a38ef |
gen_add_del_lists(
|
|
Packit Service |
0a38ef |
allow_retrieve_keytab_user, res_find.get(
|
|
Packit Service |
0a38ef |
'ipaallowedtoperform_read_keys_user',
|
|
Packit Service |
0a38ef |
[]))
|
|
Packit Service |
0a38ef |
(allow_create_keytab_group_add,
|
|
Packit Service |
0a38ef |
allow_create_keytab_group_del) = \
|
|
Packit Service |
0a38ef |
gen_add_del_lists(
|
|
Packit Service |
0a38ef |
allow_create_keytab_group, res_find.get(
|
|
Packit Service |
0a38ef |
'ipaallowedtoperform_write_keys_group',
|
|
Packit Service |
0a38ef |
[]))
|
|
Packit Service |
0a38ef |
(allow_retrieve_keytab_group_add,
|
|
Packit Service |
0a38ef |
allow_retrieve_keytab_group_del) = \
|
|
Packit Service |
0a38ef |
gen_add_del_lists(
|
|
Packit Service |
0a38ef |
allow_retrieve_keytab_group,
|
|
Packit Service |
0a38ef |
res_find.get(
|
|
Packit Service |
0a38ef |
'ipaallowedtoperform_read_keys_group',
|
|
Packit Service |
0a38ef |
[]))
|
|
Packit Service |
0a38ef |
(allow_create_keytab_host_add,
|
|
Packit Service |
0a38ef |
allow_create_keytab_host_del) = \
|
|
Packit Service |
0a38ef |
gen_add_del_lists(
|
|
Packit Service |
0a38ef |
allow_create_keytab_host,
|
|
Packit Service |
0a38ef |
res_find.get(
|
|
Packit Service |
0a38ef |
'ipaallowedtoperform_write_keys_host',
|
|
Packit Service |
0a38ef |
[]))
|
|
Packit Service |
0a38ef |
(allow_retrieve_keytab_host_add,
|
|
Packit Service |
0a38ef |
allow_retrieve_keytab_host_del) = \
|
|
Packit Service |
0a38ef |
gen_add_del_lists(
|
|
Packit Service |
0a38ef |
allow_retrieve_keytab_host,
|
|
Packit Service |
0a38ef |
res_find.get(
|
|
Packit Service |
0a38ef |
'ipaallowedtoperform_read_keys_host',
|
|
Packit Service |
0a38ef |
[]))
|
|
Packit Service |
0a38ef |
(allow_create_keytab_hostgroup_add,
|
|
Packit Service |
0a38ef |
allow_create_keytab_hostgroup_del) = \
|
|
Packit Service |
0a38ef |
gen_add_del_lists(
|
|
Packit Service |
0a38ef |
allow_create_keytab_hostgroup,
|
|
Packit Service |
0a38ef |
res_find.get(
|
|
Packit Service |
0a38ef |
'ipaallowedtoperform_write_keys_hostgroup',
|
|
Packit Service |
0a38ef |
[]))
|
|
Packit Service |
0a38ef |
(allow_retrieve_keytab_hostgroup_add,
|
|
Packit Service |
0a38ef |
allow_retrieve_keytab_hostgroup_del) = \
|
|
Packit Service |
0a38ef |
gen_add_del_lists(
|
|
Packit Service |
0a38ef |
allow_retrieve_keytab_hostgroup,
|
|
Packit Service |
0a38ef |
res_find.get(
|
|
Packit Service |
0a38ef |
'ipaallowedtoperform_read_keys_hostgroup',
|
|
Packit Service |
0a38ef |
[]))
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
elif action == "member":
|
|
Packit Service |
0a38ef |
if res_find is None:
|
|
Packit Service |
0a38ef |
ansible_module.fail_json(msg="No service '%s'" % name)
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
existing = res_find.get('usercertificate', [])
|
|
Packit Service |
0a38ef |
if certificate is None:
|
|
Packit Service |
0a38ef |
certificate_add = []
|
|
Packit Service |
0a38ef |
else:
|
|
Packit Service |
0a38ef |
certificate_add = [c for c in certificate
|
|
Packit Service |
0a38ef |
if c not in existing]
|
|
Packit Service |
0a38ef |
certificate_del = []
|
|
Packit Service |
0a38ef |
host_add = host or []
|
|
Packit Service |
0a38ef |
host_del = []
|
|
Packit Service |
0a38ef |
principal_add = principal or []
|
|
Packit Service |
0a38ef |
principal_del = []
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
allow_create_keytab_user_add = \
|
|
Packit Service |
0a38ef |
allow_create_keytab_user or []
|
|
Packit Service |
0a38ef |
allow_create_keytab_user_del = []
|
|
Packit Service |
0a38ef |
allow_create_keytab_group_add = \
|
|
Packit Service |
0a38ef |
allow_create_keytab_group or []
|
|
Packit Service |
0a38ef |
allow_create_keytab_group_del = []
|
|
Packit Service |
0a38ef |
allow_create_keytab_host_add = \
|
|
Packit Service |
0a38ef |
allow_create_keytab_host or []
|
|
Packit Service |
0a38ef |
allow_create_keytab_host_del = []
|
|
Packit Service |
0a38ef |
allow_create_keytab_hostgroup_add = \
|
|
Packit Service |
0a38ef |
allow_create_keytab_hostgroup or []
|
|
Packit Service |
0a38ef |
allow_create_keytab_hostgroup_del = []
|
|
Packit Service |
0a38ef |
allow_retrieve_keytab_user_add = \
|
|
Packit Service |
0a38ef |
allow_retrieve_keytab_user or []
|
|
Packit Service |
0a38ef |
allow_retrieve_keytab_user_del = []
|
|
Packit Service |
0a38ef |
allow_retrieve_keytab_group_add = \
|
|
Packit Service |
0a38ef |
allow_retrieve_keytab_group or []
|
|
Packit Service |
0a38ef |
allow_retrieve_keytab_group_del = []
|
|
Packit Service |
0a38ef |
allow_retrieve_keytab_host_add = \
|
|
Packit Service |
0a38ef |
allow_retrieve_keytab_host or []
|
|
Packit Service |
0a38ef |
allow_retrieve_keytab_host_del = []
|
|
Packit Service |
0a38ef |
allow_retrieve_keytab_hostgroup_add = \
|
|
Packit Service |
0a38ef |
allow_retrieve_keytab_hostgroup or []
|
|
Packit Service |
0a38ef |
allow_retrieve_keytab_hostgroup_del = []
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
# Add principals
|
|
Packit Service |
0a38ef |
for _principal in principal_add:
|
|
Packit Service |
0a38ef |
commands.append([name, "service_add_principal",
|
|
Packit Service |
0a38ef |
{
|
|
Packit Service |
0a38ef |
"krbprincipalname":
|
|
Packit Service |
0a38ef |
_principal,
|
|
Packit Service |
0a38ef |
}])
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
# Remove principals
|
|
Packit Service |
0a38ef |
for _principal in principal_del:
|
|
Packit Service |
0a38ef |
commands.append([name, "service_remove_principal",
|
|
Packit Service |
0a38ef |
{
|
|
Packit Service |
0a38ef |
"krbprincipalname":
|
|
Packit Service |
0a38ef |
_principal,
|
|
Packit Service |
0a38ef |
}])
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
for _certificate in certificate_add:
|
|
Packit Service |
0a38ef |
commands.append([name, "service_add_cert",
|
|
Packit Service |
0a38ef |
{
|
|
Packit Service |
0a38ef |
"usercertificate":
|
|
Packit Service |
0a38ef |
_certificate,
|
|
Packit Service |
0a38ef |
}])
|
|
Packit Service |
0a38ef |
# Remove certificates
|
|
Packit Service |
0a38ef |
for _certificate in certificate_del:
|
|
Packit Service |
0a38ef |
commands.append([name, "service_remove_cert",
|
|
Packit Service |
0a38ef |
{
|
|
Packit Service |
0a38ef |
"usercertificate":
|
|
Packit Service |
0a38ef |
_certificate,
|
|
Packit Service |
0a38ef |
}])
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
# Add hosts.
|
|
Packit Service |
0a38ef |
if host is not None and len(host) > 0 and len(host_add) > 0:
|
|
Packit Service |
0a38ef |
commands.append([name, "service_add_host",
|
|
Packit Service |
0a38ef |
{"host": host_add}])
|
|
Packit Service |
0a38ef |
# Remove hosts
|
|
Packit Service |
0a38ef |
if host is not None and len(host) > 0 and len(host_del) > 0:
|
|
Packit Service |
0a38ef |
commands.append([name, "service_remove_host",
|
|
Packit Service |
0a38ef |
{"host": host_del}])
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
# Allow create keytab
|
|
Packit Service |
0a38ef |
if len(allow_create_keytab_user_add) > 0 or \
|
|
Packit Service |
0a38ef |
len(allow_create_keytab_group_add) > 0 or \
|
|
Packit Service |
0a38ef |
len(allow_create_keytab_host_add) > 0 or \
|
|
Packit Service |
0a38ef |
len(allow_create_keytab_hostgroup_add) > 0:
|
|
Packit Service |
0a38ef |
commands.append(
|
|
Packit Service |
0a38ef |
[name, "service_allow_create_keytab",
|
|
Packit Service |
0a38ef |
{'user': allow_create_keytab_user_add,
|
|
Packit Service |
0a38ef |
'group': allow_create_keytab_group_add,
|
|
Packit Service |
0a38ef |
'host': allow_create_keytab_host_add,
|
|
Packit Service |
0a38ef |
'hostgroup': allow_create_keytab_hostgroup_add
|
|
Packit Service |
0a38ef |
}])
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
# Disallow create keytab
|
|
Packit Service |
0a38ef |
if len(allow_create_keytab_user_del) > 0 or \
|
|
Packit Service |
0a38ef |
len(allow_create_keytab_group_del) > 0 or \
|
|
Packit Service |
0a38ef |
len(allow_create_keytab_host_del) > 0 or \
|
|
Packit Service |
0a38ef |
len(allow_create_keytab_hostgroup_del) > 0:
|
|
Packit Service |
0a38ef |
commands.append(
|
|
Packit Service |
0a38ef |
[name, "service_disallow_create_keytab",
|
|
Packit Service |
0a38ef |
{'user': allow_create_keytab_user_del,
|
|
Packit Service |
0a38ef |
'group': allow_create_keytab_group_del,
|
|
Packit Service |
0a38ef |
'host': allow_create_keytab_host_del,
|
|
Packit Service |
0a38ef |
'hostgroup': allow_create_keytab_hostgroup_del
|
|
Packit Service |
0a38ef |
}])
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
# Allow retrieve keytab
|
|
Packit Service |
0a38ef |
if len(allow_retrieve_keytab_user_add) > 0 or \
|
|
Packit Service |
0a38ef |
len(allow_retrieve_keytab_group_add) > 0 or \
|
|
Packit Service |
a166ed |
len(allow_retrieve_keytab_host_add) > 0 or \
|
|
Packit Service |
0a38ef |
len(allow_retrieve_keytab_hostgroup_add) > 0:
|
|
Packit Service |
0a38ef |
commands.append(
|
|
Packit Service |
0a38ef |
[name, "service_allow_retrieve_keytab",
|
|
Packit Service |
0a38ef |
{'user': allow_retrieve_keytab_user_add,
|
|
Packit Service |
0a38ef |
'group': allow_retrieve_keytab_group_add,
|
|
Packit Service |
0a38ef |
'host': allow_retrieve_keytab_host_add,
|
|
Packit Service |
0a38ef |
'hostgroup': allow_retrieve_keytab_hostgroup_add
|
|
Packit Service |
0a38ef |
}])
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
# Disallow retrieve keytab
|
|
Packit Service |
0a38ef |
if len(allow_retrieve_keytab_user_del) > 0 or \
|
|
Packit Service |
0a38ef |
len(allow_retrieve_keytab_group_del) > 0 or \
|
|
Packit Service |
0a38ef |
len(allow_retrieve_keytab_host_del) > 0 or \
|
|
Packit Service |
0a38ef |
len(allow_retrieve_keytab_hostgroup_del) > 0:
|
|
Packit Service |
0a38ef |
commands.append(
|
|
Packit Service |
0a38ef |
[name, "service_disallow_retrieve_keytab",
|
|
Packit Service |
0a38ef |
{'user': allow_retrieve_keytab_user_del,
|
|
Packit Service |
0a38ef |
'group': allow_retrieve_keytab_group_del,
|
|
Packit Service |
0a38ef |
'host': allow_retrieve_keytab_host_del,
|
|
Packit Service |
0a38ef |
'hostgroup': allow_retrieve_keytab_hostgroup_del
|
|
Packit Service |
0a38ef |
}])
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
elif state == "absent":
|
|
Packit Service |
0a38ef |
if action == "service":
|
|
Packit Service |
0a38ef |
if res_find is not None:
|
|
Packit Service |
0a38ef |
args = {'continue': True if delete_continue else False}
|
|
Packit Service |
0a38ef |
commands.append([name, 'service_del', args])
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
elif action == "member":
|
|
Packit Service |
0a38ef |
if res_find is None:
|
|
Packit Service |
0a38ef |
ansible_module.fail_json(msg="No service '%s'" % name)
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
# Remove principals
|
|
Packit Service |
0a38ef |
if principal is not None:
|
|
Packit Service |
0a38ef |
for _principal in principal:
|
|
Packit Service |
0a38ef |
commands.append([name, "service_remove_principal",
|
|
Packit Service |
0a38ef |
{
|
|
Packit Service |
0a38ef |
"krbprincipalname":
|
|
Packit Service |
0a38ef |
_principal,
|
|
Packit Service |
0a38ef |
}])
|
|
Packit Service |
0a38ef |
# Remove certificates
|
|
Packit Service |
0a38ef |
if certificate is not None:
|
|
Packit Service |
0a38ef |
existing = res_find.get('usercertificate', [])
|
|
Packit Service |
0a38ef |
for _certificate in certificate:
|
|
Packit Service |
0a38ef |
if _certificate in existing:
|
|
Packit Service |
0a38ef |
commands.append([name, "service_remove_cert",
|
|
Packit Service |
0a38ef |
{
|
|
Packit Service |
0a38ef |
"usercertificate":
|
|
Packit Service |
0a38ef |
_certificate,
|
|
Packit Service |
0a38ef |
}])
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
# Remove hosts (state=absent, action=member)
|
|
Packit Service |
0a38ef |
if host is not None:
|
|
Packit Service |
0a38ef |
commands.append(
|
|
Packit Service |
0a38ef |
[name, "service_remove_host", {"host": host}])
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
# Disallow create keytab: revoke the given create-keytab grants
|
|
Packit Service |
0a38ef |
if allow_create_keytab_user is not None or \
|
|
Packit Service |
0a38ef |
allow_create_keytab_group is not None or \
|
|
Packit Service |
0a38ef |
allow_create_keytab_host is not None or \
|
|
Packit Service |
0a38ef |
allow_create_keytab_hostgroup is not None:
|
|
Packit Service |
0a38ef |
commands.append(
|
|
Packit Service |
0a38ef |
[name, "service_disallow_create_keytab",
|
|
Packit Service |
0a38ef |
{'user': allow_create_keytab_user,
|
|
Packit Service |
0a38ef |
'group': allow_create_keytab_group,
|
|
Packit Service |
0a38ef |
'host': allow_create_keytab_host,
|
|
Packit Service |
0a38ef |
'hostgroup': allow_create_keytab_hostgroup
|
|
Packit Service |
0a38ef |
}])
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
# Disallow retrieve keytab: revoke the given retrieve-keytab grants
|
|
Packit Service |
0a38ef |
if allow_retrieve_keytab_user is not None or \
|
|
Packit Service |
0a38ef |
allow_retrieve_keytab_group is not None or \
|
|
Packit Service |
0a38ef |
allow_retrieve_keytab_host is not None or \
|
|
Packit Service |
0a38ef |
allow_retrieve_keytab_hostgroup is not None:
|
|
Packit Service |
0a38ef |
commands.append(
|
|
Packit Service |
0a38ef |
[name, "service_disallow_retrieve_keytab",
|
|
Packit Service |
0a38ef |
{'user': allow_retrieve_keytab_user,
|
|
Packit Service |
0a38ef |
'group': allow_retrieve_keytab_group,
|
|
Packit Service |
0a38ef |
'host': allow_retrieve_keytab_host,
|
|
Packit Service |
0a38ef |
'hostgroup': allow_retrieve_keytab_hostgroup
|
|
Packit Service |
0a38ef |
}])
elif state == "disabled":
if action == "service":
if res_find is not None:
has_cert = bool(res_find.get('usercertificate'))
has_keytab = res_find.get('has_keytab', False)
if has_cert or has_keytab:
commands.append([name, 'service_disable', {}])
else:
ansible_module.fail_json(
msg="Invalid action '%s' for state '%s'" %
(action, state))
else:
ansible_module.fail_json(msg="Unkown state '%s'" % state)
# Execute commands
errors = []
for name, command, args in commands:
try:
result = api_command(ansible_module, command, name, args)
if "completed" in result:
if result["completed"] > 0:
changed = True
else:
changed = True
except Exception as ex:
ansible_module.fail_json(msg="%s: %s: %s" % (command, name,
str(ex)))
# Get all errors
# All "already a member" and "not a member" failures in the
# result are ignored. All others are reported.
if "failed" in result and len(result["failed"]) > 0:
for item in result["failed"]:
failed_item = result["failed"][item]
for member_type in failed_item:
for member, failure in failed_item[member_type]:
if "already a member" in failure \
or "not a member" in failure:
continue
errors.append("%s: %s %s: %s" % (
command, member_type, member, failure))
if len(errors) > 0:
ansible_module.fail_json(msg=", ".join(errors))
except Exception as ex:
ansible_module.fail_json(msg=str(ex))
finally:
temp_kdestroy(ccache_dir, ccache_name)
# Done
ansible_module.exit_json(changed=changed, **exit_args)
# Module entry point: run main() only when Ansible executes this file as a
# script, not when it is imported (e.g. for documentation extraction).
if __name__ == "__main__":
    main()