The permission module allows to ensure presence and absence of permissions and permission members.
FreeIPA versions 4.4.0 and up are supported by the ipapermission module.
Controller * Ansible version: 2.8+
Node * Supported FreeIPA version (see above)
Example inventory file
[ipaserver] ipaserver.test.local
Example playbook to make sure permission "MyPermission" is present:
--- - name: Playbook to create an IPA permission. hosts: ipaserver become: yes tasks: - name: Ensure permission MyPermission is present ipapermission: ipaadmin_password: SomeADMINpassword name: MyPermission object_type: host right: all
Example playbook to make sure permission "MyPermission" member "privilege" with value "User Administrators" is present:
--- - name: Permission add privilege to a permission hosts: ipaserver become: true tasks: - name: Ensure permission MyPermission is present with the User Administrators privilege present ipapermission: ipaadmin_password: SomeADMINpassword name: MyPermission privilege: "User Administrators" action: member
Example playbook to make sure permission "MyPermission" member "privilege" with value "User Administrators" is absent:
--- - name: Permission remove privilege from a permission hosts: ipaserver become: true tasks: - name: Ensure permission MyPermission is present without the User Administrators privilege ipapermission: ipaadmin_password: SomeADMINpassword name: MyPermission privilege: "User Administrators" action: member state: absent
Example playbook to make sure permission "MyPermission" is absent:
--- - name: Playbook to manage IPA permission. hosts: ipaserver become: yes tasks: - ipapermission: ipaadmin_password: SomeADMINpassword name: MyPermission state: absent
Example playbook to make sure permission "MyPermission" is renamed to "MyNewPermission":
--- - name: Playbook to manage IPA permission. hosts: ipaserver become: yes tasks: - ipapermission: ipaadmin_password: SomeADMINpassword name: MyPermission rename: MyNewPermission state: renamed
Variable | Description | Required |
---|---|---|
ipaadmin_principal |
The admin principal is a string and defaults to admin |
no |
ipaadmin_password |
The admin password is a string and is required if there is no admin ticket available on the node | no |
name | cn |
The permission name string. | yes |
right | ipapermright |
Rights to grant. It can be a list of one or more of read , search , compare , write , add , delete , and all default: all |
no |
attrs |
All attributes to which the permission applies | no |
bindtype | ipapermbindruletype |
Bind rule type. It can be one of permission , all , self , or anonymous defaults to permission for new permissions. Bind rule type self can only be used on IPA versions 4.8.7 or up. |
no |
subtree | ipapermlocation |
Subtree to apply permissions to | no |
filter | extratargetfilter |
Extra target filter | no |
rawfilter | ipapermtargetfilter |
All target filters | no |
target | ipapermtarget |
Optional DN to apply the permission to | no |
targetto | ipapermtargetto |
Optional DN subtree where an entry can be moved to | no |
targetfrom | ipapermtargetfrom |
Optional DN subtree from where an entry can be moved | no |
memberof |
Target members of a group (sets memberOf targetfilter) | no |
targetgroup |
User group to apply permissions to (sets target) | no |
object_type |
Type of IPA object (sets subtree and objectClass targetfilter) | no |
no_members |
Suppress processing of membership | no |
rename |
Rename the permission object | no |
privilege |
Member Privilege of Permission | no |
action |
Work on permission or member level. It can be on of member or permission and defaults to permission . |
no |
state |
The state to ensure. It can be one of present , absent , or renamed default: present . |
no |
Seth Kress