VMware: Update vmware_object_role_permission to allow permissions at root folder (#50465)
* Update vmware_object_role_permission to allow permissions at root folder * Add example for adding to root folder
This commit is contained in:
parent
b547376db9
commit
3fb383b1ae
1 changed files with 64 additions and 36 deletions
|
@ -2,6 +2,8 @@
|
||||||
# -*- coding: utf-8 -*-
|
# -*- coding: utf-8 -*-
|
||||||
#
|
#
|
||||||
# Copyright: (c) 2018, Derek Rushing <derek.rushing@geekops.com>
|
# Copyright: (c) 2018, Derek Rushing <derek.rushing@geekops.com>
|
||||||
|
# Copyright: (c) 2018, VMware, Inc.
|
||||||
|
# SPDX-License-Identifier: GPL-3.0-or-later
|
||||||
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
|
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
|
||||||
|
|
||||||
from __future__ import absolute_import, division, print_function
|
from __future__ import absolute_import, division, print_function
|
||||||
|
@ -22,12 +24,13 @@ description: This module can be used to manage object permissions on the given h
|
||||||
version_added: 2.8
|
version_added: 2.8
|
||||||
author:
|
author:
|
||||||
- Derek Rushing (@kryptsi)
|
- Derek Rushing (@kryptsi)
|
||||||
|
- Joseph Andreatta (@vmwjoseph)
|
||||||
notes:
|
notes:
|
||||||
- Tested on ESXi 6.5
|
- Tested on ESXi 6.5, vSphere 6.7
|
||||||
- Be sure that the ESXi user used for login, has the appropriate rights to administer permissions
|
- Be sure that the ESXi user used for login, has the appropriate rights to administer permissions
|
||||||
requirements:
|
requirements:
|
||||||
- "python >= 2.7"
|
- "python >= 2.7"
|
||||||
- PyVmomi
|
- PyVmomi
|
||||||
options:
|
options:
|
||||||
role:
|
role:
|
||||||
description:
|
description:
|
||||||
|
@ -70,7 +73,7 @@ extends_documentation_fragment: vmware.documentation
|
||||||
EXAMPLES = '''
|
EXAMPLES = '''
|
||||||
- name: Assign user to VM folder
|
- name: Assign user to VM folder
|
||||||
vmware_object_role_permission:
|
vmware_object_role_permission:
|
||||||
role: administrator
|
role: Admin
|
||||||
principal: user_bob
|
principal: user_bob
|
||||||
object_name: services
|
object_name: services
|
||||||
state: present
|
state: present
|
||||||
|
@ -78,7 +81,7 @@ EXAMPLES = '''
|
||||||
|
|
||||||
- name: Remove user from VM folder
|
- name: Remove user from VM folder
|
||||||
vmware_object_role_permission:
|
vmware_object_role_permission:
|
||||||
role: administrator
|
role: Admin
|
||||||
principal: user_bob
|
principal: user_bob
|
||||||
object_name: services
|
object_name: services
|
||||||
state: absent
|
state: absent
|
||||||
|
@ -91,6 +94,14 @@ EXAMPLES = '''
|
||||||
object_name: Accounts
|
object_name: Accounts
|
||||||
state: present
|
state: present
|
||||||
delegate_to: localhost
|
delegate_to: localhost
|
||||||
|
|
||||||
|
- name: Assign view_user Read Only permission at root folder
|
||||||
|
vmware_object_role_permission:
|
||||||
|
role: ReadOnly
|
||||||
|
principal: view_user
|
||||||
|
object_name: rootFolder
|
||||||
|
state: present
|
||||||
|
delegate_to: localhost
|
||||||
'''
|
'''
|
||||||
|
|
||||||
RETURN = r'''
|
RETURN = r'''
|
||||||
|
@ -106,6 +117,7 @@ except ImportError:
|
||||||
pass
|
pass
|
||||||
|
|
||||||
from ansible.module_utils.basic import AnsibleModule
|
from ansible.module_utils.basic import AnsibleModule
|
||||||
|
from ansible.module_utils._text import to_native
|
||||||
from ansible.module_utils.vmware import PyVmomi, vmware_argument_spec, find_obj
|
from ansible.module_utils.vmware import PyVmomi, vmware_argument_spec, find_obj
|
||||||
|
|
||||||
|
|
||||||
|
@ -114,6 +126,7 @@ class VMwareObjectRolePermission(PyVmomi):
|
||||||
super(VMwareObjectRolePermission, self).__init__(module)
|
super(VMwareObjectRolePermission, self).__init__(module)
|
||||||
self.module = module
|
self.module = module
|
||||||
self.params = module.params
|
self.params = module.params
|
||||||
|
self.is_group = False
|
||||||
|
|
||||||
if self.params.get('principal', None) is not None:
|
if self.params.get('principal', None) is not None:
|
||||||
self.applied_to = self.params['principal']
|
self.applied_to = self.params['principal']
|
||||||
|
@ -141,7 +154,7 @@ class VMwareObjectRolePermission(PyVmomi):
|
||||||
return 'absent'
|
return 'absent'
|
||||||
|
|
||||||
def process_state(self):
|
def process_state(self):
|
||||||
local_role_manager_states = {
|
local_permission_states = {
|
||||||
'absent': {
|
'absent': {
|
||||||
'present': self.remove_permission,
|
'present': self.remove_permission,
|
||||||
'absent': self.state_exit_unchanged,
|
'absent': self.state_exit_unchanged,
|
||||||
|
@ -152,13 +165,13 @@ class VMwareObjectRolePermission(PyVmomi):
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
try:
|
try:
|
||||||
local_role_manager_states[self.state][self.get_state()]()
|
local_permission_states[self.state][self.get_state()]()
|
||||||
except vmodl.RuntimeFault as runtime_fault:
|
except vmodl.RuntimeFault as runtime_fault:
|
||||||
self.module.fail_json(msg=runtime_fault.msg)
|
self.module.fail_json(msg=to_native(runtime_fault.msg))
|
||||||
except vmodl.MethodFault as method_fault:
|
except vmodl.MethodFault as method_fault:
|
||||||
self.module.fail_json(msg=method_fault.msg)
|
self.module.fail_json(msg=to_native(method_fault.msg))
|
||||||
except Exception as e:
|
except Exception as e:
|
||||||
self.module.fail_json(msg=str(e))
|
self.module.fail_json(msg=to_native(e))
|
||||||
|
|
||||||
def state_exit_unchanged(self):
|
def state_exit_unchanged(self):
|
||||||
self.module.exit_json(changed=False)
|
self.module.exit_json(changed=False)
|
||||||
|
@ -173,11 +186,13 @@ class VMwareObjectRolePermission(PyVmomi):
|
||||||
return perm
|
return perm
|
||||||
|
|
||||||
def add_permission(self):
|
def add_permission(self):
|
||||||
self.content.authorizationManager.SetEntityPermissions(self.current_obj, [self.perm])
|
if not self.module.check_mode:
|
||||||
|
self.content.authorizationManager.SetEntityPermissions(self.current_obj, [self.perm])
|
||||||
self.module.exit_json(changed=True)
|
self.module.exit_json(changed=True)
|
||||||
|
|
||||||
def remove_permission(self):
|
def remove_permission(self):
|
||||||
self.content.authorizationManager.RemoveEntityPermission(self.current_obj, self.applied_to, self.is_group)
|
if not self.module.check_mode:
|
||||||
|
self.content.authorizationManager.RemoveEntityPermission(self.current_obj, self.applied_to, self.is_group)
|
||||||
self.module.exit_json(changed=True)
|
self.module.exit_json(changed=True)
|
||||||
|
|
||||||
def get_role(self):
|
def get_role(self):
|
||||||
|
@ -188,46 +203,59 @@ class VMwareObjectRolePermission(PyVmomi):
|
||||||
self.module.fail_json(msg="Specified role (%s) was not found" % self.params['role'])
|
self.module.fail_json(msg="Specified role (%s) was not found" % self.params['role'])
|
||||||
|
|
||||||
def get_object(self):
|
def get_object(self):
|
||||||
|
# find_obj doesn't include rootFolder
|
||||||
|
if self.params['object_type'] == 'Folder' and self.params['object_name'] == 'rootFolder':
|
||||||
|
self.current_obj = self.content.rootFolder
|
||||||
|
return
|
||||||
try:
|
try:
|
||||||
object_type = getattr(vim, self.params['object_type'])
|
object_type = getattr(vim, self.params['object_type'])
|
||||||
except AttributeError:
|
except AttributeError:
|
||||||
self.module.fail_json(msg="Object type %s is not valid." % self.params['object_type'])
|
self.module.fail_json(msg="Object type %s is not valid." % self.params['object_type'])
|
||||||
|
|
||||||
self.current_obj = find_obj(content=self.content,
|
self.current_obj = find_obj(content=self.content,
|
||||||
vimtype=[getattr(vim, self.params['object_type'])],
|
vimtype=[getattr(vim, self.params['object_type'])],
|
||||||
name=self.params['object_name'])
|
name=self.params['object_name'])
|
||||||
|
|
||||||
if self.current_obj is None:
|
if self.current_obj is None:
|
||||||
self.module.fail_json(msg="Specified object %s of type %s was not found." % (self.params['object_name'],
|
self.module.fail_json(
|
||||||
self.params['object_type']))
|
msg="Specified object %s of type %s was not found."
|
||||||
|
% (self.params['object_name'], self.params['object_type'])
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
def main():
|
def main():
|
||||||
argument_spec = vmware_argument_spec()
|
argument_spec = vmware_argument_spec()
|
||||||
argument_spec.update(dict(
|
argument_spec.update(
|
||||||
role=dict(required=True, type='str'),
|
dict(
|
||||||
object_name=dict(required=True, type='str'),
|
role=dict(required=True, type='str'),
|
||||||
object_type=dict(type='str', default='Folder',
|
object_name=dict(required=True, type='str'),
|
||||||
choices=['Folder', 'VirtualMachine', 'Datacenter', 'ResourcePool',
|
object_type=dict(
|
||||||
'Datastore', 'Network', 'HostSystem', 'ComputeResource',
|
type='str',
|
||||||
'ClusterComputeResource', 'DistributedVirtualSwitch']
|
default='Folder',
|
||||||
),
|
choices=[
|
||||||
principal=dict(type='str'),
|
'Folder',
|
||||||
group=dict(type='str'),
|
'VirtualMachine',
|
||||||
recursive=dict(type='bool', default=True),
|
'Datacenter',
|
||||||
state=dict(default='present', choices=['present', 'absent'], type='str')
|
'ResourcePool',
|
||||||
)
|
'Datastore',
|
||||||
|
'Network',
|
||||||
|
'HostSystem',
|
||||||
|
'ComputeResource',
|
||||||
|
'ClusterComputeResource',
|
||||||
|
'DistributedVirtualSwitch',
|
||||||
|
],
|
||||||
|
),
|
||||||
|
principal=dict(type='str'),
|
||||||
|
group=dict(type='str'),
|
||||||
|
recursive=dict(type='bool', default=True),
|
||||||
|
state=dict(default='present', choices=['present', 'absent'], type='str'),
|
||||||
|
)
|
||||||
)
|
)
|
||||||
|
|
||||||
module = AnsibleModule(
|
module = AnsibleModule(
|
||||||
argument_spec=argument_spec,
|
argument_spec=argument_spec,
|
||||||
supports_check_mode=False,
|
supports_check_mode=True,
|
||||||
mutually_exclusive=[
|
mutually_exclusive=[['principal', 'group']],
|
||||||
['principal', 'group'],
|
required_one_of=[['principal', 'group']],
|
||||||
],
|
|
||||||
required_one_of=[
|
|
||||||
['principal', 'group'],
|
|
||||||
]
|
|
||||||
)
|
)
|
||||||
|
|
||||||
vmware_object_permission = VMwareObjectRolePermission(module)
|
vmware_object_permission = VMwareObjectRolePermission(module)
|
||||||
|
|
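Review bot: The new `rootFolder` special case at the top of get_object turns an ordinary object_name value into a reserved word, but nothing in the option documentation says so — the only hint is the new EXAMPLES entry, and a user who actually has a folder named rootFolder can no longer address it by name. I would state it in the `object_name` option description (outside this hunk), e.g. `- Use C(rootFolder) with I(object_type) C(Folder) to target the inventory root; this name is reserved and is not looked up.`, and tighten the code comment to `# find_obj does not return content.rootFolder, so the inventory root is addressed by the reserved name 'rootFolder'`. Because `recursive` defaults to True in main(), a permission applied at the root presumably propagates to every object in the inventory (assuming recursive maps to the permission's propagate flag, which is set outside this hunk), so the description should call out that blast radius so an Admin role is not granted there by accident. The comparison is also case-sensitive, so `rootfolder` falls through to find_obj and fails with the generic not-found message rather than a hint about the reserved spelling; main() continues past the end of this hunk.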