1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2024-09-14 20:13:21 +02:00

VMware: update vmware_local_role_manager with action (#44566)

With this fix user can add, remove and set privileges to
an existing role with privileges.

Fixes: #44391

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
This commit is contained in:
Abhijeet Kasurde 2018-09-07 09:33:50 +05:30 committed by GitHub
parent 46856b0747
commit e653a93044
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 243 additions and 57 deletions

View file

@ -20,10 +20,10 @@ DOCUMENTATION = '''
module: vmware_local_role_manager
short_description: Manage local roles on an ESXi host
description:
- Manage local roles on an ESXi host
version_added: "2.5"
- This module can be used to manage local roles on an ESXi host.
version_added: 2.5
author:
- Abhijeet Kasurde (@Akasurde) <akasurde@redhat.com>
- Abhijeet Kasurde (@Akasurde)
notes:
- Tested on ESXi 6.5
- Be sure that the ESXi user used for login, has the appropriate rights to create / delete / edit roles
@ -31,31 +31,39 @@ requirements:
- "python >= 2.6"
- PyVmomi
options:
local_role_name:
description:
- The local role name to be managed.
required: True
local_privilege_ids:
description:
- The list of privileges that role needs to have.
- Please see U(https://docs.vmware.com/en/VMware-vSphere/6.0/com.vmware.vsphere.security.doc/GUID-ED56F3C4-77D0-49E3-88B6-B99B8B437B62.html)
default: []
state:
description:
- Indicate desired state of the role.
- If the role already exists when C(state=present), the role info is updated.
choices: ['present', 'absent']
default: present
force_remove:
description:
- If set to C(False) then prevents the role from being removed if any permissions are using it.
default: False
type: bool
local_role_name:
description:
- The local role name to be managed.
required: True
local_privilege_ids:
description:
- The list of privileges that role needs to have.
- Please see U(https://docs.vmware.com/en/VMware-vSphere/6.0/com.vmware.vsphere.security.doc/GUID-ED56F3C4-77D0-49E3-88B6-B99B8B437B62.html)
default: []
state:
description:
- Indicate desired state of the role.
- If the role already exists when C(state=present), the role info is updated.
choices: ['present', 'absent']
default: present
force_remove:
description:
- If set to C(False) then prevents the role from being removed if any permissions are using it.
default: False
type: bool
action:
description:
- This parameter is only valid while updating an existing role with privileges.
- C(add) will add the privileges to the existing privilege list.
- C(remove) will remove the privileges from the existing privilege list.
- C(set) will replace the privileges of the existing privileges with user defined list of privileges.
default: set
choices: [ add, remove, set ]
version_added: 2.8
extends_documentation_fragment: vmware.documentation
'''
EXAMPLES = '''
# Example vmware_local_role_manager command from Ansible Playbooks
- name: Add local role to ESXi
vmware_local_role_manager:
hostname: '{{ esxi_hostname }}'
@ -84,6 +92,35 @@ EXAMPLES = '''
state: absent
delegate_to: localhost
- name: Add a privilege to an existing local role
vmware_local_role_manager:
hostname: '{{ esxi_hostname }}'
username: '{{ esxi_username }}'
password: '{{ esxi_password }}'
local_role_name: vmware_qa
local_privilege_ids: [ 'Folder.Create' ]
action: add
delegate_to: localhost
- name: Remove a privilege to an existing local role
vmware_local_role_manager:
hostname: '{{ esxi_hostname }}'
username: '{{ esxi_username }}'
password: '{{ esxi_password }}'
local_role_name: vmware_qa
local_privilege_ids: [ 'Folder.Create' ]
action: remove
delegate_to: localhost
- name: Set a privilege to an existing local role
vmware_local_role_manager:
hostname: '{{ esxi_hostname }}'
username: '{{ esxi_username }}'
password: '{{ esxi_password }}'
local_role_name: vmware_qa
local_privilege_ids: [ 'Folder.Create' ]
action: set
delegate_to: localhost
'''
RETURN = r'''
@ -124,6 +161,7 @@ class VMwareLocalRoleManager(PyVmomi):
self.priv_ids = self.params['local_privilege_ids']
self.force = not self.params['force_remove']
self.current_role = None
self.action = self.params['action']
if self.content.authorizationManager is None:
self.module.fail_json(msg="Failed to get local authorization manager settings.",
@ -166,6 +204,7 @@ class VMwareLocalRoleManager(PyVmomi):
return desired_role
def state_create_role(self):
role_id = None
try:
role_id = self.content.authorizationManager.AddAuthorizationRole(name=self.role_name,
privIds=self.priv_ids)
@ -215,25 +254,56 @@ class VMwareLocalRoleManager(PyVmomi):
self.module.exit_json(**result)
def state_exit_unchanged(self):
self.module.exit_json(changed=False)
role = self.find_authorization_role()
result = dict(changed=False)
if role:
result['role_id'] = role.roleId
result['local_role_name'] = role.name
result['old_privileges'] = [priv_name for priv_name in role.privilege]
result['new_privileges'] = [priv_name for priv_name in role.privilege]
self.module.exit_json(**result)
def state_update_role(self):
current_privileges = set(self.current_role.privilege)
# Add system-defined privileges, "System.Anonymous", "System.View", and "System.Read".
self.params['local_privilege_ids'].extend(['System.Anonymous', 'System.Read', 'System.View'])
desired_privileges = set(self.params['local_privilege_ids'])
current_privileges = self.current_role.privilege
changed_privileges = current_privileges ^ desired_privileges
changed_privileges = list(changed_privileges)
result = {
'changed': False,
'old_privileges': current_privileges,
}
if not changed_privileges:
changed_privileges = []
changed = False
if self.action == 'add':
# Add to existing privileges
for priv in self.params['local_privilege_ids']:
if priv not in current_privileges:
changed_privileges.append(priv)
changed = True
if changed:
changed_privileges.extend(current_privileges)
elif self.action == 'set':
# Set given privileges
# Add system-defined privileges, "System.Anonymous", "System.View", and "System.Read".
self.params['local_privilege_ids'].extend(['System.Anonymous', 'System.Read', 'System.View'])
changed_privileges = self.params['local_privilege_ids']
changes_applied = list(set(current_privileges) ^ set(changed_privileges))
if changes_applied:
changed = True
elif self.action == 'remove':
# Remove given privileges from existing privileges
for priv in self.params['local_privilege_ids']:
if priv in current_privileges:
changed = True
current_privileges.remove(priv)
if changed:
changed_privileges = current_privileges
if not changed:
self.state_exit_unchanged()
# Delete unwanted privileges that are not required
for priv in changed_privileges:
if priv not in desired_privileges:
changed_privileges.remove(priv)
try:
self.content.authorizationManager.UpdateAuthorizationRole(roleId=self.current_role.roleId,
newName=self.current_role.name,
@ -256,14 +326,13 @@ class VMwareLocalRoleManager(PyVmomi):
self.module.fail_json(msg="Failed to update Role %s as current session does not"
" have any privilege to update specified role" % self.role_name,
details=e.msg)
role = self.find_authorization_role()
result = {
'changed': True,
'role_id': role.roleId,
'local_role_name': role.name,
'new_privileges': role.privilege,
'old_privileges': current_privileges,
}
result['role_id'] = role.roleId,
result['changed'] = changed
result['local_role_name'] = role.name
result['new_privileges'] = [priv_name for priv_name in role.privilege]
self.module.exit_json(**result)
@ -272,6 +341,11 @@ def main():
argument_spec.update(dict(local_role_name=dict(required=True, type='str'),
local_privilege_ids=dict(default=[], type='list'),
force_remove=dict(default=False, type='bool'),
action=dict(type='str', default='set', choices=[
'add',
'set',
'remove',
]),
state=dict(default='present', choices=['present', 'absent'], type='str')))
module = AnsibleModule(argument_spec=argument_spec,

View file

@ -1,5 +1,5 @@
# Test code for the vmware_local_role_manager module
# Copyright: (c) 2017, Abhijeet Kasurde <akasurde@redhat.com>
# Copyright: (c) 2017-2018, Abhijeet Kasurde <akasurde@redhat.com>
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
- name: store the vcenter container ip
@ -30,7 +30,7 @@
- debug: var=vcsim_instance
- name: Role creation
- name: Create a role without privileges
vmware_local_role_manager:
hostname: "{{ vcsim }}"
username: "{{ vcsim_instance['json']['username'] }}"
@ -40,14 +40,14 @@
state: present
register: role_creation_0001
- name: verify if role is created
- name: Verify if role is created
assert:
that:
- "{{ role_creation_0001.changed == true }}"
- "{{ role_creation_0001.role_id is defined }}"
- "{{ role_creation_0001.local_role_name is defined }}"
- name: Create role again
- name: Again create a role without privileges
vmware_local_role_manager:
hostname: "{{ vcsim }}"
username: "{{ vcsim_instance['json']['username'] }}"
@ -62,7 +62,7 @@
that:
- "{{ role_creation_0001.changed == false }}"
- name: delete role
- name: Delete a role
vmware_local_role_manager:
hostname: "{{ vcsim }}"
username: "{{ vcsim_instance['json']['username'] }}"
@ -72,12 +72,12 @@
state: absent
register: role_creation_0001
- name: verify if role is not present
- name: Verify if role is not present
assert:
that:
- "{{ role_creation_0001.changed == true }}"
- name: delete role again
- name: Delete role again
vmware_local_role_manager:
hostname: "{{ vcsim }}"
username: "{{ vcsim_instance['json']['username'] }}"
@ -87,12 +87,12 @@
state: absent
register: role_creation_0001
- name: verify if role is not present again
- name: Verify if role is absent again
assert:
that:
- "{{ role_creation_0001.changed == false }}"
- name: Create role with privileges
- name: Create a role with privileges
vmware_local_role_manager:
hostname: "{{ vcsim }}"
username: "{{ vcsim_instance['json']['username'] }}"
@ -103,27 +103,139 @@
state: present
register: role_creation_0001
- name: verify if role is created with privileges
- name: Verify if role is created with privileges
assert:
that:
- "{{ role_creation_0001.changed == true }}"
- "{{ role_creation_0001.role_id is defined }}"
- name: Create role with privileges additional privileges
- name: Add a privilege to existing privileges
vmware_local_role_manager:
hostname: "{{ vcsim }}"
username: "{{ vcsim_instance['json']['username'] }}"
password: "{{ vcsim_instance['json']['password'] }}"
local_role_name: SampleRole_0001
validate_certs: no
local_privilege_ids: ['VirtualMachine.State.RenameSnapshot', 'Folder.Create']
local_privilege_ids: ['Folder.Create']
action: add
state: present
register: role_creation_0001
- name: verify if role is created with updated privileges
- name: Verify if role is updated with updated privileges
assert:
that:
- "{{ role_creation_0001.changed == true }}"
- "{{ role_creation_0001.role_id is defined }}"
- "{{ role_creation_0001.old_privileges is defined }}"
- "{{ role_creation_0001.new_privileges is defined }}"
- name: Again add a privilege to existing privileges
vmware_local_role_manager:
hostname: "{{ vcsim }}"
username: "{{ vcsim_instance['json']['username'] }}"
password: "{{ vcsim_instance['json']['password'] }}"
local_role_name: SampleRole_0001
validate_certs: no
local_privilege_ids: ['Folder.Create']
action: add
state: present
register: role_creation_0001
- name: Verify if role is not updated
assert:
that:
- "{{ role_creation_0001.changed == false }}"
- "{{ role_creation_0001.role_id is defined }}"
- "{{ role_creation_0001.old_privileges is defined }}"
- "{{ role_creation_0001.new_privileges is defined }}"
- name: Remove a privilege from existing privileges
vmware_local_role_manager:
hostname: "{{ vcsim }}"
username: "{{ vcsim_instance['json']['username'] }}"
password: "{{ vcsim_instance['json']['password'] }}"
local_role_name: SampleRole_0001
validate_certs: no
local_privilege_ids: ['Folder.Create']
action: remove
register: role_creation_0001
- name: verify if role is updated with privileges
assert:
that:
- "{{ role_creation_0001.changed == true }}"
- "{{ role_creation_0001.role_id is defined }}"
- "{{ role_creation_0001.old_privileges is defined }}"
- "{{ role_creation_0001.new_privileges is defined }}"
- "{{ 'Folder.Create' not in role_creation_0001.new_privileges }}"
- name: Again remove a privilege from existing privileges
vmware_local_role_manager:
hostname: "{{ vcsim }}"
username: "{{ vcsim_instance['json']['username'] }}"
password: "{{ vcsim_instance['json']['password'] }}"
local_role_name: SampleRole_0001
validate_certs: no
local_privilege_ids: ['Folder.Create']
action: remove
register: role_creation_0001
- name: Verify if role is not updated
assert:
that:
- "{{ role_creation_0001.changed == false }}"
- "{{ role_creation_0001.role_id is defined }}"
- "{{ role_creation_0001.old_privileges is defined }}"
- "{{ role_creation_0001.new_privileges is defined }}"
- "{{ 'Folder.Create' not in role_creation_0001.new_privileges }}"
- "{{ 'Folder.Create' not in role_creation_0001.old_privileges }}"
- name: Set a privilege to an existing role
vmware_local_role_manager:
hostname: "{{ vcsim }}"
username: "{{ vcsim_instance['json']['username'] }}"
password: "{{ vcsim_instance['json']['password'] }}"
local_role_name: SampleRole_0001
validate_certs: no
local_privilege_ids: ['Folder.Create']
action: set
register: role_creation_0001
- name: Verify if role is updated with privileges
assert:
that:
- "{{ role_creation_0001.changed == true }}"
- "{{ role_creation_0001.role_id is defined }}"
- "{{ role_creation_0001.old_privileges is defined }}"
- "{{ role_creation_0001.new_privileges is defined }}"
- "{{ 'Folder.Create' in role_creation_0001.new_privileges }}"
- "{{ 'System.Anonymous' in role_creation_0001.new_privileges }}"
- "{{ 'System.Read' in role_creation_0001.new_privileges }}"
- "{{ 'System.View' in role_creation_0001.new_privileges }}"
- "{{ 'System.Anonymous' in role_creation_0001.old_privileges }}"
- "{{ 'System.Read' in role_creation_0001.old_privileges }}"
- "{{ 'System.View' in role_creation_0001.old_privileges }}"
- name: Again set a privilege to an existing role
vmware_local_role_manager:
hostname: "{{ vcsim }}"
username: "{{ vcsim_instance['json']['username'] }}"
password: "{{ vcsim_instance['json']['password'] }}"
local_role_name: SampleRole_0001
validate_certs: no
local_privilege_ids: ['Folder.Create']
action: set
register: role_creation_0001
- name: verify if role is not updated
assert:
that:
- "{{ role_creation_0001.changed == false }}"
- "{{ 'Folder.Create' in role_creation_0001.new_privileges }}"
- "{{ 'System.Anonymous' in role_creation_0001.new_privileges }}"
- "{{ 'System.Read' in role_creation_0001.new_privileges }}"
- "{{ 'System.View' in role_creation_0001.new_privileges }}"
- "{{ 'Folder.Create' in role_creation_0001.old_privileges }}"
- "{{ 'System.Anonymous' in role_creation_0001.old_privileges }}"
- "{{ 'System.Read' in role_creation_0001.old_privileges }}"
- "{{ 'System.View' in role_creation_0001.old_privileges }}"