mirror of
https://github.com/ansible-collections/community.general.git
synced 2024-09-14 20:13:21 +02:00
VMware: update vmware_local_role_manager with action (#44566)
With this fix user can add, remove and set privileges to an existing role with privileges. Fixes: #44391 Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
This commit is contained in:
parent
46856b0747
commit
e653a93044
2 changed files with 243 additions and 57 deletions
|
@ -20,10 +20,10 @@ DOCUMENTATION = '''
|
|||
module: vmware_local_role_manager
|
||||
short_description: Manage local roles on an ESXi host
|
||||
description:
|
||||
- Manage local roles on an ESXi host
|
||||
version_added: "2.5"
|
||||
- This module can be used to manage local roles on an ESXi host.
|
||||
version_added: 2.5
|
||||
author:
|
||||
- Abhijeet Kasurde (@Akasurde) <akasurde@redhat.com>
|
||||
- Abhijeet Kasurde (@Akasurde)
|
||||
notes:
|
||||
- Tested on ESXi 6.5
|
||||
- Be sure that the ESXi user used for login, has the appropriate rights to create / delete / edit roles
|
||||
|
@ -31,31 +31,39 @@ requirements:
|
|||
- "python >= 2.6"
|
||||
- PyVmomi
|
||||
options:
|
||||
local_role_name:
|
||||
description:
|
||||
- The local role name to be managed.
|
||||
required: True
|
||||
local_privilege_ids:
|
||||
description:
|
||||
- The list of privileges that role needs to have.
|
||||
- Please see U(https://docs.vmware.com/en/VMware-vSphere/6.0/com.vmware.vsphere.security.doc/GUID-ED56F3C4-77D0-49E3-88B6-B99B8B437B62.html)
|
||||
default: []
|
||||
state:
|
||||
description:
|
||||
- Indicate desired state of the role.
|
||||
- If the role already exists when C(state=present), the role info is updated.
|
||||
choices: ['present', 'absent']
|
||||
default: present
|
||||
force_remove:
|
||||
description:
|
||||
- If set to C(False) then prevents the role from being removed if any permissions are using it.
|
||||
default: False
|
||||
type: bool
|
||||
local_role_name:
|
||||
description:
|
||||
- The local role name to be managed.
|
||||
required: True
|
||||
local_privilege_ids:
|
||||
description:
|
||||
- The list of privileges that role needs to have.
|
||||
- Please see U(https://docs.vmware.com/en/VMware-vSphere/6.0/com.vmware.vsphere.security.doc/GUID-ED56F3C4-77D0-49E3-88B6-B99B8B437B62.html)
|
||||
default: []
|
||||
state:
|
||||
description:
|
||||
- Indicate desired state of the role.
|
||||
- If the role already exists when C(state=present), the role info is updated.
|
||||
choices: ['present', 'absent']
|
||||
default: present
|
||||
force_remove:
|
||||
description:
|
||||
- If set to C(False) then prevents the role from being removed if any permissions are using it.
|
||||
default: False
|
||||
type: bool
|
||||
action:
|
||||
description:
|
||||
- This parameter is only valid while updating an existing role with privileges.
|
||||
- C(add) will add the privileges to the existing privilege list.
|
||||
- C(remove) will remove the privileges from the existing privilege list.
|
||||
- C(set) will replace the privileges of the existing privileges with user defined list of privileges.
|
||||
default: set
|
||||
choices: [ add, remove, set ]
|
||||
version_added: 2.8
|
||||
extends_documentation_fragment: vmware.documentation
|
||||
'''
|
||||
|
||||
EXAMPLES = '''
|
||||
# Example vmware_local_role_manager command from Ansible Playbooks
|
||||
- name: Add local role to ESXi
|
||||
vmware_local_role_manager:
|
||||
hostname: '{{ esxi_hostname }}'
|
||||
|
@ -84,6 +92,35 @@ EXAMPLES = '''
|
|||
state: absent
|
||||
delegate_to: localhost
|
||||
|
||||
- name: Add a privilege to an existing local role
|
||||
vmware_local_role_manager:
|
||||
hostname: '{{ esxi_hostname }}'
|
||||
username: '{{ esxi_username }}'
|
||||
password: '{{ esxi_password }}'
|
||||
local_role_name: vmware_qa
|
||||
local_privilege_ids: [ 'Folder.Create' ]
|
||||
action: add
|
||||
delegate_to: localhost
|
||||
|
||||
- name: Remove a privilege to an existing local role
|
||||
vmware_local_role_manager:
|
||||
hostname: '{{ esxi_hostname }}'
|
||||
username: '{{ esxi_username }}'
|
||||
password: '{{ esxi_password }}'
|
||||
local_role_name: vmware_qa
|
||||
local_privilege_ids: [ 'Folder.Create' ]
|
||||
action: remove
|
||||
delegate_to: localhost
|
||||
|
||||
- name: Set a privilege to an existing local role
|
||||
vmware_local_role_manager:
|
||||
hostname: '{{ esxi_hostname }}'
|
||||
username: '{{ esxi_username }}'
|
||||
password: '{{ esxi_password }}'
|
||||
local_role_name: vmware_qa
|
||||
local_privilege_ids: [ 'Folder.Create' ]
|
||||
action: set
|
||||
delegate_to: localhost
|
||||
'''
|
||||
|
||||
RETURN = r'''
|
||||
|
@ -124,6 +161,7 @@ class VMwareLocalRoleManager(PyVmomi):
|
|||
self.priv_ids = self.params['local_privilege_ids']
|
||||
self.force = not self.params['force_remove']
|
||||
self.current_role = None
|
||||
self.action = self.params['action']
|
||||
|
||||
if self.content.authorizationManager is None:
|
||||
self.module.fail_json(msg="Failed to get local authorization manager settings.",
|
||||
|
@ -166,6 +204,7 @@ class VMwareLocalRoleManager(PyVmomi):
|
|||
return desired_role
|
||||
|
||||
def state_create_role(self):
|
||||
role_id = None
|
||||
try:
|
||||
role_id = self.content.authorizationManager.AddAuthorizationRole(name=self.role_name,
|
||||
privIds=self.priv_ids)
|
||||
|
@ -215,25 +254,56 @@ class VMwareLocalRoleManager(PyVmomi):
|
|||
self.module.exit_json(**result)
|
||||
|
||||
def state_exit_unchanged(self):
|
||||
self.module.exit_json(changed=False)
|
||||
role = self.find_authorization_role()
|
||||
result = dict(changed=False)
|
||||
|
||||
if role:
|
||||
result['role_id'] = role.roleId
|
||||
result['local_role_name'] = role.name
|
||||
result['old_privileges'] = [priv_name for priv_name in role.privilege]
|
||||
result['new_privileges'] = [priv_name for priv_name in role.privilege]
|
||||
|
||||
self.module.exit_json(**result)
|
||||
|
||||
def state_update_role(self):
|
||||
current_privileges = set(self.current_role.privilege)
|
||||
# Add system-defined privileges, "System.Anonymous", "System.View", and "System.Read".
|
||||
self.params['local_privilege_ids'].extend(['System.Anonymous', 'System.Read', 'System.View'])
|
||||
desired_privileges = set(self.params['local_privilege_ids'])
|
||||
current_privileges = self.current_role.privilege
|
||||
|
||||
changed_privileges = current_privileges ^ desired_privileges
|
||||
changed_privileges = list(changed_privileges)
|
||||
result = {
|
||||
'changed': False,
|
||||
'old_privileges': current_privileges,
|
||||
}
|
||||
|
||||
if not changed_privileges:
|
||||
changed_privileges = []
|
||||
changed = False
|
||||
if self.action == 'add':
|
||||
# Add to existing privileges
|
||||
for priv in self.params['local_privilege_ids']:
|
||||
if priv not in current_privileges:
|
||||
changed_privileges.append(priv)
|
||||
changed = True
|
||||
if changed:
|
||||
changed_privileges.extend(current_privileges)
|
||||
elif self.action == 'set':
|
||||
# Set given privileges
|
||||
# Add system-defined privileges, "System.Anonymous", "System.View", and "System.Read".
|
||||
self.params['local_privilege_ids'].extend(['System.Anonymous', 'System.Read', 'System.View'])
|
||||
changed_privileges = self.params['local_privilege_ids']
|
||||
|
||||
changes_applied = list(set(current_privileges) ^ set(changed_privileges))
|
||||
if changes_applied:
|
||||
changed = True
|
||||
elif self.action == 'remove':
|
||||
# Remove given privileges from existing privileges
|
||||
for priv in self.params['local_privilege_ids']:
|
||||
if priv in current_privileges:
|
||||
changed = True
|
||||
current_privileges.remove(priv)
|
||||
if changed:
|
||||
changed_privileges = current_privileges
|
||||
|
||||
if not changed:
|
||||
self.state_exit_unchanged()
|
||||
|
||||
# Delete unwanted privileges that are not required
|
||||
for priv in changed_privileges:
|
||||
if priv not in desired_privileges:
|
||||
changed_privileges.remove(priv)
|
||||
|
||||
try:
|
||||
self.content.authorizationManager.UpdateAuthorizationRole(roleId=self.current_role.roleId,
|
||||
newName=self.current_role.name,
|
||||
|
@ -256,14 +326,13 @@ class VMwareLocalRoleManager(PyVmomi):
|
|||
self.module.fail_json(msg="Failed to update Role %s as current session does not"
|
||||
" have any privilege to update specified role" % self.role_name,
|
||||
details=e.msg)
|
||||
|
||||
role = self.find_authorization_role()
|
||||
result = {
|
||||
'changed': True,
|
||||
'role_id': role.roleId,
|
||||
'local_role_name': role.name,
|
||||
'new_privileges': role.privilege,
|
||||
'old_privileges': current_privileges,
|
||||
}
|
||||
result['role_id'] = role.roleId,
|
||||
result['changed'] = changed
|
||||
result['local_role_name'] = role.name
|
||||
result['new_privileges'] = [priv_name for priv_name in role.privilege]
|
||||
|
||||
self.module.exit_json(**result)
|
||||
|
||||
|
||||
|
@ -272,6 +341,11 @@ def main():
|
|||
argument_spec.update(dict(local_role_name=dict(required=True, type='str'),
|
||||
local_privilege_ids=dict(default=[], type='list'),
|
||||
force_remove=dict(default=False, type='bool'),
|
||||
action=dict(type='str', default='set', choices=[
|
||||
'add',
|
||||
'set',
|
||||
'remove',
|
||||
]),
|
||||
state=dict(default='present', choices=['present', 'absent'], type='str')))
|
||||
|
||||
module = AnsibleModule(argument_spec=argument_spec,
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
# Test code for the vmware_local_role_manager module
|
||||
# Copyright: (c) 2017, Abhijeet Kasurde <akasurde@redhat.com>
|
||||
# Copyright: (c) 2017-2018, Abhijeet Kasurde <akasurde@redhat.com>
|
||||
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
|
||||
|
||||
- name: store the vcenter container ip
|
||||
|
@ -30,7 +30,7 @@
|
|||
|
||||
- debug: var=vcsim_instance
|
||||
|
||||
- name: Role creation
|
||||
- name: Create a role without privileges
|
||||
vmware_local_role_manager:
|
||||
hostname: "{{ vcsim }}"
|
||||
username: "{{ vcsim_instance['json']['username'] }}"
|
||||
|
@ -40,14 +40,14 @@
|
|||
state: present
|
||||
register: role_creation_0001
|
||||
|
||||
- name: verify if role is created
|
||||
- name: Verify if role is created
|
||||
assert:
|
||||
that:
|
||||
- "{{ role_creation_0001.changed == true }}"
|
||||
- "{{ role_creation_0001.role_id is defined }}"
|
||||
- "{{ role_creation_0001.local_role_name is defined }}"
|
||||
|
||||
- name: Create role again
|
||||
- name: Again create a role without privileges
|
||||
vmware_local_role_manager:
|
||||
hostname: "{{ vcsim }}"
|
||||
username: "{{ vcsim_instance['json']['username'] }}"
|
||||
|
@ -62,7 +62,7 @@
|
|||
that:
|
||||
- "{{ role_creation_0001.changed == false }}"
|
||||
|
||||
- name: delete role
|
||||
- name: Delete a role
|
||||
vmware_local_role_manager:
|
||||
hostname: "{{ vcsim }}"
|
||||
username: "{{ vcsim_instance['json']['username'] }}"
|
||||
|
@ -72,12 +72,12 @@
|
|||
state: absent
|
||||
register: role_creation_0001
|
||||
|
||||
- name: verify if role is not present
|
||||
- name: Verify if role is not present
|
||||
assert:
|
||||
that:
|
||||
- "{{ role_creation_0001.changed == true }}"
|
||||
|
||||
- name: delete role again
|
||||
- name: Delete role again
|
||||
vmware_local_role_manager:
|
||||
hostname: "{{ vcsim }}"
|
||||
username: "{{ vcsim_instance['json']['username'] }}"
|
||||
|
@ -87,12 +87,12 @@
|
|||
state: absent
|
||||
register: role_creation_0001
|
||||
|
||||
- name: verify if role is not present again
|
||||
- name: Verify if role is absent again
|
||||
assert:
|
||||
that:
|
||||
- "{{ role_creation_0001.changed == false }}"
|
||||
|
||||
- name: Create role with privileges
|
||||
- name: Create a role with privileges
|
||||
vmware_local_role_manager:
|
||||
hostname: "{{ vcsim }}"
|
||||
username: "{{ vcsim_instance['json']['username'] }}"
|
||||
|
@ -103,27 +103,139 @@
|
|||
state: present
|
||||
register: role_creation_0001
|
||||
|
||||
- name: verify if role is created with privileges
|
||||
- name: Verify if role is created with privileges
|
||||
assert:
|
||||
that:
|
||||
- "{{ role_creation_0001.changed == true }}"
|
||||
- "{{ role_creation_0001.role_id is defined }}"
|
||||
|
||||
- name: Create role with privileges additional privileges
|
||||
- name: Add a privilege to existing privileges
|
||||
vmware_local_role_manager:
|
||||
hostname: "{{ vcsim }}"
|
||||
username: "{{ vcsim_instance['json']['username'] }}"
|
||||
password: "{{ vcsim_instance['json']['password'] }}"
|
||||
local_role_name: SampleRole_0001
|
||||
validate_certs: no
|
||||
local_privilege_ids: ['VirtualMachine.State.RenameSnapshot', 'Folder.Create']
|
||||
local_privilege_ids: ['Folder.Create']
|
||||
action: add
|
||||
state: present
|
||||
register: role_creation_0001
|
||||
|
||||
- name: verify if role is created with updated privileges
|
||||
- name: Verify if role is updated with updated privileges
|
||||
assert:
|
||||
that:
|
||||
- "{{ role_creation_0001.changed == true }}"
|
||||
- "{{ role_creation_0001.role_id is defined }}"
|
||||
- "{{ role_creation_0001.old_privileges is defined }}"
|
||||
- "{{ role_creation_0001.new_privileges is defined }}"
|
||||
|
||||
- name: Again add a privilege to existing privileges
|
||||
vmware_local_role_manager:
|
||||
hostname: "{{ vcsim }}"
|
||||
username: "{{ vcsim_instance['json']['username'] }}"
|
||||
password: "{{ vcsim_instance['json']['password'] }}"
|
||||
local_role_name: SampleRole_0001
|
||||
validate_certs: no
|
||||
local_privilege_ids: ['Folder.Create']
|
||||
action: add
|
||||
state: present
|
||||
register: role_creation_0001
|
||||
|
||||
- name: Verify if role is not updated
|
||||
assert:
|
||||
that:
|
||||
- "{{ role_creation_0001.changed == false }}"
|
||||
- "{{ role_creation_0001.role_id is defined }}"
|
||||
- "{{ role_creation_0001.old_privileges is defined }}"
|
||||
- "{{ role_creation_0001.new_privileges is defined }}"
|
||||
|
||||
- name: Remove a privilege from existing privileges
|
||||
vmware_local_role_manager:
|
||||
hostname: "{{ vcsim }}"
|
||||
username: "{{ vcsim_instance['json']['username'] }}"
|
||||
password: "{{ vcsim_instance['json']['password'] }}"
|
||||
local_role_name: SampleRole_0001
|
||||
validate_certs: no
|
||||
local_privilege_ids: ['Folder.Create']
|
||||
action: remove
|
||||
register: role_creation_0001
|
||||
|
||||
- name: verify if role is updated with privileges
|
||||
assert:
|
||||
that:
|
||||
- "{{ role_creation_0001.changed == true }}"
|
||||
- "{{ role_creation_0001.role_id is defined }}"
|
||||
- "{{ role_creation_0001.old_privileges is defined }}"
|
||||
- "{{ role_creation_0001.new_privileges is defined }}"
|
||||
- "{{ 'Folder.Create' not in role_creation_0001.new_privileges }}"
|
||||
|
||||
- name: Again remove a privilege from existing privileges
|
||||
vmware_local_role_manager:
|
||||
hostname: "{{ vcsim }}"
|
||||
username: "{{ vcsim_instance['json']['username'] }}"
|
||||
password: "{{ vcsim_instance['json']['password'] }}"
|
||||
local_role_name: SampleRole_0001
|
||||
validate_certs: no
|
||||
local_privilege_ids: ['Folder.Create']
|
||||
action: remove
|
||||
register: role_creation_0001
|
||||
|
||||
- name: Verify if role is not updated
|
||||
assert:
|
||||
that:
|
||||
- "{{ role_creation_0001.changed == false }}"
|
||||
- "{{ role_creation_0001.role_id is defined }}"
|
||||
- "{{ role_creation_0001.old_privileges is defined }}"
|
||||
- "{{ role_creation_0001.new_privileges is defined }}"
|
||||
- "{{ 'Folder.Create' not in role_creation_0001.new_privileges }}"
|
||||
- "{{ 'Folder.Create' not in role_creation_0001.old_privileges }}"
|
||||
|
||||
- name: Set a privilege to an existing role
|
||||
vmware_local_role_manager:
|
||||
hostname: "{{ vcsim }}"
|
||||
username: "{{ vcsim_instance['json']['username'] }}"
|
||||
password: "{{ vcsim_instance['json']['password'] }}"
|
||||
local_role_name: SampleRole_0001
|
||||
validate_certs: no
|
||||
local_privilege_ids: ['Folder.Create']
|
||||
action: set
|
||||
register: role_creation_0001
|
||||
|
||||
- name: Verify if role is updated with privileges
|
||||
assert:
|
||||
that:
|
||||
- "{{ role_creation_0001.changed == true }}"
|
||||
- "{{ role_creation_0001.role_id is defined }}"
|
||||
- "{{ role_creation_0001.old_privileges is defined }}"
|
||||
- "{{ role_creation_0001.new_privileges is defined }}"
|
||||
- "{{ 'Folder.Create' in role_creation_0001.new_privileges }}"
|
||||
- "{{ 'System.Anonymous' in role_creation_0001.new_privileges }}"
|
||||
- "{{ 'System.Read' in role_creation_0001.new_privileges }}"
|
||||
- "{{ 'System.View' in role_creation_0001.new_privileges }}"
|
||||
- "{{ 'System.Anonymous' in role_creation_0001.old_privileges }}"
|
||||
- "{{ 'System.Read' in role_creation_0001.old_privileges }}"
|
||||
- "{{ 'System.View' in role_creation_0001.old_privileges }}"
|
||||
|
||||
- name: Again set a privilege to an existing role
|
||||
vmware_local_role_manager:
|
||||
hostname: "{{ vcsim }}"
|
||||
username: "{{ vcsim_instance['json']['username'] }}"
|
||||
password: "{{ vcsim_instance['json']['password'] }}"
|
||||
local_role_name: SampleRole_0001
|
||||
validate_certs: no
|
||||
local_privilege_ids: ['Folder.Create']
|
||||
action: set
|
||||
register: role_creation_0001
|
||||
|
||||
- name: verify if role is not updated
|
||||
assert:
|
||||
that:
|
||||
- "{{ role_creation_0001.changed == false }}"
|
||||
- "{{ 'Folder.Create' in role_creation_0001.new_privileges }}"
|
||||
- "{{ 'System.Anonymous' in role_creation_0001.new_privileges }}"
|
||||
- "{{ 'System.Read' in role_creation_0001.new_privileges }}"
|
||||
- "{{ 'System.View' in role_creation_0001.new_privileges }}"
|
||||
- "{{ 'Folder.Create' in role_creation_0001.old_privileges }}"
|
||||
- "{{ 'System.Anonymous' in role_creation_0001.old_privileges }}"
|
||||
- "{{ 'System.Read' in role_creation_0001.old_privileges }}"
|
||||
- "{{ 'System.View' in role_creation_0001.old_privileges }}"
|
||||
|
|
Loading…
Reference in a new issue