From e653a93044bb9b747807cf7c6d8f12160796ee13 Mon Sep 17 00:00:00 2001 From: Abhijeet Kasurde Date: Fri, 7 Sep 2018 09:33:50 +0530 Subject: [PATCH] VMware: update vmware_local_role_manager with action (#44566) With this fix user can add, remove and set privileges to an existing role with privileges. Fixes: #44391 Signed-off-by: Abhijeet Kasurde --- .../cloud/vmware/vmware_local_role_manager.py | 162 +++++++++++++----- .../vmware_local_role_manager/tasks/main.yml | 138 +++++++++++++-- 2 files changed, 243 insertions(+), 57 deletions(-) diff --git a/lib/ansible/modules/cloud/vmware/vmware_local_role_manager.py b/lib/ansible/modules/cloud/vmware/vmware_local_role_manager.py index e03407daca..0520934033 100644 --- a/lib/ansible/modules/cloud/vmware/vmware_local_role_manager.py +++ b/lib/ansible/modules/cloud/vmware/vmware_local_role_manager.py @@ -20,10 +20,10 @@ DOCUMENTATION = ''' module: vmware_local_role_manager short_description: Manage local roles on an ESXi host description: - - Manage local roles on an ESXi host -version_added: "2.5" + - This module can be used to manage local roles on an ESXi host. +version_added: 2.5 author: -- Abhijeet Kasurde (@Akasurde) +- Abhijeet Kasurde (@Akasurde) notes: - Tested on ESXi 6.5 - Be sure that the ESXi user used for login, has the appropriate rights to create / delete / edit roles @@ -31,31 +31,39 @@ requirements: - "python >= 2.6" - PyVmomi options: - local_role_name: - description: - - The local role name to be managed. - required: True - local_privilege_ids: - description: - - The list of privileges that role needs to have. - - Please see U(https://docs.vmware.com/en/VMware-vSphere/6.0/com.vmware.vsphere.security.doc/GUID-ED56F3C4-77D0-49E3-88B6-B99B8B437B62.html) - default: [] - state: - description: - - Indicate desired state of the role. - - If the role already exists when C(state=present), the role info is updated. - choices: ['present', 'absent'] - default: present - force_remove: - description: - - If set to C(False) then prevents the role from being removed if any permissions are using it. - default: False - type: bool + local_role_name: + description: + - The local role name to be managed. + required: True + local_privilege_ids: + description: + - The list of privileges that role needs to have. + - Please see U(https://docs.vmware.com/en/VMware-vSphere/6.0/com.vmware.vsphere.security.doc/GUID-ED56F3C4-77D0-49E3-88B6-B99B8B437B62.html) + default: [] + state: + description: + - Indicate desired state of the role. + - If the role already exists when C(state=present), the role info is updated. + choices: ['present', 'absent'] + default: present + force_remove: + description: + - If set to C(False) then prevents the role from being removed if any permissions are using it. + default: False + type: bool + action: + description: + - This parameter is only valid while updating an existing role with privileges. + - C(add) will add the privileges to the existing privilege list. + - C(remove) will remove the privileges from the existing privilege list. + - C(set) will replace the privileges of the existing privileges with user defined list of privileges. + default: set + choices: [ add, remove, set ] + version_added: 2.8 extends_documentation_fragment: vmware.documentation ''' EXAMPLES = ''' -# Example vmware_local_role_manager command from Ansible Playbooks - name: Add local role to ESXi vmware_local_role_manager: hostname: '{{ esxi_hostname }}' @@ -84,6 +92,35 @@ EXAMPLES = ''' state: absent delegate_to: localhost +- name: Add a privilege to an existing local role + vmware_local_role_manager: + hostname: '{{ esxi_hostname }}' + username: '{{ esxi_username }}' + password: '{{ esxi_password }}' + local_role_name: vmware_qa + local_privilege_ids: [ 'Folder.Create' ] + action: add + delegate_to: localhost + +- name: Remove a privilege to an existing local role + vmware_local_role_manager: + hostname: '{{ esxi_hostname }}' + username: '{{ esxi_username }}' + password: '{{ esxi_password }}' + local_role_name: vmware_qa + local_privilege_ids: [ 'Folder.Create' ] + action: remove + delegate_to: localhost + +- name: Set a privilege to an existing local role + vmware_local_role_manager: + hostname: '{{ esxi_hostname }}' + username: '{{ esxi_username }}' + password: '{{ esxi_password }}' + local_role_name: vmware_qa + local_privilege_ids: [ 'Folder.Create' ] + action: set + delegate_to: localhost ''' RETURN = r''' @@ -124,6 +161,7 @@ class VMwareLocalRoleManager(PyVmomi): self.priv_ids = self.params['local_privilege_ids'] self.force = not self.params['force_remove'] self.current_role = None + self.action = self.params['action'] if self.content.authorizationManager is None: self.module.fail_json(msg="Failed to get local authorization manager settings.", @@ -166,6 +204,7 @@ class VMwareLocalRoleManager(PyVmomi): return desired_role def state_create_role(self): + role_id = None try: role_id = self.content.authorizationManager.AddAuthorizationRole(name=self.role_name, privIds=self.priv_ids) @@ -215,25 +254,56 @@ class VMwareLocalRoleManager(PyVmomi): self.module.exit_json(**result) def state_exit_unchanged(self): - self.module.exit_json(changed=False) + role = self.find_authorization_role() + result = dict(changed=False) + + if role: + result['role_id'] = role.roleId + result['local_role_name'] = role.name + result['old_privileges'] = [priv_name for priv_name in role.privilege] + result['new_privileges'] = [priv_name for priv_name in role.privilege] + + self.module.exit_json(**result) def state_update_role(self): - current_privileges = set(self.current_role.privilege) - # Add system-defined privileges, "System.Anonymous", "System.View", and "System.Read". - self.params['local_privilege_ids'].extend(['System.Anonymous', 'System.Read', 'System.View']) - desired_privileges = set(self.params['local_privilege_ids']) + current_privileges = self.current_role.privilege - changed_privileges = current_privileges ^ desired_privileges - changed_privileges = list(changed_privileges) + result = { + 'changed': False, + 'old_privileges': current_privileges, + } - if not changed_privileges: + changed_privileges = [] + changed = False + if self.action == 'add': + # Add to existing privileges + for priv in self.params['local_privilege_ids']: + if priv not in current_privileges: + changed_privileges.append(priv) + changed = True + if changed: + changed_privileges.extend(current_privileges) + elif self.action == 'set': + # Set given privileges + # Add system-defined privileges, "System.Anonymous", "System.View", and "System.Read". + self.params['local_privilege_ids'].extend(['System.Anonymous', 'System.Read', 'System.View']) + changed_privileges = self.params['local_privilege_ids'] + + changes_applied = list(set(current_privileges) ^ set(changed_privileges)) + if changes_applied: + changed = True + elif self.action == 'remove': + # Remove given privileges from existing privileges + for priv in self.params['local_privilege_ids']: + if priv in current_privileges: + changed = True + current_privileges.remove(priv) + if changed: + changed_privileges = current_privileges + + if not changed: self.state_exit_unchanged() - # Delete unwanted privileges that are not required - for priv in changed_privileges: - if priv not in desired_privileges: - changed_privileges.remove(priv) - try: self.content.authorizationManager.UpdateAuthorizationRole(roleId=self.current_role.roleId, newName=self.current_role.name, @@ -256,14 +326,13 @@ class VMwareLocalRoleManager(PyVmomi): self.module.fail_json(msg="Failed to update Role %s as current session does not" " have any privilege to update specified role" % self.role_name, details=e.msg) + role = self.find_authorization_role() - result = { - 'changed': True, - 'role_id': role.roleId, - 'local_role_name': role.name, - 'new_privileges': role.privilege, - 'old_privileges': current_privileges, - } + result['role_id'] = role.roleId, + result['changed'] = changed + result['local_role_name'] = role.name + result['new_privileges'] = [priv_name for priv_name in role.privilege] + self.module.exit_json(**result) @@ -272,6 +341,11 @@ def main(): argument_spec.update(dict(local_role_name=dict(required=True, type='str'), local_privilege_ids=dict(default=[], type='list'), force_remove=dict(default=False, type='bool'), + action=dict(type='str', default='set', choices=[ + 'add', + 'set', + 'remove', + ]), state=dict(default='present', choices=['present', 'absent'], type='str'))) module = AnsibleModule(argument_spec=argument_spec, diff --git a/test/integration/targets/vmware_local_role_manager/tasks/main.yml b/test/integration/targets/vmware_local_role_manager/tasks/main.yml index 5a31df6560..6831a29321 100644 --- a/test/integration/targets/vmware_local_role_manager/tasks/main.yml +++ b/test/integration/targets/vmware_local_role_manager/tasks/main.yml @@ -1,5 +1,5 @@ # Test code for the vmware_local_role_manager module -# Copyright: (c) 2017, Abhijeet Kasurde +# Copyright: (c) 2017-2018, Abhijeet Kasurde # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) - name: store the vcenter container ip @@ -30,7 +30,7 @@ - debug: var=vcsim_instance -- name: Role creation +- name: Create a role without privileges vmware_local_role_manager: hostname: "{{ vcsim }}" username: "{{ vcsim_instance['json']['username'] }}" @@ -40,14 +40,14 @@ state: present register: role_creation_0001 -- name: verify if role is created +- name: Verify if role is created assert: that: - "{{ role_creation_0001.changed == true }}" - "{{ role_creation_0001.role_id is defined }}" - "{{ role_creation_0001.local_role_name is defined }}" -- name: Create role again +- name: Again create a role without privileges vmware_local_role_manager: hostname: "{{ vcsim }}" username: "{{ vcsim_instance['json']['username'] }}" @@ -62,7 +62,7 @@ that: - "{{ role_creation_0001.changed == false }}" -- name: delete role +- name: Delete a role vmware_local_role_manager: hostname: "{{ vcsim }}" username: "{{ vcsim_instance['json']['username'] }}" @@ -72,12 +72,12 @@ state: absent register: role_creation_0001 -- name: verify if role is not present +- name: Verify if role is not present assert: that: - "{{ role_creation_0001.changed == true }}" -- name: delete role again +- name: Delete role again vmware_local_role_manager: hostname: "{{ vcsim }}" username: "{{ vcsim_instance['json']['username'] }}" @@ -87,12 +87,12 @@ state: absent register: role_creation_0001 -- name: verify if role is not present again +- name: Verify if role is absent again assert: that: - "{{ role_creation_0001.changed == false }}" -- name: Create role with privileges +- name: Create a role with privileges vmware_local_role_manager: hostname: "{{ vcsim }}" username: "{{ vcsim_instance['json']['username'] }}" @@ -103,27 +103,139 @@ state: present register: role_creation_0001 -- name: verify if role is created with privileges +- name: Verify if role is created with privileges assert: that: - "{{ role_creation_0001.changed == true }}" - "{{ role_creation_0001.role_id is defined }}" -- name: Create role with privileges additional privileges +- name: Add a privilege to existing privileges vmware_local_role_manager: hostname: "{{ vcsim }}" username: "{{ vcsim_instance['json']['username'] }}" password: "{{ vcsim_instance['json']['password'] }}" local_role_name: SampleRole_0001 validate_certs: no - local_privilege_ids: ['VirtualMachine.State.RenameSnapshot', 'Folder.Create'] + local_privilege_ids: ['Folder.Create'] + action: add state: present register: role_creation_0001 -- name: verify if role is created with updated privileges +- name: Verify if role is updated with updated privileges assert: that: - "{{ role_creation_0001.changed == true }}" - "{{ role_creation_0001.role_id is defined }}" - "{{ role_creation_0001.old_privileges is defined }}" - "{{ role_creation_0001.new_privileges is defined }}" + +- name: Again add a privilege to existing privileges + vmware_local_role_manager: + hostname: "{{ vcsim }}" + username: "{{ vcsim_instance['json']['username'] }}" + password: "{{ vcsim_instance['json']['password'] }}" + local_role_name: SampleRole_0001 + validate_certs: no + local_privilege_ids: ['Folder.Create'] + action: add + state: present + register: role_creation_0001 + +- name: Verify if role is not updated + assert: + that: + - "{{ role_creation_0001.changed == false }}" + - "{{ role_creation_0001.role_id is defined }}" + - "{{ role_creation_0001.old_privileges is defined }}" + - "{{ role_creation_0001.new_privileges is defined }}" + +- name: Remove a privilege from existing privileges + vmware_local_role_manager: + hostname: "{{ vcsim }}" + username: "{{ vcsim_instance['json']['username'] }}" + password: "{{ vcsim_instance['json']['password'] }}" + local_role_name: SampleRole_0001 + validate_certs: no + local_privilege_ids: ['Folder.Create'] + action: remove + register: role_creation_0001 + +- name: verify if role is updated with privileges + assert: + that: + - "{{ role_creation_0001.changed == true }}" + - "{{ role_creation_0001.role_id is defined }}" + - "{{ role_creation_0001.old_privileges is defined }}" + - "{{ role_creation_0001.new_privileges is defined }}" + - "{{ 'Folder.Create' not in role_creation_0001.new_privileges }}" + +- name: Again remove a privilege from existing privileges + vmware_local_role_manager: + hostname: "{{ vcsim }}" + username: "{{ vcsim_instance['json']['username'] }}" + password: "{{ vcsim_instance['json']['password'] }}" + local_role_name: SampleRole_0001 + validate_certs: no + local_privilege_ids: ['Folder.Create'] + action: remove + register: role_creation_0001 + +- name: Verify if role is not updated + assert: + that: + - "{{ role_creation_0001.changed == false }}" + - "{{ role_creation_0001.role_id is defined }}" + - "{{ role_creation_0001.old_privileges is defined }}" + - "{{ role_creation_0001.new_privileges is defined }}" + - "{{ 'Folder.Create' not in role_creation_0001.new_privileges }}" + - "{{ 'Folder.Create' not in role_creation_0001.old_privileges }}" + +- name: Set a privilege to an existing role + vmware_local_role_manager: + hostname: "{{ vcsim }}" + username: "{{ vcsim_instance['json']['username'] }}" + password: "{{ vcsim_instance['json']['password'] }}" + local_role_name: SampleRole_0001 + validate_certs: no + local_privilege_ids: ['Folder.Create'] + action: set + register: role_creation_0001 + +- name: Verify if role is updated with privileges + assert: + that: + - "{{ role_creation_0001.changed == true }}" + - "{{ role_creation_0001.role_id is defined }}" + - "{{ role_creation_0001.old_privileges is defined }}" + - "{{ role_creation_0001.new_privileges is defined }}" + - "{{ 'Folder.Create' in role_creation_0001.new_privileges }}" + - "{{ 'System.Anonymous' in role_creation_0001.new_privileges }}" + - "{{ 'System.Read' in role_creation_0001.new_privileges }}" + - "{{ 'System.View' in role_creation_0001.new_privileges }}" + - "{{ 'System.Anonymous' in role_creation_0001.old_privileges }}" + - "{{ 'System.Read' in role_creation_0001.old_privileges }}" + - "{{ 'System.View' in role_creation_0001.old_privileges }}" + +- name: Again set a privilege to an existing role + vmware_local_role_manager: + hostname: "{{ vcsim }}" + username: "{{ vcsim_instance['json']['username'] }}" + password: "{{ vcsim_instance['json']['password'] }}" + local_role_name: SampleRole_0001 + validate_certs: no + local_privilege_ids: ['Folder.Create'] + action: set + register: role_creation_0001 + +- name: verify if role is not updated + assert: + that: + - "{{ role_creation_0001.changed == false }}" + - "{{ 'Folder.Create' in role_creation_0001.new_privileges }}" + - "{{ 'System.Anonymous' in role_creation_0001.new_privileges }}" + - "{{ 'System.Read' in role_creation_0001.new_privileges }}" + - "{{ 'System.View' in role_creation_0001.new_privileges }}" + - "{{ 'Folder.Create' in role_creation_0001.old_privileges }}" + - "{{ 'System.Anonymous' in role_creation_0001.old_privileges }}" + - "{{ 'System.Read' in role_creation_0001.old_privileges }}" + - "{{ 'System.View' in role_creation_0001.old_privileges }}"