VMware: update vmware_local_role_manager with action (#44566)

With this fix user can add, remove and set privileges to an existing role with privileges. Fixes: #44391 Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
2024-09-14 20:13:21 +02:00 · 2018-09-07 09:33:50 +05:30 · 2018-09-07 09:33:50 +05:30 · e653a93044
commit e653a93044
parent 46856b0747
2 changed files with 243 additions and 57 deletions
--- a/lib/ansible/modules/cloud/vmware/vmware_local_role_manager.py
+++ b/lib/ansible/modules/cloud/vmware/vmware_local_role_manager.py
@ -20,10 +20,10 @@ DOCUMENTATION = '''
 module: vmware_local_role_manager
 short_description: Manage local roles on an ESXi host
 description:
-    - Manage local roles on an ESXi host
+    - This module can be used to manage local roles on an ESXi host.
-version_added: "2.5"
+version_added: 2.5
 author:
- Abhijeet Kasurde (@Akasurde) <akasurde@redhat.com>
+- Abhijeet Kasurde (@Akasurde)
 notes:
    - Tested on ESXi 6.5
    - Be sure that the ESXi user used for login, has the appropriate rights to create / delete / edit roles
@ -51,11 +51,19 @@ options:
    - If set to C(False) then prevents the role from being removed if any permissions are using it.
    default: False
    type: bool
  action:
    description:
    - This parameter is only valid while updating an existing role with privileges.
    - C(add) will add the privileges to the existing privilege list.
    - C(remove) will remove the privileges from the existing privilege list.
    - C(set) will replace the privileges of the existing privileges with user defined list of privileges.
    default: set
    choices: [ add, remove, set ]
    version_added: 2.8
 extends_documentation_fragment: vmware.documentation
 '''
 EXAMPLES = '''
 # Example vmware_local_role_manager command from Ansible Playbooks
 - name: Add local role to ESXi
  vmware_local_role_manager:
    hostname: '{{ esxi_hostname }}'
@ -84,6 +92,35 @@ EXAMPLES = '''
    state: absent
  delegate_to: localhost
 - name: Add a privilege to an existing local role
  vmware_local_role_manager:
    hostname: '{{ esxi_hostname }}'
    username: '{{ esxi_username }}'
    password: '{{ esxi_password }}'
    local_role_name: vmware_qa
    local_privilege_ids: [ 'Folder.Create' ]
    action: add
  delegate_to: localhost
 - name: Remove a privilege to an existing local role
  vmware_local_role_manager:
    hostname: '{{ esxi_hostname }}'
    username: '{{ esxi_username }}'
    password: '{{ esxi_password }}'
    local_role_name: vmware_qa
    local_privilege_ids: [ 'Folder.Create' ]
    action: remove
  delegate_to: localhost
 - name: Set a privilege to an existing local role
  vmware_local_role_manager:
    hostname: '{{ esxi_hostname }}'
    username: '{{ esxi_username }}'
    password: '{{ esxi_password }}'
    local_role_name: vmware_qa
    local_privilege_ids: [ 'Folder.Create' ]
    action: set
  delegate_to: localhost
 '''
 RETURN = r'''
@ -124,6 +161,7 @@ class VMwareLocalRoleManager(PyVmomi):
        self.priv_ids = self.params['local_privilege_ids']
        self.force = not self.params['force_remove']
        self.current_role = None
        self.action = self.params['action']
        if self.content.authorizationManager is None:
            self.module.fail_json(msg="Failed to get local authorization manager settings.",
@ -166,6 +204,7 @@ class VMwareLocalRoleManager(PyVmomi):
        return desired_role
    def state_create_role(self):
        role_id = None
        try:
            role_id = self.content.authorizationManager.AddAuthorizationRole(name=self.role_name,
                                                                             privIds=self.priv_ids)
@ -215,25 +254,56 @@ class VMwareLocalRoleManager(PyVmomi):
        self.module.exit_json(**result)
    def state_exit_unchanged(self):
-        self.module.exit_json(changed=False)
+        role = self.find_authorization_role()
        result = dict(changed=False)
        if role:
            result['role_id'] = role.roleId
            result['local_role_name'] = role.name
            result['old_privileges'] = [priv_name for priv_name in role.privilege]
            result['new_privileges'] = [priv_name for priv_name in role.privilege]
        self.module.exit_json(**result)
    def state_update_role(self):
-        current_privileges = set(self.current_role.privilege)
+        current_privileges = self.current_role.privilege
        result = {
            'changed': False,
            'old_privileges': current_privileges,
        }
        changed_privileges = []
        changed = False
        if self.action == 'add':
            # Add to existing privileges
            for priv in self.params['local_privilege_ids']:
                if priv not in current_privileges:
                    changed_privileges.append(priv)
                    changed = True
            if changed:
                changed_privileges.extend(current_privileges)
        elif self.action == 'set':
            # Set given privileges
            # Add system-defined privileges, "System.Anonymous", "System.View", and "System.Read".
            self.params['local_privilege_ids'].extend(['System.Anonymous', 'System.Read', 'System.View'])
-        desired_privileges = set(self.params['local_privilege_ids'])
+            changed_privileges = self.params['local_privilege_ids']
-        changed_privileges = current_privileges ^ desired_privileges
+            changes_applied = list(set(current_privileges) ^ set(changed_privileges))
-        changed_privileges = list(changed_privileges)
+            if changes_applied:
                changed = True
        elif self.action == 'remove':
            # Remove given privileges from existing privileges
            for priv in self.params['local_privilege_ids']:
                if priv in current_privileges:
                    changed = True
                    current_privileges.remove(priv)
            if changed:
                changed_privileges = current_privileges
-        if not changed_privileges:
+        if not changed:
            self.state_exit_unchanged()
        # Delete unwanted privileges that are not required
        for priv in changed_privileges:
            if priv not in desired_privileges:
                changed_privileges.remove(priv)
        try:
            self.content.authorizationManager.UpdateAuthorizationRole(roleId=self.current_role.roleId,
                                                                      newName=self.current_role.name,
@ -256,14 +326,13 @@ class VMwareLocalRoleManager(PyVmomi):
            self.module.fail_json(msg="Failed to update Role %s as current session does not"
                                      " have any privilege to update specified role" % self.role_name,
                                  details=e.msg)
        role = self.find_authorization_role()
-        result = {
+        result['role_id'] = role.roleId,
-            'changed': True,
+        result['changed'] = changed
-            'role_id': role.roleId,
+        result['local_role_name'] = role.name
-            'local_role_name': role.name,
+        result['new_privileges'] = [priv_name for priv_name in role.privilege]
-            'new_privileges': role.privilege,
+
            'old_privileges': current_privileges,
        }
        self.module.exit_json(**result)
@ -272,6 +341,11 @@ def main():
    argument_spec.update(dict(local_role_name=dict(required=True, type='str'),
                              local_privilege_ids=dict(default=[], type='list'),
                              force_remove=dict(default=False, type='bool'),
                              action=dict(type='str', default='set', choices=[
                                  'add',
                                  'set',
                                  'remove',
                              ]),
                              state=dict(default='present', choices=['present', 'absent'], type='str')))
    module = AnsibleModule(argument_spec=argument_spec,
--- a/test/integration/targets/vmware_local_role_manager/tasks/main.yml
+++ b/test/integration/targets/vmware_local_role_manager/tasks/main.yml
@ -1,5 +1,5 @@
 # Test code for the vmware_local_role_manager module
-# Copyright: (c) 2017, Abhijeet Kasurde <akasurde@redhat.com>
+# Copyright: (c) 2017-2018, Abhijeet Kasurde <akasurde@redhat.com>
 # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
 - name: store the vcenter container ip
@ -30,7 +30,7 @@
 - debug: var=vcsim_instance
- name: Role creation
+- name: Create a role without privileges
  vmware_local_role_manager:
    hostname: "{{ vcsim }}"
    username: "{{ vcsim_instance['json']['username'] }}"
@ -40,14 +40,14 @@
    state: present
  register: role_creation_0001
- name: verify if role is created
+- name: Verify if role is created
  assert:
    that:
      - "{{ role_creation_0001.changed == true }}"
      - "{{ role_creation_0001.role_id is defined }}"
      - "{{ role_creation_0001.local_role_name is defined }}"
- name: Create role again
+- name: Again create a role without privileges
  vmware_local_role_manager:
    hostname: "{{ vcsim }}"
    username: "{{ vcsim_instance['json']['username'] }}"
@ -62,7 +62,7 @@
    that:
      - "{{ role_creation_0001.changed == false }}"
- name: delete role
+- name: Delete a role
  vmware_local_role_manager:
    hostname: "{{ vcsim }}"
    username: "{{ vcsim_instance['json']['username'] }}"
@ -72,12 +72,12 @@
    state: absent
  register: role_creation_0001
- name: verify if role is not present
+- name: Verify if role is not present
  assert:
    that:
      - "{{ role_creation_0001.changed == true }}"
- name: delete role again
+- name: Delete role again
  vmware_local_role_manager:
    hostname: "{{ vcsim }}"
    username: "{{ vcsim_instance['json']['username'] }}"
@ -87,12 +87,12 @@
    state: absent
  register: role_creation_0001
- name: verify if role is not present again
+- name: Verify if role is absent again
  assert:
    that:
      - "{{ role_creation_0001.changed == false }}"
- name: Create role with privileges
+- name: Create a role with privileges
  vmware_local_role_manager:
    hostname: "{{ vcsim }}"
    username: "{{ vcsim_instance['json']['username'] }}"
@ -103,27 +103,139 @@
    state: present
  register: role_creation_0001
- name: verify if role is created with privileges
+- name: Verify if role is created with privileges
  assert:
    that:
      - "{{ role_creation_0001.changed == true }}"
      - "{{ role_creation_0001.role_id is defined }}"
- name: Create role with privileges additional privileges
+- name: Add a privilege to existing privileges
  vmware_local_role_manager:
    hostname: "{{ vcsim }}"
    username: "{{ vcsim_instance['json']['username'] }}"
    password: "{{ vcsim_instance['json']['password'] }}"
    local_role_name: SampleRole_0001
    validate_certs: no
-    local_privilege_ids: ['VirtualMachine.State.RenameSnapshot', 'Folder.Create']
+    local_privilege_ids: ['Folder.Create']
    action: add
    state: present
  register: role_creation_0001
- name: verify if role is created with updated privileges
+- name: Verify if role is updated with updated privileges
  assert:
    that:
      - "{{ role_creation_0001.changed == true }}"
      - "{{ role_creation_0001.role_id is defined }}"
      - "{{ role_creation_0001.old_privileges is defined }}"
      - "{{ role_creation_0001.new_privileges is defined }}"
 - name: Again add a privilege to existing privileges
  vmware_local_role_manager:
    hostname: "{{ vcsim }}"
    username: "{{ vcsim_instance['json']['username'] }}"
    password: "{{ vcsim_instance['json']['password'] }}"
    local_role_name: SampleRole_0001
    validate_certs: no
    local_privilege_ids: ['Folder.Create']
    action: add
    state: present
  register: role_creation_0001
 - name: Verify if role is not updated
  assert:
    that:
      - "{{ role_creation_0001.changed == false }}"
      - "{{ role_creation_0001.role_id is defined }}"
      - "{{ role_creation_0001.old_privileges is defined }}"
      - "{{ role_creation_0001.new_privileges is defined }}"
 - name: Remove a privilege from existing privileges
  vmware_local_role_manager:
    hostname: "{{ vcsim }}"
    username: "{{ vcsim_instance['json']['username'] }}"
    password: "{{ vcsim_instance['json']['password'] }}"
    local_role_name: SampleRole_0001
    validate_certs: no
    local_privilege_ids: ['Folder.Create']
    action: remove
  register: role_creation_0001
 - name: verify if role is updated with privileges
  assert:
    that:
      - "{{ role_creation_0001.changed == true }}"
      - "{{ role_creation_0001.role_id is defined }}"
      - "{{ role_creation_0001.old_privileges is defined }}"
      - "{{ role_creation_0001.new_privileges is defined }}"
      - "{{ 'Folder.Create' not in role_creation_0001.new_privileges }}"
 - name: Again remove a privilege from existing privileges
  vmware_local_role_manager:
    hostname: "{{ vcsim }}"
    username: "{{ vcsim_instance['json']['username'] }}"
    password: "{{ vcsim_instance['json']['password'] }}"
    local_role_name: SampleRole_0001
    validate_certs: no
    local_privilege_ids: ['Folder.Create']
    action: remove
  register: role_creation_0001
 - name: Verify if role is not updated
  assert:
    that:
      - "{{ role_creation_0001.changed == false }}"
      - "{{ role_creation_0001.role_id is defined }}"
      - "{{ role_creation_0001.old_privileges is defined }}"
      - "{{ role_creation_0001.new_privileges is defined }}"
      - "{{ 'Folder.Create' not in role_creation_0001.new_privileges }}"
      - "{{ 'Folder.Create' not in role_creation_0001.old_privileges }}"
 - name: Set a privilege to an existing role
  vmware_local_role_manager:
    hostname: "{{ vcsim }}"
    username: "{{ vcsim_instance['json']['username'] }}"
    password: "{{ vcsim_instance['json']['password'] }}"
    local_role_name: SampleRole_0001
    validate_certs: no
    local_privilege_ids: ['Folder.Create']
    action: set
  register: role_creation_0001
 - name: Verify if role is updated with privileges
  assert:
    that:
      - "{{ role_creation_0001.changed == true }}"
      - "{{ role_creation_0001.role_id is defined }}"
      - "{{ role_creation_0001.old_privileges is defined }}"
      - "{{ role_creation_0001.new_privileges is defined }}"
      - "{{ 'Folder.Create' in role_creation_0001.new_privileges }}"
      - "{{ 'System.Anonymous' in role_creation_0001.new_privileges }}"
      - "{{ 'System.Read' in role_creation_0001.new_privileges }}"
      - "{{ 'System.View' in role_creation_0001.new_privileges }}"
      - "{{ 'System.Anonymous' in role_creation_0001.old_privileges }}"
      - "{{ 'System.Read' in role_creation_0001.old_privileges }}"
      - "{{ 'System.View' in role_creation_0001.old_privileges }}"
 - name: Again set a privilege to an existing role
  vmware_local_role_manager:
    hostname: "{{ vcsim }}"
    username: "{{ vcsim_instance['json']['username'] }}"
    password: "{{ vcsim_instance['json']['password'] }}"
    local_role_name: SampleRole_0001
    validate_certs: no
    local_privilege_ids: ['Folder.Create']
    action: set
  register: role_creation_0001
 - name: verify if role is not updated
  assert:
    that:
      - "{{ role_creation_0001.changed == false }}"
      - "{{ 'Folder.Create' in role_creation_0001.new_privileges }}"
      - "{{ 'System.Anonymous' in role_creation_0001.new_privileges }}"
      - "{{ 'System.Read' in role_creation_0001.new_privileges }}"
      - "{{ 'System.View' in role_creation_0001.new_privileges }}"
      - "{{ 'Folder.Create' in role_creation_0001.old_privileges }}"
      - "{{ 'System.Anonymous' in role_creation_0001.old_privileges }}"
      - "{{ 'System.Read' in role_creation_0001.old_privileges }}"
      - "{{ 'System.View' in role_creation_0001.old_privileges }}"