1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2024-09-14 20:13:21 +02:00

VMware: update vmware_local_role_manager with action (#44566)

With this fix user can add, remove and set privileges to
an existing role with privileges.

Fixes: #44391

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
This commit is contained in:
Abhijeet Kasurde 2018-09-07 09:33:50 +05:30 committed by GitHub
parent 46856b0747
commit e653a93044
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 243 additions and 57 deletions

View file

@ -20,10 +20,10 @@ DOCUMENTATION = '''
module: vmware_local_role_manager module: vmware_local_role_manager
short_description: Manage local roles on an ESXi host short_description: Manage local roles on an ESXi host
description: description:
- Manage local roles on an ESXi host - This module can be used to manage local roles on an ESXi host.
version_added: "2.5" version_added: 2.5
author: author:
- Abhijeet Kasurde (@Akasurde) <akasurde@redhat.com> - Abhijeet Kasurde (@Akasurde)
notes: notes:
- Tested on ESXi 6.5 - Tested on ESXi 6.5
- Be sure that the ESXi user used for login, has the appropriate rights to create / delete / edit roles - Be sure that the ESXi user used for login, has the appropriate rights to create / delete / edit roles
@ -31,31 +31,39 @@ requirements:
- "python >= 2.6" - "python >= 2.6"
- PyVmomi - PyVmomi
options: options:
local_role_name: local_role_name:
description: description:
- The local role name to be managed. - The local role name to be managed.
required: True required: True
local_privilege_ids: local_privilege_ids:
description: description:
- The list of privileges that role needs to have. - The list of privileges that role needs to have.
- Please see U(https://docs.vmware.com/en/VMware-vSphere/6.0/com.vmware.vsphere.security.doc/GUID-ED56F3C4-77D0-49E3-88B6-B99B8B437B62.html) - Please see U(https://docs.vmware.com/en/VMware-vSphere/6.0/com.vmware.vsphere.security.doc/GUID-ED56F3C4-77D0-49E3-88B6-B99B8B437B62.html)
default: [] default: []
state: state:
description: description:
- Indicate desired state of the role. - Indicate desired state of the role.
- If the role already exists when C(state=present), the role info is updated. - If the role already exists when C(state=present), the role info is updated.
choices: ['present', 'absent'] choices: ['present', 'absent']
default: present default: present
force_remove: force_remove:
description: description:
- If set to C(False) then prevents the role from being removed if any permissions are using it. - If set to C(False) then prevents the role from being removed if any permissions are using it.
default: False default: False
type: bool type: bool
action:
description:
- This parameter is only valid while updating an existing role with privileges.
- C(add) will add the privileges to the existing privilege list.
- C(remove) will remove the privileges from the existing privilege list.
- C(set) will replace the privileges of the existing privileges with user defined list of privileges.
default: set
choices: [ add, remove, set ]
version_added: 2.8
extends_documentation_fragment: vmware.documentation extends_documentation_fragment: vmware.documentation
''' '''
EXAMPLES = ''' EXAMPLES = '''
# Example vmware_local_role_manager command from Ansible Playbooks
- name: Add local role to ESXi - name: Add local role to ESXi
vmware_local_role_manager: vmware_local_role_manager:
hostname: '{{ esxi_hostname }}' hostname: '{{ esxi_hostname }}'
@ -84,6 +92,35 @@ EXAMPLES = '''
state: absent state: absent
delegate_to: localhost delegate_to: localhost
- name: Add a privilege to an existing local role
vmware_local_role_manager:
hostname: '{{ esxi_hostname }}'
username: '{{ esxi_username }}'
password: '{{ esxi_password }}'
local_role_name: vmware_qa
local_privilege_ids: [ 'Folder.Create' ]
action: add
delegate_to: localhost
- name: Remove a privilege to an existing local role
vmware_local_role_manager:
hostname: '{{ esxi_hostname }}'
username: '{{ esxi_username }}'
password: '{{ esxi_password }}'
local_role_name: vmware_qa
local_privilege_ids: [ 'Folder.Create' ]
action: remove
delegate_to: localhost
- name: Set a privilege to an existing local role
vmware_local_role_manager:
hostname: '{{ esxi_hostname }}'
username: '{{ esxi_username }}'
password: '{{ esxi_password }}'
local_role_name: vmware_qa
local_privilege_ids: [ 'Folder.Create' ]
action: set
delegate_to: localhost
''' '''
RETURN = r''' RETURN = r'''
@ -124,6 +161,7 @@ class VMwareLocalRoleManager(PyVmomi):
self.priv_ids = self.params['local_privilege_ids'] self.priv_ids = self.params['local_privilege_ids']
self.force = not self.params['force_remove'] self.force = not self.params['force_remove']
self.current_role = None self.current_role = None
self.action = self.params['action']
if self.content.authorizationManager is None: if self.content.authorizationManager is None:
self.module.fail_json(msg="Failed to get local authorization manager settings.", self.module.fail_json(msg="Failed to get local authorization manager settings.",
@ -166,6 +204,7 @@ class VMwareLocalRoleManager(PyVmomi):
return desired_role return desired_role
def state_create_role(self): def state_create_role(self):
role_id = None
try: try:
role_id = self.content.authorizationManager.AddAuthorizationRole(name=self.role_name, role_id = self.content.authorizationManager.AddAuthorizationRole(name=self.role_name,
privIds=self.priv_ids) privIds=self.priv_ids)
@ -215,25 +254,56 @@ class VMwareLocalRoleManager(PyVmomi):
self.module.exit_json(**result) self.module.exit_json(**result)
def state_exit_unchanged(self): def state_exit_unchanged(self):
self.module.exit_json(changed=False) role = self.find_authorization_role()
result = dict(changed=False)
if role:
result['role_id'] = role.roleId
result['local_role_name'] = role.name
result['old_privileges'] = [priv_name for priv_name in role.privilege]
result['new_privileges'] = [priv_name for priv_name in role.privilege]
self.module.exit_json(**result)
def state_update_role(self): def state_update_role(self):
current_privileges = set(self.current_role.privilege) current_privileges = self.current_role.privilege
# Add system-defined privileges, "System.Anonymous", "System.View", and "System.Read".
self.params['local_privilege_ids'].extend(['System.Anonymous', 'System.Read', 'System.View'])
desired_privileges = set(self.params['local_privilege_ids'])
changed_privileges = current_privileges ^ desired_privileges result = {
changed_privileges = list(changed_privileges) 'changed': False,
'old_privileges': current_privileges,
}
if not changed_privileges: changed_privileges = []
changed = False
if self.action == 'add':
# Add to existing privileges
for priv in self.params['local_privilege_ids']:
if priv not in current_privileges:
changed_privileges.append(priv)
changed = True
if changed:
changed_privileges.extend(current_privileges)
elif self.action == 'set':
# Set given privileges
# Add system-defined privileges, "System.Anonymous", "System.View", and "System.Read".
self.params['local_privilege_ids'].extend(['System.Anonymous', 'System.Read', 'System.View'])
changed_privileges = self.params['local_privilege_ids']
changes_applied = list(set(current_privileges) ^ set(changed_privileges))
if changes_applied:
changed = True
elif self.action == 'remove':
# Remove given privileges from existing privileges
for priv in self.params['local_privilege_ids']:
if priv in current_privileges:
changed = True
current_privileges.remove(priv)
if changed:
changed_privileges = current_privileges
if not changed:
self.state_exit_unchanged() self.state_exit_unchanged()
# Delete unwanted privileges that are not required
for priv in changed_privileges:
if priv not in desired_privileges:
changed_privileges.remove(priv)
try: try:
self.content.authorizationManager.UpdateAuthorizationRole(roleId=self.current_role.roleId, self.content.authorizationManager.UpdateAuthorizationRole(roleId=self.current_role.roleId,
newName=self.current_role.name, newName=self.current_role.name,
@ -256,14 +326,13 @@ class VMwareLocalRoleManager(PyVmomi):
self.module.fail_json(msg="Failed to update Role %s as current session does not" self.module.fail_json(msg="Failed to update Role %s as current session does not"
" have any privilege to update specified role" % self.role_name, " have any privilege to update specified role" % self.role_name,
details=e.msg) details=e.msg)
role = self.find_authorization_role() role = self.find_authorization_role()
result = { result['role_id'] = role.roleId,
'changed': True, result['changed'] = changed
'role_id': role.roleId, result['local_role_name'] = role.name
'local_role_name': role.name, result['new_privileges'] = [priv_name for priv_name in role.privilege]
'new_privileges': role.privilege,
'old_privileges': current_privileges,
}
self.module.exit_json(**result) self.module.exit_json(**result)
@ -272,6 +341,11 @@ def main():
argument_spec.update(dict(local_role_name=dict(required=True, type='str'), argument_spec.update(dict(local_role_name=dict(required=True, type='str'),
local_privilege_ids=dict(default=[], type='list'), local_privilege_ids=dict(default=[], type='list'),
force_remove=dict(default=False, type='bool'), force_remove=dict(default=False, type='bool'),
action=dict(type='str', default='set', choices=[
'add',
'set',
'remove',
]),
state=dict(default='present', choices=['present', 'absent'], type='str'))) state=dict(default='present', choices=['present', 'absent'], type='str')))
module = AnsibleModule(argument_spec=argument_spec, module = AnsibleModule(argument_spec=argument_spec,

View file

@ -1,5 +1,5 @@
# Test code for the vmware_local_role_manager module # Test code for the vmware_local_role_manager module
# Copyright: (c) 2017, Abhijeet Kasurde <akasurde@redhat.com> # Copyright: (c) 2017-2018, Abhijeet Kasurde <akasurde@redhat.com>
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
- name: store the vcenter container ip - name: store the vcenter container ip
@ -30,7 +30,7 @@
- debug: var=vcsim_instance - debug: var=vcsim_instance
- name: Role creation - name: Create a role without privileges
vmware_local_role_manager: vmware_local_role_manager:
hostname: "{{ vcsim }}" hostname: "{{ vcsim }}"
username: "{{ vcsim_instance['json']['username'] }}" username: "{{ vcsim_instance['json']['username'] }}"
@ -40,14 +40,14 @@
state: present state: present
register: role_creation_0001 register: role_creation_0001
- name: verify if role is created - name: Verify if role is created
assert: assert:
that: that:
- "{{ role_creation_0001.changed == true }}" - "{{ role_creation_0001.changed == true }}"
- "{{ role_creation_0001.role_id is defined }}" - "{{ role_creation_0001.role_id is defined }}"
- "{{ role_creation_0001.local_role_name is defined }}" - "{{ role_creation_0001.local_role_name is defined }}"
- name: Create role again - name: Again create a role without privileges
vmware_local_role_manager: vmware_local_role_manager:
hostname: "{{ vcsim }}" hostname: "{{ vcsim }}"
username: "{{ vcsim_instance['json']['username'] }}" username: "{{ vcsim_instance['json']['username'] }}"
@ -62,7 +62,7 @@
that: that:
- "{{ role_creation_0001.changed == false }}" - "{{ role_creation_0001.changed == false }}"
- name: delete role - name: Delete a role
vmware_local_role_manager: vmware_local_role_manager:
hostname: "{{ vcsim }}" hostname: "{{ vcsim }}"
username: "{{ vcsim_instance['json']['username'] }}" username: "{{ vcsim_instance['json']['username'] }}"
@ -72,12 +72,12 @@
state: absent state: absent
register: role_creation_0001 register: role_creation_0001
- name: verify if role is not present - name: Verify if role is not present
assert: assert:
that: that:
- "{{ role_creation_0001.changed == true }}" - "{{ role_creation_0001.changed == true }}"
- name: delete role again - name: Delete role again
vmware_local_role_manager: vmware_local_role_manager:
hostname: "{{ vcsim }}" hostname: "{{ vcsim }}"
username: "{{ vcsim_instance['json']['username'] }}" username: "{{ vcsim_instance['json']['username'] }}"
@ -87,12 +87,12 @@
state: absent state: absent
register: role_creation_0001 register: role_creation_0001
- name: verify if role is not present again - name: Verify if role is absent again
assert: assert:
that: that:
- "{{ role_creation_0001.changed == false }}" - "{{ role_creation_0001.changed == false }}"
- name: Create role with privileges - name: Create a role with privileges
vmware_local_role_manager: vmware_local_role_manager:
hostname: "{{ vcsim }}" hostname: "{{ vcsim }}"
username: "{{ vcsim_instance['json']['username'] }}" username: "{{ vcsim_instance['json']['username'] }}"
@ -103,27 +103,139 @@
state: present state: present
register: role_creation_0001 register: role_creation_0001
- name: verify if role is created with privileges - name: Verify if role is created with privileges
assert: assert:
that: that:
- "{{ role_creation_0001.changed == true }}" - "{{ role_creation_0001.changed == true }}"
- "{{ role_creation_0001.role_id is defined }}" - "{{ role_creation_0001.role_id is defined }}"
- name: Create role with privileges additional privileges - name: Add a privilege to existing privileges
vmware_local_role_manager: vmware_local_role_manager:
hostname: "{{ vcsim }}" hostname: "{{ vcsim }}"
username: "{{ vcsim_instance['json']['username'] }}" username: "{{ vcsim_instance['json']['username'] }}"
password: "{{ vcsim_instance['json']['password'] }}" password: "{{ vcsim_instance['json']['password'] }}"
local_role_name: SampleRole_0001 local_role_name: SampleRole_0001
validate_certs: no validate_certs: no
local_privilege_ids: ['VirtualMachine.State.RenameSnapshot', 'Folder.Create'] local_privilege_ids: ['Folder.Create']
action: add
state: present state: present
register: role_creation_0001 register: role_creation_0001
- name: verify if role is created with updated privileges - name: Verify if role is updated with updated privileges
assert: assert:
that: that:
- "{{ role_creation_0001.changed == true }}" - "{{ role_creation_0001.changed == true }}"
- "{{ role_creation_0001.role_id is defined }}" - "{{ role_creation_0001.role_id is defined }}"
- "{{ role_creation_0001.old_privileges is defined }}" - "{{ role_creation_0001.old_privileges is defined }}"
- "{{ role_creation_0001.new_privileges is defined }}" - "{{ role_creation_0001.new_privileges is defined }}"
- name: Again add a privilege to existing privileges
vmware_local_role_manager:
hostname: "{{ vcsim }}"
username: "{{ vcsim_instance['json']['username'] }}"
password: "{{ vcsim_instance['json']['password'] }}"
local_role_name: SampleRole_0001
validate_certs: no
local_privilege_ids: ['Folder.Create']
action: add
state: present
register: role_creation_0001
- name: Verify if role is not updated
assert:
that:
- "{{ role_creation_0001.changed == false }}"
- "{{ role_creation_0001.role_id is defined }}"
- "{{ role_creation_0001.old_privileges is defined }}"
- "{{ role_creation_0001.new_privileges is defined }}"
- name: Remove a privilege from existing privileges
vmware_local_role_manager:
hostname: "{{ vcsim }}"
username: "{{ vcsim_instance['json']['username'] }}"
password: "{{ vcsim_instance['json']['password'] }}"
local_role_name: SampleRole_0001
validate_certs: no
local_privilege_ids: ['Folder.Create']
action: remove
register: role_creation_0001
- name: verify if role is updated with privileges
assert:
that:
- "{{ role_creation_0001.changed == true }}"
- "{{ role_creation_0001.role_id is defined }}"
- "{{ role_creation_0001.old_privileges is defined }}"
- "{{ role_creation_0001.new_privileges is defined }}"
- "{{ 'Folder.Create' not in role_creation_0001.new_privileges }}"
- name: Again remove a privilege from existing privileges
vmware_local_role_manager:
hostname: "{{ vcsim }}"
username: "{{ vcsim_instance['json']['username'] }}"
password: "{{ vcsim_instance['json']['password'] }}"
local_role_name: SampleRole_0001
validate_certs: no
local_privilege_ids: ['Folder.Create']
action: remove
register: role_creation_0001
- name: Verify if role is not updated
assert:
that:
- "{{ role_creation_0001.changed == false }}"
- "{{ role_creation_0001.role_id is defined }}"
- "{{ role_creation_0001.old_privileges is defined }}"
- "{{ role_creation_0001.new_privileges is defined }}"
- "{{ 'Folder.Create' not in role_creation_0001.new_privileges }}"
- "{{ 'Folder.Create' not in role_creation_0001.old_privileges }}"
- name: Set a privilege to an existing role
vmware_local_role_manager:
hostname: "{{ vcsim }}"
username: "{{ vcsim_instance['json']['username'] }}"
password: "{{ vcsim_instance['json']['password'] }}"
local_role_name: SampleRole_0001
validate_certs: no
local_privilege_ids: ['Folder.Create']
action: set
register: role_creation_0001
- name: Verify if role is updated with privileges
assert:
that:
- "{{ role_creation_0001.changed == true }}"
- "{{ role_creation_0001.role_id is defined }}"
- "{{ role_creation_0001.old_privileges is defined }}"
- "{{ role_creation_0001.new_privileges is defined }}"
- "{{ 'Folder.Create' in role_creation_0001.new_privileges }}"
- "{{ 'System.Anonymous' in role_creation_0001.new_privileges }}"
- "{{ 'System.Read' in role_creation_0001.new_privileges }}"
- "{{ 'System.View' in role_creation_0001.new_privileges }}"
- "{{ 'System.Anonymous' in role_creation_0001.old_privileges }}"
- "{{ 'System.Read' in role_creation_0001.old_privileges }}"
- "{{ 'System.View' in role_creation_0001.old_privileges }}"
- name: Again set a privilege to an existing role
vmware_local_role_manager:
hostname: "{{ vcsim }}"
username: "{{ vcsim_instance['json']['username'] }}"
password: "{{ vcsim_instance['json']['password'] }}"
local_role_name: SampleRole_0001
validate_certs: no
local_privilege_ids: ['Folder.Create']
action: set
register: role_creation_0001
- name: verify if role is not updated
assert:
that:
- "{{ role_creation_0001.changed == false }}"
- "{{ 'Folder.Create' in role_creation_0001.new_privileges }}"
- "{{ 'System.Anonymous' in role_creation_0001.new_privileges }}"
- "{{ 'System.Read' in role_creation_0001.new_privileges }}"
- "{{ 'System.View' in role_creation_0001.new_privileges }}"
- "{{ 'Folder.Create' in role_creation_0001.old_privileges }}"
- "{{ 'System.Anonymous' in role_creation_0001.old_privileges }}"
- "{{ 'System.Read' in role_creation_0001.old_privileges }}"
- "{{ 'System.View' in role_creation_0001.old_privileges }}"