
Added code to support command groups inside sudo rules (#1556)

* Added code to support command groups inside sudo rules

* Added command groups to documentation of ipa_sudorule.py

* Update changelogs/fragments/1555-ipa-sudorule-add-commandgroup.yml

Co-authored-by: Felix Fontein <felix@fontein.de>

* Update plugins/modules/identity/ipa/ipa_sudorule.py

Co-authored-by: Felix Fontein <felix@fontein.de>

Co-authored-by: Eric Nothen <eric.nothen@payback.net>
Co-authored-by: Felix Fontein <felix@fontein.de>
This commit is contained in:
enothen 2020-12-29 09:36:45 +01:00 committed by GitHub
parent 2b824f2d7b
commit eb2cb56a55
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 36 additions and 0 deletions


@ -0,0 +1,2 @@
minor_changes:
- ipa_sudorule - added option to use command groups inside sudo rules (https://github.com/ansible-collections/community.general/issues/1555).


@ -33,6 +33,14 @@ options:
- If option is omitted commands will not be checked or changed. - If option is omitted commands will not be checked or changed.
type: list type: list
elements: str elements: str
cmdgroup:
description:
- List of command groups assigned to the rule.
- If an empty list is passed all command groups will be removed from the rule.
- If option is omitted command groups will not be checked or changed.
type: list
elements: str
version_added: 2.0.0
description: description:
description: description:
- Description of the sudo rule. - Description of the sudo rule.
@ -134,6 +142,21 @@ EXAMPLES = r'''
ipa_host: ipa.example.com ipa_host: ipa.example.com
ipa_user: admin ipa_user: admin
ipa_pass: topsecret ipa_pass: topsecret
- name: Ensure user group operations can run any commands that is part of operations-cmdgroup on any host.
community.general.ipa_sudorule:
name: sudo_operations_all
description: Allow operators to run any commands that is part of operations-cmdgroup on any host.
cmdgroup:
- operations-cmdgroup
hostcategory: all
sudoopt:
- '!authenticate'
usergroup:
- operators
ipa_host: ipa.example.com
ipa_user: admin
ipa_pass: topsecret
''' '''
RETURN = r''' RETURN = r'''
@ -199,6 +222,9 @@ class SudoRuleIPAClient(IPAClient):
def sudorule_add_allow_command(self, name, item): def sudorule_add_allow_command(self, name, item):
return self._post_json(method='sudorule_add_allow_command', name=name, item={'sudocmd': item}) return self._post_json(method='sudorule_add_allow_command', name=name, item={'sudocmd': item})
def sudorule_add_allow_command_group(self, name, item):
return self._post_json(method='sudorule_add_allow_command_group', name=name, item={'sudocmdgroup': item})
def sudorule_remove_allow_command(self, name, item): def sudorule_remove_allow_command(self, name, item):
return self._post_json(method='sudorule_remove_allow_command', name=name, item=item) return self._post_json(method='sudorule_remove_allow_command', name=name, item=item)
@ -254,6 +280,7 @@ def ensure(module, client):
state = module.params['state'] state = module.params['state']
name = module.params['cn'] name = module.params['cn']
cmd = module.params['cmd'] cmd = module.params['cmd']
cmdgroup = module.params['cmdgroup']
cmdcategory = module.params['cmdcategory'] cmdcategory = module.params['cmdcategory']
host = module.params['host'] host = module.params['host']
hostcategory = module.params['hostcategory'] hostcategory = module.params['hostcategory']
@ -305,6 +332,11 @@ def ensure(module, client):
if not module.check_mode: if not module.check_mode:
client.sudorule_add_allow_command(name=name, item=cmd) client.sudorule_add_allow_command(name=name, item=cmd)
if cmdgroup is not None:
changed = category_changed(module, client, 'cmdcategory', ipa_sudorule) or changed
if not module.check_mode:
client.sudorule_add_allow_command_group(name=name, item=cmdgroup)
if runasusercategory is not None: if runasusercategory is not None:
changed = category_changed(module, client, 'iparunasusercategory', ipa_sudorule) or changed changed = category_changed(module, client, 'iparunasusercategory', ipa_sudorule) or changed
@ -361,6 +393,7 @@ def ensure(module, client):
def main(): def main():
argument_spec = ipa_argument_spec() argument_spec = ipa_argument_spec()
argument_spec.update(cmd=dict(type='list', elements='str'), argument_spec.update(cmd=dict(type='list', elements='str'),
cmdgroup=dict(type='list', elements='str'),
cmdcategory=dict(type='str', choices=['all']), cmdcategory=dict(type='str', choices=['all']),
cn=dict(type='str', required=True, aliases=['name']), cn=dict(type='str', required=True, aliases=['name']),
description=dict(type='str'), description=dict(type='str'),
@ -377,6 +410,7 @@ def main():
module = AnsibleModule(argument_spec=argument_spec, module = AnsibleModule(argument_spec=argument_spec,
mutually_exclusive=[['cmdcategory', 'cmd'], mutually_exclusive=[['cmdcategory', 'cmd'],
['cmdcategory', 'cmdgroup'],
['hostcategory', 'host'], ['hostcategory', 'host'],
['hostcategory', 'hostgroup'], ['hostcategory', 'hostgroup'],
['usercategory', 'user'], ['usercategory', 'user'],
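Review bot: The new cmdgroup branch in ensure() (`if cmdgroup is not None:` … `client.sudorule_add_allow_command_group(name=name, item=cmdgroup)`) posts the add call on every run without checking current membership and never sets `changed` for the groups it adds, so the module is not idempotent for this option and check mode under-reports; it also does nothing for an empty list, while the new option documentation promises "If an empty list is passed all command groups will be removed from the rule", and the client gains no remove counterpart to `sudorule_remove_allow_command` that could honour that. The existing `cmd` branch appears to have the same shape, so part of this is inherited style, but the documentation here makes a contract the code does not implement — either drop that sentence or add the removal path. Diffing the requested list against the rule's current command-group membership before calling add, as sketched below, fixes the idempotence and `changed` reporting; the membership key should be confirmed against the server's sudorule_show output. Separately, I could not confirm that the FreeIPA JSON-RPC API exposes a method named `sudorule_add_allow_command_group` — if I recall correctly, command groups are passed as the `sudocmdgroup` key of `sudorule_add_allow_command` — so that method name deserves a check against a live server before release. ensure() and main() both begin and end outside the visible hunks.
```python
        if cmdgroup is not None:
            changed = category_changed(module, client, 'cmdcategory', ipa_sudorule) or changed
            # Add only groups the rule does not already carry, so repeated runs are
            # idempotent and 'changed' reflects a real modification.
            # NOTE(review): membership key taken from FreeIPA sudorule_show output — confirm.
            current_groups = ipa_sudorule.get('memberallowcmd_sudocmdgroup', [])
            new_groups = [g for g in cmdgroup if g not in current_groups]
            if new_groups:
                changed = True
                if not module.check_mode:
                    client.sudorule_add_allow_command_group(name=name, item=new_groups)
        # … unchanged: runasusercategory handling …
```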