diff --git a/lib/ansible/modules/identity/ipa/ipa_role.py b/lib/ansible/modules/identity/ipa/ipa_role.py index 3b4c6d6d48..8b7514d6f1 100644 --- a/lib/ansible/modules/identity/ipa/ipa_role.py +++ b/lib/ansible/modules/identity/ipa/ipa_role.py @@ -58,6 +58,14 @@ options: - If option is omitted host groups will not be checked or changed. - If option is passed all assigned hostgroups that are not passed will be unassigned from the role. required: false + privilege: + description: + - List of privileges granted to the role. + - If an empty list is passed all assigned privileges will be removed. + - If option is omitted privileges will not be checked or changed. + - If option is passed all assigned privileges that are not passed will be removed. + required: false + default: None service: description: - List of service names to assign. @@ -129,6 +137,9 @@ EXAMPLES = ''' - host01.example.com hostgroup: - hostgroup01 + privilege: + - Group Administrators + - User Administrators service: - service01 @@ -205,6 +216,12 @@ class RoleIPAClient(IPAClient): def role_remove_user(self, name, item): return self.role_remove_member(name=name, item={'user': item}) + def role_add_privilege(self, name, item): + return self._post_json(method='role_add_privilege', name=name, item={'privilege': item}) + + def role_remove_privilege(self, name, item): + return self._post_json(method='role_remove_privilege', name=name, item={'privilege': item}) + def get_role_dict(description=None): data = {} @@ -223,6 +240,7 @@ def ensure(module, client): group = module.params['group'] host = module.params['host'] hostgroup = module.params['hostgroup'] + privilege = module.params['privilege'] service = module.params['service'] user = module.params['user'] @@ -249,7 +267,6 @@ def ensure(module, client): changed = client.modify_if_diff(name, ipa_role.get('member_group', []), group, client.role_add_group, client.role_remove_group) or changed - if host is not None: changed = client.modify_if_diff(name, ipa_role.get('member_host', []), host, client.role_add_host, @@ -260,6 +277,10 @@ def ensure(module, client): client.role_add_hostgroup, client.role_remove_hostgroup) or changed + if privilege is not None: + changed = client.modify_if_diff(name, ipa_role.get('memberof_privilege', []), privilege, + client.role_add_privilege, + client.role_remove_privilege) or changed if service is not None: changed = client.modify_if_diff(name, ipa_role.get('member_service', []), service, client.role_add_service, @@ -268,6 +289,7 @@ def ensure(module, client): changed = client.modify_if_diff(name, ipa_role.get('member_user', []), user, client.role_add_user, client.role_remove_user) or changed + else: if ipa_role: changed = True @@ -285,6 +307,7 @@ def main(): group=dict(type='list', required=False), host=dict(type='list', required=False), hostgroup=dict(type='list', required=False), + privilege=dict(type='list', required=False), service=dict(type='list', required=False), state=dict(type='str', required=False, default='present', choices=['present', 'absent']), user=dict(type='list', required=False),