mirror of
https://github.com/ansible-collections/community.general.git
synced 2024-09-14 20:13:21 +02:00
ipa_sudorule add support for setting runasextusers (#2031)
* Add support for setting runasextusers * fix formatting * add changelog fragment * Update plugins/modules/identity/ipa/ipa_sudorule.py Co-authored-by: Felix Fontein <felix@fontein.de> * Update changelogs/fragments/2031-ipa_sudorule_add_runasextusers.yml Co-authored-by: Felix Fontein <felix@fontein.de> Co-authored-by: quasd <qquasd@gmail.com> Co-authored-by: Felix Fontein <felix@fontein.de>
This commit is contained in:
parent
f5a9584ae6
commit
ff9f98795e
2 changed files with 37 additions and 4 deletions
|
@ -0,0 +1,3 @@
|
||||||
|
---
|
||||||
|
minor_changes:
|
||||||
|
- ipa_sudorule - add support for setting sudo runasuser (https://github.com/ansible-collections/community.general/pull/2031).
|
|
@ -68,6 +68,12 @@ options:
|
||||||
- Option C(hostcategory) must be omitted to assign host groups.
|
- Option C(hostcategory) must be omitted to assign host groups.
|
||||||
type: list
|
type: list
|
||||||
elements: str
|
elements: str
|
||||||
|
runasextusers:
|
||||||
|
description:
|
||||||
|
- List of external RunAs users
|
||||||
|
type: list
|
||||||
|
elements: str
|
||||||
|
version_added: 2.3.0
|
||||||
runasusercategory:
|
runasusercategory:
|
||||||
description:
|
description:
|
||||||
- RunAs User category the rule applies to.
|
- RunAs User category the rule applies to.
|
||||||
|
@ -143,13 +149,15 @@ EXAMPLES = r'''
|
||||||
ipa_user: admin
|
ipa_user: admin
|
||||||
ipa_pass: topsecret
|
ipa_pass: topsecret
|
||||||
|
|
||||||
- name: Ensure user group operations can run any commands that is part of operations-cmdgroup on any host.
|
- name: Ensure user group operations can run any commands that is part of operations-cmdgroup on any host as user root.
|
||||||
community.general.ipa_sudorule:
|
community.general.ipa_sudorule:
|
||||||
name: sudo_operations_all
|
name: sudo_operations_all
|
||||||
description: Allow operators to run any commands that is part of operations-cmdgroup on any host.
|
description: Allow operators to run any commands that is part of operations-cmdgroup on any host as user root.
|
||||||
cmdgroup:
|
cmdgroup:
|
||||||
- operations-cmdgroup
|
- operations-cmdgroup
|
||||||
hostcategory: all
|
hostcategory: all
|
||||||
|
runasextusers:
|
||||||
|
- root
|
||||||
sudoopt:
|
sudoopt:
|
||||||
- '!authenticate'
|
- '!authenticate'
|
||||||
usergroup:
|
usergroup:
|
||||||
|
@ -183,6 +191,12 @@ class SudoRuleIPAClient(IPAClient):
|
||||||
def sudorule_add(self, name, item):
|
def sudorule_add(self, name, item):
|
||||||
return self._post_json(method='sudorule_add', name=name, item=item)
|
return self._post_json(method='sudorule_add', name=name, item=item)
|
||||||
|
|
||||||
|
def sudorule_add_runasuser(self, name, item):
|
||||||
|
return self._post_json(method='sudorule_add_runasuser', name=name, item={'user': item})
|
||||||
|
|
||||||
|
def sudorule_remove_runasuser(self, name, item):
|
||||||
|
return self._post_json(method='sudorule_remove_runasuser', name=name, item={'user': item})
|
||||||
|
|
||||||
def sudorule_mod(self, name, item):
|
def sudorule_mod(self, name, item):
|
||||||
return self._post_json(method='sudorule_mod', name=name, item=item)
|
return self._post_json(method='sudorule_mod', name=name, item=item)
|
||||||
|
|
||||||
|
@ -287,6 +301,7 @@ def ensure(module, client):
|
||||||
hostgroup = module.params['hostgroup']
|
hostgroup = module.params['hostgroup']
|
||||||
runasusercategory = module.params['runasusercategory']
|
runasusercategory = module.params['runasusercategory']
|
||||||
runasgroupcategory = module.params['runasgroupcategory']
|
runasgroupcategory = module.params['runasgroupcategory']
|
||||||
|
runasextusers = module.params['runasextusers']
|
||||||
|
|
||||||
if state in ['present', 'enabled']:
|
if state in ['present', 'enabled']:
|
||||||
ipaenabledflag = 'TRUE'
|
ipaenabledflag = 'TRUE'
|
||||||
|
@ -371,6 +386,21 @@ def ensure(module, client):
|
||||||
for item in diff:
|
for item in diff:
|
||||||
client.sudorule_add_option_ipasudoopt(name, item)
|
client.sudorule_add_option_ipasudoopt(name, item)
|
||||||
|
|
||||||
|
if runasextusers is not None:
|
||||||
|
ipa_sudorule_run_as_user = ipa_sudorule.get('ipasudorunasextuser', [])
|
||||||
|
diff = list(set(ipa_sudorule_run_as_user) - set(runasextusers))
|
||||||
|
if len(diff) > 0:
|
||||||
|
changed = True
|
||||||
|
if not module.check_mode:
|
||||||
|
for item in diff:
|
||||||
|
client.sudorule_remove_runasuser(name=name, item=item)
|
||||||
|
diff = list(set(runasextusers) - set(ipa_sudorule_run_as_user))
|
||||||
|
if len(diff) > 0:
|
||||||
|
changed = True
|
||||||
|
if not module.check_mode:
|
||||||
|
for item in diff:
|
||||||
|
client.sudorule_add_runasuser(name=name, item=item)
|
||||||
|
|
||||||
if user is not None:
|
if user is not None:
|
||||||
changed = category_changed(module, client, 'usercategory', ipa_sudorule) or changed
|
changed = category_changed(module, client, 'usercategory', ipa_sudorule) or changed
|
||||||
changed = client.modify_if_diff(name, ipa_sudorule.get('memberuser_user', []), user,
|
changed = client.modify_if_diff(name, ipa_sudorule.get('memberuser_user', []), user,
|
||||||
|
@ -406,8 +436,8 @@ def main():
|
||||||
state=dict(type='str', default='present', choices=['present', 'absent', 'enabled', 'disabled']),
|
state=dict(type='str', default='present', choices=['present', 'absent', 'enabled', 'disabled']),
|
||||||
user=dict(type='list', elements='str'),
|
user=dict(type='list', elements='str'),
|
||||||
usercategory=dict(type='str', choices=['all']),
|
usercategory=dict(type='str', choices=['all']),
|
||||||
usergroup=dict(type='list', elements='str'))
|
usergroup=dict(type='list', elements='str'),
|
||||||
|
runasextusers=dict(type='list', elements='str'))
|
||||||
module = AnsibleModule(argument_spec=argument_spec,
|
module = AnsibleModule(argument_spec=argument_spec,
|
||||||
mutually_exclusive=[['cmdcategory', 'cmd'],
|
mutually_exclusive=[['cmdcategory', 'cmd'],
|
||||||
['cmdcategory', 'cmdgroup'],
|
['cmdcategory', 'cmdgroup'],
|
||||||
|
|
Loading…
Reference in a new issue