Skip to content

Latest commit

 

History

History
187 lines (141 loc) · 5.17 KB

README-permission.md

File metadata and controls

187 lines (141 loc) · 5.17 KB
Raw

Permission module

Description

The permission module allows to ensure presence and absence of permissions and permission members.

Features

  • Permission management

Supported FreeIPA Versions

FreeIPA versions 4.4.0 and up are supported by the ipapermission module.

Requirements

Controller

  • Ansible version: 2.14+

Node

  • Supported FreeIPA version (see above)

Usage

Example inventory file

[ipaserver]
ipaserver.test.local

Example playbook to make sure permission "MyPermission" is present:

---
- name: Playbook to handle IPA permissions
  hosts: ipaserver
  become: yes

  tasks:
  - name: Ensure permission MyPermission is present
    ipapermission:
      ipaadmin_password: SomeADMINpassword
      name: MyPermission
      object_type: host
      right: all

Example playbook to ensure permission "MyPermission" is present with attr carlicense:

---
- name: Playbook to handle IPA permissions
  hosts: ipaserver
  become: yes

  tasks:
  - name: Ensure permission "MyPermission" is present with attr carlicense
    ipapermission:
      ipaadmin_password: SomeADMINpassword
      name: MyPermission
      object_type: host
      right: all
      attrs:
      - carlicense

Example playbook to ensure attr gecos is present in permission "MyPermission":

---
- name: Playbook to handle IPA permissions
  hosts: ipaserver
  become: yes

  tasks:
  - name: Ensure attr gecos is present in permission "MyPermission"
    ipapermission:
      ipaadmin_password: SomeADMINpassword
      name: MyPermission
      attrs:
      - gecos
      action: member

Example playbook to ensure attr gecos is absent in permission "MyPermission":

---
- name: Playbook to handle IPA permissions
  hosts: ipaserver
  become: yes

  tasks:
  - name: Ensure attr gecos is present in permission "MyPermission"
    ipapermission:
      ipaadmin_password: SomeADMINpassword
      name: MyPermission
      attrs:
      - gecos
      action: member
      state: absent

Example playbook to make sure permission "MyPermission" is absent:

---
- name: Playbook to handle IPA permissions
  hosts: ipaserver
  become: yes

  tasks:
  - name: Ensure permission "MyPermission" is absent
    ipapermission:
      ipaadmin_password: SomeADMINpassword
      name: MyPermission
      state: absent

Example playbook to make sure permission "MyPermission" is renamed to "MyNewPermission":

---
- name: Playbook to handle IPA permissions
  hosts: ipaserver
  become: yes

  tasks:
  - name: Ensure permission "MyPermission" is renamed to "MyNewPermission
    ipapermission:
      ipaadmin_password: SomeADMINpassword
      name: MyPermission
      rename: MyNewPermission
      state: renamed

Variables

Variable Description Required
ipaadmin_principal The admin principal is a string and defaults to admin no
ipaadmin_password The admin password is a string and is required if there is no admin ticket available on the node no
ipaapi_context The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are server and client. no
ipaapi_ldap_cache Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) no
name | cn The permission name string. yes
right | ipapermright Rights to grant. It can be a list of one or more of read, search, compare, write, add, delete, and all default: all no
attrs All attributes to which the permission applies. no
bindtype | ipapermbindruletype Bind rule type. It can be one of permission, all, self, or anonymous defaults to permission for new permissions. Bind rule type self can only be used on IPA versions 4.8.7 or up. no
subtree | ipapermlocation Subtree to apply permissions to no
filter | extratargetfilter Extra target filter no
rawfilter | ipapermtargetfilter All target filters no
target | ipapermtarget Optional DN to apply the permission to no
targetto | ipapermtargetto Optional DN subtree where an entry can be moved to no
targetfrom | ipapermtargetfrom Optional DN subtree from where an entry can be moved no
memberof Target members of a group (sets memberOf targetfilter) no
targetgroup User group to apply permissions to (sets target) no
object_type Type of IPA object (sets subtree and objectClass targetfilter) no
no_members Suppress processing of membership no
rename | new_name Rename the permission object no
action Work on permission or member level. It can be on of member or permission and defaults to permission. no
state The state to ensure. It can be one of present, absent, or renamed default: present. no

The includedattrs and excludedattrs variables are only usable for managed permisions and are not exposed by the module. Using attrs for managed permissions will result in the automatic generation of includedattrs and excludedattrs in the IPA server.

Authors

Seth Kress