Select Git revision
README-hbacrule.md
-
Rafael Guterres Jeffman authored
This patch allows the removal of option `all` from user, host, and service categories, by allowing an empty string as a valid choice for each option.
Rafael Guterres Jeffman authoredThis patch allows the removal of option `all` from user, host, and service categories, by allowing an empty string as a valid choice for each option.
README-hbacrule.md 3.74 KiB
HBACrule module
Description
The hbacrule (HBAC Rule) module allows to ensure presence and absence of HBAC Rules and host, hostgroups, HBAC Services, HBAC Service Groups, users, and user groups as members of HBAC Rule.
Features
- HBAC Rule management
Supported FreeIPA Versions
FreeIPA versions 4.4.0 and up are supported by the ipahbacrule module.
Requirements
Controller
- Ansible version: 2.8+
Node
- Supported FreeIPA version (see above)
Usage
Example inventory file
[ipaserver]
ipaserver.test.localExample playbook to make sure HBAC Rule login exists:
---
- name: Playbook to handle hbacrules
hbacsvcs: ipaserver
become: true
tasks:
# Ensure HBAC Rule login is present
- ipahbacrule:
ipaadmin_password: SomeADMINpassword
name: loginExample playbook to make sure HBAC Rule login exists with the only HBAC Service sshd:
---
- name: Playbook to handle hbacrules
hbacsvcs: ipaserver
become: true
tasks:
# Ensure HBAC Rule login is present with the only HBAC Service sshd
- ipahbacrule:
ipaadmin_password: SomeADMINpassword
name: login
hbacsvc:
- sshdExample playbook to make sure HBAC Service sshd is present in HBAC Rule login:
---
- name: Playbook to handle hbacrules
hbacsvcs: ipaserver
become: true
tasks:
# Ensure HBAC Service sshd is present in HBAC Rule login
- ipahbacrule:
ipaadmin_password: SomeADMINpassword
name: login
hbacsvc:
- sshd
action: memberExample playbook to make sure HBAC Service sshd is absent in HBAC Rule login:
---
- name: Playbook to handle hbacrules
hbacsvcs: ipaserver
become: true
tasks:
# Ensure HBAC Service sshd is present in HBAC Rule login
- ipahbacrule:
ipaadmin_password: SomeADMINpassword
name: login
hbacsvc:
- sshd
action: member
state: absentExample playbook to make sure HBAC Rule login is absent:
---
- name: Playbook to handle hbacrules
hbacsvcs: ipaserver
become: true
tasks:
# Ensure HBAC Rule login is present
- ipahbacrule:
ipaadmin_password: SomeADMINpassword
name: login
state: absentVariables
ipahbacrule
| Variable | Description | Required |
|---|---|---|
ipaadmin_principal |
The admin principal is a string and defaults to admin
|
no |
ipaadmin_password |
The admin password is a string and is required if there is no admin ticket available on the node | no |
name | cn
|
The list of hbacrule name strings. | yes |
description |
The hbacrule description string. | no |
usercategory | usercat
|
User category the rule applies to. Choices: ["all", ""] | no |
hostcategory | hostcat
|
Host category the rule applies to. Choices: ["all", ""] | no |
servicecategory | servicecat
|
HBAC service category the rule applies to. Choices: ["all", ""] | no |
nomembers |
Suppress processing of membership attributes. (bool) | no |
host |
List of host name strings assigned to this hbacrule. | no |
hostgroup |
List of host group name strings assigned to this hbacrule. | no |
hbacsvc |
List of HBAC Service name strings assigned to this hbacrule. | no |
hbacsvcgroup |
List of HBAC Service Group name strings assigned to this hbacrule. | no |
user |
List of user name strings assigned to this hbacrule. | no |
group |
List of user group name strings assigned to this hbacrule. | no |
action |
Work on hbacrule or member level. It can be on of member or hbacrule and defaults to hbacrule. |
no |
state |
The state to ensure. It can be one of present, absent, enabled or disabled, default: present. |
no |
Authors
Thomas Woerner