Select Git revision
README-permission.md
-
Thomas Woerner authored
The Variables and also the Return Variables sections contained an extra header with the module name. This is only needed if there are more than one module in the README.
Thomas Woerner authoredThe Variables and also the Return Variables sections contained an extra header with the module name. This is only needed if there are more than one module in the README.
README-permission.md 5.17 KiB
Permission module
Description
The permission module allows to ensure presence and absence of permissions and permission members.
Features
- Permission management
Supported FreeIPA Versions
FreeIPA versions 4.4.0 and up are supported by the ipapermission module.
Requirements
Controller
- Ansible version: 2.8+
Node
- Supported FreeIPA version (see above)
Usage
Example inventory file
[ipaserver]
ipaserver.test.localExample playbook to make sure permission "MyPermission" is present:
---
- name: Playbook to handle IPA permissions
hosts: ipaserver
become: yes
tasks:
- name: Ensure permission MyPermission is present
ipapermission:
ipaadmin_password: SomeADMINpassword
name: MyPermission
object_type: host
right: allExample playbook to ensure permission "MyPermission" is present with attr carlicense:
---
- name: Playbook to handle IPA permissions
hosts: ipaserver
become: yes
tasks:
- name: Ensure permission "MyPermission" is present with attr carlicense
ipapermission:
ipaadmin_password: SomeADMINpassword
name: MyPermission
object_type: host
right: all
attrs:
- carlicenseExample playbook to ensure attr gecos is present in permission "MyPermission":
---
- name: Playbook to handle IPA permissions
hosts: ipaserver
become: yes
tasks:
- name: Ensure attr gecos is present in permission "MyPermission"
ipapermission:
ipaadmin_password: SomeADMINpassword
name: MyPermission
attrs:
- gecos
action: memberExample playbook to ensure attr gecos is absent in permission "MyPermission":
---
- name: Playbook to handle IPA permissions
hosts: ipaserver
become: yes
tasks:
- name: Ensure attr gecos is present in permission "MyPermission"
ipapermission:
ipaadmin_password: SomeADMINpassword
name: MyPermission
attrs:
- gecos
action: member
state: absentExample playbook to make sure permission "MyPermission" is absent:
---
- name: Playbook to handle IPA permissions
hosts: ipaserver
become: yes
tasks:
- name: Ensure permission "MyPermission" is absent
ipapermission:
ipaadmin_password: SomeADMINpassword
name: MyPermission
state: absentExample playbook to make sure permission "MyPermission" is renamed to "MyNewPermission":
---
- name: Playbook to handle IPA permissions
hosts: ipaserver
become: yes
tasks:
- name: Ensure permission "MyPermission" is renamed to "MyNewPermission
ipapermission:
ipaadmin_password: SomeADMINpassword
name: MyPermission
rename: MyNewPermission
state: renamedVariables
| Variable | Description | Required |
|---|---|---|
ipaadmin_principal |
The admin principal is a string and defaults to admin
|
no |
ipaadmin_password |
The admin password is a string and is required if there is no admin ticket available on the node | no |
ipaapi_context |
The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are server and client. |
no |
ipaapi_ldap_cache |
Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no |
name | cn
|
The permission name string. | yes |
right | ipapermright
|
Rights to grant. It can be a list of one or more of read, search, compare, write, add, delete, and all default: all
|
no |
attrs |
All attributes to which the permission applies. | no |
bindtype | ipapermbindruletype
|
Bind rule type. It can be one of permission, all, self, or anonymous defaults to permission for new permissions. Bind rule type self can only be used on IPA versions 4.8.7 or up. |
no |
subtree | ipapermlocation
|
Subtree to apply permissions to | no |
filter | extratargetfilter
|
Extra target filter | no |
rawfilter | ipapermtargetfilter
|
All target filters | no |
target | ipapermtarget
|
Optional DN to apply the permission to | no |
targetto | ipapermtargetto
|
Optional DN subtree where an entry can be moved to | no |
targetfrom | ipapermtargetfrom
|
Optional DN subtree from where an entry can be moved | no |
memberof |
Target members of a group (sets memberOf targetfilter) | no |
targetgroup |
User group to apply permissions to (sets target) | no |
object_type |
Type of IPA object (sets subtree and objectClass targetfilter) | no |
no_members |
Suppress processing of membership | no |
rename | new_name
|
Rename the permission object | no |
action |
Work on permission or member level. It can be on of member or permission and defaults to permission. |
no |
state |
The state to ensure. It can be one of present, absent, or renamed default: present. |
no |
The includedattrs and excludedattrs variables are only usable for managed permisions and are not exposed by the module. Using attrs for managed permissions will result in the automatic generation of includedattrs and excludedattrs in the IPA server.
Authors
Seth Kress