Select Git revision
README-selfservice.md
README-sudorule.md 3.95 KiB
Sudorule module
Description
The sudorule (Sudo Rule) module allows to ensure presence and absence of Sudo Rules and host, hostgroups, users, and user groups as members of Sudo Rule.
Features
- Sudo Rule management
Supported FreeIPA Versions
FreeIPA versions 4.4.0 and up are supported by the ipasudorule module.
Requirements
Controller
- Ansible version: 2.8+
Node
- Supported FreeIPA version (see above)
Usage
Example inventory file
[ipaserver]
ipaserver.test.localExample playbook to make sure Sudo Rule is present:
---
- name: Playbook to handle sudorules
hosts: ipaserver
become: true
tasks:
# Ensure Sudo Rule is present
- ipasudorule:
ipaadmin_password: SomeADMINpassword
name: testrule1Example playbook to make sure sudocmds are present in Sudo Rule:
---
- name: Playbook to handle sudorules
hosts: ipaserver
become: true
tasks:
# Ensure Sudo Rule is present
- ipasudorule:
ipaadmin_password: SomeADMINpassword
name: testrule1
allow_sudocmd:
- /sbin/ifconfig
action: memberExample playbook to make sure sudocmds are not present in Sudo Rule:
---
- name: Playbook to handle sudorules
hosts: ipaserver
become: true
tasks:
# Ensure Sudo Rule is present
- ipasudorule:
ipaadmin_password: SomeADMINpassword
name: testrule1
allow_sudocmd:
- /sbin/ifconfig
action: member
state: absentExample playbook to make sure Sudo Rule is absent:
---
- name: Playbook to handle sudorules
hosts: ipaserver
become: true
tasks:
# Ensure Sudo Rule is present
- ipasudorule:
ipaadmin_password: SomeADMINpassword
name: testrule1
state: absentVariables
ipasudorule
| Variable | Description | Required |
|---|---|---|
ipaadmin_principal |
The admin principal is a string and defaults to admin
|
no |
ipaadmin_password |
The admin password is a string and is required if there is no admin ticket available on the node | no |
name | cn
|
The list of sudorule name strings. | yes |
description |
The sudorule description string. | no |
usercategory | usercat
|
User category the rule applies to. Choices: ["all", ""] | no |
hostcategory | hostcat
|
Host category the rule applies to. Choices: ["all", ""] | no |
cmdcategory | cmdcat
|
Command category the rule applies to. Choices: ["all", ""] | no |
runasusercategory | rusasusercat
|
RunAs User category the rule applies to. Choices: ["all", ""] | no |
runasgroupcategory | runasgroupcat
|
RunAs Group category the rule applies to. Choices: ["all", ""] | no |
nomembers |
Suppress processing of membership attributes. (bool) | no |
host |
List of host name strings assigned to this sudorule. | no |
hostgroup |
List of host group name strings assigned to this sudorule. | no |
user |
List of user name strings assigned to this sudorule. | no |
group |
List of user group name strings assigned to this sudorule. | no |
allow_sudocmd |
List of sudocmd name strings assigned to the allow group of this sudorule. | no |
deny_sudocmd |
List of sudocmd name strings assigned to the deny group of this sudorule. | no |
allow_sudocmdgroup |
List of sudocmd groups name strings assigned to the allow group of this sudorule. | no |
deny_sudocmdgroup |
List of sudocmd groups name strings assigned to the deny group of this sudorule. | no |
sudooption | option
|
List of options to the sudorule | no |
order |
Integer to order the sudorule | no |
runasuser |
List of users for Sudo to execute as. | no |
runasgroup |
List of groups for Sudo to execute as. | no |
action |
Work on sudorule or member level. It can be on of member or sudorule and defaults to sudorule. |
no |
state |
The state to ensure. It can be one of present, absent, enabled or disabled, default: present. |
no |
Authors
Rafael Jeffman