
README-permission.md

    Rafael Guterres Jeffman authored
    FreeIPA 4.8.7 has introduced bind type 'self' as a valid value, and
    this PR adds checks so the module fails early if the value is used
    with an unsupported version.
    
    Tests and documentation have been updated to reflect the changes.
    b6cf3e5f

# Permission module

## Description

The permission module allows you to ensure the presence and absence of permissions and permission members.

## Features

* Permission management

## Supported FreeIPA Versions

FreeIPA versions 4.4.0 and up are supported by the ipapermission module.

## Requirements

### Controller

* Ansible version: 2.8+

### Node

* Supported FreeIPA version (see above)

## Usage

### Example inventory file

```ini
[ipaserver]
ipaserver.test.local
```

Example playbook to make sure permission "MyPermission" is present:

```yaml
---
- name: Playbook to create an IPA permission.
  hosts: ipaserver
  become: yes

  tasks:
  - name: Ensure permission MyPermission is present
    ipapermission:
      ipaadmin_password: SomeADMINpassword
      name: MyPermission
      object_type: host
      right: all
```

Example playbook to make sure permission "MyPermission" member "privilege" with value "User Administrators" is present:

```yaml
---
- name: Permission add privilege to a permission
  hosts: ipaserver
  become: true

  tasks:
  - name: Ensure permission MyPermission is present with the User Administrators privilege present
    ipapermission:
      ipaadmin_password: SomeADMINpassword
      name: MyPermission
      privilege: "User Administrators"
      action: member
```

Example playbook to make sure permission "MyPermission" member "privilege" with value "User Administrators" is absent:

```yaml
---
- name: Permission remove privilege from a permission
  hosts: ipaserver
  become: true

  tasks:
  - name: Ensure permission MyPermission is present without the User Administrators privilege
    ipapermission:
      ipaadmin_password: SomeADMINpassword
      name: MyPermission
      privilege: "User Administrators"
      action: member
      state: absent
```

Example playbook to make sure permission "MyPermission" is absent:

```yaml
---
- name: Playbook to manage IPA permission.
  hosts: ipaserver
  become: yes

  tasks:
  - ipapermission:
      ipaadmin_password: SomeADMINpassword
      name: MyPermission
      state: absent
```

Example playbook to make sure permission "MyPermission" is renamed to "MyNewPermission":

```yaml
---
- name: Playbook to manage IPA permission.
  hosts: ipaserver
  become: yes

  tasks:
  - ipapermission:
      ipaadmin_password: SomeADMINpassword
      name: MyPermission
      rename: MyNewPermission
      state: renamed
```

## Variables

### ipapermission

| Variable | Description | Required |
| -------- | ----------- | -------- |
| `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no |
| `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no |
| `name` \| `cn` | The permission name string. | yes |
| `right` \| `ipapermright` | Rights to grant. It can be a list of one or more of `read`, `search`, `compare`, `write`, `add`, `delete`, and `all`. Default: `all` | no |
| `attrs` | All attributes to which the permission applies | no |
| `bindtype` \| `ipapermbindruletype` | Bind rule type. It can be one of `permission`, `all`, `self`, or `anonymous`; defaults to `permission` for new permissions. Bind rule type `self` can only be used on IPA versions 4.8.7 or up. | no |
| `subtree` \| `ipapermlocation` | Subtree to apply permissions to | no |
| `filter` \| `extratargetfilter` | Extra target filter | no |
| `rawfilter` \| `ipapermtargetfilter` | All target filters | no |
| `target` \| `ipapermtarget` | Optional DN to apply the permission to | no |
| `targetto` \| `ipapermtargetto` | Optional DN subtree where an entry can be moved to | no |
| `targetfrom` \| `ipapermtargetfrom` | Optional DN subtree from where an entry can be moved | no |
| `memberof` | Target members of a group (sets memberOf targetfilter) | no |
| `targetgroup` | User group to apply permissions to (sets target) | no |
| `object_type` | Type of IPA object (sets subtree and objectClass targetfilter) | no |
| `no_members` | Suppress processing of membership | no |
| `rename` | Rename the permission object | no |
| `privilege` | Member Privilege of Permission | no |
| `action` | Work on permission or member level. It can be one of `member` or `permission` and defaults to `permission`. | no |
| `state` | The state to ensure. It can be one of `present`, `absent`, or `renamed`. Default: `present` | no |
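The value constraints in the table above, including the rule that bind rule type `self` needs FreeIPA 4.8.7 or up, can be checked before a playbook ever reaches a server. The following lint is an added example, not code from ansible-freeipa; `validate_task`, `parse_version`, the alias map and the sample tasks are assumptions made here, and the version check is a stand-in for whatever the module itself does.

```python
"""Pre-flight lint for ipapermission task parameters: a hypothetical helper, not
part of ansible-freeipa, mirroring the value constraints in the variables table."""
import re

ALLOWED_RIGHTS = {"read", "search", "compare", "write", "add", "delete", "all"}
ALLOWED_BINDTYPES = {"permission", "all", "self", "anonymous"}
ALLOWED_ACTIONS = {"member", "permission"}
ALLOWED_STATES = {"present", "absent", "renamed"}
MIN_SELF_BINDTYPE = (4, 8, 7)  # bind rule type 'self' needs FreeIPA 4.8.7 or up
# Parameter aliases listed in the variables table, mapped to the primary name.
ALIASES = {"cn": "name", "ipapermright": "right", "ipapermbindruletype": "bindtype"}


def parse_version(version):
    """Reduce a FreeIPA version string such as '4.8.7' or '4.9.10-1.fc35'
    to a comparable (major, minor, patch) tuple."""
    match = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not match:
        raise ValueError("unrecognised FreeIPA version: %r" % version)
    return tuple(int(part) for part in match.groups())


def validate_task(params, ipa_version):
    """Return the list of problems found in one ipapermission task
    (an empty list means the task passes the checks)."""
    params = {ALIASES.get(key, key): value for key, value in params.items()}
    problems = []
    if not params.get("name"):
        problems.append("name is required")
    rights = params.get("right", ["all"])
    rights = [rights] if isinstance(rights, str) else rights
    unknown = sorted(set(rights) - ALLOWED_RIGHTS)
    if unknown:
        problems.append("unknown right(s): %s" % ", ".join(unknown))
    bindtype = params.get("bindtype", "permission")
    if bindtype not in ALLOWED_BINDTYPES:
        problems.append("unknown bindtype: %s" % bindtype)
    elif bindtype == "self" and parse_version(ipa_version) < MIN_SELF_BINDTYPE:
        problems.append("bindtype 'self' requires FreeIPA 4.8.7 or up (server is %s)" % ipa_version)
    if params.get("action", "permission") not in ALLOWED_ACTIONS:
        problems.append("action must be one of: member, permission")
    if params.get("state", "present") not in ALLOWED_STATES:
        problems.append("state must be one of: present, absent, renamed")
    return problems


if __name__ == "__main__":
    # Constructed sample tasks: the README's first example and a 'self' misuse.
    print(validate_task({"name": "MyPermission", "object_type": "host", "right": "all"}, "4.8.7"))
    print(validate_task({"cn": "MyPermission", "ipapermbindruletype": "self"}, "4.6.8"))
```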

## Authors

Seth Kress