Unverified Commit 1028f61b authored by Thomas Woerner's avatar Thomas Woerner Committed by GitHub

Merge pull request #899 from rjeffman/sudorule_add_runasuser_group

ipasudorule: Allow setting groups for runasuser.
parents 4321478c 1fde1764
...@@ -93,6 +93,26 @@ Example playbook to make sure sudocmds are not present in Sudo Rule: ...@@ -93,6 +93,26 @@ Example playbook to make sure sudocmds are not present in Sudo Rule:
state: absent state: absent
``` ```
Example playbook to ensure a Group of RunAs User is present in sudo rule:
```yaml
---
- name: Playbook to manage sudorule member
hosts: ipaserver
become: no
gather_facts: no
tasks:
- name: Ensure sudorule 'runasuser' has 'ipasuers' group as runas users.
ipasudorule:
ipaadmin_password: SomeADMINpassword
name: testrule1
runasuser_group: ipausers
action: member
```
Example playbook to make sure Sudo Rule is absent: Example playbook to make sure Sudo Rule is absent:
```yaml ```yaml
---
- name: Playbook to manage sudorule member
hosts: ipaserver
become: no
gather_facts: no
tasks:
- name: Ensure sudorule 'runasuser' do not have 'ipasuers' group as runas users.
ipasudorule:
ipaadmin_password: SomeADMINpassword
name: testrule1
runasuser_group: ipausers
action: member
state: absent
---
- name: Playbook to manage sudorule member
hosts: ipaserver
become: no
gather_facts: no
tasks:
- name: Ensure sudorule 'runasuser' has 'ipasuers' group as runas users.
ipasudorule:
ipaadmin_password: SomeADMINpassword
name: testrule1
runasuser_group: ipausers
action: member
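Review bot: The task names in both new playbooks do not match what the tasks do: they spell the group as `ipasuers` while the parameter passes `ipausers`, they call the rule 'runasuser' while `name: testrule1` is the rule being managed, and the absent variant reads "do not have" for a singular subject. I'd rename them to `Ensure sudorule 'testrule1' has 'ipausers' group as runas users.` and `Ensure sudorule 'testrule1' does not have 'ipausers' group as runas users.` so the task output names the object actually changed. The same `ipasuers` spelling is repeated in the README example and the module EXAMPLES added by this commit, so fixing it in one place only would leave the docs inconsistent.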
...@@ -138,6 +138,11 @@ options: ...@@ -138,6 +138,11 @@ options:
required: false required: false
type: list type: list
elements: str elements: str
runasuser_group:
description: List of groups for Sudo to execute as.
required: false
type: list
elements: str
runasgroup: runasgroup:
description: List of groups for Sudo to execute as. description: List of groups for Sudo to execute as.
required: false required: false
...@@ -214,6 +219,12 @@ EXAMPLES = """ ...@@ -214,6 +219,12 @@ EXAMPLES = """
hostmask: hostmask:
- 192.168.122.1/24 - 192.168.122.1/24
- 192.168.120.1/24 - 192.168.120.1/24
# Ensure sudorule 'runasuser' has 'ipasuers' group as runas users.
- ipasudorule:
ipaadmin_password: SomeADMINpassword
name: testrule1
runasuser_group: ipausers
action: member action: member
# Ensure Sudo Rule tesrule1 is absent # Ensure Sudo Rule tesrule1 is absent
...@@ -315,6 +326,8 @@ def main(): ...@@ -315,6 +326,8 @@ def main():
default=None), default=None),
runasgroup=dict(required=False, type="list", elements="str", runasgroup=dict(required=False, type="list", elements="str",
default=None), default=None),
runasuser_group=dict(required=False, type="list", elements="str",
default=None),
order=dict(type="int", required=False, aliases=['sudoorder']), order=dict(type="int", required=False, aliases=['sudoorder']),
sudooption=dict(required=False, type='list', elements="str", sudooption=dict(required=False, type='list', elements="str",
default=None, aliases=["options"]), default=None, aliases=["options"]),
...@@ -362,6 +375,7 @@ def main(): ...@@ -362,6 +375,7 @@ def main():
sudooption = ansible_module.params_get("sudooption") sudooption = ansible_module.params_get("sudooption")
order = ansible_module.params_get("order") order = ansible_module.params_get("order")
runasuser = ansible_module.params_get_lowercase("runasuser") runasuser = ansible_module.params_get_lowercase("runasuser")
runasuser_group = ansible_module.params_get_lowercase("runasuser_group")
runasgroup = ansible_module.params_get_lowercase("runasgroup") runasgroup = ansible_module.params_get_lowercase("runasgroup")
action = ansible_module.params_get("action") action = ansible_module.params_get("action")
...@@ -406,7 +420,8 @@ def main(): ...@@ -406,7 +420,8 @@ def main():
invalid.extend(["host", "hostgroup", "hostmask", "user", "group", invalid.extend(["host", "hostgroup", "hostmask", "user", "group",
"runasuser", "runasgroup", "allow_sudocmd", "runasuser", "runasgroup", "allow_sudocmd",
"allow_sudocmdgroup", "deny_sudocmd", "allow_sudocmdgroup", "deny_sudocmd",
"deny_sudocmdgroup", "sudooption"]) "deny_sudocmdgroup", "sudooption",
"runasuser_group"])
elif state in ["enabled", "disabled"]: elif state in ["enabled", "disabled"]:
if len(names) < 1: if len(names) < 1:
...@@ -420,7 +435,7 @@ def main(): ...@@ -420,7 +435,7 @@ def main():
"nomembers", "nomembers", "host", "hostgroup", "hostmask", "nomembers", "nomembers", "host", "hostgroup", "hostmask",
"user", "group", "allow_sudocmd", "allow_sudocmdgroup", "user", "group", "allow_sudocmd", "allow_sudocmdgroup",
"deny_sudocmd", "deny_sudocmdgroup", "runasuser", "deny_sudocmd", "deny_sudocmdgroup", "runasuser",
"runasgroup", "order", "sudooption"] "runasgroup", "order", "sudooption", "runasuser_group"]
else: else:
ansible_module.fail_json(msg="Invalid state '%s'" % state) ansible_module.fail_json(msg="Invalid state '%s'" % state)
...@@ -453,6 +468,7 @@ def main(): ...@@ -453,6 +468,7 @@ def main():
deny_cmdgroup_add, deny_cmdgroup_del = [], [] deny_cmdgroup_add, deny_cmdgroup_del = [], []
sudooption_add, sudooption_del = [], [] sudooption_add, sudooption_del = [], []
runasuser_add, runasuser_del = [], [] runasuser_add, runasuser_del = [], []
runasuser_group_add, runasuser_group_del = [], []
runasgroup_add, runasgroup_del = [], [] runasgroup_add, runasgroup_del = [], []
for name in names: for name in names:
...@@ -552,6 +568,12 @@ def main(): ...@@ -552,6 +568,12 @@ def main():
+ res_find.get('ipasudorunasextuser', []) + res_find.get('ipasudorunasextuser', [])
) )
) )
runasuser_group_add, runasuser_group_del = (
gen_add_del_lists(
runasuser_group,
res_find.get('ipasudorunas_group', [])
)
)
# runasgroup attribute can be used with both IPA and # runasgroup attribute can be used with both IPA and
# non-IPA (external) groups. IPA will handle the correct # non-IPA (external) groups. IPA will handle the correct
...@@ -623,6 +645,11 @@ def main(): ...@@ -623,6 +645,11 @@ def main():
(list(res_find.get('ipasudorunas_user', [])) (list(res_find.get('ipasudorunas_user', []))
+ list(res_find.get('ipasudorunasextuser', []))) + list(res_find.get('ipasudorunasextuser', [])))
) )
if runasuser_group is not None:
runasuser_group_add = gen_add_list(
runasuser_group,
res_find.get('ipasudorunas_group', [])
)
# runasgroup attribute can be used with both IPA and # runasgroup attribute can be used with both IPA and
# non-IPA (external) groups, so we need to compare # non-IPA (external) groups, so we need to compare
# the provided list against both users and external # the provided list against both users and external
...@@ -703,6 +730,11 @@ def main(): ...@@ -703,6 +730,11 @@ def main():
+ list(res_find.get('ipasudorunasextuser', [])) + list(res_find.get('ipasudorunasextuser', []))
) )
) )
if runasuser_group is not None:
runasuser_group_del = gen_intersection_list(
runasuser_group,
res_find.get('ipasudorunas_group', [])
)
# runasgroup attribute can be used with both IPA and # runasgroup attribute can be used with both IPA and
# non-IPA (external) groups, so we need to compare # non-IPA (external) groups, so we need to compare
# the provided list against both groups and external # the provided list against both groups and external
...@@ -812,13 +844,19 @@ def main(): ...@@ -812,13 +844,19 @@ def main():
} }
]) ])
# Manage RunAS users # Manage RunAS users
if runasuser_add or runasuser_group_add:
# Can't use empty lists with command "sudorule_add_runasuser".
_args = {}
if runasuser_add: if runasuser_add:
_args["user"] = runasuser_add
if runasuser_group_add:
_args["group"] = runasuser_group_add
commands.append([name, "sudorule_add_runasuser", _args])
if runasuser_del or runasuser_group_del:
commands.append([ commands.append([
name, "sudorule_add_runasuser", {"user": runasuser_add} name,
]) "sudorule_remove_runasuser",
if runasuser_del: {"user": runasuser_del, "group": runasuser_group_del}
commands.append([
name, "sudorule_remove_runasuser", {"user": runasuser_del}
]) ])
# Manage RunAS Groups # Manage RunAS Groups
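Review bot: The removal branch at the end of the last hunk passes `{"user": runasuser_del, "group": runasuser_group_del}` to `sudorule_remove_runasuser` even when one of the two lists is empty, whereas the add branch directly above it deliberately builds `_args` only from non-empty lists because, per its own comment, `sudorule_add_runasuser` cannot take empty lists. If the remove command has the same restriction, removing only a runas group (or only a runas user) would send an empty list and fail; if it tolerates empty lists, the asymmetry is still surprising and deserves a comment saying so. I would construct the remove arguments the same way the add arguments are constructed, which also keeps the previous behaviour for the user-only case. Both branches sit inside `main()`, whose body starts and ends outside this hunk.
```python
# Manage RunAS users
if runasuser_add or runasuser_group_add:
    # … unchanged: build _args from non-empty add lists …
    commands.append([name, "sudorule_add_runasuser", _args])
if runasuser_del or runasuser_group_del:
    # Mirror the add path: only pass the lists that are non-empty.
    _args = {}
    if runasuser_del:
        _args["user"] = runasuser_del
    if runasuser_group_del:
        _args["group"] = runasuser_group_del
    commands.append([name, "sudorule_remove_runasuser", _args])
```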
...@@ -8,34 +8,26 @@ ...@@ -8,34 +8,26 @@
tasks: tasks:
# setup # setup
- name: Ensure user is absent - name: Ensure test user is present
ipauser: ipauser:
ipaadmin_password: SomeADMINpassword ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}" ipaapi_context: "{{ ipa_context | default(omit) }}"
name: user01 name: user01
state: absent first: user
last: zeroone
- name: Ensure group is absent - name: Ensure group01 is present, with user01 on it.
ipagroup: ipagroup:
ipaadmin_password: SomeADMINpassword ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}" ipaapi_context: "{{ ipa_context | default(omit) }}"
name: group01 name: group01
state: absent user: user01
- name: Ensure user is present
ipauser:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: user01
first: user
last: zeroone
- name: Ensure group is present, with user01 on it. - name: Ensure group02 is present
ipagroup: ipagroup:
ipaadmin_password: SomeADMINpassword ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}" ipaapi_context: "{{ ipa_context | default(omit) }}"
name: group01 name: group02
user: user01
- name: Ensure sudocmdgroup is absent - name: Ensure sudocmdgroup is absent
ipasudocmdgroup: ipasudocmdgroup:
...@@ -154,6 +146,100 @@ ...@@ -154,6 +146,100 @@
register: result register: result
failed_when: result.changed or result.failed failed_when: result.changed or result.failed
- name: Ensure group01 is on the list of users sudorule execute as.
ipasudorule:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: testrule1
runasuser_group:
- group01
action: member
register: result
failed_when: not result.changed or result.failed
- name: Ensure group01 is on the list of users sudorule execute as, again.
ipasudorule:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: testrule1
runasuser_group:
- group01
action: member
register: result
failed_when: result.changed or result.failed
- name: Ensure group01 and group2 are on the list of users sudorule execute as.
ipasudorule:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: testrule1
runasuser_group:
- group01
- group02
action: member
register: result
failed_when: not result.changed or result.failed
- name: Ensure group01 and group2 are on the list of users sudorule execute as, again.
ipasudorule:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: testrule1
runasuser_group:
- group01
- group02
action: member
register: result
failed_when: result.changed or result.failed
- name: Check if group02 is on the list of users sudorule execute as.
ipasudorule:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: testrule1
runasuser_group:
- group02
action: member
register: result
check_mode: true
failed_when: result.changed or result.failed
- name: Ensure group01 is not on the list of users sudorule execute as.
ipasudorule:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: testrule1
runasuser_group:
- group01
action: member
state: absent
register: result
failed_when: not result.changed or result.failed
- name: Ensure group01 is not on the list of users sudorule execute as, again.
ipasudorule:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: testrule1
runasuser_group:
- group01
action: member
state: absent
register: result
failed_when: result.changed or result.failed
- name: Check if group02 is on the list of users sudorule execute as.
ipasudorule:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: testrule1
runasuser_group:
- group02
action: member
register: result
check_mode: true
failed_when: result.changed or result.failed
- name: Ensure group01 is on the list of group sudorule execute as. - name: Ensure group01 is on the list of group sudorule execute as.
ipasudorule: ipasudorule:
ipaadmin_password: SomeADMINpassword ipaadmin_password: SomeADMINpassword
...@@ -1155,3 +1241,19 @@ ...@@ -1155,3 +1241,19 @@
ipaapi_context: "{{ ipa_context | default(omit) }}" ipaapi_context: "{{ ipa_context | default(omit) }}"
name: cluster name: cluster
state: absent state: absent
- name: Ensure groups are absent
ipagroup:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name:
- group01
- group02
state: absent
- name: Ensure user is absent
ipauser:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: user01
state: absent
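Review bot: The new tests only ever set `runasuser_group` on its own, so the module path this commit introduces for the combined case — one `sudorule_add_runasuser` call carrying both `user` and `group`, and a removal where both `runasuser_del` and `runasuser_group_del` are non-empty — is never exercised, nor is the case where only a group is removed while a user-only removal would previously have been the norm. A task that adds a runas user and a runas group in one step, followed by the matching `state: absent` task and an idempotency re-run, would cover it; it needs a user that is not already on the rule's runas list, which I cannot confirm from these hunks (user01 is created in setup but its earlier use is outside the view). Separately, the task names for the two-group steps say `group2` while the parameter is `group02`; I'd change them to `Ensure group01 and group02 are on the list of users sudorule execute as.`.
```yaml
- name: Ensure user01 and group02 are on the list of users sudorule execute as.
  ipasudorule:
    ipaadmin_password: SomeADMINpassword
    ipaapi_context: "{{ ipa_context | default(omit) }}"
    name: testrule1
    runasuser:
      - user01
    runasuser_group:
      - group02
    action: member
  register: result
  failed_when: not result.changed or result.failed

- name: Ensure user01 and group02 are not on the list of users sudorule execute as.
  ipasudorule:
    ipaadmin_password: SomeADMINpassword
    ipaapi_context: "{{ ipa_context | default(omit) }}"
    name: testrule1
    runasuser:
      - user01
    runasuser_group:
      - group02
    action: member
    state: absent
  register: result
  failed_when: not result.changed or result.failed
```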