diff --git a/README-sudorule.md b/README-sudorule.md
index c66ccd6a7b9fff5e07e748005fd9c1ee8f01cf99..62c2d57103d68d237885b188f43918aa9f6030fd 100644
--- a/README-sudorule.md
+++ b/README-sudorule.md
@@ -93,6 +93,26 @@ Example playbook to make sure sudocmds are not present in Sudo Rule:
       state: absent
 ```
 
+
+Example playbook to ensure a Group of RunAs User is present in sudo rule:
+
+```yaml
+---
+- name: Playbook to manage sudorule member
+  hosts: ipaserver
+  become: no
+  gather_facts: no
+
+  tasks:
+  - name: Ensure sudorule 'runasuser' has 'ipasuers' group as runas users.
+    ipasudorule:
+      ipaadmin_password: SomeADMINpassword
+      name: testrule1
+      runasuser_group: ipausers
+      action: member
+```
+
+
 Example playbook to make sure Sudo Rule is absent:
 
 ```yaml
diff --git a/playbooks/sudorule/ensure-sudorule-runasuser-group-is-absent.yml b/playbooks/sudorule/ensure-sudorule-runasuser-group-is-absent.yml
new file mode 100644
index 0000000000000000000000000000000000000000..3dc3585db5425b4e8122cc1050e0fb6aabcd3aeb
--- /dev/null
+++ b/playbooks/sudorule/ensure-sudorule-runasuser-group-is-absent.yml
@@ -0,0 +1,14 @@
+---
+- name: Playbook to manage sudorule member
+  hosts: ipaserver
+  become: no
+  gather_facts: no
+
+  tasks:
+  - name: Ensure sudorule 'runasuser' do not have 'ipasuers' group as runas users.
+    ipasudorule:
+      ipaadmin_password: SomeADMINpassword
+      name: testrule1
+      runasuser_group: ipausers
+      action: member
+      state: absent
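Review bot: The task name does not match what the task does: it calls the rule 'runasuser' and the group 'ipasuers', while the task acts on `testrule1` and `ipausers`; `- name: Ensure group 'ipausers' is not a RunAs user group of sudorule 'testrule1'.` would read correctly. The same slip is in ensure-sudorule-runasuser-group-is-present.yml. `ipausers` is, as far as I know, FreeIPA's default group holding every user, so the 'present' example copied verbatim would make all IPA users RunAs targets of the rule; a dedicated group name would be a safer sample. `become: no` and `gather_facts: no` are better written as `false` in both new files.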
diff --git a/playbooks/sudorule/ensure-sudorule-runasuser-group-is-present.yml b/playbooks/sudorule/ensure-sudorule-runasuser-group-is-present.yml
new file mode 100644
index 0000000000000000000000000000000000000000..6157d57044117efe91a9b1ce854b1769f073617c
--- /dev/null
+++ b/playbooks/sudorule/ensure-sudorule-runasuser-group-is-present.yml
@@ -0,0 +1,13 @@
+---
+- name: Playbook to manage sudorule member
+  hosts: ipaserver
+  become: no
+  gather_facts: no
+
+  tasks:
+  - name: Ensure sudorule 'runasuser' has 'ipasuers' group as runas users.
+    ipasudorule:
+      ipaadmin_password: SomeADMINpassword
+      name: testrule1
+      runasuser_group: ipausers
+      action: member
diff --git a/plugins/modules/ipasudorule.py b/plugins/modules/ipasudorule.py
index 2be49c224450eb0c0bac8b090cb2c156e2ad1913..a4d5571fe81052a4fe09675bf94b4ee437185ab8 100644
--- a/plugins/modules/ipasudorule.py
+++ b/plugins/modules/ipasudorule.py
@@ -138,6 +138,11 @@ options:
     required: false
     type: list
     elements: str
+  runasuser_group:
+    description: List of groups for Sudo to execute as.
+    required: false
+    type: list
+    elements: str
   runasgroup:
     description: List of groups for Sudo to execute as.
     required: false
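Review bot: The description added for `runasuser_group` is word for word the one `runasgroup` has just below, so the documentation gives no way to tell the two options apart. Judging by the later hunk that sends it as the `group` argument of `sudorule_add_runasuser`, `runasuser_group` presumably names groups whose members the command may run as, not a group identity to run under. Confusing the two grants a different privilege scope than intended, so I would spell it out, for example `description: List of groups whose members are RunAs users of the rule.` The options block starts and ends outside the hunk.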
@@ -214,6 +219,12 @@ EXAMPLES = """
     hostmask:
     - 192.168.122.1/24
     - 192.168.120.1/24
+
+# Ensure sudorule 'runasuser' has 'ipasuers' group as runas users.
+- ipasudorule:
+    ipaadmin_password: SomeADMINpassword
+    name: testrule1
+    runasuser_group: ipausers
     action: member
 
 # Ensure Sudo Rule tesrule1 is absent
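Review bot: The new example is inserted above the existing `action: member` line, so that line now closes the `runasuser_group` example and the preceding hostmask example loses it. Without it the hostmask example falls back to the module's default action, which likely replaces the rule's host list instead of adding to it; that is worth confirming before users copy it. Restore `    action: member` after the `- 192.168.120.1/24` line. The new comment also repeats the 'runasuser'/'ipasuers' naming slip; `# Ensure group 'ipausers' is a RunAs user group of sudorule 'testrule1'.` would match the task. The EXAMPLES string starts and ends outside the hunk.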
@@ -315,6 +326,8 @@ def main():
                            default=None),
             runasgroup=dict(required=False, type="list", elements="str",
                             default=None),
+            runasuser_group=dict(required=False, type="list", elements="str",
+                                 default=None),
             order=dict(type="int", required=False, aliases=['sudoorder']),
             sudooption=dict(required=False, type='list', elements="str",
                             default=None, aliases=["options"]),
@@ -362,6 +375,7 @@ def main():
     sudooption = ansible_module.params_get("sudooption")
     order = ansible_module.params_get("order")
     runasuser = ansible_module.params_get_lowercase("runasuser")
+    runasuser_group = ansible_module.params_get_lowercase("runasuser_group")
     runasgroup = ansible_module.params_get_lowercase("runasgroup")
     action = ansible_module.params_get("action")
 
@@ -406,7 +420,8 @@ def main():
             invalid.extend(["host", "hostgroup", "hostmask", "user", "group",
                             "runasuser", "runasgroup", "allow_sudocmd",
                             "allow_sudocmdgroup", "deny_sudocmd",
-                            "deny_sudocmdgroup", "sudooption"])
+                            "deny_sudocmdgroup", "sudooption",
+                            "runasuser_group"])
 
     elif state in ["enabled", "disabled"]:
         if len(names) < 1:
@@ -420,7 +435,7 @@ def main():
                    "nomembers", "nomembers", "host", "hostgroup", "hostmask",
                    "user", "group", "allow_sudocmd", "allow_sudocmdgroup",
                    "deny_sudocmd", "deny_sudocmdgroup", "runasuser",
-                   "runasgroup", "order", "sudooption"]
+                   "runasgroup", "order", "sudooption", "runasuser_group"]
     else:
         ansible_module.fail_json(msg="Invalid state '%s'" % state)
 
@@ -453,6 +468,7 @@ def main():
         deny_cmdgroup_add, deny_cmdgroup_del = [], []
         sudooption_add, sudooption_del = [], []
         runasuser_add, runasuser_del = [], []
+        runasuser_group_add, runasuser_group_del = [], []
         runasgroup_add, runasgroup_del = [], []
 
         for name in names:
@@ -552,6 +568,12 @@ def main():
                             + res_find.get('ipasudorunasextuser', [])
                         )
                     )
+                    runasuser_group_add, runasuser_group_del = (
+                        gen_add_del_lists(
+                            runasuser_group,
+                            res_find.get('ipasudorunas_group', [])
+                        )
+                    )
 
                     # runasgroup attribute can be used with both IPA and
                     # non-IPA (external) groups. IPA will handle the correct
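Review bot: `runasuser_group` is compared only against `ipasudorunas_group`, whereas the `runasuser` comparison directly above also merges in `ipasudorunasextuser`. If the server stores a group it cannot resolve under a separate external attribute (I believe `ipasudorunasextusergroup`, to be confirmed against the server schema), such a group would be reported as changed on every run and would never land in the del list, leaving a stale RunAs grant while the play reports success. The same single-attribute lookup is used in the `action: member` hunks at -623 and -703. Either merge the external attribute into all three comparisons or document that only IPA groups are supported. main() begins and ends outside the hunk.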
@@ -623,6 +645,11 @@ def main():
                             (list(res_find.get('ipasudorunas_user', []))
                              + list(res_find.get('ipasudorunasextuser', [])))
                         )
+                    if runasuser_group is not None:
+                        runasuser_group_add = gen_add_list(
+                            runasuser_group,
+                            res_find.get('ipasudorunas_group', [])
+                        )
                     # runasgroup attribute can be used with both IPA and
                     # non-IPA (external) groups, so we need to compare
                     # the provided list against both users and external
@@ -703,6 +730,11 @@ def main():
                                 + list(res_find.get('ipasudorunasextuser', []))
                             )
                         )
+                    if runasuser_group is not None:
+                        runasuser_group_del = gen_intersection_list(
+                            runasuser_group,
+                            res_find.get('ipasudorunas_group', [])
+                        )
                     # runasgroup attribute can be used with both IPA and
                     # non-IPA (external) groups, so we need to compare
                     # the provided list against both groups and external
@@ -812,13 +844,19 @@ def main():
                     }
                 ])
             # Manage RunAS users
-            if runasuser_add:
-                commands.append([
-                    name, "sudorule_add_runasuser", {"user": runasuser_add}
-                ])
-            if runasuser_del:
+            if runasuser_add or runasuser_group_add:
+                # Can't use empty lists with command "sudorule_add_runasuser".
+                _args = {}
+                if runasuser_add:
+                    _args["user"] = runasuser_add
+                if runasuser_group_add:
+                    _args["group"] = runasuser_group_add
+                commands.append([name, "sudorule_add_runasuser", _args])
+            if runasuser_del or runasuser_group_del:
                 commands.append([
-                    name, "sudorule_remove_runasuser", {"user": runasuser_del}
+                    name,
+                    "sudorule_remove_runasuser",
+                    {"user": runasuser_del, "group": runasuser_group_del}
                 ])
 
             # Manage RunAS Groups
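Review bot: The remove branch passes `{"user": runasuser_del, "group": runasuser_group_del}` even when one of the two lists is empty, while the add branch directly above builds `_args` from the non-empty lists only and comments that empty lists cannot be used. The tests in this commit remove a group with no users given, so the API appears to tolerate it, but the asymmetry is undocumented and easy to break. Building the arguments the same way in both branches removes the question. main() begins and ends outside the hunk.

```python
            if runasuser_del or runasuser_group_del:
                # Pass only the non-empty lists, as the add branch does.
                _args = {}
                if runasuser_del:
                    _args["user"] = runasuser_del
                if runasuser_group_del:
                    _args["group"] = runasuser_group_del
                commands.append([name, "sudorule_remove_runasuser", _args])
```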
diff --git a/tests/sudorule/test_sudorule.yml b/tests/sudorule/test_sudorule.yml
index 622438cd3899ee7f860f1a768f3e04ee9e3461d9..476fb1d89b848000377a0a6ab46e3f938a3adad7 100644
--- a/tests/sudorule/test_sudorule.yml
+++ b/tests/sudorule/test_sudorule.yml
@@ -8,34 +8,26 @@
   tasks:
 
   # setup
-  - name: Ensure user is absent
+  - name: Ensure test user is present
     ipauser:
       ipaadmin_password: SomeADMINpassword
       ipaapi_context: "{{ ipa_context | default(omit) }}"
       name: user01
-      state: absent
+      first: user
+      last: zeroone
 
-  - name: Ensure group is absent
+  - name: Ensure group01 is present, with user01 on it.
     ipagroup:
       ipaadmin_password: SomeADMINpassword
       ipaapi_context: "{{ ipa_context | default(omit) }}"
       name: group01
-      state: absent
-
-  - name: Ensure user is present
-    ipauser:
-      ipaadmin_password: SomeADMINpassword
-      ipaapi_context: "{{ ipa_context | default(omit) }}"
-      name: user01
-      first: user
-      last: zeroone
+      user: user01
 
-  - name: Ensure group is present, with user01 on it.
+  - name: Ensure group02 is present
     ipagroup:
       ipaadmin_password: SomeADMINpassword
       ipaapi_context: "{{ ipa_context | default(omit) }}"
-      name: group01
-      user: user01
+      name: group02
 
   - name: Ensure sudocmdgroup is absent
     ipasudocmdgroup:
@@ -154,6 +146,100 @@
     register: result
     failed_when: result.changed or result.failed
 
+  - name: Ensure group01 is on the list of users sudorule execute as.
+    ipasudorule:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
+      name: testrule1
+      runasuser_group:
+        - group01
+      action: member
+    register: result
+    failed_when: not result.changed or result.failed
+
+  - name: Ensure group01 is on the list of users sudorule execute as, again.
+    ipasudorule:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
+      name: testrule1
+      runasuser_group:
+        - group01
+      action: member
+    register: result
+    failed_when: result.changed or result.failed
+
+  - name: Ensure group01 and group2 are on the list of users sudorule execute as.
+    ipasudorule:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
+      name: testrule1
+      runasuser_group:
+        - group01
+        - group02
+      action: member
+    register: result
+    failed_when: not result.changed or result.failed
+
+  - name: Ensure group01 and group2 are on the list of users sudorule execute as, again.
+    ipasudorule:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
+      name: testrule1
+      runasuser_group:
+        - group01
+        - group02
+      action: member
+    register: result
+    failed_when: result.changed or result.failed
+
+  - name: Check if group02 is on the list of users sudorule execute as.
+    ipasudorule:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
+      name: testrule1
+      runasuser_group:
+        - group02
+      action: member
+    register: result
+    check_mode: true
+    failed_when: result.changed or result.failed
+
+  - name: Ensure group01 is not on the list of users sudorule execute as.
+    ipasudorule:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
+      name: testrule1
+      runasuser_group:
+        - group01
+      action: member
+      state: absent
+    register: result
+    failed_when: not result.changed or result.failed
+
+  - name: Ensure group01 is not on the list of users sudorule execute as, again.
+    ipasudorule:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
+      name: testrule1
+      runasuser_group:
+        - group01
+      action: member
+      state: absent
+    register: result
+    failed_when: result.changed or result.failed
+
+  - name: Check if group02 is on the list of users sudorule execute as.
+    ipasudorule:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
+      name: testrule1
+      runasuser_group:
+        - group02
+      action: member
+    register: result
+    check_mode: true
+    failed_when: result.changed or result.failed
+
   - name: Ensure group01 is on the list of group sudorule execute as.
     ipasudorule:
       ipaadmin_password: SomeADMINpassword
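Review bot: The new tasks exercise `runasuser_group` only with `action: member`, so the `gen_add_del_lists` branch added for the default action is never reached. A regression there could leave a stale RunAs group on the rule without any test failing; a task that sets `runasuser_group` without `action: member` on a rule that already holds a different group, followed by a check-mode task asserting the old group is gone, would cover it. Two tasks share the name `Check if group02 is on the list of users sudorule execute as.`, and 'group2' in two other names should read 'group02'; unique, exact names make a failing run easier to locate.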
@@ -1155,3 +1241,19 @@
       ipaapi_context: "{{ ipa_context | default(omit) }}"
       name: cluster
       state: absent
+
+  - name: Ensure groups are absent
+    ipagroup:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
+      name:
+        - group01
+        - group02
+      state: absent
+
+  - name: Ensure user is absent
+    ipauser:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
+      name: user01
+      state: absent