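---
# Copyright 2020 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# This playbook adds a role with the correct privileges needed by tripleo-ipa
# and TLS-e to add hosts and services to the IPA server. The operations in
# this playbook likely need admin privileges and should be executed on an
# IPA client. This playbook only needs to be run once per IPA server as
# multiple tripleo deployments can utilize the same role.
#
# Credentials are taken, in order of preference, from the tripleo_ipa_principal /
# tripleo_ipa_password variables, the ipa_principal / ipa_password variables,
# or the IPA_PRINCIPAL / IPA_PASSWORD environment variables.

- name: Playbook to setup an IPA role with correct privileges for TLS-e
  # Only go over ssh when an explicit IPA host was given; otherwise run locally.
  connection: "{{ (tripleo_ipa_host is defined) | ternary('ssh', 'local') }}"
  hosts: "{{ tripleo_ipa_host | default('localhost') }}"
  tasks:
    # The check looks at the same sources the "set IPA server facts" task
    # consumes, so a credential supplied any supported way passes here.
    - name: ensure definitions
      fail:
        msg: "{{ item.name }} is undefined"
      when: not item.ansible_var and not item.env_var
      loop:
        - name: ipa_principal
          ansible_var: "{{ tripleo_ipa_principal | default(ipa_principal | default('')) }}"
          env_var: "{{ lookup('env', 'IPA_PRINCIPAL') }}"
        - name: ipa_password
          ansible_var: "{{ tripleo_ipa_password | default(ipa_password | default('')) }}"
          env_var: "{{ lookup('env', 'IPA_PASSWORD') }}"
      # Show only the variable name in loop output, never the looked-up value
      # (the ipa_password item would otherwise be echoed under -v).
      loop_control:
        label: "{{ item.name }}"

    - name: set IPA server facts
      set_fact:
        ipa_principal: "{{ tripleo_ipa_principal | default(ipa_principal | default(lookup('env', 'IPA_PRINCIPAL'))) }}"
        ipa_password: "{{ tripleo_ipa_password | default(ipa_password | default(lookup('env', 'IPA_PASSWORD'))) }}"
      # set_fact results are printed in verbose runs; keep the password out of logs.
      no_log: true

    - name: set keytab permissions facts
      set_fact:
        # Permissions created below with `ipa permission-add` if they do not exist.
        tripleo_ipa_perms:
          - name: 'Modify host password'
            right: 'write'
            type: 'host'
            attrs: 'userpassword'
          - name: 'Write host certificate'
            right: 'write'
            type: 'host'
            attrs: 'usercertificate'
          - name: 'Modify host userclass'
            right: 'write'
            type: 'host'
            attrs: 'userclass'
          - name: 'Modify service managedBy attribute'
            right: 'write'
            type: 'service'
            attrs: 'managedby'
        # Permissions (built-in and the custom ones above) granted to the
        # 'Nova Host Management' privilege.
        tripleo_ipa_privilege_perms:
          - 'System: add hosts'
          - 'System: remove hosts'
          - 'Modify host password'
          - 'Modify host userclass'
          - 'System: Modify hosts'
          - 'Modify service managedBy attribute'
          - 'System: Add krbPrincipalName to a Host'
          - 'System: Add Services'
          - 'System: Remove Services'
          - 'Revoke certificate'
          - 'System: manage host keytab'
          - 'System: Manage host certificates'
          - 'System: modify services'
          - 'System: manage service keytab'
          - 'System: read dns entries'
          - 'System: remove dns entries'
          - 'System: add dns entries'
          - 'System: update dns entries'
          - 'System: Modify Realm Domains'
          - 'Retrieve Certificates from the CA'

    # unfortunately we don't have ansible module yet to create perms
    # TODO(d34dh0r53): we should be able to obtain a token via curl
    # which will allow us to perform these operations without a kinit first.
    - name: add nova host management permissions
      shell: |
        ipa permission-find "{{ item.name }}"
        if [ $? -ne 0 ]; then
          ipa permission-add "{{ item.name }}" --right "{{ item.right }}" \
            --type "{{ item.type }}" --attrs "{{ item.attrs }}"
        fi
      loop: "{{ tripleo_ipa_perms | flatten(levels=1) }}"

    # unfortunately we don't have ansible module yet to create privileges
    - name: add nova host privilege
      shell: |
        ipa privilege-find 'Nova Host Management'
        if [ $? -ne 0 ]; then
          ipa privilege-add --desc='Nova Host Management' 'Nova Host Management'
        fi

    - name: add permissions to the nova host privilege
      shell: |
        ipa privilege-add-permission 'Nova Host Management' \
          --permission "{{ item }}"
      register: add_perm_command
      # A permission that is already attached makes the CLI exit non-zero;
      # treat only other failures as errors, and do not report them as changes.
      failed_when:
        - add_perm_command.rc != 0
        - '"This entry is already a member" not in add_perm_command.stdout'
      changed_when: '"This entry is already a member" not in add_perm_command.stdout'
      loop: "{{ tripleo_ipa_privilege_perms | flatten(levels=1) }}"

    - name: add nova host manager role
      ipa_role:
        name: Nova Host Manager
        description: Nova Host Manager
        ipa_user: "{{ ipa_principal }}"
        ipa_pass: "{{ ipa_password }}"
        privilege:
          - Nova Host Management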