
The RHEL supplied ansible-freeipa RPM package installs the modules at the default ansible module path and not as a collection. This caused problems for the end user. This also changes the linter job to run on CentOS, since the ansible-freeipa package is not available on Ubuntu. This also reverts commit 2cc09a2b68c5b64b35742de91d4e7c0cd73f188c. Reason for revert: We get this error: error={"msg": "template error while templating string: cannot import name 'environmentfilter' from 'jinja2.filters' (/usr/lib/python3.9/site-packages/ansible/_vendor/jinja2/filters.py)\n line 0. String: {{ 'A' if record_value | ansible.utils.ipv4 else 'AAAA' }}"} Change-Id: I7df25fb945da1d98c68fe4113a09afdc2f2c5687
---
|
|
# Copyright 2020 Red Hat, Inc.
|
|
# All Rights Reserved.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
#
|
|
# This playbook adds the privileges and IPA role needed to do the things that
|
|
# tripleo wants to do in FreeIPA to add hosts and services. The operations in
|
|
# this playbook likely need admin privileges and should be executed on an
|
|
# IPA client.
|
|
#
|
|
|
|
- name: set keytab permissions facts
|
|
set_fact:
|
|
novajoin_perms:
|
|
- {name: 'Modify host password', right: "write", type: "host", attrs: ["userpassword"]}
|
|
- {name: 'Write host certificate', right: "write", type: "host", attrs: ["usercertificate"]}
|
|
- {name: 'Modify host userclass', right: "write", type: "host", attrs: ["userclass"]}
|
|
- {name: 'Modify service managedBy attribute', right: "write", type: "service", attrs: ["managedby"]}
|
|
novajoin_privilege_perms:
|
|
- 'System: add hosts'
|
|
- 'System: remove hosts'
|
|
- 'Modify host password'
|
|
- 'Modify host userclass'
|
|
- 'System: Modify hosts'
|
|
- 'Modify service managedBy attribute'
|
|
- 'System: Add krbPrincipalName to a Host'
|
|
- 'System: Add Services'
|
|
- 'System: Remove Services'
|
|
- 'Revoke certificate'
|
|
- 'System: manage host keytab'
|
|
- 'System: Manage host certificates'
|
|
- 'System: modify services'
|
|
- 'System: manage service keytab'
|
|
- 'System: read dns entries'
|
|
- 'System: remove dns entries'
|
|
- 'System: add dns entries'
|
|
- 'System: update dns entries'
|
|
- 'System: Modify Realm Domains'
|
|
- 'Retrieve Certificates from the CA'
|
|
|
|
- name: add nova host management permissions
|
|
ipapermission:
|
|
name: "{{ item.name }}"
|
|
right: "{{ item.right }}"
|
|
object_type: "{{ item.type }}"
|
|
attrs: "{{ item.attrs }}"
|
|
loop: "{{ novajoin_perms|flatten(levels=1) }}"
|
|
|
|
- name: add Nova Host privilege
|
|
ipaprivilege:
|
|
name: Nova Host Management
|
|
description: Nova Host Management
|
|
|
|
- name: add permissions to the Nova Host privilege
|
|
ipaprivilege:
|
|
name: Nova Host Management
|
|
action: member
|
|
permission: "{{ item }}"
|
|
register: add_perm_command
|
|
failed_when:
|
|
- add_perm_command.failed
|
|
- '"This entry is already a member" not in add_perm_command.msg'
|
|
loop: "{{ novajoin_privilege_perms }}"
|
|
|
|
- name: add Nova Host Manager role
|
|
iparole:
|
|
name: Nova Host Manager
|
|
description: Nova Host Manager
|
|
privilege:
|
|
- Nova Host Management
|
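Review bot: The second `failed_when` condition on the "add permissions to the Nova Host privilege" task dereferences `add_perm_command.msg` unguarded, so a failure result that happens to carry no `msg` key would surface as an undefined-attribute templating error instead of the task's own failure; `- '"This entry is already a member" not in add_perm_command.msg | default("")'` keeps the intent and is safe in both cases. Separately, `novajoin_privilege_perms` grants rights that go beyond host and service enrollment — 'System: Modify Realm Domains', 'Revoke certificate' and the four DNS entry permissions — while the header comment only says the playbook "likely needs admin privileges"; a one-line comment above each such entry naming the tripleo/novajoin operation that requires it would let reviewers check the Nova Host Manager role against least privilege. The flow-style mappings under `novajoin_perms` would also read better in block style, with quoting made consistent (the file mixes single-quoted `name` values with double-quoted `right`/`type` values).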