afariasa fa63e4f3d9 Replacing community.general ipa modules with ansible-freeipa
The community.general ipa modules used in tripleo-ipa don't work
under FIPS deployment. This patch fixes that by replacing them
with the ansible-freeipa ipa modules.

Co-Author: Ade Lee <alee@redhat.com>
Co-Author: Grzegorz Grasza <xek@redhat.com>
Change-Id: Ibfd1b34fdf3d533579512f531ac8619b356f9ba0
2022-08-01 11:04:01 +02:00


---
# Copyright 2020 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# This playbook adds the privileges and IPA role needed to do the things that
# tripleo wants to do in FreeIPA to add hosts and services. The operations in
# this playbook likely need admin privileges and should be executed on an
# IPA client.
#
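# Facts describing what the "Nova Host Manager" role will be able to do.
#
# novajoin_perms: custom permissions created by the ipapermission task
# below; each one grants write access to one attribute of one object type.
# novajoin_privilege_perms: every permission (the custom ones above plus
# built-in "System: ..." ones) that gets attached to the
# "Nova Host Management" privilege. Every holder of the role ends up with
# all of them, so treat an addition here as a widening of the role's scope.
- name: set keytab permissions facts
  ansible.builtin.set_fact:
    novajoin_perms:
      # Writing userPassword on a host is what lets a caller set that
      # host's enrollment (one-time) password.
      - name: 'Modify host password'
        right: 'write'
        type: 'host'
        attrs: ['userpassword']
      # Writing userCertificate lets a caller store a certificate on a host.
      - name: 'Write host certificate'
        right: 'write'
        type: 'host'
        attrs: ['usercertificate']
      - name: 'Modify host userclass'
        right: 'write'
        type: 'host'
        attrs: ['userclass']
      # In FreeIPA the hosts listed in a service's managedBy may manage
      # that service's keytab and certificate.
      - name: 'Modify service managedBy attribute'
        right: 'write'
        type: 'service'
        attrs: ['managedby']
    # Order is kept as-is: the privilege task below loops over this list
    # item by item, so the order is also the order of the IPA calls.
    novajoin_privilege_perms:
      - 'System: add hosts'
      - 'System: remove hosts'
      - 'Modify host password'
      - 'Modify host userclass'
      - 'System: Modify hosts'
      - 'Modify service managedBy attribute'
      - 'System: Add krbPrincipalName to a Host'
      - 'System: Add Services'
      - 'System: Remove Services'
      # CA-level rights: these are not scoped to a single host or service.
      - 'Revoke certificate'
      - 'System: manage host keytab'
      - 'System: Manage host certificates'
      - 'System: modify services'
      - 'System: manage service keytab'
      # DNS record rights (read/remove/add/update).
      - 'System: read dns entries'
      - 'System: remove dns entries'
      - 'System: add dns entries'
      - 'System: update dns entries'
      # Realm-wide setting rather than per-host; confirm it is still needed.
      - 'System: Modify Realm Domains'
      - 'Retrieve Certificates from the CA'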
# Create (or reconcile) each custom permission listed in novajoin_perms.
# The keys name, right, type and attrs are the ones defined in the
# set_fact task above; "type" is mapped onto the module's object_type.
# novajoin_perms is already a flat list of dicts, so no flattening is done.
- name: add nova host management permissions
  freeipa.ansible_freeipa.ipapermission:
    name: "{{ item.name }}"
    object_type: "{{ item.type }}"
    right: "{{ item.right }}"
    attrs: "{{ item.attrs }}"
  loop: "{{ novajoin_perms }}"
# Make sure the privilege exists before permissions are attached to it
# in the next task. state is the module default, written out for clarity.
- name: add Nova Host privilege
  freeipa.ansible_freeipa.ipaprivilege:
    name: 'Nova Host Management'
    description: 'Nova Host Management'
    state: present
# Attach every permission in novajoin_privilege_perms to the privilege,
# one member per iteration. A permission that is already attached makes
# the module report "This entry is already a member"; that case is
# treated as success so reruns stay clean, while any other failure still
# fails the task (a failure result without msg also fails, because the
# conditional itself errors on the undefined attribute).
- name: add permissions to the Nova Host privilege
  freeipa.ansible_freeipa.ipaprivilege:
    name: 'Nova Host Management'
    permission: "{{ item }}"
    action: member
  loop: "{{ novajoin_privilege_perms }}"
  register: add_perm_command
  failed_when: >-
    add_perm_command.failed
    and "This entry is already a member" not in add_perm_command.msg
# Create the role and give it the "Nova Host Management" privilege.
# Whatever this role is later assigned to (not done in this file)
# inherits the whole permission set built above, so assignment of the
# role is the point at which those rights are actually handed out.
# NOTE(review): with the module's default action the privilege list may
# be treated as authoritative for the role; confirm in the
# ansible-freeipa iparole documentation before adding other privileges
# elsewhere.
- name: add Nova Host Manager role
  freeipa.ansible_freeipa.iparole:
    name: 'Nova Host Manager'
    description: 'Nova Host Manager'
    state: present
    privilege:
      - 'Nova Host Management'