From 35363c22971d1672373d4b5e3574873fc2280e60 Mon Sep 17 00:00:00 2001 From: quasd Date: Wed, 17 Mar 2021 10:24:15 +0200 Subject: [PATCH 1/5] Add support for setting runasextusers --- plugins/modules/identity/ipa/ipa_sudorule.py | 37 +++++++++++++++++--- 1 file changed, 33 insertions(+), 4 deletions(-) diff --git a/plugins/modules/identity/ipa/ipa_sudorule.py b/plugins/modules/identity/ipa/ipa_sudorule.py index 35c3327841f..f649155c2a9 100644 --- a/plugins/modules/identity/ipa/ipa_sudorule.py +++ b/plugins/modules/identity/ipa/ipa_sudorule.py @@ -68,6 +68,11 @@ - Option C(hostcategory) must be omitted to assign host groups. type: list elements: str + runasextusers: + description: + - List of external RunAs users + type: list + elements: str runasusercategory: description: - RunAs User category the rule applies to. @@ -143,13 +148,15 @@ ipa_user: admin ipa_pass: topsecret -- name: Ensure user group operations can run any commands that is part of operations-cmdgroup on any host. +- name: Ensure user group operations can run any commands that is part of operations-cmdgroup on any host as user root. community.general.ipa_sudorule: name: sudo_operations_all - description: Allow operators to run any commands that is part of operations-cmdgroup on any host. + description: Allow operators to run any commands that is part of operations-cmdgroup on any host as user root. cmdgroup: - operations-cmdgroup hostcategory: all + runasextusers: + - root sudoopt: - '!authenticate' usergroup: 
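Review bot: The new `runasextusers` description in the `@@ -68,6 +68,11 @@` hunk says neither what "external" means nor how the option interacts with `runasusercategory`, while the neighbouring options on the page document such constraints (e.g. `Option C(hostcategory) must be omitted to assign host groups.`). Suggest extending the description to `- List of external RunAs users (user names that are not managed by IPA, such as local accounts on the target host; they are stored as given and not validated).` and `- Option C(runasusercategory) must be omitted to assign RunAs users.`. The second sentence assumes IPA rejects RunAs users on a rule whose RunAs user category is C(all), as it does for the other category/member pairs this module handles; confirm against the server before adding it. Since the option grants sudo as the named account, stating that names are taken verbatim helps callers notice a typo that would otherwise silently produce a rule for the wrong target.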
@@ -183,6 +190,12 @@ def sudorule_find(self, name): def sudorule_add(self, name, item): return self._post_json(method='sudorule_add', name=name, item=item) + def sudorule_add_runasuser(self, name, item): + return self._post_json(method='sudorule_add_runasuser', name=name, item={'user': item}) + + def sudorule_remove_runasuser(self, name, item): + return self._post_json(method='sudorule_remove_runasuser', name=name, item={'user': item}) + def sudorule_mod(self, name, item): return self._post_json(method='sudorule_mod', name=name, item=item) @@ -287,6 +300,7 @@ def ensure(module, client): hostgroup = module.params['hostgroup'] runasusercategory = module.params['runasusercategory'] runasgroupcategory = module.params['runasgroupcategory'] + runasextusers = module.params['runasextusers'] if state in ['present', 'enabled']: ipaenabledflag = 'TRUE' @@ -371,6 +385,21 @@ def ensure(module, client): for item in diff: client.sudorule_add_option_ipasudoopt(name, item) + if runasextusers is not None: + ipa_sudorule_run_as_user = ipa_sudorule.get('ipasudorunasextuser', []) + diff = list(set(ipa_sudorule_run_as_user) - set(runasextusers)) + if len(diff) > 0: + changed = True + if not module.check_mode: + for item in diff: + client.sudorule_remove_runasuser(name=name,item=item) + diff = list(set(runasextusers) - set(ipa_sudorule_run_as_user)) + if len(diff) > 0: + changed = True + if not module.check_mode: + for item in diff: + client.sudorule_add_runasuser(name=name,item=item) + if user is not None: changed = category_changed(module, client, 'usercategory', ipa_sudorule) or changed changed = client.modify_if_diff(name, ipa_sudorule.get('memberuser_user', []), user, 
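Review bot: The `if runasextusers is not None:` block in the `@@ -371,6 +385,21 @@` hunk hand-rolls the remove-then-add set difference that the client's existing `modify_if_diff` helper already implements and that the context line just below uses for `memberuser_user`; the same check_mode handling and per-item calls come for free as `changed = client.modify_if_diff(name, ipa_sudorule.get('ipasudorunasextuser', []), runasextusers, client.sudorule_add_runasuser, client.sudorule_remove_runasuser) or changed`. This works because the two client methods added in the `@@ -183,6 +190,12 @@` hunk already wrap the value as `{'user': item}`. Note also that idempotency depends on `sudorule_find` returning `ipasudorunasextuser`; if the lookup omits that attribute, the add branch would report `changed` and re-post the same users on every run, which is worth a regression test. `ensure` starts and ends outside the hunk.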
@@ -406,8 +435,8 @@ def main(): state=dict(type='str', default='present', choices=['present', 'absent', 'enabled', 'disabled']), user=dict(type='list', elements='str'), usercategory=dict(type='str', choices=['all']), - usergroup=dict(type='list', elements='str')) - + usergroup=dict(type='list', elements='str'), + runasextusers=dict(type='list', elements='str')) module = AnsibleModule(argument_spec=argument_spec, mutually_exclusive=[['cmdcategory', 'cmd'], ['cmdcategory', 'cmdgroup'], From 7750aff5db5ed6fe48bfbac103602ebdefeca40d Mon Sep 17 00:00:00 2001 From: quasd Date: Wed, 17 Mar 2021 10:43:22 +0200 Subject: [PATCH 2/5] fix formatting --- plugins/modules/identity/ipa/ipa_sudorule.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/plugins/modules/identity/ipa/ipa_sudorule.py b/plugins/modules/identity/ipa/ipa_sudorule.py index f649155c2a9..204f8e57391 100644 --- a/plugins/modules/identity/ipa/ipa_sudorule.py +++ b/plugins/modules/identity/ipa/ipa_sudorule.py @@ -392,13 +392,13 @@ def ensure(module, client): changed = True if not module.check_mode: for item in diff: - client.sudorule_remove_runasuser(name=name,item=item) + client.sudorule_remove_runasuser(name=name, item=item) diff = list(set(runasextusers) - set(ipa_sudorule_run_as_user)) if len(diff) > 0: changed = True if not module.check_mode: for item in diff: - client.sudorule_add_runasuser(name=name,item=item) + client.sudorule_add_runasuser(name=name, item=item) if user is not None: changed = category_changed(module, client, 'usercategory', ipa_sudorule) or changed From 530e2327226c75e3287ed32496169d206377a6dd Mon Sep 17 00:00:00 2001 From: quasd Date: Wed, 17 Mar 2021 14:57:14 +0200 Subject: [PATCH 3/5] add changelog fragment --- changelogs/fragments/2031-ipa_sudorule_add_runasextusers.yml | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 changelogs/fragments/2031-ipa_sudorule_add_runasextusers.yml 
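Review bot: `runasextusers` is added to `argument_spec` in the `@@ -406,8 +435,8 @@` hunk but not to the `mutually_exclusive` list that follows, although the module already pairs each category option with its explicit-member options (`['cmdcategory', 'cmd']`, `['cmdcategory', 'cmdgroup']`); if IPA refuses RunAs users on a rule with RunAs user category C(all), as it does for the other categories, the conflict would surface only as a server error at task time instead of a clear argument-validation failure. Suggest adding `['runasusercategory', 'runasextusers']` to `mutually_exclusive` after confirming the server-side behaviour. Two smaller points: the new entry is appended after `usergroup` although the visible tail of the spec is alphabetical, so it would read better next to `runasgroupcategory`/`runasusercategory`, and the blank line that separated `argument_spec` from `module = AnsibleModule(` was dropped rather than re-added. `main` continues outside the hunk.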
diff --git a/changelogs/fragments/2031-ipa_sudorule_add_runasextusers.yml b/changelogs/fragments/2031-ipa_sudorule_add_runasextusers.yml new file mode 100644 index 00000000000..862f5b9f02c --- /dev/null +++ b/changelogs/fragments/2031-ipa_sudorule_add_runasextusers.yml @@ -0,0 +1,3 @@ +--- +minor_changes: +- ipa_sudorule - Add support for setting sudo runasuser (https://github.com/ansible-collections/community.general/pull/2031). From 1b32e40c5259d58dd23e0231d88af485edabc10a Mon Sep 17 00:00:00 2001 From: quasd Date: Wed, 17 Mar 2021 14:58:16 +0200 Subject: [PATCH 4/5] Update plugins/modules/identity/ipa/ipa_sudorule.py Co-authored-by: Felix Fontein --- plugins/modules/identity/ipa/ipa_sudorule.py | 1 + 1 file changed, 1 insertion(+) diff --git a/plugins/modules/identity/ipa/ipa_sudorule.py b/plugins/modules/identity/ipa/ipa_sudorule.py index 204f8e57391..15abef8f17f 100644 --- a/plugins/modules/identity/ipa/ipa_sudorule.py +++ b/plugins/modules/identity/ipa/ipa_sudorule.py @@ -73,6 +73,7 @@ - List of external RunAs users type: list elements: str + version_added: 2.3.0 runasusercategory: description: - RunAs User category the rule applies to. From aa1e7f8ccd96d55809717462b158ff2ab4788638 Mon Sep 17 00:00:00 2001 From: quasd Date: Wed, 17 Mar 2021 15:03:03 +0200 Subject: [PATCH 5/5] Update changelogs/fragments/2031-ipa_sudorule_add_runasextusers.yml Co-authored-by: Felix Fontein --- changelogs/fragments/2031-ipa_sudorule_add_runasextusers.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/changelogs/fragments/2031-ipa_sudorule_add_runasextusers.yml b/changelogs/fragments/2031-ipa_sudorule_add_runasextusers.yml index 862f5b9f02c..9e70a16d809 100644 --- a/changelogs/fragments/2031-ipa_sudorule_add_runasextusers.yml +++ b/changelogs/fragments/2031-ipa_sudorule_add_runasextusers.yml 
@@ -1,3 +1,3 @@ --- minor_changes: -- ipa_sudorule - Add support for setting sudo runasuser (https://github.com/ansible-collections/community.general/pull/2031). +- ipa_sudorule - add support for setting sudo runasuser (https://github.com/ansible-collections/community.general/pull/2031).