Sysaccount management

README-role.md

@@ -230,6 +230,8 @@ Example playbook to ensure that different members are not associated with a role
       - User Administrators
       service:
       - service01
+      sysaccount:
+      - my-app
       action: member
       state: absent
 ```
@@ -253,11 +255,13 @@ Variable | Description | Required
 `host` | List of hosts to be assigned or not assigned to the role. | no
 `hostgroup` | List of hostgroups to be assigned or not assigned to the role. | no
 `service` | List of services to be assigned or not assigned to the role. | no
-`action` | Work on role or member level. It can be on of `member` or `role` and defaults to `role`. | no
+`sysaccount` | List of sysaccounts to be assigned or not assigned to the role. | no
+`action` | Work on role or member level. It can be one of `member` or `role` and defaults to `role`. | no
 `state` | The state to ensure. It can be one of `present`, `absent`, default: `present`. | no
 
 
 Authors
 =======
 
 Rafael Jeffman
+Thomas Woerner

README-sysaccount.md

@@ -0,0 +1,196 @@
+Sysaccount module
+============
+
+Description
+-----------
+
+The sysaccount module allows to ensure presence and absence of system accounts.
+
+Features
+--------
+
+* Sysaccount management
+
+
+Supported FreeIPA Versions
+--------------------------
+
+FreeIPA versions 4.4.0 and up are supported by the ipasysaccount module.
+
+
+Requirements
+------------
+
+**Controller**
+* Ansible version: 2.15+
+
+**Node**
+* Supported FreeIPA version (see above)
+
+
+Usage
+=====
+
+Example inventory file
+
+```ini
+[ipaserver]
+ipaserver.test.local
+```
+
+
+Example playbook to make sure sysaccount "my-app" is present with random password:
+
+```yaml
+---
+- name: Playbook to manage IPA sysaccount.
+  hosts: ipaserver
+  become: false
+
+  tasks:
+  - name: Ensure sysaccount "my-app" is present with random password
+    ipasysaccount:
+      ipaadmin_password: SomeADMINpassword
+      name: my-app
+      random: true
+    register: result
+
+  - name: Print generated random password
+    debug:
+      var: result.sysaccount.randompassword
+
+```
+
+
+Example playbook to make sure sysaccount "my-app" is present with given password:
+
+```yaml
+---
+- name: Playbook to manage IPA sysaccount.
+  hosts: ipaserver
+  become: false
+
+  tasks:
+  - name: Ensure sysaccount "my-app" is present with given password
+    ipasysaccount:
+      ipaadmin_password: SomeADMINpassword
+      name: my-app
+      password: SomeAPPpassword
+```
+
+
+Example playbook to make sure sysaccount "my-app" is absent:
+
+```yaml
+---
+- name: Playbook to manage IPA sysaccount.
+  hosts: ipaserver
+  become: false
+
+  tasks:
+  - name: Ensure sysaccount "my-app" is absent
+    ipasysaccount:
+      ipaadmin_password: SomeADMINpassword
+      name: my-app
+      state: absent
+```
+
+Example playbook to ensure existing sysaccount my-app is privileged
+
+```yaml
+---
+- name: Playbook to manage IPA sysaccount.
+  hosts: ipaserver
+  become: false
+
+  tasks:
+  - name: Ensure existing sysaccount my-app is privileged
+    ipasysaccount:
+      ipaadmin_password: SomeADMINpassword
+      name: my-app
+      privileged: true
+```
+
+Example playbook to ensure existing sysaccount my-app is not privileged
+
+```yaml
+---
+- name: Playbook to manage IPA sysaccount.
+  hosts: ipaserver
+  become: false
+
+  tasks:
+  - name: Ensure existing sysaccount my-app is not privileged
+    ipasysaccount:
+      ipaadmin_password: SomeADMINpassword
+      name: my-app
+      privileged: false
+```
+
+Example playbook to ensure existing sysaccount my-app is disabled
+
+```yaml
+---
+- name: Playbook to manage IPA sysaccount.
+  hosts: ipaserver
+  become: false
+
+  tasks:
+  - name: Ensure existing sysaccount my-app is disabled
+    ipasysaccount:
+      ipaadmin_password: SomeADMINpassword
+      name: my-app
+      state: disabled
+```
+
+Example playbook to ensure existing sysaccount my-app is enabled
+
+```yaml
+---
+- name: Playbook to manage IPA sysaccount.
+  hosts: ipaserver
+  become: false
+
+  tasks:
+  - name: Ensure existing sysaccount my-app is enabled
+    ipasysaccount:
+      ipaadmin_password: SomeADMINpassword
+      name: my-app
+      state: enabled
+```
+
+
+Variables
+---------
+
+Variable | Description | Required
+-------- | ----------- | --------
+`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
+`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
+`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
+`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to true. (bool) | no
+`name` \| `login` | The list of sysaccount name strings - internally uid. (list of strings) | yes
+`description` | A description for the sysaccount. (string) | no
+`privileged` | Allow password updates without reset. This flag is not replicated. It is needed to set privileged on all servers, where it is needed. (bool) | no
+`random` | Generate a random user password. (bool) | no
+`password` \| `userpassword` | Set the password. (string) | no
+`update_password` | Set password for a sysaccount in present state only on creation or always. It can be one of `always` or `on_create` and defaults to `always`. | no
+`state` | The state to ensure. It can be one of `present`, `absent`, 'enabled', 'disabled',  default: `present`. | no
+
+
+Return Values
+=============
+
+There are only return values if a random passwords has been generated.
+
+Variable | Description | Returned When
+-------- | ----------- | -------------
+`sysaccount` | Sysaccount dict (dict) <br>Options: | Always
+&nbsp; | `randompassword` - The generated random password | If random is yes and sysaccount did not exist or update_password is yes
+
+
+
+Authors
+=======
+
+Thomas Woerner

README.md

@@ -50,6 +50,7 @@ Features
 * Modules for sudocmd management
 * Modules for sudocmdgroup management
 * Modules for sudorule management
+* Modules for sysaccount management
 * Modules for topology management
 * Modules for trust management
 * Modules for user management
@@ -465,6 +466,7 @@ Modules in plugin/modules
 * [ipasudocmd](README-sudocmd.md)
 * [ipasudocmdgroup](README-sudocmdgroup.md)
 * [ipasudorule](README-sudorule.md)
+* [ipasysaccount](README-sysaccount.md)
 * [ipatopologysegment](README-topology.md)
 * [ipatopologysuffix](README-topology.md)
 * [ipatrust](README-trust.md)

playbooks/sysaccount/sysaccount-absent.yml

@@ -0,0 +1,11 @@
+---
+- name: Sysaccount example
+  hosts: ipaserver
+  become: false
+
+  tasks:
+  - name: Ensure sysaccount my-app is absent
+    ipasysaccount:
+      ipaadmin_password: SomeADMINpassword
+      name: my-app
+      state: absent

playbooks/sysaccount/sysaccount-disabled.yml

@@ -0,0 +1,11 @@
+---
+- name: Sysaccount example
+  hosts: ipaserver
+  become: false
+
+  tasks:
+  - name: Ensure sysaccount my-app is disabled
+    ipasysaccount:
+      ipaadmin_password: SomeADMINpassword
+      name: my-app
+      state: disabled

playbooks/sysaccount/sysaccount-enabled.yml

@@ -0,0 +1,11 @@
+---
+- name: Sysaccount example
+  hosts: ipaserver
+  become: false
+
+  tasks:
+  - name: Ensure sysaccount my-app is enabled
+    ipasysaccount:
+      ipaadmin_password: SomeADMINpassword
+      name: my-app
+      state: enabled

playbooks/sysaccount/sysaccount-present.yml

@@ -0,0 +1,11 @@
+---
+- name: Sysaccount example
+  hosts: ipaserver
+  become: false
+
+  tasks:
+  - name: Ensure sysaccount my-app is present with random password
+    ipasysaccount:
+      ipaadmin_password: SomeADMINpassword
+      name: my-app
+      random: true

playbooks/sysaccount/sysaccount-privileged.yml

@@ -0,0 +1,11 @@
+---
+- name: Sysaccount example
+  hosts: ipaserver
+  become: false
+
+  tasks:
+  - name: Ensure sysaccount my-app is privileged
+    ipasysaccount:
+      ipaadmin_password: SomeADMINpassword
+      name: my-app
+      privileged: true

playbooks/sysaccount/sysaccount-unprivileged.yml

@@ -0,0 +1,11 @@
+---
+- name: Sysaccount example
+  hosts: ipaserver
+  become: false
+
+  tasks:
+  - name: Ensure sysaccount my-app is not privileged
+    ipasysaccount:
+      ipaadmin_password: SomeADMINpassword
+      name: my-app
+      privileged: false

plugins/modules/iparole.py

@@ -85,6 +85,11 @@
     type: list
     elements: str
     required: false
+  sysaccount:
+    description: List of sysaccounts.
+    type: list
+    elements: str
+    required: false
   action:
     description: Work on role or member level.
     type: str
@@ -177,7 +182,7 @@ def check_parameters(module):
             "description",
             "user", "group",
             "host", "hostgroup",
-            "service",
+            "service", "sysaccount",
             "privilege",
         ]
 
@@ -225,7 +230,7 @@ def ensure_absent_state(module, name, action, res_find):
                                  {"privilege": del_list}])
 
         member_args = {}
-        for key in ['user', 'group', 'hostgroup']:
+        for key in ['user', 'group', 'hostgroup', 'sysaccount']:
             _members = module.params_get_lowercase(key)
             if _members:
                 del_list = gen_intersection_list(
@@ -335,7 +340,7 @@ def ensure_role_with_members_is_present(module, name, res_find, action):
     add_members = {}
     del_members = {}
 
-    for key in ["user", "group", "hostgroup"]:
+    for key in ["user", "group", "hostgroup", "sysaccount"]:
         _members = module.params_get_lowercase(key)
         if _members is not None:
             add_list, del_list = gen_add_del_lists(
@@ -437,6 +442,8 @@ def create_module():
                            default=None),
             service=dict(required=False, type='list', elements="str",
                          default=None),
+            sysaccount=dict(required=False, type='list', elements="str",
+                            default=None),
 
             # state
             action=dict(type="str", default="role",
@@ -467,8 +474,15 @@ def main():
         state = ansible_module.params_get("state")
         action = ansible_module.params_get("action")
         names = ansible_module.params_get("name")
+        sysaccount = ansible_module.params_get("sysaccount")
         commands = []
 
+        has_sysaccount_member = ansible_module.ipa_command_param_exists(
+            "role_add_member", "sysaccount")
+        if not has_sysaccount_member and sysaccount is not None:
+            ansible_module.fail_json(
+                msg="sysaccount members are not supported by your IPA version")
+
         for name in names:
             cmds = role_commands_for_name(ansible_module, state, action, name)
             commands.extend(cmds)