Try SpotterManage FreeIPA HBAC rule
| "added in version" 2.3 of ansible.builtin"
Authors: Thomas Krahn (@Nosmoht)
preview | supported by community
pipInstall with pip install ansible==2.3.0.0.post1
Add, modify or delete an IPA HBAC rule using IPA API.
# Ensure rule to allow all users to access any host from any host
- ipa_hbacrule:
name: allow_all
description: Allow all users to access any host from any host
hostcategory: all
servicecategory: all
usercategory: all
state: present
ipa_host: ipa.example.com
ipa_user: admin
ipa_pass: topsecret
# Ensure rule with certain limitations
- ipa_hbacrule:
name: allow_all_developers_access_to_db
description: Allow all developers to access any database from any host
hostgroup:
- db-server
usergroup:
- developers
state: present
ipa_host: ipa.example.com
ipa_user: admin
ipa_pass: topsecret
# Ensure rule is absent
- ipa_hbacrule:
name: rule_to_be_deleted
state: absent
ipa_host: ipa.example.com
ipa_user: admin
ipa_pass: topsecret
cn:
aliases:
- name
description:
- Canonical name.
- Can not be changed as it is the unique identifier.
required: true
host:
description:
- List of host names to assign.
- If an empty list is passed all hosts will be removed from the rule.
- If option is omitted hosts will not be checked or changed.
required: false
user:
description:
- List of user names to assign.
- If an empty list if passed all assigned users will be removed from the rule.
- If option is omitted users will not be checked or changed.
state:
choices:
- present
- absent
- enabled
- disabled
default: present
description: State to ensure
required: false
service:
description:
- List of service names to assign.
- If an empty list is passed all services will be removed from the rule.
- If option is omitted services will not be checked or changed.
ipa_host:
default: ipa.example.com
description: IP or hostname of IPA server
required: false
ipa_pass:
description: Password of administrative user
required: true
ipa_port:
default: 443
description: Port of IPA server
required: false
ipa_prot:
choices:
- http
- https
default: https
description: Protocol used by IPA server
required: false
ipa_user:
default: admin
description: Administrative account used on IPA server
required: false
hostgroup:
description:
- List of hostgroup names to assign.
- If an empty list is passed all hostgroups will be removed. from the rule
- If option is omitted hostgroups will not be checked or changed.
usergroup:
description:
- List of user group names to assign.
- If an empty list if passed all assigned user groups will be removed from the rule.
- If option is omitted user groups will not be checked or changed.
sourcehost:
description:
- List of source host names to assign.
- If an empty list if passed all assigned source hosts will be removed from the rule.
- If option is omitted source hosts will not be checked or changed.
description:
description: Description
required: false
hostcategory:
choices:
- all
description: Host category
required: false
servicegroup:
description:
- List of service group names to assign.
- If an empty list is passed all assigned service groups will be removed from the
rule.
- If option is omitted service groups will not be checked or changed.
usercategory:
choices:
- all
description: User category
required: false
validate_certs:
default: true
description:
- This only applies if C(ipa_prot) is I(https).
- If set to C(no), the SSL certificates will not be validated.
- This should only set to C(no) used on personally controlled sites using self-signed
certificates.
required: false
servicecategory:
choices:
- all
description: Service category
required: false
sourcehostgroup:
description:
- List of source host group names to assign.
- If an empty list if passed all assigned source host groups will be removed from
the rule.
- If option is omitted source host groups will not be checked or changed.
sourcehostcategory:
choices:
- all
description: Source host category
required: false
hbacrule: description: HBAC rule as returned by IPA API. returned: always type: dict