Try SpotterManage FreeIPA sudo rule
| "added in version" 2.3 of ansible.builtin"
Authors: Thomas Krahn (@Nosmoht)
preview | supported by community
pipInstall with pip install ansible==2.4.4.0.post1
Add, modify or delete sudo rule within IPA server using IPA API.
# Ensure sudo rule is present that's allows all every body to execute any command on any host without being asked for a password.
- ipa_sudorule:
name: sudo_all_nopasswd
cmdcategory: all
description: Allow to run every command with sudo without password
hostcategory: all
sudoopt:
- '!authenticate'
usercategory: all
ipa_host: ipa.example.com
ipa_user: admin
ipa_pass: topsecret
# Ensure user group developers can run every command on host group db-server as well as on host db01.example.com.
- ipa_sudorule:
name: sudo_dev_dbserver
description: Allow developers to run every command with sudo on all database server
cmdcategory: all
host:
- db01.example.com
hostgroup:
- db-server
sudoopt:
- '!authenticate'
usergroup:
- developers
ipa_host: ipa.example.com
ipa_user: admin
ipa_pass: topsecret
cn:
aliases:
- name
description:
- Canonical name.
- Can not be changed as it is the unique identifier.
required: true
cmd:
description:
- List of commands assigned to the rule.
- If an empty list is passed all commands will be removed from the rule.
- If option is omitted commands will not be checked or changed.
required: false
host:
description:
- List of hosts assigned to the rule.
- If an empty list is passed all hosts will be removed from the rule.
- If option is omitted hosts will not be checked or changed.
- Option C(hostcategory) must be omitted to assign hosts.
required: false
user:
description:
- List of users assigned to the rule.
- If an empty list is passed all users will be removed from the rule.
- If option is omitted users will not be checked or changed.
required: false
state:
choices:
- present
- absent
- enabled
- disabled
default: present
description: State to ensure
required: false
ipa_host:
default: ipa.example.com
description: IP or hostname of IPA server
required: false
ipa_pass:
description: Password of administrative user
required: true
ipa_port:
default: 443
description: Port of IPA server
required: false
ipa_prot:
choices:
- http
- https
default: https
description: Protocol used by IPA server
required: false
ipa_user:
default: admin
description: Administrative account used on IPA server
required: false
hostgroup:
description:
- List of host groups assigned to the rule.
- If an empty list is passed all host groups will be removed from the rule.
- If option is omitted host groups will not be checked or changed.
- Option C(hostcategory) must be omitted to assign host groups.
required: false
usergroup:
description:
- List of user groups assigned to the rule.
- If an empty list is passed all user groups will be removed from the rule.
- If option is omitted user groups will not be checked or changed.
required: false
cmdcategory:
choices:
- all
description:
- Command category the rule applies to.
required: false
hostcategory:
choices:
- all
description:
- Host category the rule applies to.
- If 'all' is passed one must omit C(host) and C(hostgroup).
- Option C(host) and C(hostgroup) must be omitted to assign 'all'.
required: false
usercategory:
choices:
- all
description:
- User category the rule applies to.
required: false
validate_certs:
default: true
description:
- This only applies if C(ipa_prot) is I(https).
- If set to C(no), the SSL certificates will not be validated.
- This should only set to C(no) used on personally controlled sites using self-signed
certificates.
required: false
sudorule: description: Sudorule as returned by IPA returned: always type: dict