ansible / ansible.builtin / v2.8.18 / module / ipa_sudorule Manage FreeIPA sudo rule | "added in version" 2.3 of ansible.builtin" Authors: Thomas Krahn (@Nosmoht) preview | supported by communityansible.builtin.ipa_sudorule (v2.8.18) — module
pip
Install with pip install ansible==2.8.18
Add, modify or delete sudo rule within IPA server using IPA API.
# Ensure sudo rule is present that's allows all every body to execute any command on any host without being asked for a password. - ipa_sudorule: name: sudo_all_nopasswd cmdcategory: all description: Allow to run every command with sudo without password hostcategory: all sudoopt: - '!authenticate' usercategory: all ipa_host: ipa.example.com ipa_user: admin ipa_pass: topsecret
# Ensure user group developers can run every command on host group db-server as well as on host db01.example.com. - ipa_sudorule: name: sudo_dev_dbserver description: Allow developers to run every command with sudo on all database server cmdcategory: all host: - db01.example.com hostgroup: - db-server sudoopt: - '!authenticate' usergroup: - developers ipa_host: ipa.example.com ipa_user: admin ipa_pass: topsecret
cn: aliases: - name description: - Canonical name. - Can not be changed as it is the unique identifier. required: true cmd: description: - List of commands assigned to the rule. - If an empty list is passed all commands will be removed from the rule. - If option is omitted commands will not be checked or changed. host: description: - List of hosts assigned to the rule. - If an empty list is passed all hosts will be removed from the rule. - If option is omitted hosts will not be checked or changed. - Option C(hostcategory) must be omitted to assign hosts. user: description: - List of users assigned to the rule. - If an empty list is passed all users will be removed from the rule. - If option is omitted users will not be checked or changed. state: choices: - present - absent - enabled - disabled default: present description: State to ensure sudoopt: description: - List of options to add to the sudo rule. ipa_host: default: ipa.example.com description: - IP or hostname of IPA server. - If the value is not specified in the task, the value of environment variable C(IPA_HOST) will be used instead. - If both the environment variable C(IPA_HOST) and the value are not specified in the task, then DNS will be used to try to discover the FreeIPA server. - The relevant entry needed in FreeIPA is the 'ipa-ca' entry. - If neither the DNS entry, nor the environment C(IPA_HOST), nor the value are available in the task, then the default value will be used. - Environment variable fallback mechanism is added in Ansible 2.5. type: str ipa_pass: description: - Password of administrative user. - If the value is not specified in the task, the value of environment variable C(IPA_PASS) will be used instead. - Note that if the 'urllib_gssapi' library is available, it is possible to use GSSAPI to authenticate to FreeIPA. - If the environment variable C(KRB5CCNAME) is available, the module will use this kerberos credentials cache to authenticate to the FreeIPA server. - If the environment variable C(KRB5_CLIENT_KTNAME) is available, and C(KRB5CCNAME) is not; the module will use this kerberos keytab to authenticate. - If GSSAPI is not available, the usage of 'ipa_pass' is required. - Environment variable fallback mechanism is added in Ansible 2.5. type: str ipa_port: default: 443 description: - Port of FreeIPA / IPA server. - If the value is not specified in the task, the value of environment variable C(IPA_PORT) will be used instead. - If both the environment variable C(IPA_PORT) and the value are not specified in the task, then default value is set. - Environment variable fallback mechanism is added in Ansible 2.5. type: int ipa_prot: choices: - http - https default: https description: - Protocol used by IPA server. - If the value is not specified in the task, the value of environment variable C(IPA_PROT) will be used instead. - If both the environment variable C(IPA_PROT) and the value are not specified in the task, then default value is set. - Environment variable fallback mechanism is added in Ansible 2.5. type: str ipa_user: default: admin description: - Administrative account used on IPA server. - If the value is not specified in the task, the value of environment variable C(IPA_USER) will be used instead. - If both the environment variable C(IPA_USER) and the value are not specified in the task, then default value is set. - Environment variable fallback mechanism is added in Ansible 2.5. type: str hostgroup: description: - List of host groups assigned to the rule. - If an empty list is passed all host groups will be removed from the rule. - If option is omitted host groups will not be checked or changed. - Option C(hostcategory) must be omitted to assign host groups. usergroup: description: - List of user groups assigned to the rule. - If an empty list is passed all user groups will be removed from the rule. - If option is omitted user groups will not be checked or changed. cmdcategory: choices: - all description: - Command category the rule applies to. description: description: - Description of the sudo rule. ipa_timeout: default: 10 description: - Specifies idle timeout (in seconds) for the connection. - For bulk operations, you may want to increase this in order to avoid timeout from IPA server. - If the value is not specified in the task, the value of environment variable C(IPA_TIMEOUT) will be used instead. - If both the environment variable C(IPA_TIMEOUT) and the value are not specified in the task, then default value is set. type: int hostcategory: choices: - all description: - Host category the rule applies to. - If 'all' is passed one must omit C(host) and C(hostgroup). - Option C(host) and C(hostgroup) must be omitted to assign 'all'. usercategory: choices: - all description: - User category the rule applies to. validate_certs: default: true description: - This only applies if C(ipa_prot) is I(https). - If set to C(no), the SSL certificates will not be validated. - This should only set to C(no) used on personally controlled sites using self-signed certificates. type: bool runasusercategory: choices: - all description: - RunAs User category the rule applies to. version_added: '2.5' version_added_collection: ansible.builtin runasgroupcategory: choices: - all description: - RunAs Group category the rule applies to. version_added: '2.5' version_added_collection: ansible.builtin
sudorule: description: Sudorule as returned by IPA returned: always type: dict