Try SpotterManage FreeIPA sudo rule
Authors: Thomas Krahn (@Nosmoht)
Install with ansible-galaxy collection install community.general:==8.5.0
collections:
- name: community.general
version: 8.5.0Add, modify or delete sudo rule within IPA server using IPA API.
- name: Ensure sudo rule is present that's allows all every body to execute any command on any host without being asked for a password.
community.general.ipa_sudorule:
name: sudo_all_nopasswd
cmdcategory: all
description: Allow to run every command with sudo without password
hostcategory: all
sudoopt:
- '!authenticate'
usercategory: all
ipa_host: ipa.example.com
ipa_user: admin
ipa_pass: topsecret
- name: Ensure user group developers can run every command on host group db-server as well as on host db01.example.com.
community.general.ipa_sudorule:
name: sudo_dev_dbserver
description: Allow developers to run every command with sudo on all database server
cmdcategory: all
host:
- db01.example.com
hostgroup:
- db-server
sudoopt:
- '!authenticate'
usergroup:
- developers
ipa_host: ipa.example.com
ipa_user: admin
ipa_pass: topsecret
- name: Ensure user group operations can run any commands that is part of operations-cmdgroup on any host as user root.
community.general.ipa_sudorule:
name: sudo_operations_all
description: Allow operators to run any commands that is part of operations-cmdgroup on any host as user root.
cmdgroup:
- operations-cmdgroup
hostcategory: all
runasextusers:
- root
sudoopt:
- '!authenticate'
usergroup:
- operators
ipa_host: ipa.example.com
ipa_user: admin
ipa_pass: topsecret
cn:
aliases:
- name
description:
- Canonical name.
- Can not be changed as it is the unique identifier.
required: true
type: str
cmd:
description:
- List of commands assigned to the rule.
- If an empty list is passed all commands will be removed from the rule.
- If option is omitted commands will not be checked or changed.
elements: str
type: list
host:
description:
- List of hosts assigned to the rule.
- If an empty list is passed all hosts will be removed from the rule.
- If option is omitted hosts will not be checked or changed.
- Option O(hostcategory) must be omitted to assign hosts.
elements: str
type: list
user:
description:
- List of users assigned to the rule.
- If an empty list is passed all users will be removed from the rule.
- If option is omitted users will not be checked or changed.
elements: str
type: list
state:
choices:
- absent
- disabled
- enabled
- present
default: present
description: State to ensure.
type: str
sudoopt:
description:
- List of options to add to the sudo rule.
elements: str
type: list
cmdgroup:
description:
- List of command groups assigned to the rule.
- If an empty list is passed all command groups will be removed from the rule.
- If option is omitted command groups will not be checked or changed.
elements: str
type: list
version_added: 2.0.0
version_added_collection: community.general
deny_cmd:
description:
- List of denied commands assigned to the rule.
- If an empty list is passed all commands will be removed from the rule.
- If option is omitted commands will not be checked or changed.
elements: str
type: list
version_added: 8.1.0
version_added_collection: community.general
ipa_host:
default: ipa.example.com
description:
- IP or hostname of IPA server.
- If the value is not specified in the task, the value of environment variable E(IPA_HOST)
will be used instead.
- If both the environment variable E(IPA_HOST) and the value are not specified in
the task, then DNS will be used to try to discover the FreeIPA server.
- The relevant entry needed in FreeIPA is the C(ipa-ca) entry.
- If neither the DNS entry, nor the environment E(IPA_HOST), nor the value are available
in the task, then the default value will be used.
type: str
ipa_pass:
description:
- Password of administrative user.
- If the value is not specified in the task, the value of environment variable E(IPA_PASS)
will be used instead.
- Note that if the C(urllib_gssapi) library is available, it is possible to use GSSAPI
to authenticate to FreeIPA.
- If the environment variable E(KRB5CCNAME) is available, the module will use this
kerberos credentials cache to authenticate to the FreeIPA server.
- If the environment variable E(KRB5_CLIENT_KTNAME) is available, and E(KRB5CCNAME)
is not; the module will use this kerberos keytab to authenticate.
- If GSSAPI is not available, the usage of O(ipa_pass) is required.
type: str
ipa_port:
default: 443
description:
- Port of FreeIPA / IPA server.
- If the value is not specified in the task, the value of environment variable E(IPA_PORT)
will be used instead.
- If both the environment variable E(IPA_PORT) and the value are not specified in
the task, then default value is set.
type: int
ipa_prot:
choices:
- http
- https
default: https
description:
- Protocol used by IPA server.
- If the value is not specified in the task, the value of environment variable E(IPA_PROT)
will be used instead.
- If both the environment variable E(IPA_PROT) and the value are not specified in
the task, then default value is set.
type: str
ipa_user:
default: admin
description:
- Administrative account used on IPA server.
- If the value is not specified in the task, the value of environment variable E(IPA_USER)
will be used instead.
- If both the environment variable E(IPA_USER) and the value are not specified in
the task, then default value is set.
type: str
hostgroup:
description:
- List of host groups assigned to the rule.
- If an empty list is passed all host groups will be removed from the rule.
- If option is omitted host groups will not be checked or changed.
- Option O(hostcategory) must be omitted to assign host groups.
elements: str
type: list
usergroup:
description:
- List of user groups assigned to the rule.
- If an empty list is passed all user groups will be removed from the rule.
- If option is omitted user groups will not be checked or changed.
elements: str
type: list
cmdcategory:
choices:
- all
description:
- Command category the rule applies to.
type: str
description:
description:
- Description of the sudo rule.
type: str
ipa_timeout:
default: 10
description:
- Specifies idle timeout (in seconds) for the connection.
- For bulk operations, you may want to increase this in order to avoid timeout from
IPA server.
- If the value is not specified in the task, the value of environment variable E(IPA_TIMEOUT)
will be used instead.
- If both the environment variable E(IPA_TIMEOUT) and the value are not specified
in the task, then default value is set.
type: int
hostcategory:
choices:
- all
description:
- Host category the rule applies to.
- If V(all) is passed one must omit O(host) and O(hostgroup).
- Option O(host) and O(hostgroup) must be omitted to assign V(all).
type: str
usercategory:
choices:
- all
description:
- User category the rule applies to.
type: str
deny_cmdgroup:
description:
- List of denied command groups assigned to the rule.
- If an empty list is passed all command groups will be removed from the rule.
- If option is omitted command groups will not be checked or changed.
elements: str
type: list
version_added: 8.1.0
version_added_collection: community.general
runasextusers:
description:
- List of external RunAs users
elements: str
type: list
version_added: 2.3.0
version_added_collection: community.general
validate_certs:
default: true
description:
- This only applies if O(ipa_prot) is V(https).
- If set to V(false), the SSL certificates will not be validated.
- This should only set to V(false) used on personally controlled sites using self-signed
certificates.
type: bool
runasusercategory:
choices:
- all
description:
- RunAs User category the rule applies to.
type: str
runasgroupcategory:
choices:
- all
description:
- RunAs Group category the rule applies to.
type: str
sudorule: description: Sudorule as returned by IPA returned: always type: dict