freeipa.ansible_freeipa.ipahbacrule (1.11.1) — module

Manage FreeIPA HBAC rules

Authors: Thomas Woerner (@t-woerner)

preview | supported by community

Install collection

Install with ansible-galaxy collection install freeipa.ansible_freeipa:==1.11.1


Add to requirements.yml

  collections:
    - name: freeipa.ansible_freeipa
      version: 1.11.1

Description

Manage FreeIPA HBAC rules

Usage examples

1
  • Hint
    Tasks should always be named using the name parameter.
# Ensure HBAC Rule allhosts is present
- freeipa.ansible_freeipa.ipahbacrule:
    ipaadmin_password: SomeADMINpassword
    name: allhosts
    usercategory: all
1
  • Hint
    Tasks should always be named using the name parameter.
# Ensure host server is present in HBAC Rule allhosts
- freeipa.ansible_freeipa.ipahbacrule:
    ipaadmin_password: SomeADMINpassword
    name: allhosts
    host: server
    action: member
1
  • Hint
    Tasks should always be named using the name parameter.
# Ensure HBAC Rule sshd-pinky is present
- freeipa.ansible_freeipa.ipahbacrule:
    ipaadmin_password: SomeADMINpassword
    name: sshd-pinky
    hostcategory: all
1
  • Hint
    Tasks should always be named using the name parameter.
# Ensure user pinky is present in HBAC Rule sshd-pinky
- freeipa.ansible_freeipa.ipahbacrule:
    ipaadmin_password: SomeADMINpassword
    name: sshd-pinky
    user: pinky
    action: member
1
  • Hint
    Tasks should always be named using the name parameter.
# Ensure HBAC service sshd is present in HBAC Rule sshd-pinky
- freeipa.ansible_freeipa.ipahbacrule:
    ipaadmin_password: SomeADMINpassword
    name: sshd-pinky
    hbacsvc: sshd
    action: member
1
  • Hint
    Tasks should always be named using the name parameter.
# Ensure HBAC Rule sshd-pinky is disabled
- freeipa.ansible_freeipa.ipahbacrule:
    ipaadmin_password: SomeADMINpassword
    name: sshd-pinky
    state: disabled
1
  • Hint
    Tasks should always be named using the name parameter.
# Ensure HBAC Rule sshd-pinky is enabled
- freeipa.ansible_freeipa.ipahbacrule:
    ipaadmin_password: SomeADMINpassword
    name: sshd-pinky
    state: enabled
1
  • Hint
    Tasks should always be named using the name parameter.
# Ensure HBAC Rule sshd-pinky is absent
- freeipa.ansible_freeipa.ipahbacrule:
    ipaadmin_password: SomeADMINpassword
    name: sshd-pinky
    state: absent

Inputs

    
host:
    description: List of host names assigned to this hbacrule.
    elements: str
    required: false
    type: list

name:
    aliases:
    - cn
    description: The hbacrule name
    elements: str
    required: true
    type: list

user:
    description: List of user names assigned to this hbacrule.
    elements: str
    required: false
    type: list

group:
    description: List of user groups assigned to this hbacrule.
    elements: str
    required: false
    type: list

state:
    choices:
    - present
    - absent
    - enabled
    - disabled
    default: present
    description: State to ensure
    type: str

action:
    choices:
    - member
    - hbacrule
    default: hbacrule
    description: Work on hbacrule or member level
    type: str

hbacsvc:
    description: List of HBAC service names assigned to this hbacrule.
    elements: str
    required: false
    type: list

hostgroup:
    description: List of host groups assigned to this hbacrule.
    elements: str
    required: false
    type: list

nomembers:
    description: Suppress processing of membership attributes
    required: false
    type: bool

description:
    description: The hbacrule description
    required: false
    type: str

hbacsvcgroup:
    description: List of HBAC service names assigned to this hbacrule.
    elements: str
    required: false
    type: list

hostcategory:
    aliases:
    - hostcat
    choices:
    - all
    - ''
    description: Host category the rule applies to
    required: false
    type: str

usercategory:
    aliases:
    - usercat
    choices:
    - all
    - ''
    description: User category the rule applies to
    required: false
    type: str

ipaapi_context:
    choices:
    - server
    - client
    description: 'The context in which the module will execute. Executing in a

      server context is preferred. If not provided context will be

      determined by the execution environment.

      '
    required: false
    type: str

servicecategory:
    aliases:
    - servicecat
    choices:
    - all
    - ''
    description: Service category the rule applies to
    required: false
    type: str

ipaadmin_password:
    description: The admin password.
    required: false
    type: str

ipaapi_ldap_cache:
    default: true
    description: Use LDAP cache for IPA connection.
    type: bool

ipaadmin_principal:
    default: admin
    description: The admin principal.
    type: str