freeipa.ansible_freeipa.ipasudorule (1.11.1) — module

Manage FreeIPA sudo rules

Authors: Rafael Guterres Jeffman (@rjeffman), Thomas Woerner (@t-woerner)

preview | supported by community

Install collection

Install with ansible-galaxy collection install freeipa.ansible_freeipa:==1.11.1


Add to requirements.yml

  # requirements.yml entry; pinning the exact collection version keeps installs reproducible
  collections:
    - name: freeipa.ansible_freeipa
      version: 1.11.1

Description

Manage FreeIPA sudo rules

Usage examples

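# Ensure Sudo Rule testrule1 is present
# (ipaadmin_password is a placeholder: load it from Ansible Vault or a lookup
#  rather than a literal, and set no_log on the task so it is not echoed in output)
- freeipa.ansible_freeipa.ipasudorule:
    ipaadmin_password: SomeADMINpassword
    name: testrule1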
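# Ensure sudocmds /sbin/ifconfig and /usr/bin/vim are absent from Sudo Rule testrule1
# (action: member with state: absent removes only the listed members; the rule
#  itself is left in place)
- freeipa.ansible_freeipa.ipasudorule:
    ipaadmin_password: pass1234
    name: testrule1
    allow_sudocmd:
      - /sbin/ifconfig
      - /usr/bin/vim
    action: member
    state: absent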
# Ensure host server is present in Sudo Rule
# (action: member adds the host to testrule1's membership without touching
#  the rest of the rule)
- freeipa.ansible_freeipa.ipasudorule:
    ipaadmin_password: SomeADMINpassword
    name: testrule1
    host: server
    action: member
# Ensure hostgroup cluster is present in Sudo Rule
# (every host that is a member of the IPA host group "cluster" then falls
#  under testrule1; review the group's membership when widening a sudo rule this way)
- freeipa.ansible_freeipa.ipasudorule:
    ipaadmin_password: SomeADMINpassword
    name: testrule1
    hostgroup: cluster
    action: member
# Ensure sudo rule for usercategory "all" is enabled
# (usercategory: all makes the rule match every user, so keep its command scope
#  narrow: explicit allow_sudocmd entries rather than cmdcategory: all)
- freeipa.ansible_freeipa.ipasudorule:
    ipaadmin_password: SomeADMINpassword
    name: allusers
    usercategory: all
    state: enabled
# Ensure sudo rule for hostcategory "all" is enabled
# (hostcategory: all makes the rule apply on every enrolled host; combined with
#  broad user or command categories this becomes domain-wide sudo, so scope the
#  other dimensions tightly)
- freeipa.ansible_freeipa.ipasudorule:
    ipaadmin_password: SomeADMINpassword
    name: allhosts
    hostcategory: all
    state: enabled
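# Ensure sudo rule applies for hosts with hostmasks
# (hostmask entries are CIDR network masks; action: member adds them to testrule1.
#  Sequence indentation matches the allow_sudocmd example above.)
- freeipa.ansible_freeipa.ipasudorule:
    ipaadmin_password: SomeADMINpassword
    name: testrule1
    hostmask:
      - 192.168.122.1/24
      - 192.168.120.1/24
    action: member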
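# Ensure Sudo Rule testrule1 is absent
# (without action: member, state: absent deletes the whole rule, not just members)
- freeipa.ansible_freeipa.ipasudorule:
    ipaadmin_password: SomeADMINpassword
    name: testrule1
    state: absent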

Inputs

    
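# Argument spec for freeipa.ansible_freeipa.ipasudorule (1.11.1).
# Membership parameters (host, hostgroup, user, group, *_sudocmd*, runas*) are
# lists; `action` decides whether `state` applies to the whole rule or only to
# the listed members.
host:
    description: List of host names assigned to this sudorule.
    elements: str
    required: false
    type: list

# `name` is a list, so a single task can manage several rules at once.
name:
    aliases:
    - cn
    description: The sudorule name
    elements: str
    required: true
    type: list

user:
    description: List of users assigned to the sudo rule.
    elements: str
    required: false
    type: list

group:
    description: List of user groups assigned to the sudo rule.
    elements: str
    required: false
    type: list

order:
    aliases:
    - sudoorder
    description: Order to apply this rule.
    required: false
    type: int

# present/absent create or delete the rule (or, with action: member, add or
# remove the listed members); enabled/disabled toggle an existing rule.
state:
    choices:
    - present
    - absent
    - enabled
    - disabled
    default: present
    description: State to ensure
    type: str

action:
    choices:
    - member
    - sudorule
    default: sudorule
    description: Work on sudorule or member level
    type: str

# CIDR network masks, e.g. 192.168.122.1/24 in the examples.
hostmask:
    description: Host masks of allowed hosts.
    elements: str
    required: false
    type: list

hostgroup:
    description: List of host groups assigned to this sudorule.
    elements: str
    required: false
    type: list

nomembers:
    description: Suppress processing of membership attributes
    required: false
    type: bool

runasuser:
    description: List of users for Sudo to execute as.
    elements: str
    required: false
    type: list

runasgroup:
    description: List of groups for Sudo to execute as.
    elements: str
    required: false
    type: list

sudooption:
    aliases:
    - options
    description: List of sudo options.
    elements: str
    required: false
    type: list

# `all` lets the rule run any command, which is effectively unrestricted sudo
# for the rule's subjects; prefer explicit allow_sudocmd entries. The empty
# string presumably clears the category (confirm against the module).
cmdcategory:
    aliases:
    - cmdcat
    choices:
    - all
    - ''
    description: Command category the sudo rule applies to
    required: false
    type: str

description:
    description: The sudorule description
    required: false
    type: str

# A deny list only subtracts from what the allow side grants; keep
# allow_sudocmd / cmdcategory narrow rather than relying on denies.
deny_sudocmd:
    description: List of denied sudocmds assigned to this sudorule.
    elements: str
    required: false
    type: list

# `all` applies the rule on every host (the example rule named allhosts relies on this).
hostcategory:
    aliases:
    - hostcat
    choices:
    - all
    - ''
    description: Host category the sudo rule applies to.
    required: false
    type: str

# `all` applies the rule to every user (the example rule named allusers relies on this).
usercategory:
    aliases:
    - usercat
    choices:
    - all
    - ''
    description: User category the sudo rule applies to
    required: false
    type: str

allow_sudocmd:
    description: List of allowed sudocmds assigned to this sudorule.
    elements: str
    required: false
    type: list

# The description keeps its original line breaks; a literal block scalar
# yields the same value as the folded single-quoted form.
ipaapi_context:
    choices:
    - server
    - client
    description: |
      The context in which the module will execute. Executing in a
      server context is preferred. If not provided context will be
      determined by the execution environment.
    required: false
    type: str

deny_sudocmdgroup:
    description: List of denied sudocmd groups assigned to this sudorule.
    elements: str
    required: false
    type: list

# Optional. Supply it from Ansible Vault or a lookup rather than a plain-text
# literal, and set no_log on tasks that pass it so it is not echoed in output.
ipaadmin_password:
    description: The admin password.
    required: false
    type: str

ipaapi_ldap_cache:
    default: true
    description: Use LDAP cache for IPA connection.
    type: bool

runasusercategory:
    aliases:
    - runasusercat
    choices:
    - all
    - ''
    description: RunAs User category applied to the sudorule.
    required: false
    type: str

allow_sudocmdgroup:
    description: List of allowed sudocmd groups assigned to this sudorule.
    elements: str
    required: false
    type: list

# Defaults to the IPA admin account; where the deployment allows it, a
# dedicated principal limited to sudo-rule management is preferable.
ipaadmin_principal:
    default: admin
    description: The admin principal.
    type: str

runasgroupcategory:
    aliases:
    - runasgroupcat
    choices:
    - all
    - ''
    description: RunAs Group category applied to the sudo rule.
    required: false
    type: str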