Documentation

ipa_hbacrule - Manage FreeIPA HBAC rule

New in version 2.3.

Synopsis

  • Add, modify or delete an IPA HBAC rule using IPA API.

Parameters

Parameter
Choices/Defaults
Comments
cn
required
Canonical name.
Can not be changed as it is the unique identifier.

aliases: name
description
Description
host
List of host names to assign.
If an empty list is passed all hosts will be removed from the rule.
If option is omitted hosts will not be checked or changed.
hostcategory
    Choices:
  • all
Host category
hostgroup
List of hostgroup names to assign.
If an empty list is passed all hostgroups will be removed. from the rule
If option is omitted hostgroups will not be checked or changed.
ipa_host
Default:
ipa.example.com
IP or hostname of IPA server.
If the value is not specified in the task, the value of environment variable IPA_HOST will be used instead.
If both the environment variable IPA_HOST and the value are not specified in the task, then default value is set.
Environment variable fallback mechanism is added in version 2.5.
ipa_pass
required
Password of administrative user.
If the value is not specified in the task, the value of environment variable IPA_PASS will be used instead.
If both the environment variable IPA_PASS and the value are not specified in the task, then default value is set.
Environment variable fallback mechanism is added in version 2.5.
ipa_port
Default:
443
Port of FreeIPA / IPA server.
If the value is not specified in the task, the value of environment variable IPA_PORT will be used instead.
If both the environment variable IPA_PORT and the value are not specified in the task, then default value is set.
Environment variable fallback mechanism is added in version 2.5.
ipa_prot
    Choices:
  • http
  • https ←
Protocol used by IPA server.
If the value is not specified in the task, the value of environment variable IPA_PROT will be used instead.
If both the environment variable IPA_PROT and the value are not specified in the task, then default value is set.
Environment variable fallback mechanism is added in version 2.5.
ipa_user
Default:
admin
Administrative account used on IPA server.
If the value is not specified in the task, the value of environment variable IPA_USER will be used instead.
If both the environment variable IPA_USER and the value are not specified in the task, then default value is set.
Environment variable fallback mechanism is added in version 2.5.
service
List of service names to assign.
If an empty list is passed all services will be removed from the rule.
If option is omitted services will not be checked or changed.
servicecategory
    Choices:
  • all
Service category
servicegroup
List of service group names to assign.
If an empty list is passed all assigned service groups will be removed from the rule.
If option is omitted service groups will not be checked or changed.
sourcehost
List of source host names to assign.
If an empty list if passed all assigned source hosts will be removed from the rule.
If option is omitted source hosts will not be checked or changed.
sourcehostcategory
    Choices:
  • all
Source host category
sourcehostgroup
List of source host group names to assign.
If an empty list if passed all assigned source host groups will be removed from the rule.
If option is omitted source host groups will not be checked or changed.
state
    Choices:
  • present ←
  • absent
  • enabled
  • disabled
State to ensure
user
List of user names to assign.
If an empty list if passed all assigned users will be removed from the rule.
If option is omitted users will not be checked or changed.
usercategory
    Choices:
  • all
User category
usergroup
List of user group names to assign.
If an empty list if passed all assigned user groups will be removed from the rule.
If option is omitted user groups will not be checked or changed.
validate_certs
Default:
yes
This only applies if ipa_prot is https.
If set to no, the SSL certificates will not be validated.
This should only set to no used on personally controlled sites using self-signed certificates.

Examples

# Ensure rule to allow all users to access any host from any host
- ipa_hbacrule:
    name: allow_all
    description: Allow all users to access any host from any host
    hostcategory: all
    servicecategory: all
    usercategory: all
    state: present
    ipa_host: ipa.example.com
    ipa_user: admin
    ipa_pass: topsecret

# Ensure rule with certain limitations
- ipa_hbacrule:
    name: allow_all_developers_access_to_db
    description: Allow all developers to access any database from any host
    hostgroup:
    - db-server
    usergroup:
    - developers
    state: present
    ipa_host: ipa.example.com
    ipa_user: admin
    ipa_pass: topsecret

# Ensure rule is absent
- ipa_hbacrule:
    name: rule_to_be_deleted
    state: absent
    ipa_host: ipa.example.com
    ipa_user: admin
    ipa_pass: topsecret

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key
Returned
Description
hbacrule
dict
always
HBAC rule as returned by IPA API.



Status

This module is flagged as preview which means that it is not guaranteed to have a backwards compatible interface.

Author

  • Thomas Krahn (@Nosmoht)

Hint

If you notice any issues in this documentation you can edit this document to improve it.