For the maintainer_tests instances we just want to allow anyone with
shell access the ability to sudo with no password. In this case asking for
passwords/tokens could provide a MITM attack vector. This matches up with
the way they were set up before with fas2.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
SSSD caches information, some types for hours by default. When changing
anything in IPA pertaining to a host this role is applied to, clean out
the caches on the host so the changes are effective immediately.
Signed-off-by: Nils Philippsen <nils@redhat.com>
With set_facts, if an element of a list is undefined, the containing
fact variable becomes a string. Something Sirius Cybernetics Corporation
something something.
Signed-off-by: Nils Philippsen <nils@redhat.com>
The `ipa_server_admin_passwords` contains the passwords of the admin
users of all IPA servers affected in a play. Don't loop over them
directly to avoid divulging them in the logs or on the console.
Signed-off-by: Nils Philippsen <nils@redhat.com>
Don't attempt to loop over undefined variables. This can happen if the
relevant `ipa_*` variables aren't defined for any host in the play.
Signed-off-by: Nils Philippsen <nils@redhat.com>
The reason for this is to avoid having to do the same or similar things
over and over again for each host in the play, especially since these
operations are delegated to the IPA server, i.e. they have to run
sequentially host after host in order to avoid race conditions.
To achieve this, the IPA client related group variables are prepared in
suitable structures in `prepare-ipa-info.yml` and consumed by
`common.yml`, `hbac.yml` and `sudo.yml`, which do most operations in one
go per e.g. host group on the affected IPA server(s).
Additionally:
- Remove compat for legacy `fas_client_groups`, only check for its
presence and warn.
- Remove the prepared but masked out task to manage password-less sudo
access.
- Make yamllint a little happier on the changed files.
Signed-off-by: Nils Philippsen <nils@redhat.com>
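The commits above describe one design: gather the IPA client variables of every host once, guard against undefined variables and undefined list elements in `set_fact`, keep the admin passwords out of loop output, do the IPA-side work in one go per user group on the IPA server, warn about the legacy `fas_client_groups` variable, and flush SSSD caches afterwards. The play below is an added example of that pattern and is not the role's own code. It assumes an `ipa_clients` inventory group, the variables `ipa_server_fqdn`, `ipa_server_admin_passwords` (a dict keyed by server FQDN) and `ipa_client_hbac_usergroups` (a per-host list of IPA user groups granted shell access), and that inventory hostnames are the FQDNs IPA knows the hosts by.

```yaml
---
# Added example, not the role's own code. Assumed names: ipa_clients,
# ipa_server_fqdn, ipa_server_admin_passwords, ipa_client_hbac_usergroups.
- name: Grant shell access per IPA user group in one go, then refresh the clients
  hosts: ipa_clients
  become: true
  tasks:
    - name: Warn about the legacy variable instead of translating it
      ansible.builtin.debug:
        msg: "fas_client_groups is set on {{ inventory_hostname }} but is no longer honoured, use ipa_client_hbac_usergroups"
      when: fas_client_groups is defined

    - name: Normalise the per-host list so no aggregated element is undefined
      ansible.builtin.set_fact:
        # Without this default, a host lacking the variable would contribute
        # an undefined element below and set_fact would store a string
        # instead of a list.
        my_hbac_usergroups: "{{ ipa_client_hbac_usergroups | default([]) }}"

    - name: Aggregate the user groups wanted by any active host in the play (once)
      ansible.builtin.set_fact:
        play_hbac_usergroups: >-
          {{ ansible_play_hosts
             | map('extract', hostvars, 'my_hbac_usergroups')
             | flatten | unique }}
      run_once: true

    - name: Create or update one HBAC rule per user group on the IPA server
      community.general.ipa_hbacrule:
        name: "usergroup/{{ item }}"
        description: "shell access for IPA user group {{ item }}"
        usergroup: ["{{ item }}"]
        service: [sshd]
        # Members are exactly the play hosts that asked for this group.
        host: >-
          {{ dict(ansible_play_hosts
                  | zip(ansible_play_hosts | map('extract', hostvars, 'my_hbac_usergroups')))
             | dict2items | selectattr('value', 'contains', item)
             | map(attribute='key') | list }}
        state: present
        ipa_host: "{{ ipa_server_fqdn }}"
        ipa_user: admin
        # Look the password up inside the task instead of looping over the
        # dict, so neither loop labels nor module arguments reveal it.
        ipa_pass: "{{ ipa_server_admin_passwords[ipa_server_fqdn] }}"
      loop: "{{ play_hbac_usergroups }}"
      # An empty list also covers the case where no host in the play
      # defines the ipa_* variables at all: nothing is looped over.
      when: play_hbac_usergroups | length > 0
      no_log: true
      delegate_to: "{{ ipa_server_fqdn }}"
      run_once: true
      register: hbac_rules

    - name: Flush SSSD caches so the new memberships apply immediately
      ansible.builtin.command: sss_cache -E
      # run_once registers hbac_rules on every host, so each client sees it.
      when: hbac_rules is changed
```

`sss_cache -E` invalidates every cached SSSD entry on the client; it is only run when the IPA side actually changed, so an unchanged play leaves the caches alone.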
The `ipa` command needs a valid Kerberos ticket for the IPA admin user
which might be present or not. This probably worked most of the time
because other tasks in the playbook acquired a ticket as a side effect.
Use `getent group ...` instead which doesn't query IPA directly. This
has the additional benefit that it verifies the groups in question are
POSIX groups, which is what we want for shell access and sudo.
Signed-off-by: Nils Philippsen <nils@redhat.com>
Rename:
- "group/sysadmin-main" to "usergroup/sysadmin-main" to prepare for
using host groups
- "sudo/all" to "all-users/sudo" likewise to make it apparent that it's
about users and to put the resource last to which access is granted
Signed-off-by: Nils Philippsen <nils@redhat.com>
This also uses HBAC to let all IPA accounts use the sudo command, so
what some user or group may use it for just has to be configured with
sudo rules in IPA.
Signed-off-by: Nils Philippsen <nils@redhat.com>
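The HBAC rule named `all-users/sudo` only decides who may reach the sudo service on a host; what a user or group may then run is decided by IPA sudo rules. The play below is an added example of that split, not the role's own code: the first task is the HBAC rule, the second is a sudo rule of the kind the first commit on this page describes for the maintainer_tests instances. It assumes an `ipa_clients` inventory group, `ipa_server_fqdn`, `ipa_server_admin_passwords`, an IPA host group named `maintainer_tests`, and that inventory hostnames are IPA FQDNs.

```yaml
---
# Added example, not the role's own code. Assumed names: ipa_clients,
# ipa_server_fqdn, ipa_server_admin_passwords, host group maintainer_tests.
- name: Open the sudo service to all IPA users, grant actual rights via sudo rules
  hosts: ipa_clients
  gather_facts: false
  tasks:
    - name: HBAC rule all-users/sudo lets any IPA account invoke sudo on these hosts
      community.general.ipa_hbacrule:
        name: all-users/sudo
        description: "all IPA users may use the sudo service; rights come from sudo rules"
        usercategory: all
        service: [sudo]
        host: "{{ ansible_play_hosts }}"
        state: present
        ipa_host: "{{ ipa_server_fqdn }}"
        ipa_user: admin
        ipa_pass: "{{ ipa_server_admin_passwords[ipa_server_fqdn] }}"
      no_log: true
      delegate_to: "{{ ipa_server_fqdn }}"
      run_once: true

    - name: Sudo rule for sysadmin-main on the maintainer_tests host group
      community.general.ipa_sudorule:
        name: sysadmin-main-maintainer-tests
        description: "sysadmin-main may run any command on maintainer_tests hosts"
        usergroup: [sysadmin-main]
        hostgroup: [maintainer_tests]
        cmdcategory: all
        runasusercategory: all
        # Password-less sudo, scoped to this one host group only, as the
        # maintainer_tests commit above describes.
        sudoopt: ["!authenticate"]
        state: present
        ipa_host: "{{ ipa_server_fqdn }}"
        ipa_user: admin
        ipa_pass: "{{ ipa_server_admin_passwords[ipa_server_fqdn] }}"
      no_log: true
      delegate_to: "{{ ipa_server_fqdn }}"
      run_once: true
```

Keeping the HBAC rule broad and the sudo rules narrow means adding or removing a privilege is a change to one sudo rule in IPA, with the host group as the boundary; a host outside `maintainer_tests` is unaffected by the `!authenticate` option.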