fedora-infra_ansible/roles/ipa/server/tasks/toddlers.yml
Aurélien Bompard beb724ee65 IPA: setup a permission to modify group managers
Signed-off-by: Aurélien Bompard <aurelien@bompard.org>
2025-09-01 11:18:45 +02:00


# Toddlers capabilities
#
# Service principal for the toddlers group-sync worker on the os-control host;
# the ipa/service role does the actual `service-add`.
- name: Create toddlers toddlers-sync-groups service
  ansible.builtin.include_role:
    name: "ipa/service"  # noqa role-name[path]
  vars:
    service: "toddlers-sync-group"  # noqa: var-naming[no-role-prefix]
    host: "os-control01{{ env_suffix }}.{{ datacenter }}.fedoraproject.org"  # noqa: var-naming[no-role-prefix]
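- name: Create the permission to modify member managers
  # Write access to the "membermanager" attribute of user groups under
  # cn=groups, with "(!(cn=admins))" keeping the IPA admins group out of
  # scope. bindtype=permission means the permission is only usable through a
  # privilege/role (it is attached to the sync role further down this file).
  ansible.builtin.command:
    argv:
      - ipa
      - permission-add
      - Modify Group Managers
      - --right=write
      - --attrs=membermanager
      - --bindtype=permission
      # Jinja spacing normalised ({{ ipa_basedn }}); value quoted because it
      # carries a template expression.
      - "--subtree=cn=groups,cn=accounts,{{ ipa_basedn }}"
      - "--filter=(!(cn=admins))"
      - "--filter=(objectclass=ipausergroup)"
  register: output
  # "already exists" on stderr is treated as "nothing to do". Note this does
  # not reconcile an existing permission whose attrs/filter drifted from the
  # definition above; that needs a manual permission-mod.
  changed_when: "'already exists' not in output.stderr"
  failed_when: "'already exists' not in output.stderr and output.rc != 0"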
- name: Create the privilege
  # Privilege that will carry the two permissions added in the next task.
  ansible.builtin.command:
    argv:
      - ipa
      - privilege-add
      - "Group Membership Synchronization"
      - "--desc=Toddler to synchronize group memberships"
  register: output
  # A pre-existing privilege is reported on stderr; only other non-zero exits
  # are failures.
  failed_when: "'already exists' not in output.stderr and output.rc != 0"
  changed_when: "'already exists' not in output.stderr"
- name: Setup the privilege
  # Attach both permissions to the privilege: the "System:" one is an IPA
  # managed permission, the other is created earlier in this file.
  ansible.builtin.command:
    argv:
      - ipa
      - privilege-add-permission
      - "Group Membership Synchronization"
      - "--permissions=System: Modify Group Membership"
      - "--permissions=Modify Group Managers"
  register: output
  # ipa prints "Number of permissions added 0" when both are already present.
  failed_when: "'Number of permissions added 0' not in output.stdout and output.rc != 0"
  changed_when: "'Number of permissions added 0' not in output.stdout"
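- name: Create the role
  # Binds the privilege to the toddlers-sync-group service principal created
  # at the top of this file, which is what lets the sync worker edit group
  # managers.
  community.general.ipa_role:
    name: "Group Membership Synchronization"
    description: "Toddler role to synchronize group memberships"
    privilege:
      - "Group Membership Synchronization"
    service:
      - "toddlers-sync-group/os-control01{{ env_suffix }}.{{ datacenter }}.fedoraproject.org"
    ipa_host: "{{ inventory_hostname }}"
    ipa_user: "admin"
    ipa_pass: "{{ ipa_admin_password }}"
    # Canonical YAML boolean (was the 1.1 spelling `no`). This turns off TLS
    # certificate checking on the API call that carries the admin password;
    # presumably tolerable only because ipa_host is the play host itself --
    # if this task is ever delegated to a remote IPA server, enable
    # validation instead.
    validate_certs: false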