IPA Privileges
This commit adds privileges and roles for the initial IPA team accounts.
This commit is contained in:
parent
a491898f28
commit
8dc0268a50
@ -5,6 +5,7 @@
|
||||
- name: Create our initial users
|
||||
hosts: ipaserver
|
||||
become: false
|
||||
gather_facts: false
|
||||
vars_files:
|
||||
- vars/encpass.yml
|
||||
|
||||
|
@ -5,6 +5,7 @@
|
||||
- name: Create a User
|
||||
hosts: ipaserver
|
||||
become: false
|
||||
gather_facts: false
|
||||
vars_files:
|
||||
- vars/encpass.yml
|
||||
|
||||
|
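--- a/ansible/playbooks/import-rockyipaprivs.yml
+++ b/ansible/playbooks/import-rockyipaprivs.yml
@@ -0,0 +1,44 @@
+---
+# Creates necessary privileges for services
+- name: "Creating necessary privileges"
+freeipa.ansible_freeipa.ipaprivilege:
+ipaadmin_password: "{{ ipaadmin_password }}"
+name: "{{ item.privilege }}"
+description: "{{ item.description }}"
+loop: "{{ ipaprivileges }}"
+when: ipaprivileges is defined
+tags:
+- rbac
+
+- name: "Creating permissions"
+freeipa.ansible_freeipa.ipaprivilege:
+ipaadmin_password: "{{ ipaadmin_password }}"
+name: "{{ item.privilege }}"
+permission: "{{ item.permissions }}"
+action: member
+loop: "{{ ipaprivileges }}"
+when: ipaprivileges is defined
+tags:
+- rbac
+
+- name: "Creating roles based on custom privileges"
+freeipa.ansible_freeipa.iparole:
+ipaadmin_password: "{{ ipaadmin_password }}"
+name: "{{ item.role }}"
+privilege: "{{ item.privilege }}"
+user: "{{ item.user }}"
+loop: "{{ ipaprivileges }}"
+when: ipaprivileges is defined
+tags:
+- rbac
+
+- name: "Creating roles based on standard privileges"
+freeipa.ansible_freeipa.iparole:
+ipaadmin_password: "{{ ipaadmin_password }}"
+name: "{{ item.role }}"
+privilege: "{{ item.privileges }}"
+user: "{{ item.user }}"
+loop: "{{ iparoles }}"
+when: iparoles is defined
+tags:
+- rbac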
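Review bot: The `Creating permissions` task attaches permissions with `action: member`, which only ever adds, so a permission later dropped from `permissions:` in the vars file stays attached to the privilege in IPA — the definition can only grow more permissive over time, never shrink, which is the wrong direction for an RBAC file. Either state that above the task, `# action: member is add-only; revoking a permission needs a matching state: absent task`, or drive a present/absent pair from the vars. The two `iparole` tasks, by contrast, run with the module's default role-level action, which to my understanding sets the role's privilege and user membership to exactly what the item lists, so out-of-band additions to `Kerberos Managers` would be removed on the next run — desirable for a declarative definition, but worth a comment. Separately, `privilege: "{{ item.privilege }}"` in the third task hands a scalar to a list parameter; Ansible wraps it, but a comma in a privilege name would be split, so `privilege: ["{{ item.privilege }}"]` is the safer spelling.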
@ -31,3 +31,18 @@
|
||||
loop: "{{ adminusers }}"
|
||||
tags:
|
||||
- users
|
||||
|
||||
- name: "Creating Service Accounts"
|
||||
freeipa.ansible_freeipa.ipauser:
|
||||
ipaadmin_password: "{{ ipaadmin_password }}"
|
||||
name: "{{ item.name }}"
|
||||
first: "{{ item.first }}"
|
||||
last: "{{ item.last }}"
|
||||
email: "{{ item.email }}"
|
||||
password: "{{ item.password }}"
|
||||
title: "{{ item.title }}"
|
||||
loginshell: "{{ item.loginshell }}"
|
||||
update_password: on_create
|
||||
loop: "{{ svcusers }}"
|
||||
tags:
|
||||
- users
|
||||
|
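Review bot: The `Creating Service Accounts` task loops over dicts that contain `password`, and Ansible prints the full `item` for every loop iteration in the play output, so the module's own masking of its `password` parameter does not keep the value out of console logs and CI output; add `loop_control:` with `label: "{{ item.name }}"` under the loop, or put `no_log: true` on the task. The task also has no `when: svcusers is defined` guard, unlike every task in `import-rockyipaprivs.yml`, so a run where that vars file is not loaded fails on an undefined variable instead of skipping. The enclosing task list begins before this hunk.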
@ -3,6 +3,7 @@
|
||||
- name: Create our initial users
|
||||
hosts: ipaserver
|
||||
become: false
|
||||
gather_facts: false
|
||||
vars_files:
|
||||
- vars/encpass.yml
|
||||
- vars/rdns.yml
|
||||
|
@ -3,11 +3,14 @@
|
||||
- name: Create our initial users
|
||||
hosts: ipaserver
|
||||
become: false
|
||||
gather_facts: false
|
||||
vars_files:
|
||||
- vars/encpass.yml
|
||||
- vars/users.yml
|
||||
- vars/adminusers.yml
|
||||
- vars/svcusers.yml
|
||||
- vars/groups.yml
|
||||
- vars/ipaprivs.yml
|
||||
|
||||
tasks:
|
||||
- name: "Checking for user variables"
|
||||
@ -27,3 +30,6 @@
|
||||
|
||||
- name: "Start sudo for admins"
|
||||
import_tasks: import-rockysudo.yml
|
||||
|
||||
- name: "Start privileges for services"
|
||||
import_tasks: import-rockyipaprivs.yml
|
||||
|
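Review bot: The `Start privileges for services` import depends on `hostman` and `kerbman` from `vars/svcusers.yml` already existing in IPA, because `vars/ipaprivs.yml` binds those users to the roles it creates, but nothing records that ordering; add `# must run after the user imports: the roles in vars/ipaprivs.yml bind svcusers (hostman, kerbman)` above the import. A run with `--tags rbac` alone skips the `users`-tagged creation tasks and would presumably fail in `iparole` on the missing members, which deserves a line in the same comment. The play's task list begins before this hunk.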
@ -63,3 +63,10 @@ adminusers:
|
||||
password: ThisIsNotMyPassword1!
|
||||
title: Infrastructure Manager
|
||||
loginshell: /bin/bash
|
||||
- name: bagner2
|
||||
first: Benjamin
|
||||
last: Agner
|
||||
email: bagner@rockylinux.org
|
||||
password: ThisIsNotMyPassword1!
|
||||
title: Security Director
|
||||
loginshell: /bin/bash
|
||||
|
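Review bot: The new `bagner2` entry reuses the literal `ThisIsNotMyPassword1!` that the other entries in this file carry, so an admin-tier account is created with a password readable by anyone with access to the repository. Even if IPA expires admin-set passwords on first use (I believe that is the default, but it is outside this diff), the window between creation and first login is open, and a placeholder nobody rotates becomes a standing credential. The play already loads `vars/encpass.yml`; reference a vaulted value instead, e.g. `password: "{{ vault_bagner2_password }}"`, or omit `password` and set the initial credential out of band. The `adminusers:` list starts before this hunk.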
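--- a/ansible/playbooks/vars/ipaprivs.yml
+++ b/ansible/playbooks/vars/ipaprivs.yml
@@ -0,0 +1,28 @@
+---
+# privileges
+ipaprivileges:
+- privilege: Privileges - Kerberos Managers
+description: Kerberos Key Managers
+permissions:
+- "System: Manage Host Keytab"
+- "System: Manage Host Keytab Permissions"
+- "System: Manage Service Keytab"
+- "System: Manage Service Keytab Permissions"
+- "System: Manage User Principals"
+role: Kerberos Managers
+user:
+- kerbman
+
+# Standalone Roles
+iparoles:
+- role: IPA Client Managers
+description: IPA Client Managers
+privileges:
+- "DNS Administrators"
+- "DNS Servers"
+- "Host Administrators"
+- "Host Enrollment"
+- "Host Group Administrators"
+- "Netgroups Administrators"
+user:
+- hostman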
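Review bot: `Privileges - Kerberos Managers` bundles, going by the permission names, keytab management for every host and service in the realm plus user-principal management, so whoever holds `kerbman` can fetch or reset the credentials of any host or service principal — which is the ability to impersonate them, i.e. near realm-admin reach under a modest-sounding name. The file should say so, e.g. `# realm-wide: holder can retrieve/reset any host or service keytab` above the entry, and it is worth checking whether the consuming service needs all five built-in permissions or whether custom permissions with a host/service filter could confine it to what it actually manages. The same review applies to `IPA Client Managers`, which hands `hostman` DNS, host, host-group and netgroup administration in one role.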
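--- a/ansible/playbooks/vars/svcusers.yml
+++ b/ansible/playbooks/vars/svcusers.yml
@@ -0,0 +1,16 @@
+---
+svcusers:
+- name: hostman
+first: Host
+last: Manager
+email: hostman@rockylinux.org
+password: ThisIsNotMyPassword1!
+title: System Account - Host Manager
+loginshell: /sbin/nologin
+- name: kerbman
+first: Kerberos
+last: Manager
+email: kerbman@rockylinux.org
+password: ThisIsNotMyPassword1!
+title: System Account - Kerberos Key Manager
+loginshell: /sbin/nologin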
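Review bot: Both service accounts are defined with a literal password in a vars file committed to the repository, and `loginshell: /sbin/nologin` does not restrict them — Kerberos, LDAP bind and the IPA web UI authenticate against the IPA password, not the shell — so the accounts that end up holding the keytab and host-management roles are protected by a string anyone with repo access can read. The `Creating Service Accounts` task in this commit uses `update_password: on_create`, so whatever is set here is what the account keeps until someone rotates it. Move the values into the vault-encrypted vars the play already loads (`vars/encpass.yml`, assuming that is the vaulted file) and reference them, e.g. `password: "{{ vault_svc_hostman_password }}"`, or better, give these accounts no password at all and have the consuming service authenticate with a keytab obtained via `ipa-getkeytab`.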
@ -63,3 +63,10 @@ users:
|
||||
password: ThisIsNotMyPassword1!
|
||||
title: Infrastructure Manager
|
||||
loginshell: /bin/bash
|
||||
- name: bagner
|
||||
first: Benjamin
|
||||
last: Agner
|
||||
email: bagner@rockylinux.org
|
||||
password: ThisIsNotMyPassword1!
|
||||
title: Security Director
|
||||
loginshell: /bin/bash
|
||||
|
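Review bot: `bagner` here and `bagner2` in `vars/adminusers.yml` share one email address and the same placeholder password, which looks like a split between a daily account and an admin account; that separation only buys anything if the two credentials differ, so this entry should not take the same `ThisIsNotMyPassword1!` string as the admin one. A short comment on the entry, `# daily (non-admin) account; admin counterpart is bagner2 in adminusers.yml`, would make the intent explicit for the next person adding a user. The `users:` list starts before this hunk.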
@ -17,3 +17,4 @@ collections:
|
||||
- name: community.general
|
||||
- name: community.mysql
|
||||
- name: ansible.posix
|
||||
- name: ktdreyer.koji_ansible
|
||||
|
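Review bot: None of the collections visible in this list carries a `version:`, so `ansible-galaxy collection install -r` resolves each to whatever is latest at install time, and the entry that appears to be new here, `ktdreyer.koji_ansible`, joins the others unpinned in a requirements file that drives identity and build infrastructure. Pin each entry, e.g. `- name: ktdreyer.koji_ansible` followed by `version: "x.y.z"` with the version actually tested, and consider a `source:` so the collection is only ever fetched from the intended Galaxy or Automation Hub. The `collections:` list starts before this hunk.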