IPA Privileges

This release adds support for privileges and roles for the initial IPA
team accounts.
This commit is contained in:
nazunalika 2020-12-20 22:05:52 -07:00
parent a491898f28
commit 8dc0268a50
11 changed files with 127 additions and 0 deletions


@ -5,6 +5,7 @@
- name: Create our initial users - name: Create our initial users
hosts: ipaserver hosts: ipaserver
become: false become: false
gather_facts: false
vars_files: vars_files:
- vars/encpass.yml - vars/encpass.yml


@ -5,6 +5,7 @@
- name: Create a User - name: Create a User
hosts: ipaserver hosts: ipaserver
become: false become: false
gather_facts: false
vars_files: vars_files:
- vars/encpass.yml - vars/encpass.yml


@ -0,0 +1,44 @@
---
# Creates necessary privileges for services
- name: "Creating necessary privileges"
freeipa.ansible_freeipa.ipaprivilege:
ipaadmin_password: "{{ ipaadmin_password }}"
name: "{{ item.privilege }}"
description: "{{ item.description }}"
loop: "{{ ipaprivileges }}"
when: ipaprivileges is defined
tags:
- rbac
- name: "Creating permissions"
freeipa.ansible_freeipa.ipaprivilege:
ipaadmin_password: "{{ ipaadmin_password }}"
name: "{{ item.privilege }}"
permission: "{{ item.permissions }}"
action: member
loop: "{{ ipaprivileges }}"
when: ipaprivileges is defined
tags:
- rbac
- name: "Creating roles based on custom privileges"
freeipa.ansible_freeipa.iparole:
ipaadmin_password: "{{ ipaadmin_password }}"
name: "{{ item.role }}"
privilege: "{{ item.privilege }}"
user: "{{ item.user }}"
loop: "{{ ipaprivileges }}"
when: ipaprivileges is defined
tags:
- rbac
- name: "Creating roles based on standard privileges"
freeipa.ansible_freeipa.iparole:
ipaadmin_password: "{{ ipaadmin_password }}"
name: "{{ item.role }}"
privilege: "{{ item.privileges }}"
user: "{{ item.user }}"
loop: "{{ iparoles }}"
when: iparoles is defined
tags:
- rbac
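Review bot: The task named "Creating permissions" does not create permissions — it attaches existing IPA permissions to the privilege (`action: member`), so the name misleads anyone reading play output; rename it `- name: "Adding permissions to privileges"`. The two iparole tasks pass `user:` without `action: member`, unlike the ipaprivilege task above them; if the module's default is to enforce the listed membership exactly, any role member added outside this playbook is removed on the next run, which deserves either a comment saying that is intended or `action: member` if it is not. The second iparole task also drops `description`, although the `iparoles` items in the vars file carry one; add `description: "{{ item.description }}"`.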


@ -31,3 +31,18 @@
loop: "{{ adminusers }}" loop: "{{ adminusers }}"
tags: tags:
- users - users
- name: "Creating Service Accounts"
freeipa.ansible_freeipa.ipauser:
ipaadmin_password: "{{ ipaadmin_password }}"
name: "{{ item.name }}"
first: "{{ item.first }}"
last: "{{ item.last }}"
email: "{{ item.email }}"
password: "{{ item.password }}"
title: "{{ item.title }}"
loginshell: "{{ item.loginshell }}"
update_password: on_create
loop: "{{ svcusers }}"
tags:
- users
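Review bot: The new "Creating Service Accounts" task loops over items that contain `password`, and Ansible prints each loop item in its result line, so the service-account passwords land in the play output and in any CI log that captures it; add `loop_control:` with `label: "{{ item.name }}"` (or `no_log: true`) to the task. The adminusers task above it, visible only as context here, has the same exposure. The enclosing task list starts outside the hunk.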


@ -3,6 +3,7 @@
- name: Create our initial users - name: Create our initial users
hosts: ipaserver hosts: ipaserver
become: false become: false
gather_facts: false
vars_files: vars_files:
- vars/encpass.yml - vars/encpass.yml
- vars/rdns.yml - vars/rdns.yml


@ -3,11 +3,14 @@
- name: Create our initial users - name: Create our initial users
hosts: ipaserver hosts: ipaserver
become: false become: false
gather_facts: false
vars_files: vars_files:
- vars/encpass.yml - vars/encpass.yml
- vars/users.yml - vars/users.yml
- vars/adminusers.yml - vars/adminusers.yml
- vars/svcusers.yml
- vars/groups.yml - vars/groups.yml
- vars/ipaprivs.yml
tasks: tasks:
- name: "Checking for user variables" - name: "Checking for user variables"
@ -27,3 +30,6 @@
- name: "Start sudo for admins" - name: "Start sudo for admins"
import_tasks: import-rockysudo.yml import_tasks: import-rockysudo.yml
- name: "Start privileges for services"
import_tasks: import-rockyipaprivs.yml


@ -63,3 +63,10 @@ adminusers:
password: ThisIsNotMyPassword1! password: ThisIsNotMyPassword1!
title: Infrastructure Manager title: Infrastructure Manager
loginshell: /bin/bash loginshell: /bin/bash
- name: bagner2
first: Benjamin
last: Agner
email: bagner@rockylinux.org
password: ThisIsNotMyPassword1!
title: Security Director
loginshell: /bin/bash
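Review bot: `password: ThisIsNotMyPassword1!` is committed in clear text in this vars file, and the same literal is used for `bagner` in the users file and for both service accounts in the svcusers file later in this commit; since the playbook already loads `vars/encpass.yml` for `ipaadmin_password`, the initial passwords belong in that vaulted file (referenced from here as a variable), not beside the account definitions. Even if it is meant as a placeholder, it is exactly what the ipauser task's `update_password: on_create` will set as the real initial password. The `adminusers:` list starts outside the hunk.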


@ -0,0 +1,28 @@
---
# privileges
ipaprivileges:
- privilege: Privileges - Kerberos Managers
description: Kerberos Key Managers
permissions:
- "System: Manage Host Keytab"
- "System: Manage Host Keytab Permissions"
- "System: Manage Service Keytab"
- "System: Manage Service Keytab Permissions"
- "System: Manage User Principals"
role: Kerberos Managers
user:
- kerbman
# Standalone Roles
iparoles:
- role: IPA Client Managers
description: IPA Client Managers
privileges:
- "DNS Administrators"
- "DNS Servers"
- "Host Administrators"
- "Host Enrollment"
- "Host Group Administrators"
- "Netgroups Administrators"
user:
- hostman
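Review bot: The permission and privilege lists carry no justification, and some entries grant more than the role names suggest: "System: Manage Host Keytab Permissions" and "System: Manage Service Keytab Permissions" let the holder change who may manage keytabs rather than just manage them, and "DNS Servers" is, as far as I recall, the built-in privilege intended for DNS server principals rather than for a client-manager role — confirm each is needed and add a comment per entry, e.g. `# example: lets kerbman re-issue keytabs for re-enrolled hosts`. The `iparoles` entry defines `description`, but the iparole task that consumes this list does not pass it, so it is silently ignored.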


@ -0,0 +1,16 @@
---
svcusers:
- name: hostman
first: Host
last: Manager
email: hostman@rockylinux.org
password: ThisIsNotMyPassword1!
title: System Account - Host Manager
loginshell: /sbin/nologin
- name: kerbman
first: Kerberos
last: Manager
email: kerbman@rockylinux.org
password: ThisIsNotMyPassword1!
title: System Account - Kerberos Key Manager
loginshell: /sbin/nologin


@ -63,3 +63,10 @@ users:
password: ThisIsNotMyPassword1! password: ThisIsNotMyPassword1!
title: Infrastructure Manager title: Infrastructure Manager
loginshell: /bin/bash loginshell: /bin/bash
- name: bagner
first: Benjamin
last: Agner
email: bagner@rockylinux.org
password: ThisIsNotMyPassword1!
title: Security Director
loginshell: /bin/bash


@ -17,3 +17,4 @@ collections:
- name: community.general - name: community.general
- name: community.mysql - name: community.mysql
- name: ansible.posix - name: ansible.posix
- name: ktdreyer.koji_ansible
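Review bot: `ktdreyer.koji_ansible` is added without a `version:` pin, so each `ansible-galaxy collection install` resolves to whatever is newest on Galaxy at that moment, which makes installs unreproducible and lets an upstream release change what runs against the IPA hosts; add `version: "<pinned version>"` (placeholder — use the release you tested). The other entries in this list are unpinned too, so the same applies to them. Nothing else in this commit references this collection, so it may belong in a separate change. The `collections:` list starts outside the hunk.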