Merge pull request #14953 from rocky-linux/develop

IPA Privileges
This commit is contained in:
Louis Abel 2020-12-21 08:46:35 -07:00 committed by GitHub
commit b13f8f7841
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
13 changed files with 186 additions and 0 deletions


@ -0,0 +1,33 @@
---
# This playbook is meant to be used with callable variables, like adhoc or AWX.
# What: Pulls keytabs for a kerberos service
# What is expected:
# -> ipaService, using this format: SVC/hostname.rockylinux.org@ROCKYLINUX.ORG
# -> ipaKeytabFullPath: The full path to the keytab. Example: /etc/gitlab/gitlab.keytab
# -> ipaServer: This needs to be one of the IPA servers
- name: Pull keytab from IPA
hosts: "{{ host }}"
become: false
gather_facts: false
vars_files:
- vars/encpass.yml
tasks:
- name: "Checking for user variables"
assert:
that:
- ipaadmin_password | mandatory
- ipaService | mandatory
- ipaKeytabFullPath | mandatory
- ipaServer | mandatory
success_msg: "Required variables provided"
fail_msg: "We are missing required information"
- name: "Pulling keytab"
command: "ipa-getkeytab -s {{ ipaServer }} -p {{ ipaService }} -k {{ ipaKeytabFullPath }}"
register: ipakeytab_result
changed_when:
- ipakeytab_result.rc == 0
tags:
- keytab
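Review bot: `ipa-getkeytab` is invoked without `-r`, so every run of "Pulling keytab" asks IPA for a freshly generated key, and because `changed_when` only checks the exit code the play is not idempotent: a re-run re-keys the principal and invalidates any copy of the keytab already in use elsewhere. Either guard the task with `args:` / `creates: "{{ ipaKeytabFullPath }}"`, or add `-r` to retrieve the existing key, and state in the header comment which behaviour is intended. The "Checking for user variables" assert carries no tag while the command is tagged `keytab`, so `--tags keytab` skips the check entirely; give the assert `tags: always`, and the same applies to the assert in the services playbook further down this page. `host` drives `hosts:` but is not in the assert list, and `ipaadmin_password` is asserted yet never used by the command, which appears to rely on whatever Kerberos credentials the target already holds (or would need `-D`/`-w` bind options), so the assert list should match what the tasks actually consume.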


@ -5,6 +5,7 @@
- name: Create our initial users
hosts: ipaserver
become: false
gather_facts: false
vars_files:
- vars/encpass.yml


@ -0,0 +1,26 @@
---
# This playbook is meant to be used with callable variables, like adhoc or AWX.
# What: Creates kerberos services in the idm infrastructure based on the variables provided
- name: Create Services
hosts: ipaserver
become: false
gather_facts: false
vars_files:
- vars/encpass.yml
tasks:
- name: "Checking for user variables"
assert:
that:
- ipaadmin_password | mandatory
- ipaService | mandatory
success_msg: "Required variables provided"
fail_msg: "We are missing required information"
- name: "Creating Kerberos Service"
freeipa.ansible_freeipa.ipaservice:
ipaadmin_password: "{{ ipaadmin_password }}"
name: "{{ ipaService }}"
tags:
- services
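Review bot: The header comment documents no inputs even though the assert requires `ipaadmin_password` and `ipaService`, whereas the keytab playbook on this page lists each expected variable and its format; mirror that with `# What is expected:`, `# -> ipaService: the service principal to create` and `# -> ipaadmin_password: from vars/encpass.yml`. If the `ipaservice` module expects the same `SVC/hostname.rockylinux.org@ROCKYLINUX.ORG` form that the keytab play documents, say so, so both playbooks can be driven with one value of `ipaService`.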


@ -5,6 +5,7 @@
- name: Create a User
hosts: ipaserver
become: false
gather_facts: false
vars_files:
- vars/encpass.yml


@ -0,0 +1,44 @@
---
# Creates necessary privileges for services
- name: "Creating necessary privileges"
freeipa.ansible_freeipa.ipaprivilege:
ipaadmin_password: "{{ ipaadmin_password }}"
name: "{{ item.privilege }}"
description: "{{ item.description }}"
loop: "{{ ipaprivileges }}"
when: ipaprivileges is defined
tags:
- rbac
- name: "Creating permissions"
freeipa.ansible_freeipa.ipaprivilege:
ipaadmin_password: "{{ ipaadmin_password }}"
name: "{{ item.privilege }}"
permission: "{{ item.permissions }}"
action: member
loop: "{{ ipaprivileges }}"
when: ipaprivileges is defined
tags:
- rbac
- name: "Creating roles based on custom privileges"
freeipa.ansible_freeipa.iparole:
ipaadmin_password: "{{ ipaadmin_password }}"
name: "{{ item.role }}"
privilege: "{{ item.privilege }}"
user: "{{ item.user }}"
loop: "{{ ipaprivileges }}"
when: ipaprivileges is defined
tags:
- rbac
- name: "Creating roles based on standard privileges"
freeipa.ansible_freeipa.iparole:
ipaadmin_password: "{{ ipaadmin_password }}"
name: "{{ item.role }}"
privilege: "{{ item.privileges }}"
user: "{{ item.user }}"
loop: "{{ iparoles }}"
when: iparoles is defined
tags:
- rbac
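Review bot: The "Creating roles based on standard privileges" task ignores `item.description` even though the `iparoles` entries elsewhere on this page carry one, so the role is created without its description while the privilege task does pass it; add `description: "{{ item.description | default(omit) }}"` to that `iparole` call. The two role tasks also hard-require `item.role` and `item.user` for every `ipaprivileges` entry, so a privilege defined without a role or user fails the loop instead of being skipped; `| default(omit)` on those keys, or `when: item.role is defined`, keeps the task file usable for privilege-only entries. Both `iparole` calls are made without `action: member`, which, if the module follows its usual default, declares the full membership and would remove any user added to the role by hand on the next run — worth a comment above the tasks either way.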


@ -31,3 +31,18 @@
loop: "{{ adminusers }}"
tags:
- users
- name: "Creating Service Accounts"
freeipa.ansible_freeipa.ipauser:
ipaadmin_password: "{{ ipaadmin_password }}"
name: "{{ item.name }}"
first: "{{ item.first }}"
last: "{{ item.last }}"
email: "{{ item.email }}"
password: "{{ item.password }}"
title: "{{ item.title }}"
loginshell: "{{ item.loginshell }}"
update_password: on_create
loop: "{{ svcusers }}"
tags:
- users
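Review bot: The loop items handed to "Creating Service Accounts" contain `password`, and Ansible echoes each loop item in the task result, so the initial password of every service account lands in the run log and AWX job output even if the module masks its own `password` argument; add `no_log: true` to the task, or at least `loop_control:` with `label: "{{ item.name }}"` so only the account name is printed. The existing adminusers task visible in the context above very likely has the same exposure and should get the same treatment. The enclosing task list starts outside the hunk.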


@ -3,6 +3,7 @@
- name: Create our initial users
hosts: ipaserver
become: false
gather_facts: false
vars_files:
- vars/encpass.yml
- vars/rdns.yml


@ -3,11 +3,14 @@
- name: Create our initial users
hosts: ipaserver
become: false
gather_facts: false
vars_files:
- vars/encpass.yml
- vars/users.yml
- vars/adminusers.yml
- vars/svcusers.yml
- vars/groups.yml
- vars/ipaprivs.yml
tasks:
- name: "Checking for user variables"
@ -27,3 +30,6 @@
- name: "Start sudo for admins"
import_tasks: import-rockysudo.yml
- name: "Start privileges for services"
import_tasks: import-rockyipaprivs.yml


@ -63,3 +63,10 @@ adminusers:
password: ThisIsNotMyPassword1!
title: Infrastructure Manager
loginshell: /bin/bash
- name: bagner2
first: Benjamin
last: Agner
email: bagner@rockylinux.org
password: ThisIsNotMyPassword1!
title: Security Director
loginshell: /bin/bash
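Review bot: The new admin entry carries a literal initial password (`ThisIsNotMyPassword1!`) in a plain vars file committed alongside the playbooks, and the same literal is used for every account added on this page (the svcusers and users vars files further down). Because the users tasks run with `update_password: on_create`, this is the real first password of each account, so it belongs in the vaulted `vars/encpass.yml` the play already loads (e.g. `password: "{{ initial_user_password }}"`) or should be supplied at run time rather than kept in the repository. If it is intentionally a throwaway value that the directory expires on first login, record that in a comment at the top of the file so a reader does not take it for a live credential.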


@ -0,0 +1,28 @@
---
# privileges
ipaprivileges:
- privilege: Privileges - Kerberos Managers
description: Kerberos Key Managers
permissions:
- "System: Manage Host Keytab"
- "System: Manage Host Keytab Permissions"
- "System: Manage Service Keytab"
- "System: Manage Service Keytab Permissions"
- "System: Manage User Principals"
role: Kerberos Managers
user:
- kerbman
# Standalone Roles
iparoles:
- role: IPA Client Managers
description: IPA Client Managers
privileges:
- "DNS Administrators"
- "DNS Servers"
- "Host Administrators"
- "Host Enrollment"
- "Host Group Administrators"
- "Netgroups Administrators"
user:
- hostman
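Review bot: The `IPA Client Managers` role grants the `hostman` service account `DNS Administrators` and `DNS Servers` alongside the host-enrollment privileges, and nothing in the file records why DNS-wide privileges are needed for enrolling clients; add a one-line comment per privilege naming the operation it enables (e.g. `# DNS Administrators: needed to create records for new clients`), or drop the ones enrollment does not use, so the scope stays at least-privilege and reviewable. The same applies to `System: Manage User Principals` in the Kerberos Managers privilege, which extends that account beyond host and service keytabs to user principals. The hunk's indentation is lost in this rendering, so the nesting of `permissions:`/`user:` under each entry is inferred from the task file that consumes them.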


@ -0,0 +1,16 @@
---
svcusers:
- name: hostman
first: Host
last: Manager
email: hostman@rockylinux.org
password: ThisIsNotMyPassword1!
title: System Account - Host Manager
loginshell: /sbin/nologin
- name: kerbman
first: Kerberos
last: Manager
email: kerbman@rockylinux.org
password: ThisIsNotMyPassword1!
title: System Account - Kerberos Key Manager
loginshell: /sbin/nologin


@ -63,3 +63,10 @@ users:
password: ThisIsNotMyPassword1!
title: Infrastructure Manager
loginshell: /bin/bash
- name: bagner
first: Benjamin
last: Agner
email: bagner@rockylinux.org
password: ThisIsNotMyPassword1!
title: Security Director
loginshell: /bin/bash


@ -17,3 +17,4 @@ collections:
- name: community.general
- name: community.mysql
- name: ansible.posix
- name: ktdreyer.koji_ansible
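Review bot: `ktdreyer.koji_ansible` is added without a `version:`, and since none of the visible entries pin one, each install resolves whatever the Galaxy server serves at that moment and a later release can change behaviour under these playbooks; pin it, `- name: ktdreyer.koji_ansible` / `version: "<pinned release>"`, and consider the same for the existing entries. A pinned, reviewed version is the only lever this file offers for controlling what code the playbooks pull in. The enclosing `collections:` list starts outside the hunk.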