ipa_role - Manage FreeIPA role

New in version 2.3.

Synopsis

  • Add, modify and delete a role within FreeIPA server using FreeIPA API

Options

parameter required default choices comments
cn
yes
Role name.
Can not be changed as it is the unique identifier.
aliases: name
description
no
A description of this role-group.
group
no
List of group names assign to this role.
If an empty list is passed all assigned groups will be unassigned from the role.
If option is omitted groups will not be checked or changed.
If option is passed all assigned groups that are not passed will be unassigned from the role.
host
no
List of host names to assign.
If an empty list is passed all assigned hosts will be unassigned from the role.
If option is omitted hosts will not be checked or changed.
If option is passed all assigned hosts that are not passed will be unassigned from the role.
hostgroup
no
List of host group names to assign.
If an empty list is passed all assigned host groups will be removed from the role.
If option is omitted host groups will not be checked or changed.
If option is passed all assigned hostgroups that are not passed will be unassigned from the role.
ipa_host
no ipa.example.com
IP or hostname of IPA server
ipa_pass
yes
Password of administrative user
ipa_port
no 443
Port of IPA server
ipa_prot
no https
  • http
  • https
Protocol used by IPA server
ipa_user
no admin
Administrative account used on IPA server
privilege
(added in 2.4)
no None
List of privileges granted to the role.
If an empty list is passed all assigned privileges will be removed.
If option is omitted privileges will not be checked or changed.
If option is passed all assigned privileges that are not passed will be removed.
service
no
List of service names to assign.
If an empty list is passed all assigned services will be removed from the role.
If option is omitted services will not be checked or changed.
If option is passed all assigned services that are not passed will be removed from the role.
state
no present
  • present
  • absent
State to ensure
user
no
List of user names to assign.
If an empty list is passed all assigned users will be removed from the role.
If option is omitted users will not be checked or changed.
validate_certs
no True
This only applies if ipa_prot is https.
If set to no, the SSL certificates will not be validated.
This should only set to no used on personally controlled sites using self-signed certificates.

Examples

# Ensure role is present
- ipa_role:
    name: dba
    description: Database Administrators
    state: present
    user:
    - pinky
    - brain
    ipa_host: ipa.example.com
    ipa_user: admin
    ipa_pass: topsecret

# Ensure role with certain details
- ipa_role:
    name: another-role
    description: Just another role
    group:
    - editors
    host:
    - host01.example.com
    hostgroup:
    - hostgroup01
    privilege:
    - Group Administrators
    - User Administrators
    service:
    - service01

# Ensure role is absent
- ipa_role:
    name: dba
    state: absent
    ipa_host: ipa.example.com
    ipa_user: admin
    ipa_pass: topsecret

Return Values

Common return values are documented here Return Values, the following are the fields unique to this module:

name description returned type sample
role
Role as returned by IPA API.
always dict

Status

This module is flagged as preview which means that it is not guaranteed to have a backwards compatible interface.

For help in developing on modules, should you be so inclined, please read Community Information & Contributing, Testing Ansible and Developing Modules.

© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.4/ipa_role_module.html