ipa_sudorule - Manage FreeIPA sudo rule

New in version 2.3.

Synopsis

  • Add, modify or delete sudo rule within IPA server using IPA API.

Options

parameter required default choices comments
cmd
no
List of commands assigned to the rule.
If an empty list is passed all commands will be removed from the rule.
If option is omitted commands will not be checked or changed.
cmdcategory
no
  • all
Command category the rule applies to.
cn
yes
Canonical name.
Can not be changed as it is the unique identifier.
aliases: name
host
no
List of hosts assigned to the rule.
If an empty list is passed all hosts will be removed from the rule.
If option is omitted hosts will not be checked or changed.
Option hostcategory must be omitted to assign hosts.
hostcategory
no
  • all
Host category the rule applies to.
If 'all' is passed one must omit host and hostgroup.
Option host and hostgroup must be omitted to assign 'all'.
hostgroup
no
List of host groups assigned to the rule.
If an empty list is passed all host groups will be removed from the rule.
If option is omitted host groups will not be checked or changed.
Option hostcategory must be omitted to assign host groups.
ipa_host
no ipa.example.com
IP or hostname of IPA server
ipa_pass
yes
Password of administrative user
ipa_port
no 443
Port of IPA server
ipa_prot
no https
  • http
  • https
Protocol used by IPA server
ipa_user
no admin
Administrative account used on IPA server
state
no present
  • present
  • absent
  • enabled
  • disabled
State to ensure
user
no
List of users assigned to the rule.
If an empty list is passed all users will be removed from the rule.
If option is omitted users will not be checked or changed.
usercategory
no
  • all
User category the rule applies to.
usergroup
no
List of user groups assigned to the rule.
If an empty list is passed all user groups will be removed from the rule.
If option is omitted user groups will not be checked or changed.
validate_certs
no True
This only applies if ipa_prot is https.
If set to no, the SSL certificates will not be validated.
This should only set to no used on personally controlled sites using self-signed certificates.

Examples

# Ensure sudo rule is present that's allows all every body to execute any command on any host without being asked for a password.
- ipa_sudorule:
    name: sudo_all_nopasswd
    cmdcategory: all
    description: Allow to run every command with sudo without password
    hostcategory: all
    sudoopt:
    - '!authenticate'
    usercategory: all
    ipa_host: ipa.example.com
    ipa_user: admin
    ipa_pass: topsecret
# Ensure user group developers can run every command on host group db-server as well as on host db01.example.com.
- ipa_sudorule:
    name: sudo_dev_dbserver
    description: Allow developers to run every command with sudo on all database server
    cmdcategory: all
    host:
    - db01.example.com
    hostgroup:
    - db-server
    sudoopt:
    - '!authenticate'
    usergroup:
    - developers
    ipa_host: ipa.example.com
    ipa_user: admin
    ipa_pass: topsecret

Return Values

Common return values are documented here Return Values, the following are the fields unique to this module:

name description returned type sample
sudorule
Sudorule as returned by IPA
always dict

Status

This module is flagged as preview which means that it is not guaranteed to have a backwards compatible interface.

For help in developing on modules, should you be so inclined, please read Community Information & Contributing, Testing Ansible and Developing Modules.

© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.4/ipa_sudorule_module.html