From 79c4fd4c38b6a4b581d73bdd3cf83f779be9b678 Mon Sep 17 00:00:00 2001
From: Tom Page
Date: Tue, 1 Aug 2023 14:01:58 +0100
Subject: [PATCH] Add roles option to roles role to allow setting multiple roles in one item rather than repeating entire sections of code (#658)
---
 changelogs/fragments/roles.yml | 4 +++
 roles/roles/README.md | 16 ++++++++---
 roles/roles/tasks/main.yml | 44 +++++++++++++++++++++++++++++
 roles/roles/tests/configs/roles.yml | 4 ++-
 tests/configs/roles.yml | 4 ++-
 5 files changed, 66 insertions(+), 6 deletions(-)
 create mode 100644 changelogs/fragments/roles.yml
diff --git a/changelogs/fragments/roles.yml b/changelogs/fragments/roles.yml
new file mode 100644
index 000000000..859500b7d
--- /dev/null
+++ b/changelogs/fragments/roles.yml
@@ -0,0 +1,4 @@
+---
+minor_changes:
+ - Added roles option to roles role to allow setting multiple roles in one item rather than repeating entire sections of code
+...
diff --git a/roles/roles/README.md b/roles/roles/README.md
index 88f1c05fa..f2939b84d 100644
--- a/roles/roles/README.md
+++ b/roles/roles/README.md
@@ -79,6 +79,7 @@ This also speeds up the overall role.
 |`users`|""|no|list|The users for which the role applies|
 |`team`|""|no|str|The team for which the role applies|
 |`teams`|""|no|list|The teams for which the role applies|
+|`roles`|""|no|str (see note below)|The roles which are applied to one of {`target_team`, `inventory`, `job_template`, `target_team`, `inventory`, `job_template`} for either `user` or `team` |
 |`role`|""|no|str (see note below)|The role which is applied to one of {`target_team`, `inventory`, `job_template`, `target_team`, `inventory`, `job_template`} for either `user` or `team` |
 |`target_team`|""|no|str|The team the role applies against|
 |`target_teams`|""|no|list|The teams the role applies against|
@@ -100,7 +101,7 @@ This also speeds up the overall role. #### Role -`role` must be one of the following: +`role` must be one of the following (or roles must contain a list made up from the following): - `admin` - `read` @@ -117,6 +118,8 @@ This also speeds up the overall role. - `notification_admin` - `job_template_admin` +Note that the `roles` option takes precedence over the `role` option and simply allows to specify multiple roles for a user or team (or set of users or teams). + ### Standard RBAC Data Structure #### Json Example @@ -132,13 +135,16 @@ This also speeds up the overall role. { "team": "My Team", "organization": "Default", - "role": "execute" + "role": [ + "execute", + "read" + ] } ] } ``` -#### Yaml Example +git check ```yaml --- @@ -151,7 +157,9 @@ controller_roles: role: member - team: "My Team" organization: "Default" - role: execute + roles: + - execute + - read ``` ## Playbook Examples diff --git a/roles/roles/tasks/main.yml b/roles/roles/tasks/main.yml index d12c8d1a3..1961fbcba 100644 --- a/roles/roles/tasks/main.yml +++ b/roles/roles/tasks/main.yml 
@@ -1,4 +1,47 @@
 ---
+- name: Create Roles Based Access Entry on Controller
+ role:
+ user: "{{ __controller_role_item.0.user | default(omit, true) }}"
+ users: "{{ __controller_role_item.0.users | default(( [] if controller_configuration_role_enforce_defaults else omit), true) }}"
+ team: "{{ __controller_role_item.0.team | default(omit, true) }}"
+ teams: "{{ __controller_role_item.0.teams | default(( [] if controller_configuration_role_enforce_defaults else omit), true) }}"
+ role: "{{ __controller_role_item.1 | mandatory }}"
+ target_team: "{{ __controller_role_item.0.target_team | default(omit, true) }}"
+ target_teams: "{{ __controller_role_item.0.target_teams | default(( [] if controller_configuration_role_enforce_defaults else omit), true) }}"
+ inventory: "{{ __controller_role_item.0.inventory | default(omit, true) }}"
+ inventories: "{{ __controller_role_item.0.inventories | default(( [] if controller_configuration_role_enforce_defaults else omit), true) }}"
+ job_template: "{{ __controller_role_item.0.job_template | default(omit, true) }}"
+ job_templates: "{{ __controller_role_item.0.job_templates | default(( [] if controller_configuration_role_enforce_defaults else omit), true) }}"
+ workflow: "{{ __controller_role_item.0.workflow | default(omit, true) }}"
+ workflows: "{{ __controller_role_item.0.workflows | default(( [] if controller_configuration_role_enforce_defaults else omit), true) }}"
+ credential: "{{ __controller_role_item.0.credential | default(omit, true) }}"
+ credentials: "{{ __controller_role_item.0.credentials | default(( [] if controller_configuration_role_enforce_defaults else omit), true) }}"
+ organization: "{{ __controller_role_item.0.organization | default(omit, true) }}"
+ organizations: "{{ __controller_role_item.0.organizations | default(( [] if controller_configuration_role_enforce_defaults else omit), true) }}"
+ lookup_organization: "{{ __controller_role_item.0.lookup_organization | default(omit, true) }}"
+ project: "{{ __controller_role_item.0.project | default(omit, true) }}"
+ projects: "{{ __controller_role_item.0.projects | default(( [] if controller_configuration_role_enforce_defaults else omit), true) }}"
+ instance_groups: "{{ __controller_role_item.0.instance_groups | default(( [] if controller_configuration_role_enforce_defaults else omit), true) }}"
+ state: "{{ __controller_role_item.0.state | default(controller_state | default('present')) }}"
+
+ # Role Standard Options
+ controller_username: "{{ controller_username | default(omit, true) }}"
+ controller_password: "{{ controller_password | default(omit, true) }}"
+ controller_oauthtoken: "{{ controller_oauthtoken | default(omit, true) }}"
+ controller_host: "{{ controller_hostname | default(omit, true) }}"
+ controller_config_file: "{{ controller_config_file | default(omit, true) }}"
+ validate_certs: "{{ controller_validate_certs | default(omit) }}"
+ loop: "{{ controller_roles | subelements('roles', skip_missing=true) }}"
+ loop_control:
+ loop_var: __controller_role_item
+ no_log: "{{ controller_configuration_role_secure_logging }}"
+ async: 1000
+ poll: 0
+ register: __controller_role_job_async
+ changed_when: not __controller_role_job_async.changed
+ vars:
+ ansible_async_dir: '/tmp/.ansible_async'
+
 - name: Create Role Based Access Entry on Controller
 role:
 user: "{{ __controller_role_item.user | default(omit, true) }}"
@@ -32,6 +75,7 @@
 controller_config_file: "{{ controller_config_file | default(omit, true) }}"
 validate_certs: "{{ controller_validate_certs | default(omit) }}"
 loop: "{{ controller_roles }}"
+ when: not __controller_role_item.roles is defined
 loop_control:
 loop_var: __controller_role_item
 no_log: "{{ controller_configuration_role_secure_logging }}"
diff --git a/roles/roles/tests/configs/roles.yml b/roles/roles/tests/configs/roles.yml
index 7582ecd84..6c2659b32 100644
--- a/roles/roles/tests/configs/roles.yml
+++ b/roles/roles/tests/configs/roles.yml
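Review bot: The new task at the top of this hunk registers into `__controller_role_job_async`, which looks like the same name the existing task below it uses (its own `register:` line is outside this hunk, so this is inferred from the copied body); if so, the second loop overwrites the first loop's results, and whatever later task waits on `__controller_role_job_async.results` will never poll or report failures for the entries expanded from a `roles` list. Because the task runs with `async: 1000` and `poll: 0`, a grant that fails, or a revoke with `state: absent` that fails, for a multi-role item would then pass silently, which is a poor failure mode for an RBAC role. Give the new task its own result name, e.g. `register: __controller_roles_job_async`, and extend the async-wait task to cover both result sets. A short comment above the task would also help readers understand why two near-identical tasks exist, e.g. `# Items with a 'roles' list are expanded to one job per role here; items with a single 'role' are handled by the task below.`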
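Review bot: `when: not __controller_role_item.roles is defined` reads more naturally, and matches the usual Jinja test form, as `when: __controller_role_item.roles is not defined`. As written, an item whose `roles` is defined but empty (`roles: []`) satisfies neither this guard nor the `subelements` loop in the task above, so the item is silently skipped with no change and no error; `when: __controller_role_item.roles | default([]) | length == 0` would route such items to this task, where a `mandatory` filter on `role` (if this task applies one as the new task does) would report the misconfiguration instead. The enclosing task starts and ends outside this hunk.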
@@ -2,7 +2,9 @@
 controller_roles:
 - user: admin
 job_template: Demo Job Template
- role: read
+ roles:
+ - read
+ - execute
 - inventory: Demo Inventory
 user: admin
 role: read
diff --git a/tests/configs/roles.yml b/tests/configs/roles.yml
index 24fd1d1df..48dd4d14b 100644
--- a/tests/configs/roles.yml
+++ b/tests/configs/roles.yml
@@ -8,7 +8,9 @@ controller_roles:
 role: use
 - inventory: RHVM-02
 team: satlab-admin
- role: admin
+ roles:
+ - admin
+ - use
 # - workflow: Test workflow 1
 # team: satellite-qe
 # role: execute