finallycoffee/proxmox
finallycoffee/proxmox
2
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

feat(acl): add plugin for creating and managing ACLs

Browse Source
This commit is contained in:
transcaffeine 2022-08-14 16:45:28 +02:00
parent 2822ba3ec8
commit 31550df5f3
Signed by: transcaffeine
GPG Key ID: 03624C433676E465
2 changed files with 262 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

77
plugins/module_utils/proxmox_datacenter_acl.py Normal file
View File

@ -0,0 +1,77 @@
import dataclasses
from dataclasses import dataclass, field
from typing import List, Tuple
from ansible_collections.finallycoffee.proxmox.plugins.module_utils.common import _proxmox_request, ProxmoxAuthInfo
@dataclass(frozen=True)
class ProxmoxACL:
path: str
role: str
propagate: bool = True
user: str = None
group: str = None
token: str = None
def get_acls(auth_info: ProxmoxAuthInfo) -> List['ProxmoxACL']:
acl_answer = _proxmox_request('get', '/access/acl', auth_info).json()
return list(map(
lambda r: ProxmoxACL(r['path'], r['roleid'], r['propagate'],
(r['ugid'] if (r['type'] == 'user') else None),
(r['ugid'] if (r['type'] == 'group') else None),
(r['ugid'] if (r['type'] == 'token') else None)),
acl_answer['data']
))
def set_acl(auth_info: ProxmoxAuthInfo, acl: ProxmoxACL, dry_run: bool, state: str = 'present') -> Tuple[dict, dict]:
existing_acls = get_acls(auth_info)
# find existing acl matching the specified one
try:
existing_acl = [x for x in existing_acls if x == acl][0]
except:
existing_acl = None
if state == 'present':
acl_spec = _acl_to_dict(acl) | {
'propagate': acl.propagate
}
if not dry_run:
acl_res = _proxmox_request('put', f"/access/acl", auth_info, data=acl_spec)
acl_res.raise_for_status()
if acl_res.ok and acl_res.json()['success'] == 1:
new_acl = acl
else:
new_acl = acl
elif state == 'exact':
# Also match on propagate and remove ACLs which match in all fields except propagation
pass
else:
# ACL to be removed
if not dry_run:
acl_spec = _acl_to_dict(acl) | {
'delete': 1
}
acl_res = _proxmox_request('put', '/access/acl', auth_info, data=acl_spec)
acl_res.raise_for_status()
if acl_res.ok:
new_acl = None
else:
new_acl = None
return dataclasses.asdict(existing_acl) if existing_acl else None, dataclasses.asdict(new_acl) if new_acl else None
def _acl_to_dict(acl: ProxmoxACL) -> dict:
acl_spec = {
'path': acl.path,
'roles': acl.role,
}
if acl.user:
acl_spec['users'] = acl.user
if acl.group:
acl_spec['groups'] = acl.group
if acl.token:
acl_spec['tokens'] = acl.token
return acl_spec

185
plugins/modules/acl.py Normal file
View File

@ -0,0 +1,185 @@
#!/usr/bin/python
# coding: utf-8
# (c) 2022, Johanna Dorothea Reichmann <transcaffeine@finally.coffee>
__metaclass__ = type
import traceback
from ansible.module_utils.basic import AnsibleModule
from ansible_collections.finallycoffee.proxmox.plugins.module_utils.common import *
from ansible_collections.finallycoffee.proxmox.plugins.module_utils.proxmox_datacenter_acl import *
LIB_IMP_ERR = None
try:
from ansible_collections.finallycoffee.proxmox.plugins.module_utils.proxmox_datacenter_acl import set_acl
from ansible_collections.finallycoffee.proxmox.plugins.module_utils.proxmox_datacenter_acl import ProxmoxACL
HAS_LIB = True
except:
HAS_LIB = False
LIB_IMP_ERR = traceback.format_exc()
DOCUMENTATION = r'''
---
module: acl
author:
- Johanna Dorothea Reichmann (transcaffeine@finally.coffee)
requirements:
- python >= 3.9
short_description: Configures an access control list in a proxmox node
description:
- "Configue access control lists in a proxmox instance"
options:
proxmox_instance:
description: Location of the proxmox API with scheme, domain name/ip and port, e.g. https://localhost:8006
type: str
required: true
proxmox_api_token_id:
description: The token ID containing username, realm and token name (format: user@realm!name)
type: str
required: true
proxmox_api_secret:
description: The secret
type: str
required: true
proxmox_api_verify_cert:
description: If the certificate presented for `proxmox_instance_url` should be verified
type: bool
required: false
default: true
path:
description: Path to which access should be granted. Must be a valid proxmox access control path
type: str
required: true
role:
description: The role which the user/group/token should be added to when they match the ACL
type: str
required: true
group:
description: The group to match on the ACL. Must be a valid proxmox group id
type: str
required: false
user:
description: The user to match on the ACL. Must be a valid proxmox user id
type: str
required: false
token:
description: The token to match on the ACL. Must be a valid proxmox token id
type: str
required: false
propagate:
description: Wether to allow inheriting permissions or not.
type: bool
default: true
required: false
state:
description: >-
If the access control list should be present, absent or exact. When state is exact,
the value of `propagate` is also considered, and if an existing access control rule is found
which only differs in the value of `propagate`, the old rule is removed by the module,
essentially replacing it.
type: str
choices: [present, exact, absent]
default: present
required: false
'''
EXAMPLES = r'''
- name: Configure an admin group from LDAP as proxmox global admins
finallycoffee.proxmox.acl:
proxmox_instance: https://my.proxmox-node.local:8006
promox_api_token_id: root@pam!token
proxmox_api_secret: supersecuretokencontent
path: /
roles: Administrator
groups: proxmox-admins-openldap
propagate: true
state: present
- name: Configure an LDAP user to use their own VM
finallycoffee.proxmox.acl:
proxmox_instance: https://my.proxmox-node.local:8006
promox_api_token_id: root@pam!token
proxmox_api_secret: supersecuretokencontent
path: /vms/1000
roles: PVEVMUser
groups: myusername-openldap
state: present
'''
RETURN = r'''
acl:
description: The updated/created access control list
returned: always
type: complex
'''
def main():
_ = dict
module = AnsibleModule(
argument_spec=_(
proxmox_instance=_(required=True, type='str'),
proxmox_api_token_id=_(required=True, type='str'),
proxmox_api_secret=_(type='str', required=True, no_log=True),
proxmox_api_verify_cert=_(type='bool', required=False, default=True),
path=_(required=True, type='str'),
role=_(required=True, type='str'),
group=_(required=False, type='str'),
user=_(required=False, type='str'),
token=_(required=False, type='str'),
propagate=_(required=False, default=True, type='bool'),
state=_(type='str', required=False, default='present', choices=['present', 'exact', 'absent'])
),
supports_check_mode=True
)
result = _(
changed=False,
diff={},
message=''
)
realms = []
try:
acl_spec = ProxmoxACL(
module.params['path'],
module.params['role'],
module.params['propagate'],
module.params.get('user', None),
module.params.get('group', None),
module.params.get('token', None),
)
acl_change = set_acl(ProxmoxAuthInfo(
module.params['proxmox_instance'],
module.params['proxmox_api_token_id'],
module.params['proxmox_api_secret'],
module.params['proxmox_api_verify_cert'],
),
acl_spec,
module.check_mode,
module.params['state'])
except IOError as owie:
result['msg'] = owie
module.exit_json(**result)
diff_excluded_keys = []
result['acl'] = acl_change[1]
result['diff'] = {
'before_header': f"{acl_change[0].get('role', module.params['role'])}@{acl_change[0].get('path', module.params['path'])}" if acl_change[0] else acl_change[0],
'after_header': f"{acl_change[1].get('role', module.params['role'])}@{acl_change[1].get('path', module.params['path'])}" if acl_change[1] else acl_change[1],
'before': {k: v for k, v in acl_change[0].items() if k not in diff_excluded_keys} if acl_change[0] else acl_change[0],
'after': {k: v for k, v in acl_change[1].items() if k not in diff_excluded_keys} if acl_change[1] else acl_change[1],
}
# TODO: Needs special handling for state=exact
result['changed'] = acl_change[0] != acl_change[1]
module.exit_json(**result)
if __name__ == '__main__':
main()