feat(acl): add plugin for creating and managing ACLs
This commit is contained in:
parent
2822ba3ec8
commit
31550df5f3
77
plugins/module_utils/proxmox_datacenter_acl.py
Normal file
77
plugins/module_utils/proxmox_datacenter_acl.py
Normal file
@ -0,0 +1,77 @@
|
|||||||
|
import dataclasses
|
||||||
|
from dataclasses import dataclass, field
|
||||||
|
from typing import List, Tuple
|
||||||
|
|
||||||
|
from ansible_collections.finallycoffee.proxmox.plugins.module_utils.common import _proxmox_request, ProxmoxAuthInfo
|
||||||
|
|
||||||
|
|
||||||
|
@dataclass(frozen=True)
|
||||||
|
class ProxmoxACL:
|
||||||
|
path: str
|
||||||
|
role: str
|
||||||
|
propagate: bool = True
|
||||||
|
user: str = None
|
||||||
|
group: str = None
|
||||||
|
token: str = None
|
||||||
|
|
||||||
|
|
||||||
|
def get_acls(auth_info: ProxmoxAuthInfo) -> List['ProxmoxACL']:
|
||||||
|
acl_answer = _proxmox_request('get', '/access/acl', auth_info).json()
|
||||||
|
return list(map(
|
||||||
|
lambda r: ProxmoxACL(r['path'], r['roleid'], r['propagate'],
|
||||||
|
(r['ugid'] if (r['type'] == 'user') else None),
|
||||||
|
(r['ugid'] if (r['type'] == 'group') else None),
|
||||||
|
(r['ugid'] if (r['type'] == 'token') else None)),
|
||||||
|
acl_answer['data']
|
||||||
|
))
|
||||||
|
|
||||||
|
|
||||||
|
def set_acl(auth_info: ProxmoxAuthInfo, acl: ProxmoxACL, dry_run: bool, state: str = 'present') -> Tuple[dict, dict]:
|
||||||
|
existing_acls = get_acls(auth_info)
|
||||||
|
# find existing acl matching the specified one
|
||||||
|
try:
|
||||||
|
existing_acl = [x for x in existing_acls if x == acl][0]
|
||||||
|
except:
|
||||||
|
existing_acl = None
|
||||||
|
|
||||||
|
if state == 'present':
|
||||||
|
acl_spec = _acl_to_dict(acl) | {
|
||||||
|
'propagate': acl.propagate
|
||||||
|
}
|
||||||
|
if not dry_run:
|
||||||
|
acl_res = _proxmox_request('put', f"/access/acl", auth_info, data=acl_spec)
|
||||||
|
acl_res.raise_for_status()
|
||||||
|
if acl_res.ok and acl_res.json()['success'] == 1:
|
||||||
|
new_acl = acl
|
||||||
|
else:
|
||||||
|
new_acl = acl
|
||||||
|
elif state == 'exact':
|
||||||
|
# Also match on propagate and remove ACLs which match in all fields except propagation
|
||||||
|
pass
|
||||||
|
else:
|
||||||
|
# ACL to be removed
|
||||||
|
if not dry_run:
|
||||||
|
acl_spec = _acl_to_dict(acl) | {
|
||||||
|
'delete': 1
|
||||||
|
}
|
||||||
|
acl_res = _proxmox_request('put', '/access/acl', auth_info, data=acl_spec)
|
||||||
|
acl_res.raise_for_status()
|
||||||
|
if acl_res.ok:
|
||||||
|
new_acl = None
|
||||||
|
else:
|
||||||
|
new_acl = None
|
||||||
|
return dataclasses.asdict(existing_acl) if existing_acl else None, dataclasses.asdict(new_acl) if new_acl else None
|
||||||
|
|
||||||
|
|
||||||
|
def _acl_to_dict(acl: ProxmoxACL) -> dict:
|
||||||
|
acl_spec = {
|
||||||
|
'path': acl.path,
|
||||||
|
'roles': acl.role,
|
||||||
|
}
|
||||||
|
if acl.user:
|
||||||
|
acl_spec['users'] = acl.user
|
||||||
|
if acl.group:
|
||||||
|
acl_spec['groups'] = acl.group
|
||||||
|
if acl.token:
|
||||||
|
acl_spec['tokens'] = acl.token
|
||||||
|
return acl_spec
|
185
plugins/modules/acl.py
Normal file
185
plugins/modules/acl.py
Normal file
@ -0,0 +1,185 @@
|
|||||||
|
#!/usr/bin/python
|
||||||
|
# coding: utf-8
|
||||||
|
|
||||||
|
# (c) 2022, Johanna Dorothea Reichmann <transcaffeine@finally.coffee>
|
||||||
|
|
||||||
|
__metaclass__ = type
|
||||||
|
|
||||||
|
import traceback
|
||||||
|
|
||||||
|
from ansible.module_utils.basic import AnsibleModule
|
||||||
|
|
||||||
|
from ansible_collections.finallycoffee.proxmox.plugins.module_utils.common import *
|
||||||
|
from ansible_collections.finallycoffee.proxmox.plugins.module_utils.proxmox_datacenter_acl import *
|
||||||
|
|
||||||
|
|
||||||
|
LIB_IMP_ERR = None
|
||||||
|
try:
|
||||||
|
from ansible_collections.finallycoffee.proxmox.plugins.module_utils.proxmox_datacenter_acl import set_acl
|
||||||
|
from ansible_collections.finallycoffee.proxmox.plugins.module_utils.proxmox_datacenter_acl import ProxmoxACL
|
||||||
|
HAS_LIB = True
|
||||||
|
except:
|
||||||
|
HAS_LIB = False
|
||||||
|
LIB_IMP_ERR = traceback.format_exc()
|
||||||
|
|
||||||
|
|
||||||
|
DOCUMENTATION = r'''
|
||||||
|
---
|
||||||
|
module: acl
|
||||||
|
author:
|
||||||
|
- Johanna Dorothea Reichmann (transcaffeine@finally.coffee)
|
||||||
|
requirements:
|
||||||
|
- python >= 3.9
|
||||||
|
short_description: Configures an access control list in a proxmox node
|
||||||
|
description:
|
||||||
|
- "Configue access control lists in a proxmox instance"
|
||||||
|
options:
|
||||||
|
proxmox_instance:
|
||||||
|
description: Location of the proxmox API with scheme, domain name/ip and port, e.g. https://localhost:8006
|
||||||
|
type: str
|
||||||
|
required: true
|
||||||
|
proxmox_api_token_id:
|
||||||
|
description: The token ID containing username, realm and token name (format: user@realm!name)
|
||||||
|
type: str
|
||||||
|
required: true
|
||||||
|
proxmox_api_secret:
|
||||||
|
description: The secret
|
||||||
|
type: str
|
||||||
|
required: true
|
||||||
|
proxmox_api_verify_cert:
|
||||||
|
description: If the certificate presented for `proxmox_instance_url` should be verified
|
||||||
|
type: bool
|
||||||
|
required: false
|
||||||
|
default: true
|
||||||
|
path:
|
||||||
|
description: Path to which access should be granted. Must be a valid proxmox access control path
|
||||||
|
type: str
|
||||||
|
required: true
|
||||||
|
role:
|
||||||
|
description: The role which the user/group/token should be added to when they match the ACL
|
||||||
|
type: str
|
||||||
|
required: true
|
||||||
|
group:
|
||||||
|
description: The group to match on the ACL. Must be a valid proxmox group id
|
||||||
|
type: str
|
||||||
|
required: false
|
||||||
|
user:
|
||||||
|
description: The user to match on the ACL. Must be a valid proxmox user id
|
||||||
|
type: str
|
||||||
|
required: false
|
||||||
|
token:
|
||||||
|
description: The token to match on the ACL. Must be a valid proxmox token id
|
||||||
|
type: str
|
||||||
|
required: false
|
||||||
|
propagate:
|
||||||
|
description: Wether to allow inheriting permissions or not.
|
||||||
|
type: bool
|
||||||
|
default: true
|
||||||
|
required: false
|
||||||
|
state:
|
||||||
|
description: >-
|
||||||
|
If the access control list should be present, absent or exact. When state is exact,
|
||||||
|
the value of `propagate` is also considered, and if an existing access control rule is found
|
||||||
|
which only differs in the value of `propagate`, the old rule is removed by the module,
|
||||||
|
essentially replacing it.
|
||||||
|
type: str
|
||||||
|
choices: [present, exact, absent]
|
||||||
|
default: present
|
||||||
|
required: false
|
||||||
|
'''
|
||||||
|
|
||||||
|
EXAMPLES = r'''
|
||||||
|
- name: Configure an admin group from LDAP as proxmox global admins
|
||||||
|
finallycoffee.proxmox.acl:
|
||||||
|
proxmox_instance: https://my.proxmox-node.local:8006
|
||||||
|
promox_api_token_id: root@pam!token
|
||||||
|
proxmox_api_secret: supersecuretokencontent
|
||||||
|
path: /
|
||||||
|
roles: Administrator
|
||||||
|
groups: proxmox-admins-openldap
|
||||||
|
propagate: true
|
||||||
|
state: present
|
||||||
|
- name: Configure an LDAP user to use their own VM
|
||||||
|
finallycoffee.proxmox.acl:
|
||||||
|
proxmox_instance: https://my.proxmox-node.local:8006
|
||||||
|
promox_api_token_id: root@pam!token
|
||||||
|
proxmox_api_secret: supersecuretokencontent
|
||||||
|
path: /vms/1000
|
||||||
|
roles: PVEVMUser
|
||||||
|
groups: myusername-openldap
|
||||||
|
state: present
|
||||||
|
'''
|
||||||
|
|
||||||
|
RETURN = r'''
|
||||||
|
acl:
|
||||||
|
description: The updated/created access control list
|
||||||
|
returned: always
|
||||||
|
type: complex
|
||||||
|
|
||||||
|
'''
|
||||||
|
|
||||||
|
|
||||||
|
def main():
|
||||||
|
_ = dict
|
||||||
|
module = AnsibleModule(
|
||||||
|
argument_spec=_(
|
||||||
|
proxmox_instance=_(required=True, type='str'),
|
||||||
|
proxmox_api_token_id=_(required=True, type='str'),
|
||||||
|
proxmox_api_secret=_(type='str', required=True, no_log=True),
|
||||||
|
proxmox_api_verify_cert=_(type='bool', required=False, default=True),
|
||||||
|
path=_(required=True, type='str'),
|
||||||
|
role=_(required=True, type='str'),
|
||||||
|
group=_(required=False, type='str'),
|
||||||
|
user=_(required=False, type='str'),
|
||||||
|
token=_(required=False, type='str'),
|
||||||
|
propagate=_(required=False, default=True, type='bool'),
|
||||||
|
state=_(type='str', required=False, default='present', choices=['present', 'exact', 'absent'])
|
||||||
|
),
|
||||||
|
supports_check_mode=True
|
||||||
|
)
|
||||||
|
|
||||||
|
result = _(
|
||||||
|
changed=False,
|
||||||
|
diff={},
|
||||||
|
message=''
|
||||||
|
)
|
||||||
|
|
||||||
|
realms = []
|
||||||
|
try:
|
||||||
|
acl_spec = ProxmoxACL(
|
||||||
|
module.params['path'],
|
||||||
|
module.params['role'],
|
||||||
|
module.params['propagate'],
|
||||||
|
module.params.get('user', None),
|
||||||
|
module.params.get('group', None),
|
||||||
|
module.params.get('token', None),
|
||||||
|
)
|
||||||
|
acl_change = set_acl(ProxmoxAuthInfo(
|
||||||
|
module.params['proxmox_instance'],
|
||||||
|
module.params['proxmox_api_token_id'],
|
||||||
|
module.params['proxmox_api_secret'],
|
||||||
|
module.params['proxmox_api_verify_cert'],
|
||||||
|
),
|
||||||
|
acl_spec,
|
||||||
|
module.check_mode,
|
||||||
|
module.params['state'])
|
||||||
|
except IOError as owie:
|
||||||
|
result['msg'] = owie
|
||||||
|
module.exit_json(**result)
|
||||||
|
|
||||||
|
diff_excluded_keys = []
|
||||||
|
result['acl'] = acl_change[1]
|
||||||
|
result['diff'] = {
|
||||||
|
'before_header': f"{acl_change[0].get('role', module.params['role'])}@{acl_change[0].get('path', module.params['path'])}" if acl_change[0] else acl_change[0],
|
||||||
|
'after_header': f"{acl_change[1].get('role', module.params['role'])}@{acl_change[1].get('path', module.params['path'])}" if acl_change[1] else acl_change[1],
|
||||||
|
'before': {k: v for k, v in acl_change[0].items() if k not in diff_excluded_keys} if acl_change[0] else acl_change[0],
|
||||||
|
'after': {k: v for k, v in acl_change[1].items() if k not in diff_excluded_keys} if acl_change[1] else acl_change[1],
|
||||||
|
}
|
||||||
|
# TODO: Needs special handling for state=exact
|
||||||
|
result['changed'] = acl_change[0] != acl_change[1]
|
||||||
|
|
||||||
|
module.exit_json(**result)
|
||||||
|
|
||||||
|
|
||||||
|
if __name__ == '__main__':
|
||||||
|
main()
|
Loading…
Reference in New Issue
Block a user