linuxfabrik.lfops.ipasudorule

Manage FreeIPA sudo rules

Synopsis

  • Manage FreeIPA sudo rules

Available since LFOps 6.0.0.

Optional Parameters

action

  • Whether to operate on the sudo rule itself (sudorule) or only on its members (member), leaving the rest of the rule untouched.
  • Type: String. One of member, sudorule.
  • Default: sudorule

allow_sudocmd

  • List of allowed sudocmds assigned to this sudorule.
  • Type: List.

allow_sudocmdgroup

  • List of allowed sudocmd groups assigned to this sudorule.
  • Type: List.

cmdcategory

  • Command category the sudo rule applies to
  • Type: String. One of all, `` (empty string, meaning no category is set).

deny_sudocmd

  • List of denied sudocmds assigned to this sudorule.
  • Type: List.

deny_sudocmdgroup

  • List of denied sudocmd groups assigned to this sudorule.
  • Type: List.

description

  • The sudorule description
  • Type: String.

group

  • List of user groups assigned to the sudo rule.
  • Type: List.

host

  • List of host names assigned to this sudorule.
  • Type: List.

hostcategory

  • Host category the sudo rule applies to.
  • Type: String. One of all, `` (empty string, meaning no category is set).

hostgroup

  • List of host groups assigned to this sudorule.
  • Type: List.

hostmask

  • Host masks of allowed hosts.
  • Type: List.

name

  • The sudorule name
  • Type: List.

nomembers

  • Suppress processing of membership attributes
  • Type: Bool.

order

  • Order to apply this rule.
  • Type: Number.

runasgroup

  • List of groups for Sudo to execute as.
  • Type: List.

runasgroupcategory

  • RunAs Group category applied to the sudo rule.
  • Type: String. One of all, `` (empty string, meaning no category is set).

runasuser

  • List of users for Sudo to execute as.
  • Type: List.

runasuser_group

  • List of user groups whose members Sudo may execute as (RunAs users).
  • Type: List.

runasusercategory

  • RunAs User category applied to the sudorule.
  • Type: String. One of all, `` (empty string, meaning no category is set).

state

  • State to ensure
  • Type: String. One of present, absent, enabled, disabled.
  • Default: present

sudooption

  • List of sudo options.
  • Type: List.

sudorules

  • List of sudorule dicts for managing several sudo rules in one task (batch mode). Each dict takes the subkeys below.
  • Type: List.
  • Subkeys:

    • allow_sudocmd:

      • List of allowed sudocmds assigned to this sudorule.
      • Type: List.
    • allow_sudocmdgroup:

      • List of allowed sudocmd groups assigned to this sudorule.
      • Type: List.
    • cmdcategory:

      • Command category the sudo rule applies to
      • Type: String. One of all, `` (empty string, meaning no category is set).
    • deny_sudocmd:

      • List of denied sudocmds assigned to this sudorule.
      • Type: List.
    • deny_sudocmdgroup:

      • List of denied sudocmd groups assigned to this sudorule.
      • Type: List.
    • description:

      • The sudorule description
      • Type: String.
    • group:

      • List of user groups assigned to the sudo rule.
      • Type: List.
    • host:

      • List of host names assigned to this sudorule.
      • Type: List.
    • hostcategory:

      • Host category the sudo rule applies to.
      • Type: String. One of all, `` (empty string, meaning no category is set).
    • hostgroup:

      • List of host groups assigned to this sudorule.
      • Type: List.
    • hostmask:

      • Host masks of allowed hosts.
      • Type: List.
    • name:

      • The sudorule name
      • Type: List.
    • nomembers:

      • Suppress processing of membership attributes
      • Type: Bool.
    • order:

      • Order to apply this rule.
      • Type: Number.
    • runasgroup:

      • List of groups for Sudo to execute as.
      • Type: List.
    • runasgroupcategory:

      • RunAs Group category applied to the sudo rule.
      • Type: String. One of all, `` (empty string, meaning no category is set).
    • runasuser:

      • List of users for Sudo to execute as.
      • Type: List.
    • runasuser_group:

      • List of user groups whose members Sudo may execute as (RunAs users).
      • Type: List.
    • runasusercategory:

      • RunAs User category applied to the sudorule.
      • Type: String. One of all, `` (empty string, meaning no category is set).
    • sudooption:

      • List of sudo options.
      • Type: List.
    • user:

      • List of users assigned to the sudo rule.
      • Type: List.
    • usercategory:

      • User category the sudo rule applies to
      • Type: String. One of all, `` (empty string, meaning no category is set).

user

  • List of users assigned to the sudo rule.
  • Type: List.

usercategory

  • User category the sudo rule applies to
  • Type: String. One of all, `` (empty string, meaning no category is set).

Examples

# Ensure Sudo Rule testrule1 is present
- ipasudorule:
    ipaadmin_password: SomeADMINpassword
    name: testrule1

# Ensure sudocmds /sbin/ifconfig and /usr/bin/vim are absent from Sudo Rule
# (action: member removes only these members; the rule itself stays)
- ipasudorule:
    ipaadmin_password: SomeADMINpassword
    name: testrule1
    allow_sudocmd:
      - /sbin/ifconfig
      - /usr/bin/vim
    action: member
    state: absent

# Ensure host server is present in Sudo Rule
- ipasudorule:
    ipaadmin_password: SomeADMINpassword
    name: testrule1
    host: server
    action: member

# Ensure hostgroup cluster is present in Sudo Rule
- ipasudorule:
    ipaadmin_password: SomeADMINpassword
    name: testrule1
    hostgroup: cluster
    action: member

# Ensure sudo rule for usercategory "all" is enabled
- ipasudorule:
    ipaadmin_password: SomeADMINpassword
    name: allusers
    usercategory: all
    state: enabled

# Ensure sudo rule for hostcategory "all" is enabled
- ipasudorule:
    ipaadmin_password: SomeADMINpassword
    name: allhosts
    hostcategory: all
    state: enabled

# Ensure sudo rule applies for hosts with hostmasks
- ipasudorule:
    ipaadmin_password: SomeADMINpassword
    name: testrule1
    hostmask:
      - 192.168.122.1/24
      - 192.168.120.1/24

# Ensure sudorule testrule1 has the 'ipausers' group as RunAs users.
- ipasudorule:
    ipaadmin_password: SomeADMINpassword
    name: testrule1
    runasuser_group: ipausers
    action: member

# Ensure Sudo Rule testrule1 is absent
- ipasudorule:
    ipaadmin_password: SomeADMINpassword
    name: testrule1
    state: absent

# Ensure multiple Sudo Rules are present using batch mode.
- ipasudorule:
    ipaadmin_password: SomeADMINpassword
    sudorules:
      - name: testrule1
        hostmask:
          - 192.168.122.1/24
      - name: testrule2
        hostcategory: all

Authors

  • Rafael Guterres Jeffman (@rjeffman)
  • Thomas Woerner (@t-woerner)