ipa/client: add site-wide & host-based sudo rules

This also uses HBAC to let all IPA accounts use the sudo command, so what some user or group may use it for just has to be configured with sudo rules in IPA. Signed-off-by: Nils Philippsen <nils@redhat.com>
2021-01-20 16:31:38 +01:00 · 2021-01-20 16:31:38 +01:00 · 295564bfbc
commit 295564bfbc
parent 5cfd6bd10b
2 changed files with 60 additions and 0 deletions
--- a/roles/ipa/client/tasks/main.yml
+++ b/roles/ipa/client/tasks/main.yml
@ -29,3 +29,11 @@
  when: env == 'staging'
  tags:
    - ipa/client
+
+- name: Configure sudo on IPA cluster
+  delegate_to: "{{ ipa_server }}"
+  import_tasks: sudo.yml
+  # don't muck with prod for now
+  when: env == 'staging'
+  tags:
+    - ipa/client
--- a/roles/ipa/client/tasks/sudo.yml
+++ b/roles/ipa/client/tasks/sudo.yml
@ -0,0 +1,52 @@
+- name: Check that configured sudo groups exist
+  command: "ipa group-show --no-members {{ item }}"
+  changed_when: False
+  loop: "{{ (ipa_client_sudo_groups | default([])) + (ipa_client_sudo_nopasswd_groups | default([])) | list }}"
+  tags:
+    - config
+
+- name: "Give members of `sysadmin-main` sudo access to anything, anywhere"
+  ipasudorule:
+    name: "group/sysadmin-main"
+    description: "Allow members of `sysadmin-main` to use sudo to do anything, anywhere"
+    ipaadmin_password: "{{ ipa_admin_password }}"
+    state: present
+    cmdcategory: "all"
+    hostcategory: "all"
+    runasusercategory: "all"
+    runasgroupcategory: "all"
+    group:
+      - sysadmin-main
+  tags:
+    - config
+
+- name: "Give certain groups sudo access to anything on {{ ansible_fqdn }}"
+  ipasudorule:
+    name: "host/{{ ansible_fqdn }}"
+    description: "Allow members of groups sudo access to anything on {{ ansible_fqdn }}"
+    ipaadmin_password: "{{ ipa_admin_password }}"
+    state: present
+    group: "{{ ipa_client_sudo_groups | list }}"
+    host: "{{ ansible_fqdn }}"
+    cmdcategory: "all"
+    runasusercategory: "all"
+    runasgroupcategory: "all"
+  when: ipa_client_sudo_groups is defined and ipa_client_sudo_groups | length > 0
+  tags:
+    - config
+
+- name: "Give certain groups password-less sudo access to anything on {{ ansible_fqdn }}"
+  ipasudorule:
+    name: "host/{{ ansible_fqdn }}/nopasswd"
+    description: "Allow members of groups password-less sudo access to anything on {{ ansible_fqdn }}"
+    ipaadmin_password: "{{ ipa_admin_password }}"
+    state: present
+    group: "{{ ipa_client_sudo_groups_nopasswd | list }}"
+    host: "{{ ansible_fqdn }}"
+    cmdcategory: "all"
+    runasusercategory: "all"
+    runasgroupcategory: "all"
+    options: "!authenticate"
+  when: ipa_client_sudo_groups_nopasswd is defined and ipa_client_sudo_groups_nopasswd | length > 0
+  tags:
+    - config