From 3abcb2d011b86e6c32da959ab2912f6c1f7d28d9 Mon Sep 17 00:00:00 2001
From: Nils Philippsen
Date: Wed, 10 Mar 2021 16:33:29 +0100
Subject: [PATCH] ipa/client: clean sss caches on changes

SSSD caches information, some types for hours by default. When changing anything in IPA pertaining to a host this role is applied to, clean out the caches on the host so the changes are effective immediately.

Signed-off-by: Nils Philippsen
---
 roles/ipa/client/handlers/main.yml | 3 +++
 roles/ipa/client/tasks/hbac.yml | 5 +++++
 roles/ipa/client/tasks/main.yml | 1 +
 roles/ipa/client/tasks/sudo.yml | 2 ++
 4 files changed, 11 insertions(+)
 create mode 100644 roles/ipa/client/handlers/main.yml
diff --git a/roles/ipa/client/handlers/main.yml b/roles/ipa/client/handlers/main.yml
new file mode 100644
index 0000000000..a8c0d4f5a3
--- /dev/null
+++ b/roles/ipa/client/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+- name: clean sss caches
+ command: sss_cache -E
diff --git a/roles/ipa/client/tasks/hbac.yml b/roles/ipa/client/tasks/hbac.yml
index 12f4ad0dc8..74b361cdde 100644
--- a/roles/ipa/client/tasks/hbac.yml
+++ b/roles/ipa/client/tasks/hbac.yml
@@ -14,6 +14,7 @@
 state: present
 group:
 - sysadmin-main
+ notify: clean sss caches
 no_log: true
 loop: "{{ ipa_servers }}"
 when: ipa_servers is defined
@@ -24,6 +25,7 @@
 name: "usergroup/sysadmin-main"
 ipaadmin_password: "{{ ipa_server_admin_passwords[item] }}"
 state: enabled
+ notify: clean sss caches
 no_log: true
 loop: "{{ ipa_servers }}"
 when: ipa_servers is defined
@@ -34,6 +36,7 @@
 name: allow_all
 ipaadmin_password: "{{ ipa_server_admin_passwords[item] }}"
 state: disabled
+ notify: clean sss caches
 no_log: true
 loop: "{{ ipa_servers }}"
 when: ipa_servers is defined
@@ -49,6 +52,7 @@
 usercategory: "all"
 hbacsvcgroup:
 - Sudo
+ notify: clean sss caches
 no_log: true
 loop: "{{ ipa_servers }}"
 when: ipa_servers is defined
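Review bot: The new `clean sss caches` handler in roles/ipa/client/handlers/main.yml runs only when handlers are flushed, which by default is the end of the play, so tasks later in the same play still see the old cached data and the change is not effective "immediately" as the commit message puts it. If any play depends on the updated HBAC, sudo or group data before it ends, a `- meta: flush_handlers` task after the notifying tasks would close that window. The handler also carries no comment; I would add `# Expire all SSSD cache entries so IPA changes are re-fetched on the next lookup (runs at handler flush)` above the task.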
@@ -120,5 +124,6 @@ action: member state: present group: "{{ ipa_server_host_groups_dict[item[0]][item[1]]['shell_groups'] }}" + notify: clean sss caches loop: "{{ ipa_server_host_groups }}" when: ipa_server_host_groups is defined and ipa_server_host_groups_dict[item[0]][item[1]]['shell_groups'] is defined diff --git a/roles/ipa/client/tasks/main.yml b/roles/ipa/client/tasks/main.yml index 0c4081e1fd..d36a65b192 100644 --- a/roles/ipa/client/tasks/main.yml +++ b/roles/ipa/client/tasks/main.yml @@ -26,6 +26,7 @@ -U -N --force-join --mkhomedir creates: /etc/ipa/default.conf + notify: clean sss caches tags: - ipa/client - config diff --git a/roles/ipa/client/tasks/sudo.yml b/roles/ipa/client/tasks/sudo.yml index 8507c69b34..33a7fda035 100644 --- a/roles/ipa/client/tasks/sudo.yml +++ b/roles/ipa/client/tasks/sudo.yml @@ -14,6 +14,7 @@ runasgroupcategory: "all" group: - sysadmin-main + notify: clean sss caches no_log: true loop: "{{ ipa_servers }}" when: ipa_servers is defined @@ -30,5 +31,6 @@ cmdcategory: "all" runasusercategory: "all" runasgroupcategory: "all" + notify: clean sss caches loop: "{{ ipa_server_host_groups }}" when: ipa_server_host_groups is defined and ipa_server_host_groups_dict[item[0]][item[1]]['sudo_groups'] is defined
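Review bot: The task that receives `notify: clean sss caches` in the `@@ -120,5 +124,6 @@` hunk of hbac.yml shows no `no_log: true` before its `loop:`, while the four earlier tasks in the same file that take `ipaadmin_password` all carry it right after the notify. The start of this task is outside the hunk, so this is inferred, but if it passes the admin password like its siblings I would add `no_log: true` after the new notify line to keep the credential out of task output and logs. The last hunk of sudo.yml (`@@ -30,5 +31,6 @@`) has the same shape.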
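Review bot: The notify added to the sudo rule tasks in sudo.yml (`@@ -14,6 +14,7 @@` and the hunk after it) relies on `sss_cache -E` dropping cached sudo rules, and that may not hold on every SSSD release. Older sss_cache manual pages describe `-E` as invalidating all entries except sudo rules, so on such hosts a removed or narrowed sudo rule could stay usable from cache until it expires on its own. Please confirm the behaviour on the oldest SSSD version this role targets and record the result on the handler, for example `# -E also invalidates cached sudo rules on SSSD >= <VERSION>`.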