diff --git a/inventory/group_vars/bastion b/inventory/group_vars/bastion
index ab91074aec..5d55362779 100644
--- a/inventory/group_vars/bastion
+++ b/inventory/group_vars/bastion
@@ -25,44 +25,7 @@ primary_auth_source: ipa
 ipa_host_group: bastion
 ipa_host_group_desc: Bastion hosts
 
-# this assumes the `batcave` group exists with at least one host in it
-#batcave_ipa_client_shell_groups: "{{ hostvars[groups['batcave'][0]]['ipa_client_shell_groups'] | default([]) }}"
-
-# Stopgap because the above doesn't work, needs to be in sync with what's actually set for the
-# batcave group.
-batcave_ipa_client_shell_groups:
-- fi-apprentice
-- sysadmin-ask
-- sysadmin-atomic
-- sysadmin-badges
-- sysadmin-bot
-- sysadmin-centos
-- sysadmin-cloud
-- sysadmin-copr
-- sysadmin-coreos
-- sysadmin-cvs
-- sysadmin-datanommer
-- sysadmin-debuginfod
-- sysadmin-fedimg
-- sysadmin-fpdc
-- sysadmin-gnome
-- sysadmin-hosted
-- sysadmin-koschei
-- sysadmin-libravatar
-- sysadmin-mbs
-- sysadmin-messaging
-- sysadmin-noc
-- sysadmin-odcs
-- sysadmin-osbs
-- sysadmin-qa
-- sysadmin-releasemonitoring
-- sysadmin-releng
-- sysadmin-tools
-- sysadmin-upstreamfirst
-- sysadmin-veteran
-- sysadmin-web
-
-bastion_ipa_client_shell_groups:
+ipa_client_shell_groups:
 - pungi-devel
 - sysadmin-analysis
 - sysadmin-dba
@@ -71,9 +34,8 @@ bastion_ipa_client_shell_groups:
 - sysadmin-spin
 - sysadmin-troubleshoot
 - sysadmin-qa
-
-
-ipa_client_shell_groups: "{{ (bastion_ipa_client_shell_groups + batcave_ipa_client_shell_groups) | sort | unique }}"
+ipa_client_shell_groups_inherit_from:
+- batcave
 
 #
 # This is a postfix gateway. This will pick up gateway postfix config in base
diff --git a/roles/ipa/client/tasks/prepare-ipa-info.yml b/roles/ipa/client/tasks/prepare-ipa-info.yml
index f9b6324ac6..1a518df9a4 100644
--- a/roles/ipa/client/tasks/prepare-ipa-info.yml
+++ b/roles/ipa/client/tasks/prepare-ipa-info.yml
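Review bot: The new `ipa_client_shell_groups_inherit_from` key in the second hunk (old lines 71–79) is undocumented, and its meaning is not obvious from the name: it lists inventory group names, and the role task in roles/ipa/client/tasks/prepare-ipa-info.yml merges the `ipa_client_shell_groups` of the first host of each named group into this host's own list. The removed stopgap comment was the only place that recorded the dependency on an existing, non-empty `batcave` group, so that caveat should survive the refactor as a comment above the new key: `# Inventory groups whose first host's ipa_client_shell_groups are merged into ours; each named group must exist and have at least one host.` Because these lists end up as IPA shell-group (login) membership on the bastion, it is worth a reader knowing that the inherited set follows whichever batcave host sorts first in inventory.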
@@ -9,6 +9,31 @@
 # Thanks to having two environments, staging and prod, this has to deal with the "responsible" IPA
 # server for individual hosts.
 
+# ipa_hosts_combined_shell_groups_dict ->
+# {
+# "ansible_host_1": ["shell_group_1", "shell_group_2", ...],
+# "ansible_host_2": ["shell_group_3", "shell_group_4", ...],
+# ...
+# }
+- name: Combine own and inherited shell groups per host
+set_fact:
+ipa_hosts_combined_shell_groups_dict: >-
+{{
+ipa_hosts_combined_shell_groups_dict | default({}) | combine(
+{
+item:
+(hostvars[item]['ipa_client_shell_groups_inherit_from'] | default([]))
+| map('extract', groups, 0)
+| map('extract', hostvars, 'ipa_client_shell_groups')
+| flatten
+| union(hostvars[item]['ipa_client_shell_groups'] | default([]))
+| sort
+},
+recursive=True
+)
+}}
+loop: "{{ ansible_play_hosts }}"
+
 # ipa_server_host_groups_dict ->
 # {
 # "ipa_server_1": {
@@ -56,7 +81,9 @@
 hostvars[item]['ipa_server']: {
 hostvars[item]['ipa_host_group']: {
 'desc': hostvars[item]['ipa_host_group_desc'] | default(omit),
-'shell_groups': hostvars[item]['ipa_client_shell_groups'] | default(omit),
+'shell_groups':
+(ipa_hosts_combined_shell_groups_dict[item] | length > 0)
+| ternary(ipa_hosts_combined_shell_groups_dict[item], omit),
 'sudo_groups': hostvars[item]['ipa_client_sudo_groups'] | default(omit),
 'hosts': {item: true},
 }
@@ -70,7 +97,7 @@
 (ipa_server_all_groups_hosts_dict | default({})) | combine(
 {
 hostvars[item]['ipa_server']: {
-'groups': hostvars[item]['ipa_client_shell_groups'] | default([]) | union(
+'groups': ipa_hosts_combined_shell_groups_dict[item] | union(
 hostvars[item]['ipa_client_sudo_groups'] | default([])
 ),
 'hosts': {item: True},
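Review bot: In the first hunk's new set_fact, `map('extract', groups, 0)` inherits shell groups from only the first host of each group named in `ipa_client_shell_groups_inherit_from`, so the login groups granted on the inheriting host depend on inventory ordering whenever hosts in that group differ, and a group that is missing, empty, or whose first host has no `ipa_client_shell_groups` produces an undefined value with no `default([])` guard, unlike the host's own list on the `union` line. Since this dict feeds IPA shell-group membership, the hard template failure is the safer outcome and should stay, but the assumption belongs in the header comment rather than implicit in the expression: `# Inherited groups are taken from the FIRST host of each named group; the group must exist and be non-empty, otherwise this task fails.` If silently inheriting nothing is preferred instead, `| map('extract', hostvars, 'ipa_client_shell_groups') | select('defined')` appears to drop the undefined entries, though I would confirm that against the extract filter's behaviour on an empty group. The two later hunks (old lines 56–62 and 70–76) index `ipa_hosts_combined_shell_groups_dict[item]` without a default, which is fine only while their loops iterate exactly `ansible_play_hosts`; those loops start outside the hunks, so that should be checked.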