ipa/client: Revamp combining shell groups

The previous implementation didn't work because of a chicken-and-egg
problem: To add the batcave shell groups to those specifically for
bastion, it needs to look them up, but they aren't set yet (probably
because `batcave` comes after `bastion`).

Now, one can (optionally) set `ipa_client_shell_groups_inherit_from`, a
list of Ansible group names whose `ipa_client_shell_groups` will be
combined with that of the host itself. This is more robust because it's
done late, after variables are set from the inventory.

Signed-off-by: Nils Philippsen <nils@redhat.com>
Nils Philippsen 2021-03-25 13:34:15 +01:00
parent 34728c85cd
commit 46b3fb9390
2 changed files with 32 additions and 43 deletions
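The merge the message describes (take the first host of each inherited Ansible group, read its `ipa_client_shell_groups`, union with the host's own list, sort) as an added reference implementation in plain Python. This is not the playbook's own code; it mirrors the new task's Jinja over a constructed hostvars/groups snapshot with hypothetical host and group names, so the behaviour, including the empty-group and missing-variable edge cases, can be checked offline.

```python
"""Reference implementation of the "inherit shell groups from other Ansible
groups" merge.  Added example, not the playbook's own code: it mirrors the
task's Jinja (extract first host of each inherited group, take its
ipa_client_shell_groups, union with the host's own, sort) so the edge cases
can be exercised without running Ansible.
"""
from typing import Dict, List

# Constructed inventory snapshot (hypothetical host and group names).
GROUPS: Dict[str, List[str]] = {
    "batcave": ["batcave01.example.test", "batcave02.example.test"],
    "bastion": ["bastion01.example.test"],
    "empty_group": [],
}

HOSTVARS: Dict[str, dict] = {
    "batcave01.example.test": {
        "ipa_client_shell_groups": ["sysadmin-main", "sysadmin-batcave"],
    },
    "batcave02.example.test": {
        "ipa_client_shell_groups": ["sysadmin-main"],
    },
    "bastion01.example.test": {
        "ipa_client_shell_groups": ["sysadmin-bastion", "sysadmin-main"],
        "ipa_client_shell_groups_inherit_from": ["batcave"],
    },
}


def combined_shell_groups(host, hostvars, groups, strict=True):
    """Sorted union of a host's own and inherited shell groups.

    Mirrors the task: for each group in ipa_client_shell_groups_inherit_from,
    look only at the FIRST host of that group (extract(groups, 0)) and read
    its ipa_client_shell_groups.  With strict=True an empty inherited group or
    a first host lacking the variable raises, like an undefined value would in
    the template; strict=False skips it instead, which is what a default([])
    guard would give.
    """
    own = list(hostvars[host].get("ipa_client_shell_groups", []))
    inherited: List[str] = []
    for group in hostvars[host].get("ipa_client_shell_groups_inherit_from", []):
        members = groups.get(group, [])
        if not members:
            if strict:
                raise KeyError(f"inherited group {group!r} has no hosts")
            continue
        first = members[0]  # only the first member is consulted
        try:
            inherited.extend(hostvars[first]["ipa_client_shell_groups"])
        except KeyError:
            if strict:
                raise
    # union() deduplicates, then the task sorts; set + sorted gives the same result
    return sorted(set(inherited) | set(own))


def build_dict(play_hosts, hostvars, groups, strict=True):
    """The ipa_hosts_combined_shell_groups_dict the task builds over ansible_play_hosts."""
    return {h: combined_shell_groups(h, hostvars, groups, strict) for h in play_hosts}
```

Because only the first member of each inherited group is consulted, the result depends on inventory order whenever `ipa_client_shell_groups` is set per host rather than as a group var; swapping the two batcave hosts above changes what bastion inherits.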


@ -9,6 +9,31 @@
# Thanks to having two environments, staging and prod, this has to deal with the "responsible" IPA
# server for individual hosts.
# ipa_hosts_combined_shell_groups_dict ->
# {
# "ansible_host_1": ["shell_group_1", "shell_group_2", ...],
# "ansible_host_2": ["shell_group_3", "shell_group_4", ...],
# ...
# }
- name: Combine own and inherited shell groups per host
set_fact:
ipa_hosts_combined_shell_groups_dict: >-
{{
ipa_hosts_combined_shell_groups_dict | default({}) | combine(
{
item:
(hostvars[item]['ipa_client_shell_groups_inherit_from'] | default([]))
| map('extract', groups, 0)
| map('extract', hostvars, 'ipa_client_shell_groups')
| flatten
| union(hostvars[item]['ipa_client_shell_groups'] | default([]))
| sort
},
recursive=True
)
}}
loop: "{{ ansible_play_hosts }}"
# ipa_server_host_groups_dict ->
# {
# "ipa_server_1": {
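Review bot: `map('extract', groups, 0)` followed by `map('extract', hostvars, 'ipa_client_shell_groups')` in the new task reads only the first host of each group named in `ipa_client_shell_groups_inherit_from`, and fails the task if such a group has no hosts or its first host does not define `ipa_client_shell_groups`, because the undefined value reaches `flatten`; the host's own list is guarded with `default([])` but the inherited side is not. Guard it too, e.g. `| select('defined')` before `| flatten`, or state in the comment that inherited groups must carry `ipa_client_shell_groups` as a group var. The comment block above the task still only documents the output dict; add a line there naming `ipa_client_shell_groups_inherit_from` as the input. `recursive=True` on `combine` does nothing here since the values are lists and can be dropped.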
@ -56,7 +81,9 @@
hostvars[item]['ipa_server']: {
hostvars[item]['ipa_host_group']: {
'desc': hostvars[item]['ipa_host_group_desc'] | default(omit),
'shell_groups': hostvars[item]['ipa_client_shell_groups'] | default(omit),
'shell_groups':
(ipa_hosts_combined_shell_groups_dict[item] | length > 0)
| ternary(ipa_hosts_combined_shell_groups_dict[item], omit),
'sudo_groups': hostvars[item]['ipa_client_sudo_groups'] | default(omit),
'hosts': {item: true},
}
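Review bot: `ipa_hosts_combined_shell_groups_dict[item]` in the new `shell_groups` expression is an unguarded lookup, whereas the line it replaces tolerated a missing value via `default(omit)`; the dict is only built for `ansible_play_hosts`, so if this loop iterates a different host set the lookup is undefined and the task fails. Use `ipa_hosts_combined_shell_groups_dict[item] | default([])` inside the `length > 0` test. Note also the behaviour change: an explicitly empty `ipa_client_shell_groups` used to be passed through as `[]`, now an empty combined list omits the key entirely; fine if intended, but worth a line in the commit message.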
@ -70,7 +97,7 @@
(ipa_server_all_groups_hosts_dict | default({})) | combine(
{
hostvars[item]['ipa_server']: {
'groups': hostvars[item]['ipa_client_shell_groups'] | default([]) | union(
'groups': ipa_hosts_combined_shell_groups_dict[item] | union(
hostvars[item]['ipa_client_sudo_groups'] | default([])
),
'hosts': {item: True},
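Review bot: same unguarded `ipa_hosts_combined_shell_groups_dict[item]` as in the `shell_groups` hunk, and here the replaced line's `default([])` was dropped as well, so a host without an entry in the dict makes `groups` undefined instead of falling back to the sudo groups alone; add `| default([])` before `| union(`.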