ipa/client: Revamp combining shell groups
The previous implementation didn't work because of a chicken-and-egg problem: To add the batcave shell groups to those specifically for bastion, it needs to look them up, but they aren't set yet (probably because `batcave` comes after `bastion`). Now, one can (optionally) set `ipa_client_shell_groups_inherit_from`, a list of Ansible group names whose `ipa_client_shell_groups` will be combined with that of the host itself. This is more robust because it's done late, after variables are set from the inventory. Signed-off-by: Nils Philippsen <nils@redhat.com>
This commit is contained in:
parent
34728c85cd
commit
46b3fb9390
2 changed files with 32 additions and 43 deletions
|
@ -25,44 +25,7 @@ primary_auth_source: ipa
|
||||||
ipa_host_group: bastion
|
ipa_host_group: bastion
|
||||||
ipa_host_group_desc: Bastion hosts
|
ipa_host_group_desc: Bastion hosts
|
||||||
|
|
||||||
# this assumes the `batcave` group exists with at least one host in it
|
ipa_client_shell_groups:
|
||||||
#batcave_ipa_client_shell_groups: "{{ hostvars[groups['batcave'][0]]['ipa_client_shell_groups'] | default([]) }}"
|
|
||||||
|
|
||||||
# Stopgap because the above doesn't work, needs to be in sync with what's actually set for the
|
|
||||||
# batcave group.
|
|
||||||
batcave_ipa_client_shell_groups:
|
|
||||||
- fi-apprentice
|
|
||||||
- sysadmin-ask
|
|
||||||
- sysadmin-atomic
|
|
||||||
- sysadmin-badges
|
|
||||||
- sysadmin-bot
|
|
||||||
- sysadmin-centos
|
|
||||||
- sysadmin-cloud
|
|
||||||
- sysadmin-copr
|
|
||||||
- sysadmin-coreos
|
|
||||||
- sysadmin-cvs
|
|
||||||
- sysadmin-datanommer
|
|
||||||
- sysadmin-debuginfod
|
|
||||||
- sysadmin-fedimg
|
|
||||||
- sysadmin-fpdc
|
|
||||||
- sysadmin-gnome
|
|
||||||
- sysadmin-hosted
|
|
||||||
- sysadmin-koschei
|
|
||||||
- sysadmin-libravatar
|
|
||||||
- sysadmin-mbs
|
|
||||||
- sysadmin-messaging
|
|
||||||
- sysadmin-noc
|
|
||||||
- sysadmin-odcs
|
|
||||||
- sysadmin-osbs
|
|
||||||
- sysadmin-qa
|
|
||||||
- sysadmin-releasemonitoring
|
|
||||||
- sysadmin-releng
|
|
||||||
- sysadmin-tools
|
|
||||||
- sysadmin-upstreamfirst
|
|
||||||
- sysadmin-veteran
|
|
||||||
- sysadmin-web
|
|
||||||
|
|
||||||
bastion_ipa_client_shell_groups:
|
|
||||||
- pungi-devel
|
- pungi-devel
|
||||||
- sysadmin-analysis
|
- sysadmin-analysis
|
||||||
- sysadmin-dba
|
- sysadmin-dba
|
||||||
|
@ -71,9 +34,8 @@ bastion_ipa_client_shell_groups:
|
||||||
- sysadmin-spin
|
- sysadmin-spin
|
||||||
- sysadmin-troubleshoot
|
- sysadmin-troubleshoot
|
||||||
- sysadmin-qa
|
- sysadmin-qa
|
||||||
|
ipa_client_shell_groups_inherit_from:
|
||||||
|
- batcave
|
||||||
ipa_client_shell_groups: "{{ (bastion_ipa_client_shell_groups + batcave_ipa_client_shell_groups) | sort | unique }}"
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# This is a postfix gateway. This will pick up gateway postfix config in base
|
# This is a postfix gateway. This will pick up gateway postfix config in base
|
||||||
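Review bot: `ipa_client_shell_groups_inherit_from: [batcave]` reintroduces the dependency the removed comment documented — the `batcave` group must exist with at least one host, since the ipa/client role resolves it via `groups['batcave'][0]` — but the inventory no longer says so. Suggest a comment above the new key such as `# Shell groups of these Ansible groups are merged into ours by ipa/client (it reads groups[name][0]); each group must exist and be non-empty.` Note also that `sysadmin-qa` is kept in the bastion-specific list while the removed stopgap copy of batcave's list contained it too; the role's `union` deduplicates, so this is harmless, but dropping it would keep this list strictly bastion-specific. Sudo groups are not inherited by this mechanism, which the key name implies but is worth stating where people edit these access lists.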
|
|
|
@ -9,6 +9,31 @@
|
||||||
# Thanks to having two environments, staging and prod, this has to deal with the "responsible" IPA
|
# Thanks to having two environments, staging and prod, this has to deal with the "responsible" IPA
|
||||||
# server for individual hosts.
|
# server for individual hosts.
|
||||||
|
|
||||||
|
# ipa_hosts_combined_shell_groups_dict ->
|
||||||
|
# {
|
||||||
|
# "ansible_host_1": ["shell_group_1", "shell_group_2", ...],
|
||||||
|
# "ansible_host_2": ["shell_group_3", "shell_group_4", ...],
|
||||||
|
# ...
|
||||||
|
# }
|
||||||
|
- name: Combine own and inherited shell groups per host
|
||||||
|
set_fact:
|
||||||
|
ipa_hosts_combined_shell_groups_dict: >-
|
||||||
|
{{
|
||||||
|
ipa_hosts_combined_shell_groups_dict | default({}) | combine(
|
||||||
|
{
|
||||||
|
item:
|
||||||
|
(hostvars[item]['ipa_client_shell_groups_inherit_from'] | default([]))
|
||||||
|
| map('extract', groups, 0)
|
||||||
|
| map('extract', hostvars, 'ipa_client_shell_groups')
|
||||||
|
| flatten
|
||||||
|
| union(hostvars[item]['ipa_client_shell_groups'] | default([]))
|
||||||
|
| sort
|
||||||
|
},
|
||||||
|
recursive=True
|
||||||
|
)
|
||||||
|
}}
|
||||||
|
loop: "{{ ansible_play_hosts }}"
|
||||||
|
|
||||||
# ipa_server_host_groups_dict ->
|
# ipa_server_host_groups_dict ->
|
||||||
# {
|
# {
|
||||||
# "ipa_server_1": {
|
# "ipa_server_1": {
|
||||||
|
@ -56,7 +81,9 @@
|
||||||
hostvars[item]['ipa_server']: {
|
hostvars[item]['ipa_server']: {
|
||||||
hostvars[item]['ipa_host_group']: {
|
hostvars[item]['ipa_host_group']: {
|
||||||
'desc': hostvars[item]['ipa_host_group_desc'] | default(omit),
|
'desc': hostvars[item]['ipa_host_group_desc'] | default(omit),
|
||||||
'shell_groups': hostvars[item]['ipa_client_shell_groups'] | default(omit),
|
'shell_groups':
|
||||||
|
(ipa_hosts_combined_shell_groups_dict[item] | length > 0)
|
||||||
|
| ternary(ipa_hosts_combined_shell_groups_dict[item], omit),
|
||||||
'sudo_groups': hostvars[item]['ipa_client_sudo_groups'] | default(omit),
|
'sudo_groups': hostvars[item]['ipa_client_sudo_groups'] | default(omit),
|
||||||
'hosts': {item: true},
|
'hosts': {item: true},
|
||||||
}
|
}
|
||||||
|
@ -70,7 +97,7 @@
|
||||||
(ipa_server_all_groups_hosts_dict | default({})) | combine(
|
(ipa_server_all_groups_hosts_dict | default({})) | combine(
|
||||||
{
|
{
|
||||||
hostvars[item]['ipa_server']: {
|
hostvars[item]['ipa_server']: {
|
||||||
'groups': hostvars[item]['ipa_client_shell_groups'] | default([]) | union(
|
'groups': ipa_hosts_combined_shell_groups_dict[item] | union(
|
||||||
hostvars[item]['ipa_client_sudo_groups'] | default([])
|
hostvars[item]['ipa_client_sudo_groups'] | default([])
|
||||||
),
|
),
|
||||||
'hosts': {item: True},
|
'hosts': {item: True},
|
||||||
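Review bot: The lookup in the `Combine own and inherited shell groups per host` task fails the whole task if any name in `ipa_client_shell_groups_inherit_from` is not a key of `groups` or names an empty group, because `map('extract', groups, 0)` indexes `groups[name][0]` unguarded; and since the loop runs over `ansible_play_hosts`, one misconfigured host leaves `ipa_hosts_combined_shell_groups_dict` unset for every host, which the later `ipa_hosts_combined_shell_groups_dict[item]` indexing then turns into a further error. The old inventory comment ("assumes the `batcave` group exists with at least one host in it") carried this caveat and is gone; restate it above the task, e.g. `# Each inherited group must exist and be non-empty: only groups[name][0] is consulted.` That comment should also say that only the first host's `ipa_client_shell_groups` is read, so a host-level override inside the inherited group would silently change what this host grants — these lists control login access, so the sampling choice deserves to be explicit. If an undefined `ipa_client_shell_groups` on that first host should be tolerated rather than fail the task, inserting `| select('defined')` before `| flatten` would presumably drop it, but confirm against the Ansible version in use.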
|
|