From 7b650d56c9ed6187e656b5bc8f500b8ba9637346 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aur=C3=A9lien=20Bompard?=
Date: Fri, 2 Jul 2021 18:04:30 +0200
Subject: [PATCH] Allow people in the sysadmin-main group to manage stage users in Noggin
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Aurélien Bompard
---
 roles/ipa/server/tasks/main.yml | 53 +++++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)

diff --git a/roles/ipa/server/tasks/main.yml b/roles/ipa/server/tasks/main.yml
index eeb806e4e1..c43dc8543b 100644
--- a/roles/ipa/server/tasks/main.yml
+++ b/roles/ipa/server/tasks/main.yml
@@ -538,6 +538,59 @@ when: ipa_initial
+# Let people in the sysadmin-main group manage registering users (Stage Users)
+# through Noggin:
+
+- name: Create the stage users managers privilege
+  command:
+    argv:
+      - ipa
+      - privilege-add
+      - Stage User Managers
+      - --desc=Manage registering users in Noggin
+  tags:
+    - ipa/server
+    - config
+  when: ipa_initial
+  register: output
+  changed_when: "'already exists' not in output.stderr"
+  failed_when: "'already exists' not in output.stderr and output.rc != 0"
+
+- name: Setup the stage users managers privilege
+  command:
+    argv:
+      - ipa
+      - privilege-add-permission
+      - Stage User Managers
+      - "--permissions=System: Read Stage Users"
+      - "--permissions=System: Modify Stage User"
+      - "--permissions=System: Remove Stage User"
+  tags:
+    - ipa/server
+    - config
+  when: ipa_initial
+  register: output
+  changed_when: "'Number of permissions added 0' not in output.stdout"
+  failed_when: "'Number of permissions added 0' not in output.stdout and output.rc != 0"
+
+- name: Create the stage users managers role
+  ipa_role:
+    name: "Stage User Managers"
+    description: "Manage registering users in Noggin"
+    privilege:
+      - "Stage User Managers"
+    group:
+      - sysadmin-main
+    ipa_host: "{{ inventory_hostname }}"
+    ipa_user: admin
+    ipa_pass: "{{ipa_admin_password}}"
+    validate_certs: no
+  tags:
+    - ipa/server
+    - config
+  when: ipa_initial
+
+
 - name: Destroy admin ticket
   command: kdestroy -A
   tags:
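Review bot: `validate_certs: no` on the `Create the stage users managers role` task disables TLS certificate verification for the API request that carries `ipa_admin_password` to `ipa_host`, so any certificate presented on that connection is accepted; since `ipa_host` is `{{ inventory_hostname }}` (the server the play runs against), its own certificate should presumably already be trusted locally and the line can be `validate_certs: true` — if it is not trusted, fixing the trust store is the safer route than turning the check off. Independently, `no` is a YAML 1.1 boolean spelling that yamllint's truthy rule flags; the other boolean-like values in the hunk should use `true`/`false` literals for the same reason. A small style point in the same task: `"{{ipa_admin_password}}"` is spaced differently from `"{{ inventory_hostname }}"` two lines above — `ipa_pass: "{{ ipa_admin_password }}"` keeps the Jinja delimiters consistent. The `Destroy admin ticket` task at the bottom of the hunk continues outside it.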