From e92d0dda1a54a8576586450578f8873ce920530d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aur=C3=A9lien=20Bompard?=
Date: Thu, 19 Nov 2020 12:01:45 +0100
Subject: [PATCH] Add the CentOS Ipsilon staging instance to the ipsilon IPA HBAC rule
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Aurélien Bompard
---
 playbooks/groups/ipsilon.yml | 76 +++++++++++++++++++++---------------
 1 file changed, 44 insertions(+), 32 deletions(-)
diff --git a/playbooks/groups/ipsilon.yml b/playbooks/groups/ipsilon.yml
index 0db5ebf3a6..c254db8067 100644
--- a/playbooks/groups/ipsilon.yml
+++ b/playbooks/groups/ipsilon.yml
@@ -1,37 +1,5 @@
 - import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=ipsilon:ipsilon_stg"
-# This next block configures IPA, it only needs to be run on one member of the cluster
-- name: setup IPA
-  hosts: ipa[0]:ipa_stg[0]
-  user: root
-  gather_facts: True
-
-  vars_files:
-  - /srv/web/infra/ansible/vars/global.yml
-  - "/srv/private/ansible/vars.yml"
-  - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
-
-  tasks:
-  - name: Add the ipsilon HBAC service in IPA
-    ipahbacsvc:
-      name: ipsilon
-      description: Ipsilon authentication service
-      ipaadmin_password: "{{ ipa_admin_password }}"
-    tags:
-    - ipsilon
-
-  - name: Allow login through ipsilon
-    ipahbacrule:
-      name: ipsilon
-      description: Login through ipsilon
-      hbacsvc:
-      - ipsilon
-      usercategory: all
-      host: "{{ (env == 'production')|ternary(groups['ipsilon'], groups['ipsilon_stg']) }}"
-      ipaadmin_password: "{{ ipa_admin_password }}"
-    tags:
-    - ipsilon
-
 - name: make the box be real
   hosts: ipsilon:ipsilon_stg
@@ -96,3 +64,47 @@
   handlers:
   - import_tasks: "{{ handlers_path }}/restart_services.yml"
+
+
+# This next block configures IPA, it only needs to be run on one member of the cluster.
+# Run it after setting up Ipsilon because the host need to be declared in IPA already.
+- name: setup IPA
+  hosts: ipa[0]:ipa_stg[0]
+  user: root
+  gather_facts: True
+
+  vars_files:
+  - /srv/web/infra/ansible/vars/global.yml
+  - "/srv/private/ansible/vars.yml"
+  - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+  tasks:
+  - name: Add the ipsilon HBAC service in IPA
+    ipahbacsvc:
+      name: ipsilon
+      description: Ipsilon authentication service
+      ipaadmin_password: "{{ ipa_admin_password }}"
+    tags:
+    - ipsilon
+
+  - name: Allow login through ipsilon
+    ipahbacrule:
+      name: ipsilon
+      description: Login through ipsilon
+      hbacsvc:
+      - ipsilon
+      usercategory: all
+      host: "{{ (env == 'production')|ternary(groups['ipsilon'], groups['ipsilon_stg']) }}"
+      ipaadmin_password: "{{ ipa_admin_password }}"
+    tags:
+    - ipsilon
+
+  - name: Allow login through ipsilon for the CentOS instance
+    ipahbacrule:
+      name: ipsilon
+      action: member
+      host: centos-ipa-client02.stg.iad2.fedoraproject.org
+      ipaadmin_password: "{{ ipa_admin_password }}"
+    tags:
+    - ipsilon
+    when: env == "staging"
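Review bot: The new "Allow login through ipsilon for the CentOS instance" task adds the CentOS host with `action: member`, but the task right above it (same `name: ipsilon`, no `action:`) sets the rule's `host:` outright from `groups['ipsilon_stg']`; if the module treats that list as the rule's complete host membership, as its default action appears to, every staging run will first drop the CentOS host and then re-add it, reporting `changed` each time and leaving a short window between the two tasks in which the grant is absent. Folding the host into the first task avoids the reset, e.g. `host: "{{ (env == 'production')|ternary(groups['ipsilon'], groups['ipsilon_stg'] + ['centos-ipa-client02.stg.iad2.fedoraproject.org']) }}"`, or both tasks could use `action: member` so neither one rewrites the list. The hostname is also hard-coded while every other host reference in this play comes from inventory groups; sourcing it from a group or variable would keep the HBAC rule in step with the inventory. The comment above the play would read better as `# Run it after setting up Ipsilon because the hosts need to be declared in IPA already.`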