Infrastructure/ansible
1
0
Fork 0
Code Issues Pull requests 6 Projects Releases Packages Wiki Activity Actions

ipa/client: only warn about essential vars missing

Browse source 
If either `ipa_client_shell_groups` and `ipa_client_sudo_groups` are
unset or empty, sysadmin-main will still be able to login and sudo.

Signed-off-by: Nils Philippsen <nils@redhat.com>
This commit is contained in:
Nils Philippsen 2021-03-24 17:27:59 +01:00 committed by kevin
parent eae91f0d2b
commit f9abb293c0
1 changed files with 1 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

4
roles/ipa/client/tasks/hbac.yml
View file

@ -92,7 +92,7 @@
when: fas_client_groups is defined when: fas_client_groups is defined
run_once: false run_once: false
- name: "Warn if IPA client variables are unset" - name: "Warn if essential IPA client variables are unset"
fail: fail:
msg: "`{{ item }}` is not defined" msg: "`{{ item }}` is not defined"
ignore_errors: true ignore_errors: true
@ -100,8 +100,6 @@
loop: loop:
- ipa_host_group - ipa_host_group
- ipa_host_group_desc - ipa_host_group_desc
- ipa_client_shell_groups
- ipa_client_sudo_groups
- name: Ensure shell access HBAC rule exists - name: Ensure shell access HBAC rule exists
delegate_to: "{{ item[0] }}" delegate_to: "{{ item[0] }}"