Add "sys_protected" argument to LDAP playbook

This commit adds "sys_protected" optional argument to LDAP playbook "manage_local_ldap_account.yml". The new argument automates adding an ldap user to the "sys_protected" group at creation time. Supported values for the "sys_protected" argument are "yes" and "no", "no" being the default value. Test Plan: PASS: Debian image gets successfully installed in AIO-SX system. PASS: Configure "secure-inventory" configuration for a standalone system. PASS: Successful ldap user creation with membership in "sys_protected" group, using argument "sys_protected=yes". PASS: Execute LDAP playbook to create a user with no membership in "sys_protected" group, using argument "sys_protected=no" PASS: Execute LDAP playbook to create a user with no membership in "sys_protected" group without setting argument "sys_protected" to verify the default value. PASS: Configure "secure-inventory" configuration for a DC system. PASS: Test "sys_protected" argument usage for LDAP playbook in a DC system by creating an ldap user in a "sys_protected" group, both on the system controller and on a subcloud. Story: 2010589 Task: 47908 Signed-off-by: Carmen Rata <carmen.rata@windriver.com> Change-Id: I4d487e70b4b1ace3c5b08a7ae10595b4accc2b51
2023-04-28 14:47:17 +00:00 · 2023-04-28 14:47:17 +00:00 · 1bda288e96
commit 1bda288e96
parent 708a1d5c43
5 changed files with 26 additions and 5 deletions
--- a/examples/manage-local-ldap-account/inventory-EXAMPLE
+++ b/examples/manage-local-ldap-account/inventory-EXAMPLE
@ -15,14 +15,14 @@
 # file. Then run the ansible-playbook command with --ask-vault-pass parameter:
 #
 # ansible-playbook --inventory inventory-secure --ask-vault-pass \
-# --extra-vars='user_id=JohnDoo' \
+# --extra-vars='user_id=JohnDoe' \
 # /usr/share/ansible/stx-ansible/playbooks/manage_local_ldap_account.yml
 #
 # If you wish to use different values for password_change_period and
 # password_warning_period parameters follow the sample below:
 #
 # ansible-playbook --inventory inventory-secure --ask-vault-pass \
-# --extra-vars='user_id=JohnDoo password_change_period=120 \
+# --extra-vars='user_id=JohnDoe password_change_period=120 \
 # password_warning_period=1' \
 # /usr/share/ansible/stx-ansible/playbooks/manage_local_ldap_account.yml
 #
@ -30,7 +30,14 @@
 # variable to yes:
 #
 # ansible-playbook --inventory inventory-secure --ask-vault-pass \
-# --extra-vars='user_id=JohnDoo sudo_permission=yes' \
+# --extra-vars='user_id=JohnDoe sudo_permission=yes' \
 # /usr/share/ansible/stx-ansible/playbooks/manage_local_ldap_account.yml
 #
 # If you wish to add users to sys_protected group, set sys_protected
 # variable to yes:
 #
 # ansible-playbook --inventory inventory-secure --ask-vault-pass \
 # --extra-vars='user_id=JohnDoe sys_protected=yes' \
 # /usr/share/ansible/stx-ansible/playbooks/manage_local_ldap_account.yml
 #
 # If you wish to delete an existing user account (e.g. na-admin):
--- a/playbookconfig/src/playbooks/manage_local_ldap_account.yml
+++ b/playbookconfig/src/playbooks/manage_local_ldap_account.yml
@ -114,6 +114,10 @@
    set_fact:
      in_sudo_permission: "{{ true if sudo_permission is defined and sudo_permission | bool else false }}"
  - name: Set sys_protected flag fact upfront
    set_fact:
      in_sys_protected: "{{ true if sys_protected is defined and sys_protected | bool else false }}"
 - hosts: systemcontroller
  gather_facts: no
--- a/playbookconfig/src/playbooks/roles/manage-local-ldap-account/common/add-hosts/tasks/main.yml
+++ b/playbookconfig/src/playbooks/roles/manage-local-ldap-account/common/add-hosts/tasks/main.yml
@ -14,6 +14,7 @@
    ansible_ssh_common_args:
      '-o ProxyCommand="sshpass -p {{ ansible_password }} ssh -W [%h]:%p -q {{ ansible_user }}@{{ ansible_host }}"'
    in_sudo_permission: "{{ in_sudo_permission }}"
    in_sys_protected: "{{ in_sys_protected }}"
    in_mode: "{{ in_mode }}"
    in_user_password: "{{ in_user_password if in_mode == 'create' else '' }}"
    in_user_role: "{{ in_user_role if in_mode == 'create' else '' }}"
--- a/playbookconfig/src/playbooks/roles/manage-local-ldap-account/create-account/tasks/main.yml
+++ b/playbookconfig/src/playbooks/roles/manage-local-ldap-account/create-account/tasks/main.yml
@ -18,9 +18,13 @@
    set_fact:
      sudo_param: "{{ '--sudo' if in_sudo_permission else '' }}"
  - name: Set sys_protected_param if external variable sys_protected is true
    set_fact:
      sys_protected_param: "{{ '--secondgroup sys_protected' if in_sys_protected else '' }}"
  - name: Create LDAP user {{ in_user_id }}
    shell: >-
-      ldapusersetup -u {{ in_user_id }} {{ sudo_param }} --secondgroup sys_protected --passmax
+      ldapusersetup -u {{ in_user_id }} {{ sudo_param }} {{ sys_protected_param }} --passmax
      {{ password_change_period }} --passwarning {{ password_warning_period }}
    become: yes
--- a/playbookconfig/src/playbooks/roles/manage-local-ldap-account/create-keystone-account/tasks/main.yml
+++ b/playbookconfig/src/playbooks/roles/manage-local-ldap-account/create-keystone-account/tasks/main.yml
@ -69,6 +69,11 @@
  become: yes
  when: in_sudo_permission
 - name: Add LDAP user to 'sys_protected' group
  command: usermod -a -G sys_protected {{ in_user_id }}
  become: yes
  when: in_sys_protected
 - name: Retrieve LDAP user groups
  command: groups {{ in_user_id }}
  register: user_groups