ansible-tripleo-ipa-server/tripleo_ipa_server/playbooks/ipa-server-create-role.yaml

---
# Copyright 2020 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# This playbook adds a role with the correct privileges needed by tripleo-ipa
# and TLS-e to add hosts and services to the IPA server.  The operations in
# this playbook likely need admin privileges and should be executed on an
# IPA client.  This playbook only needs to be run once per IPA server as
# multiple tripleo deployments can utilize the same role.

- name: Playbook to setup an IPA role with correct privileges for TLS-e
  connection: "{{ (tripleo_ipa_host is defined) | ternary('ssh', 'local') }}"
  hosts: "{{ tripleo_ipa_host | default('localhost') }}"
  tasks:
    - name: ensure definitions
      fail:
        msg: >-
          {{ item }} is undefined          
      when: not item.ansible_var and not item.env_var
      with_items:
        - name: ipa_principal
          ansible_var: "{{ ipa_principal | default('') }}"
          env_var: "{{ lookup('env', 'IPA_PRINCIPAL') }}"
        - name: ipa_password
          ansible_var: "{{ ipa_password | default('') }}"
          env_var: "{{ lookup('env', 'IPA_PASSWORD') }}"

    - name: set IPA server facts
      set_fact:
        ipa_principal: "{{ tripleo_ipa_principal | default(lookup('env', 'IPA_PRINCIPAL')) }}"
        ipa_password: "{{ tripleo_ipa_password | default(lookup('env', 'IPA_PASSWORD')) }}"

    - name: set keytab permissions facts
      set_fact:
        tripleo_ipa_perms:
          - {name: 'Modify host password', right: "write", type: "host", attrs: "userpassword"}
          - {name: 'Write host certificate', right: "write", type: "host", attrs: "usercertificate"}
          - {name: 'Modify host userclass', right: "write", type: "host", attrs: "userclass"}
          - {name: 'Modify service managedBy attribute', right: "write", type: "service", attrs: "managedby"}
        tripleo_ipa_privilege_perms:
          - 'System: add hosts'
          - 'System: remove hosts'
          - 'Modify host password'
          - 'Modify host userclass'
          - 'System: Modify hosts'
          - 'Modify service managedBy attribute'
          - 'System: Add krbPrincipalName to a Host'
          - 'System: Add Services'
          - 'System: Remove Services'
          - 'Revoke certificate'
          - 'System: manage host keytab'
          - 'System: Manage host certificates'
          - 'System: modify services'
          - 'System: manage service keytab'
          - 'System: read dns entries'
          - 'System: remove dns entries'
          - 'System: add dns entries'
          - 'System: update dns entries'
          - 'System: Modify Realm Domains'
          - 'Retrieve Certificates from the CA'

    # unfortunately we don't have ansible module yet to create perms
    # TODO(d34dh0r53): we should be able to obtain a token via curl
    # which will allow us to perform these operations without a kinit first.
    - name: add nova host management permissions
      shell: |
        ipa permission-find "{{ item.name }}"
        if [ $? -ne 0 ]; then
          ipa permission-add "{{ item.name }}" --right "{{ item.right }}" \
            --type "{{ item.type }}" --attrs "{{ item.attrs }}"
        fi        
      loop: "{{ tripleo_ipa_perms|flatten(levels=1) }}"

    # unfortunately we don't have ansible module yet to create privileges
    - name: add nova host privilege
      shell: |
        ipa privilege-find 'Nova Host Management'
        if [ $? -ne 0 ]; then
          ipa privilege-add --desc='Nova Host Management' 'Nova Host Management'
        fi        

    - name: add permissions to the nova host privilege
      shell: |
        ipa privilege-add-permission 'Nova Host Management' \
          --permission "{{ item }}"        
      register: add_perm_command
      failed_when:
        - add_perm_command.rc !=0
        - '"This entry is already a member" not in add_perm_command.stdout'
      loop: "{{ tripleo_ipa_privilege_perms|flatten(levels=1) }}"

    - name: add nova host manager role
      ipa_role:
        name: Nova Host Manager
        description: Nova Host Manager
        ipa_user: "{{ ipa_principal }}"
        ipa_pass: "{{ ipa_password }}"
        privilege:
          - Nova Host Management