Merge pull request #52 from stackhpc/api-update

adding roles for users, groups and rbac-cg

Author: Alex-Welsh

roles/pulp_content_guard/README.md

@@ -10,22 +10,32 @@ Role variables
 * `pulp_username`: Username used to access Pulp server. Default is `admin`
 * `pulp_password`: Password used to access Pulp server. Default is unset
 * `pulp_validate_certs`: Whether to validate Pulp server certificate. Default is `true`
-* `pulp_content_guard_x509_cert_guards`: List of x509 cert guards. Each item is
-  a dict with the following keys: `name`, `description`, `ca_certificate`,
-  `state`.
+* `pulp_content_guard_x509_cert_guards`: List of x509 cert guards to create/update/delete. Each item is
+  a dict containing: 
+  * `name` (Required)
+  * `description`
+  * `ca_certificate`
+  * `state` (Default is `present`. Setting this value to `absent` will delete the content guard if it exists)
+* `pulp_content_guard_rbac`: List of RBAC content guards to create/update/delete. Default is an empty list. Each item is a dict containing:
+  * `name` (Required)
+  * `roles` List of dict containing:
+    * `role` (role name)
+    * `groups` List of groups to be assigned the role
+  * `state` (default is `present`. Setting this value to `absent` will delete the content guard if it exists)
 
+Note: groups assigned roles are evaluated against the content guard's current list of roles returned from the Pulp server API. Removing a group from the list of groups defined under any role in `pulp_content_guard_rbac[*].roles` will result in the group being removed, and adding a group will result in it being added. Adding an empty `groups:` for a role will result in all groups being removed from that role.
 
 Example playbook
 ----------------
 
-```
+```yaml
 ---
 - name: Create Pulp content guards
   any_errors_fatal: True
   gather_facts: True
   hosts: all
   roles:
-    - role: stackhpc.pulp.pulp_contentguard
+    - role: stackhpc.pulp.pulp_content_guard
       pulp_username: admin
       pulp_password: "{{ secrets_pulp_admin_password }}"
       pulp_content_guard_x509_cert_guards:
@@ -36,4 +46,26 @@ Example playbook
             ...
             -----END CERTIFICATE-----
           state: present
+          
+    - role: stackhpc.pulp.pulp_content_guard
+      pulp_url: http://localhost:8080
+      pulp_username: admin
+      pulp_password: "{{ secrets_pulp_admin_password }}"
+      pulp_content_guard_rbac:
+        - name: test_rbac_cg_1
+          description: test content guard number 1
+          roles:
+            - role: core.rbaccontentguard_downloader
+              groups:
+            - role: core.rbaccontentguard_viewer
+          state: present
+        - name: test_rbac_cg_2
+          state: absent
+        - name: test_rbac_cg_3
+          description: test content guard number 3
+          roles:
+            - role: core.rbaccontentguard_viewer
+              groups:
+                - test_group_1
+                - test_group_2
 ```

roles/pulp_content_guard/defaults/main.yml

@@ -5,3 +5,4 @@ pulp_password:
 pulp_validate_certs: true
 
 pulp_content_guard_x509_cert_guards: []
+pulp_content_guard_rbac: []

roles/pulp_content_guard/tasks/main.yml

@@ -12,3 +12,6 @@
   with_items: "{{ pulp_content_guard_x509_cert_guards }}"
   loop_control:
     label: "{{ item.name }}"
+
+- name: Ensure RBAC cert guards exist
+  import_tasks: rbac/rbac.yml

roles/pulp_content_guard/tasks/rbac/add_or_remove_group_roles.yml

@@ -0,0 +1,54 @@
+---
+
+- name: Initialise facts
+  set_fact:
+    new_roles: []
+    current_roles: []
+
+- name: Get RBAC content guard list
+  uri:
+    url: "{{ pulp_rbac_cg_url }}?name={{ content_guard.name }}"
+    user: "{{ pulp_username }}"
+    password: "{{ pulp_password }}"
+    method: GET
+    status_code: 200
+    force_basic_auth: true
+  register: rbac_cg_result
+
+- name: Get role list
+  uri:
+    url: "{{ pulp_url }}{{ (rbac_cg_result.json.results | first).pulp_href }}list_roles/"
+    user: "{{ pulp_username }}"
+    password: "{{ pulp_password }}"
+    method: GET
+    status_code: 200
+    force_basic_auth: true
+  register: role_list_result
+
+- name: Remove unused roles
+  vars:
+    rolenames: "{{ content_guard.roles | default([]) | map(attribute='role') | list }}"
+    url_query: "[?name=='{{ content_guard.name }}'].pulp_href"
+  uri:
+    url: "{{ pulp_url }}{{ (rbac_cg_result.json.results | first).pulp_href }}remove_role/"
+    user: "{{ pulp_username }}"
+    password: "{{ pulp_password }}"
+    force_basic_auth: true
+    method: POST
+    status_code: 201
+    body:
+      role: "{{ item.role }}"
+      groups: "{{ item.groups }}"
+    body_format: form-urlencoded
+  loop: "{{ role_list_result.json.roles }}"
+  register: result
+  when:
+    - item.role not in rolenames
+    - item.users == []
+  changed_when: result.status == 201
+
+- name: Loop on new roles
+  include_tasks: add_or_remove_groups_from_role.yml
+  loop: "{{ content_guard.roles | default([]) }}"
+  loop_control:
+    loop_var: rbac_cg_new_role

roles/pulp_content_guard/tasks/rbac/add_or_remove_groups_from_role.yml

@@ -0,0 +1,41 @@
+---
+
+- name: Set fact current groups
+  vars:
+    role_query: "[?role=='{{ rbac_cg_new_role.role }}'].groups"
+  set_fact:
+    current_groups: "{{ role_list_result.json.roles | json_query(role_query) | first | default([]) }}"
+
+- name: Add new group to role
+  uri:
+    url: "{{ pulp_url }}{{ (rbac_cg_result.json.results | first).pulp_href }}add_role/"
+    user: "{{ pulp_username }}"
+    password: "{{ pulp_password }}"
+    force_basic_auth: true
+    method: POST
+    status_code: 201
+    body:
+      role: "{{ rbac_cg_new_role.role }}"
+      groups: "{{ item }}"
+    body_format: form-urlencoded
+  register: result
+  loop: "{{ rbac_cg_new_role.groups | default([], true) }}"
+  when: item not in current_groups
+  changed_when: result.status == 201
+
+- name: Remove old group from role
+  uri:
+    url: "{{ pulp_url }}{{ (rbac_cg_result.json.results | first).pulp_href }}remove_role/"
+    user: "{{ pulp_username }}"
+    password: "{{ pulp_password }}"
+    force_basic_auth: true
+    method: POST
+    status_code: 201
+    body:
+      role: "{{ rbac_cg_new_role.role }}"
+      groups: "{{ item }}"
+    body_format: form-urlencoded
+  register: result
+  loop: "{{ current_groups }}"
+  when: item not in (rbac_cg_new_role.groups | default([]))
+  changed_when: result.status == 201

roles/pulp_content_guard/tasks/rbac/rbac.yml

@@ -0,0 +1,97 @@
+---
+
+- name: Get RBAC content guard list
+  uri:
+    url: "{{ pulp_rbac_cg_url }}"
+    user: "{{ pulp_username }}"
+    password: "{{ pulp_password }}"
+    method: GET
+    status_code: 200
+    force_basic_auth: true
+  register: rbac_cg_list_result
+
+- name: Initialise remove_rbac_cg
+  set_fact:
+    remove_rbac_cg: []
+
+- name: Set fact remove_rbac_cg
+  set_fact:
+    remove_rbac_cg: "{{ (remove_rbac_cg | default([])) + [item.name] }}"
+  when: item.state is defined and item.state == 'absent'
+  with_items: "{{ pulp_content_guard_rbac }}"
+
+- name: Create RBAC content guards
+  vars:
+    rbaccgnames: "{{ rbac_cg_list_result.json.results | map(attribute='name') | list }}"
+  uri:
+    url: "{{ pulp_rbac_cg_url }}"
+    user: "{{ pulp_username }}"
+    password: "{{ pulp_password }}"
+    force_basic_auth: true
+    method: POST
+    status_code: 201
+    body:
+      name: "{{ item.name }}"
+      description: "{{ item.description | default(None) }}"
+    body_format: form-urlencoded
+  loop: "{{ pulp_content_guard_rbac }}"
+  register: result
+  when:
+    - item.name not in rbaccgnames
+    - item.state is not defined or item.state != 'absent'
+  changed_when: result.status == 201
+
+- name: Update existing rbac content guards
+  vars:
+    rbaccgnames: "{{ rbac_cg_list_result.json.results | map(attribute='name') | list }}"
+    url_query: "[?name=='{{ item.name }}'].pulp_href"
+  uri:
+    url: "{{ pulp_url }}{{ rbac_cg_list_result.json.results | json_query(url_query) | first }}"
+    user: "{{ pulp_username }}"
+    password: "{{ pulp_password }}"
+    force_basic_auth: true
+    method: PATCH
+    body:
+      name: "{{ item.name }}"
+      description: "{{ item.description | default(None) }}"
+    body_format: form-urlencoded
+  loop: "{{ pulp_content_guard_rbac }}"
+  register: result
+  when:
+    - item.name in rbaccgnames
+    - item.state is not defined or item.state != 'absent'
+  changed_when:
+  # The pulp API currently does not report when a change is made, so we must
+  # manually check
+    - result.json not in rbac_cg_list_result.json.results
+    - result.status == 200
+
+- name: Add or remove group roles from content guard
+  include_tasks: add_or_remove_group_roles.yml
+  loop: "{{ pulp_content_guard_rbac | default([], true) }}"
+  loop_control:
+    loop_var: content_guard
+  when: not (content_guard.state is defined and content_guard.state == 'absent')
+
+- name: Initialise hrefs
+  set_fact:
+    hrefs: []
+
+- name: Set fact hrefs
+  set_fact:
+    hrefs: "{{ (hrefs | default([])) + [item.pulp_href] }}"
+  when: item.name in (remove_rbac_cg | default([]))
+  with_items: "{{ rbac_cg_list_result.json.results }}"
+
+- name: Delete RBAC content guards
+  uri:
+    url: "{{ pulp_url }}{{ item }}"
+    user: "{{ pulp_username }}"
+    password: "{{ pulp_password }}"
+    force_basic_auth: true
+    method: DELETE
+    status_code: 204
+    body_format: form-urlencoded
+  loop: "{{ hrefs }}"
+  register: result
+  changed_when: result.status == 204

roles/pulp_content_guard/vars/main.yml

@@ -0,0 +1,2 @@
+---
+pulp_rbac_cg_url: "{{ pulp_url }}/pulp/api/v3/contentguards/core/rbac/"

roles/pulp_distribution/README.md

@@ -25,7 +25,7 @@ Role variables
 Example playbook
 ----------------
 
-```
+```yaml
 ---
 - name: Manage Pulp distributions
   any_errors_fatal: True

roles/pulp_django_user/README.md

@@ -22,7 +22,7 @@ Note: User groups are evauluated against the user's current list of groups retur
 Example playbook
 ----------------
 
-```
+```yaml
 ---
 - name: Create Pulp Django users
   gather_facts: True

roles/pulp_group/README.md

@@ -0,0 +1,40 @@
+pulp_group
+================
+
+This role creates and deletes Pulp groups using the Pulp API. 
+
+To add users to groups or add groups to content guards, use the pulp_user and pulp_content_guard roles respectively.
+
+Role variables
+--------------
+
+* `pulp_url`: URL of Pulp server. Default is `https://localhost:8080`
+* `pulp_username`: Username used to access Pulp server. Default is `admin`
+* `pulp_password`: Password used to access Pulp server. Default is unset
+* `pulp_groups`: List of groups to be created/updated/deleted. Default is an empty list. Each item is a dict containing:
+  * `name` (Required)
+  * `state` (default is `present`. Setting this value to `absent` will delete the use if it exists)
+
+
+
+Example playbook
+----------------
+
+```yaml
+---
+- name: Create and delete groups
+  gather_facts: True
+  hosts: localhost
+  roles:
+    - role: stackhpc.pulp.pulp_group
+      pulp_url: https://pulp.example.com
+      pulp_username: admin
+      pulp_password: "{{ secrets_pulp_admin_password }}"
+      pulp_groups:
+        - name: example-group-1
+          state: present
+        - name: example-group-2
+          state: present
+        - name: example-group-3
+          state: absent
+```