adding roles for users, groups and rbac-cg

Author: Alex-Welsh

roles/pulp_content_guard_rbac/README.md

@@ -0,0 +1,41 @@
+pulp_content_guard_rbac
+================
+
+This role creates and deletes Pulp RBAC content guards using the Pulp API
+
+Role variables
+--------------
+
+* `pulp_url`: URL of Pulp server. Default is `https://localhost:8080`
+* `pulp_admin_username`: Username used to access Pulp server. Default is `admin`
+* `pulp_admin_password`: Password used to access Pulp server. Default is unset
+* `pulp_content_guards_rbac_present`: List of groups to be present. Default is an empty list.
+* `pulp_content_guards_rbac_absent`: List of groups to be absent. Default is an empty list.
+
+Note: The groups associated with specified content guards are evauluated against the user's current list of content guards, and their respective groups, returned from the Pulp server API. Removing a group from the list of groups defined in `pulp_content_guards_rbac_present[*].download_groups` will result in the group being removed from that content guard, and adding a group will result in the group being added to that content guard. Adding an empty `download_groups:` for a content guard will result in all groups being removed for that content guard.
+
+Example playbook
+----------------
+
+```
+---
+- name: Create and delete Pulp RBAC content guards
+  gather_facts: True
+  hosts: localhost
+  roles:
+    - role: stackhpc.pulp.pulp_content_guard_rbac
+      pulp_url: https://pulp.example.com
+      pulp_admin_username: admin
+      pulp_admin_password: "{{ secrets_pulp_admin_password }}"
+      pulp_content_guards_rbac_present:
+        - name: content-guard-1
+          download_groups:
+            - existing-group-1
+            - existing-group-2
+        - name: content-guard-2
+          download_groups:
+            - existing-group-3
+      pulp_content_guards_rbac_absent:
+        - content-guard-3
+        - content-guard-4
+```

roles/pulp_content_guard_rbac/defaults/main.yml

@@ -0,0 +1,8 @@
+---
+pulp_url: https://localhost:8080
+pulp_admin_username: admin
+pulp_admin_password:
+pulp_validate_certs: true
+
+pulp_content_guards_rbac_present: []
+pulp_content_guards_rbac_absent: []

roles/pulp_content_guard_rbac/tasks/main.yml

@@ -0,0 +1,68 @@
+---
+
+- name: Get RBAC content guard list
+  uri:
+    url: "{{ pulp_rbac_cg_url }}"
+    user: "{{ pulp_admin_username }}"
+    password: "{{ pulp_admin_password }}"
+    method: GET
+    status_code: 200
+    force_basic_auth: true
+  no_log: true
+  register: rbac_cg_list_result
+
+- name: Set fact cgnames
+  set_fact:
+    cgnames: "{{ (cgnames | default([])) + [item.name] }}"
+  with_items: "{{ rbac_cg_list_result.json.results }}"
+
+- name: Create RBAC content guards
+  uri:
+    url: "{{ pulp_rbac_cg_url }}"
+    user: "{{ pulp_admin_username }}"
+    password: "{{ pulp_admin_password }}"
+    force_basic_auth: true
+    method: POST
+    status_code: 201
+    body:
+      name: "{{ item.name }}"
+    body_format: form-urlencoded
+  loop: "{{ pulp_content_guards_rbac_present | default([], true) }}"
+  loop_control:
+    label: "{{ item.name }}"
+  no_log: true
+  register: result
+  when: item.name not in cgnames
+  changed_when: result.status == 201
+
+- name: Add or remove group(s) from content guard
+  include_tasks: rbac_group/add_or_remove_groups.yml
+  loop: "{{ pulp_content_guards_rbac_present | default([], true) }}"
+  loop_control:
+    loop_var: content_guard
+
+- name: Initialise hrefs
+  set_fact:
+    hrefs: []
+
+- name: Set fact hrefs
+  set_fact:
+    hrefs: "{{ (hrefs | default([])) + [item.pulp_href] }}"
+  when: item.name in (pulp_content_guards_rbac_absent | default([], true))
+  with_items: "{{ rbac_cg_list_result.json.results }}"
+
+- name: Delete RBAC content guards
+  uri:
+    url: "{{ pulp_url }}{{ item }}"
+    user: "{{ pulp_admin_username }}"
+    password: "{{ pulp_admin_password }}"
+    force_basic_auth: true
+    method: DELETE
+    status_code: 204
+    body_format: form-urlencoded
+  loop: "{{ hrefs | default([]) }}"
+  loop_control:
+    label: "{{ item }}"
+  no_log: true
+  register: result
+  changed_when: result.status == 204

roles/pulp_content_guard_rbac/tasks/rbac_group/add_or_remove_groups.yml

@@ -0,0 +1,77 @@
+---
+
+- name: Initialise facts
+  set_fact:
+    new_groups: []
+    current_groups: []
+
+- name: Get RBAC content guard list
+  uri:
+    url: "{{ pulp_rbac_cg_url }}"
+    user: "{{ pulp_admin_username }}"
+    password: "{{ pulp_admin_password }}"
+    method: GET
+    status_code: 200
+    force_basic_auth: true
+  no_log: true
+  register: rbac_cg_list_result
+
+- name: Set fact new groups names
+  set_fact:
+    new_groups: "{{ (new_groups | default([])) + [item] }}"
+  with_items: "{{ content_guard.download_groups | default([]) }}"
+
+- name: get current groups associated with content guard
+  vars:
+    url_query: "[?name=='{{ content_guard.name }}'].groups"
+  set_fact:
+    current_groups_full: "{{ rbac_cg_list_result.json.results | json_query(url_query) | first | default([]) }}"
+
+- name: Set fact current groups names
+  set_fact:
+    current_groups: "{{ (current_groups | default([])) + [item.name] }}"
+  with_items: "{{ current_groups_full }}"
+
+- name: Add groups to RBAC content guards
+  vars:
+    url_query: "[?name=='{{ content_guard.name }}'].pulp_href"
+  uri:
+    url: "{{ pulp_url }}{{ rbac_cg_list_result.json.results | json_query(url_query) | first }}add_role/"
+    user: "{{ pulp_admin_username }}"
+    password: "{{ pulp_admin_password }}"
+    force_basic_auth: true
+    method: POST
+    status_code: 201
+    body:
+      groups: "{{ item }}"
+      role: core.rbaccontentguard_downloader
+    body_format: form-urlencoded
+  loop: "{{ new_groups }}"
+  loop_control:
+    label: "{{ item }}"
+  # no_log: true
+  register: result
+  when: item not in current_groups
+  changed_when: result.status == 201
+
+- name: Remove groups from RBAC content guards
+  vars:
+    url_query: "[?name=='{{ content_guard.name }}'].pulp_href"
+  uri:
+    url: "{{ pulp_url }}{{ rbac_cg_list_result.json.results | json_query(url_query) | first }}remove_role/"
+    user: "{{ pulp_admin_username }}"
+    password: "{{ pulp_admin_password }}"
+    force_basic_auth: true
+    method: POST
+    status_code: 201
+    body:
+      groups: "{{ item }}"
+      role: core.rbaccontentguard_downloader
+    body_format: form-urlencoded
+  loop: "{{ current_groups }}"
+  loop_control:
+    label: "{{ item }}"
+  no_log: true
+  register: result
+  when: item not in new_groups
+  changed_when: result.status == 201

roles/pulp_content_guard_rbac/vars/main.yml

@@ -0,0 +1,2 @@
+---
+pulp_rbac_cg_url: "{{ pulp_url }}/pulp/api/v3/contentguards/core/rbac/"

roles/pulp_group/README.md

@@ -0,0 +1,37 @@
+pulp_group
+================
+
+This role creates and deletes Pulp groups using the Pulp API. 
+
+To add users to groups or add groups to content guards, use the pulp_user and pulp_content_guard_rbac roles respectively.
+
+Role variables
+--------------
+
+* `pulp_url`: URL of Pulp server. Default is `https://localhost:8080`
+* `pulp_admin_username`: Username used to access Pulp server. Default is `admin`
+* `pulp_admin_password`: Password used to access Pulp server. Default is unset
+* `pulp_groups_present`: List of groups to be present. Default is an empty list.
+* `pulp_groups_absent`: List of groups to be absent. Default is an empty list.
+
+
+
+Example playbook
+----------------
+
+```
+---
+- name: Create and delete groups
+  gather_facts: True
+  hosts: localhost
+  roles:
+    - role: stackhpc.pulp.pulp_group
+      pulp_url: https://pulp.example.com
+      pulp_admin_username: admin
+      pulp_admin_password: "{{ secrets_pulp_admin_password }}"
+      pulp_groups_present:
+        - example-group-1
+        - example-group-2
+      pulp_groups_absent:
+        - example-group-3
+```

roles/pulp_group/defaults/main.yml

@@ -0,0 +1,8 @@
+---
+pulp_url: https://localhost:8080
+pulp_admin_username: admin
+pulp_admin_password:
+pulp_validate_certs: true
+
+pulp_groups_present: []
+pulp_groups_absent: []

roles/pulp_group/tasks/main.yml

@@ -0,0 +1,61 @@
+---
+
+- name: Get group list
+  uri:
+    url: "{{ pulp_group_url }}"
+    user: "{{ pulp_admin_username }}"
+    password: "{{ pulp_admin_password }}"
+    method: GET
+    status_code: 200
+    force_basic_auth: true
+  no_log: true
+  register: groups_list_result
+
+- name: Set fact groupnames
+  set_fact:
+    groupnames: "{{ (groupnames | default([])) + [item.name] }}"
+  with_items: "{{ groups_list_result.json.results }}"
+
+- name: Create groups
+  uri:
+    url: "{{ pulp_group_url }}"
+    user: "{{ pulp_admin_username }}"
+    password: "{{ pulp_admin_password }}"
+    force_basic_auth: true
+    method: POST
+    status_code: 201
+    body:
+      name: "{{ item }}"
+    body_format: form-urlencoded
+  loop: "{{ pulp_groups_present | default([], true) }}"
+  no_log: true
+  register: result
+  when: 
+    - item not in groupnames
+  changed_when: result.status == 201
+
+- name: Initialise hrefs
+  set_fact:
+    hrefs: []
+
+- name: Set fact hrefs
+  set_fact:
+    hrefs: "{{ (hrefs|default([])) + [item.pulp_href] }}"
+  when: item.name in (pulp_groups_absent | default([], true))
+  with_items: "{{ groups_list_result.json.results }}"
+
+- name: Remove groups
+  uri:
+    url: "{{ pulp_url }}{{ item }}"
+    user: "{{ pulp_admin_username }}"
+    password: "{{ pulp_admin_password }}"
+    force_basic_auth: true
+    method: DELETE
+    status_code: 204
+    body_format: form-urlencoded
+  loop: "{{ hrefs | default([]) }}"
+  loop_control:
+    label: "{{ item }}"
+  no_log: true
+  register: result
+  changed_when: result.status == 204

roles/pulp_group/vars/main.yml

@@ -0,0 +1,2 @@
+---
+pulp_group_url: "{{ pulp_url }}/pulp/api/v3/groups/"

roles/pulp_user/README.md

@@ -0,0 +1,42 @@
+pulp_user
+================
+
+This role creates and deletes Pulp users using the Pulp API.
+
+Role variables
+--------------
+
+* `pulp_url`: URL of Pulp server. Default is `https://localhost:8080`
+* `pulp_admin_username`: Username used to access Pulp server. Default is `admin`
+* `pulp_admin_password`: Password used to access Pulp server. Default is unset
+* `pulp_users_present`: List of users to be present. Default is an empty list.
+* `pulp_users_absent`: List of users to be absent. Default is an empty list.
+
+Note: User groups are evaluated against the user's current list of groups returned from the Pulp server API. Removing a group from the list of groups defined in `pulp_users_present[*].groups` will result in the user being removed from that group, and adding a group will result in the user being added to that group. Adding an empty `groups:` for a user will result in that user being removed from all groups.
+
+Example playbook
+----------------
+
+```
+---
+- name: Create and delete users
+  gather_facts: True
+  hosts: localhost
+  roles:
+    - role: stackhpc.pulp.pulp_user
+      pulp_url: https://pulp.example.com
+      pulp_admin_username: admin
+      pulp_admin_password: "{{ secrets_pulp_admin_password }}"
+      pulp_users_present:
+        - username: example-user-1
+          password: correct horse battery staple
+          groups:
+            - existing.container.namespace.consumers.one
+            - existing.container.namespace.consumers.two
+        - username: example-user-2
+          password: germany ansible rain farmer
+          groups:
+            - existing.container.namespace.consumers.one
+      pulp_users_absent:
+        - example-user-3
+```