Adding support for arbitrary roles

Author: Alex-Welsh

roles/pulp_content_guard/README.md

@@ -15,17 +15,20 @@ Role variables
   * `name` (Required)
   * `description`
   * `ca_certificate`
-  * `state` (default is `present`. Setting this value to `absent` will delete the content guard if it exists)
+  * `state` (Default is `present`. Setting this value to `absent` will delete the content guard if it exists)
 * `pulp_content_guard_rbac`: List of groups to create/update/delete. Default is an empty list. Each item is a dict containing:
   * `name` (Required)
-  * `download_groups` (list of groups to to be added to this content guard with the download role) 
+  * `roles` List of dict containing:
+    * `role` (role name)
+    * `groups` List of groups to be assigned the role
   * `state` (default is `present`. Setting this value to `absent` will delete the content guard if it exists)
 
+Note: groups assigned roles are evaluated against the content guard's current list of roles returned from the Pulp server API. Removing a group from the list of groups defined under any role in `pulp_content_guard_rbac[*].roles` will result in the group being removed, and adding a group will result in it being added. Adding an empty `groups:` for a role will result in all groups being removed from that role.
 
 Example playbook
 ----------------
 
-```
+```yaml
 ---
 - name: Create Pulp content guards
   any_errors_fatal: True
@@ -49,19 +52,20 @@ Example playbook
       pulp_username: admin
       pulp_password: "{{ secrets_pulp_admin_password }}"
       pulp_content_guard_rbac:
-        - name: alex-test-rbac_cg-1
-          description: test-description-edited
-          download_groups:
-            - alex-test-group-1
-            - alex-test-group-2
+        - name: test_rbac_cg_1
+          description: test content guard number 1
+          roles:
+            - role: core.rbaccontentguard_downloader
+              groups:
+            - role: core.rbaccontentguard_viewer
           state: present
-        - name: alex-test-rbac_cg-2
-          description: test-description2-edited
-          download_groups:
-            - alex-test-group-2
-        - name: alex-test-rbac_cg-3
-          description: test-description3-edited
-          download_groups:
-            - alex-test-group-1
+        - name: test_rbac_cg_2
           state: absent
+        - name: test_rbac_cg_3
+          description: test content guard number 3
+          roles:
+            - role: core.rbaccontentguard_viewer
+              groups:
+                - test_group_1
+                - test_group_2
 ```

roles/pulp_content_guard/tasks/main.yml

@@ -14,4 +14,4 @@
     label: "{{ item.name }}"
 
 - name: Ensure RBAC cert guards exist
-  include_tasks: rbac/rbac.yml
+  import_tasks: rbac/rbac.yml

roles/pulp_content_guard/tasks/rbac/add_or_remove_group_roles.yml

@@ -0,0 +1,65 @@
+---
+
+- name: Initialise facts
+  set_fact:
+    new_roles: []
+    current_roles: []
+
+- name: Get RBAC content guard list
+  uri:
+    url: "{{ pulp_rbac_cg_url }}"
+    user: "{{ pulp_username }}"
+    password: "{{ pulp_password }}"
+    method: GET
+    status_code: 200
+    force_basic_auth: true
+  no_log: true
+  register: rbac_cg_list_result
+
+- name: Get current roles associated with content guard
+  vars:
+    url_query: "[?name=='{{ content_guard.name }}'].pulp_href"
+  set_fact:
+    given_cg_href: "{{ rbac_cg_list_result.json.results | json_query(url_query) | first | default([]) }}"
+
+- name: Get role list
+  uri:
+    url: "{{ pulp_url }}{{ given_cg_href }}list_roles/"
+    user: "{{ pulp_username }}"
+    password: "{{ pulp_password }}"
+    method: GET
+    status_code: 200
+    force_basic_auth: true
+  no_log: true
+  register: role_list_result
+
+- name: Remove unused roles
+  vars:
+    rolenames: "{{ content_guard.roles | default([]) | map(attribute='role') | list }}"
+    url_query: "[?name=='{{ content_guard.name }}'].pulp_href"
+  uri:
+    url: "{{ pulp_url }}{{ rbac_cg_list_result.json.results | json_query(url_query) | first }}remove_role/"
+    user: "{{ pulp_username }}"
+    password: "{{ pulp_password }}"
+    force_basic_auth: true
+    method: POST
+    status_code: 201
+    body:
+      role: "{{ item.role }}"
+      groups: "{{ item.groups }}"
+    body_format: form-urlencoded
+  # debug:
+  #   msg: "{{ item.role }}"
+  loop: "{{ role_list_result.json.roles }}"
+  # no_log: true
+  register: result
+  when:
+    - item.role not in rolenames
+    - item.users == []
+  changed_when: result.status == 201
+
+- name: Loop on new roles
+  include_tasks: add_or_remove_groups_from_role.yml
+  loop: "{{ content_guard.roles | default([]) }}"
+  loop_control:
+    loop_var: rbac_cg_new_role

roles/pulp_content_guard/tasks/rbac/add_or_remove_groups.yml

@@ -0,0 +1,47 @@
+---
+
+- name: Set fact current groups
+  vars:
+    role_query: "[?role=='{{ rbac_cg_new_role.role }}'].groups"
+  set_fact:
+    current_groups: "{{ role_list_result.json.roles | json_query(role_query) | first | default([]) }}"
+
+- name: Add new group to role
+  vars:
+    url_query: "[?name=='{{ content_guard.name }}'].pulp_href"
+  uri:
+    url: "{{ pulp_url }}{{ rbac_cg_list_result.json.results | json_query(url_query) | first }}add_role/"
+    user: "{{ pulp_username }}"
+    password: "{{ pulp_password }}"
+    force_basic_auth: true
+    method: POST
+    status_code: 201
+    body:
+      role: "{{ rbac_cg_new_role.role }}"
+      groups: "{{ item }}"
+    body_format: form-urlencoded
+  # no_log: true
+  register: result
+  loop: "{{ rbac_cg_new_role.groups | default([], true) }}"
+  when: item not in current_groups
+  changed_when: result.status == 201
+
+- name: Remove old group from role
+  vars:
+    url_query: "[?name=='{{ content_guard.name }}'].pulp_href"
+  uri:
+    url: "{{ pulp_url }}{{ rbac_cg_list_result.json.results | json_query(url_query) | first }}remove_role/"
+    user: "{{ pulp_username }}"
+    password: "{{ pulp_password }}"
+    force_basic_auth: true
+    method: POST
+    status_code: 201
+    body:
+      role: "{{ rbac_cg_new_role.role }}"
+      groups: "{{ item }}"
+    body_format: form-urlencoded
+  # no_log: true
+  register: result
+  loop: "{{ current_groups }}"
+  when: item not in (rbac_cg_new_role.groups | default([]))
+  changed_when: result.status == 201

roles/pulp_content_guard/tasks/rbac/add_or_remove_groups_from_role.yml

@@ -11,6 +11,10 @@
   no_log: true
   register: rbac_cg_list_result
 
+- name: Initialise remove_rbac_cg
+  set_fact:
+    remove_rbac_cg: []
+
 - name: Set fact remove_rbac_cg
   set_fact:
     remove_rbac_cg: "{{ (remove_rbac_cg | default([])) + [item.name] }}"
@@ -32,11 +36,9 @@
       description: "{{ item.description | default(omit) }}"
     body_format: form-urlencoded
   loop: "{{ pulp_content_guard_rbac | default([], true) }}"
-  loop_control:
-    label: "{{ item.name }}"
   # no_log: true
   register: result
-  when: 
+  when:
     - item.name not in rbaccgnames
     - item.state | default('present') != 'absent'
   changed_when: result.status == 201
@@ -58,17 +60,17 @@
   loop: "{{ pulp_content_guard_rbac | default([], true) }}"
   # no_log: true
   register: result
-  when: 
+  when:
     - item.name in rbaccgnames
     - item.state | default('present') != 'absent'
-  changed_when: 
+  changed_when:
   # The pulp API currently does not report when a change is made, so we must
   # manually check
-  - result.json not in rbac_cg_list_result.json.results
-  - result.status == 200
+    - result.json not in rbac_cg_list_result.json.results
+    - result.status == 200
 
-- name: Add or remove group(s) from content guard
-  include_tasks: add_or_remove_groups.yml
+- name: Add or remove group roles from content guard
+  include_tasks: add_or_remove_group_roles.yml
   loop: "{{ pulp_content_guard_rbac | default([], true) }}"
   loop_control:
     loop_var: content_guard

roles/pulp_content_guard/tasks/rbac/rbac.yml

@@ -25,7 +25,7 @@ Role variables
 Example playbook
 ----------------
 
-```
+```yaml
 ---
 - name: Manage Pulp distributions
   any_errors_fatal: True

roles/pulp_distribution/README.md

@@ -22,7 +22,7 @@ Note: User groups are evauluated against the user's current list of groups retur
 Example playbook
 ----------------
 
-```
+```yaml
 ---
 - name: Create Pulp Django users
   gather_facts: True

roles/pulp_django_user/README.md

@@ -3,14 +3,14 @@ pulp_group
 
 This role creates and deletes Pulp groups using the Pulp API. 
 
-To add users to groups or add groups to content guards, use the pulp_user and pulp_content_guard_rbac roles respectively.
+To add users to groups or add groups to content guards, use the pulp_user and pulp_content_guard roles respectively.
 
 Role variables
 --------------
 
 * `pulp_url`: URL of Pulp server. Default is `https://localhost:8080`
-* `pulp_admin_username`: Username used to access Pulp server. Default is `admin`
-* `pulp_admin_password`: Password used to access Pulp server. Default is unset
+* `pulp_username`: Username used to access Pulp server. Default is `admin`
+* `pulp_password`: Password used to access Pulp server. Default is unset
 * `pulp_groups`: List of groups to be created/updated/deleted. Default is an empty list. Each item is a dict containing:
   * `name` (Required)
   * `state` (default is `present`. Setting this value to `absent` will delete the use if it exists)
@@ -20,17 +20,17 @@ Role variables
 Example playbook
 ----------------
 
-```
+```yaml
 ---
 - name: Create and delete groups
   gather_facts: True
   hosts: localhost
   roles:
     - role: stackhpc.pulp.pulp_group
       pulp_url: https://pulp.example.com
-      pulp_admin_username: admin
-      pulp_admin_password: "{{ secrets_pulp_admin_password }}"
-      pulp_groups_present:
+      pulp_username: admin
+      pulp_password: "{{ secrets_pulp_admin_password }}"
+      pulp_groups:
         - name: example-group-1
           state: present
         - name: example-group-2

roles/pulp_group/README.md

@@ -1,8 +1,7 @@
 ---
 pulp_url: https://localhost:8080
-pulp_admin_username: admin
-pulp_admin_password:
+pulp_username: admin
+pulp_password:
 pulp_validate_certs: true
 
-pulp_groups_present: []
-pulp_groups_absent: []
+pulp_groups: []