Commit 97bd0b8b authored by Fabien Combernous's avatar Fabien Combernous

Merge branch '97-use-tasks-to-create-and-delete-human-admins-accounts' into 'master'

Resolve "rename task create_admin as manage_admin"

Closes #97

See merge request adullact/puppet-freeipa!102
parents 42bd36db c70087ae
......@@ -47,9 +47,10 @@ But, the module is more an idempotent installer of FreeIPA. So changing a value
## Usage
### Example usage:
### Examples of usage:
Deploy an IPA master :
Creating an IPA master :
```puppet
class {'freeipa':
ipa_role => 'master',
......@@ -66,7 +67,8 @@ class {'freeipa':
}
```
Adding a replica:
Add a replica:
```puppet
class {'freeipa':
ipa_role => 'replica',
......@@ -83,7 +85,8 @@ class {'freeipa':
}
```
Adding a client:
Add a client:
```puppet
class {'freeipa':
ipa_role => 'client',
......@@ -94,6 +97,14 @@ ipa_master_fqdn => 'ipa-server-1.example.lan',
}
```
Create an admin account with task :
`bolt task run freeipa::manage_admin operator_login='mylogin' operator_password='mysecret' ensure='present' login='jaimarre' firstname='Jean' lastname='Aimarre' password='newadminsecret' --nodes <ipamaster> --modulepath ~/modules`
Delete an admin account with task :
`bolt task run freeipa::manage_admin operator_login='mylogin' operator_password='mysecret' ensure='present' login='jaimarre' --nodes <ipamaster> --modulepath ~/modules`
### REFERENCE
A full description can be found in `REFERENCE.md`.
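Review bot: The delete example under `Delete an admin account with task :` passes `ensure='present'`, so as written it would attempt a create without firstname, lastname or password instead of removing the account; it should read `bolt task run freeipa::manage_admin operator_login='mylogin' operator_password='mysecret' ensure='absent' login='jaimarre' --nodes <ipamaster> --modulepath ~/modules`. Both examples put `operator_password` and `password` on the command line, where they end up in shell history and are visible to other local users via the process list while Bolt runs; a short sentence after the examples pointing readers to Bolt's mechanisms for supplying secrets from a file or prompt would be worth adding.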
......
......@@ -23,7 +23,7 @@ _Private Classes_
**Tasks**
* [`create_admin`](#create_admin): Create a new FreeIPA admin account
* [`manage_admin`](#manage_admin): Create a new FreeIPA admin account
## Classes
......@@ -353,7 +353,7 @@ include freeipa::install::autofs
## Tasks
### create_admin
### manage_admin
Create a new FreeIPA admin account
......@@ -377,23 +377,29 @@ Password of operator running the task
Data type: `String[1]`
Login name of created administrator account
Login name of managed administrator account
##### `ensure`
Data type: `Enum['present','absent']`
Whether the login account should exist or not
##### `firstname`
Data type: `String[1]`
Data type: `Optional[String[1]]`
First name of created administrator account
First name of managed administrator account
##### `lastname`
Data type: `String[1]`
Data type: `Optional[String[1]]`
Last name of created administrator account
Last name of managed administrator account
##### `password`
Data type: `String[8]`
Data type: `Optional[String[8]]`
Password of created administrator account
Password of managed administrator account
......@@ -2,7 +2,7 @@ require 'spec_helper_acceptance'
require 'beaker-task_helper/inventory'
require 'bolt_spec/run'
describe 'create_admin task' do
describe 'manage_admin task' do
include Beaker::TaskHelper::Inventory
include BoltSpec::Run
......@@ -14,14 +14,29 @@ describe 'create_admin task' do
hosts_to_inventory
end
it 'creates admin account' do
# rubocop:disable Style/BracesAroundHashParameters
result = run_task(
'freeipa::create_admin',
'master',
{ 'operator_login' => 'admin', 'operator_password' => 's^ecr@et.ea;R/O*=?j!.QsAu+$', 'login' => 'jaimarre', 'firstname' => 'Jean', 'lastname' => 'Aimarre', 'password' => 'adminsecret' }
)
# rubocop:enable Style/BracesAroundHashParameters
expect(result.first).to include('status' => 'success')
context 'with ensure present' do
it 'creates admin account' do
# rubocop:disable Style/BracesAroundHashParameters
result = run_task(
'freeipa::manage_admin',
'master',
{ 'operator_login' => 'admin', 'operator_password' => 's^ecr@et.ea;R/O*=?j!.QsAu+$', 'ensure' => 'present', 'login' => 'jaimarre', 'firstname' => 'Jean', 'lastname' => 'Aimarre', 'password' => 'adminsecret' }
)
# rubocop:enable Style/BracesAroundHashParameters
expect(result.first).to include('status' => 'success')
end
end
context 'with ensure absent' do
it 'deletes admin account' do
# rubocop:disable Style/BracesAroundHashParameters
result = run_task(
'freeipa::manage_admin',
'master',
{ 'operator_login' => 'admin', 'operator_password' => 's^ecr@et.ea;R/O*=?j!.QsAu+$', 'ensure' => 'absent', 'login' => 'jaimarre' }
)
# rubocop:enable Style/BracesAroundHashParameters
expect(result.first).to include('status' => 'success')
end
end
end
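Review bot: The `with ensure absent` example only succeeds if the `with ensure present` example ran first and created `jaimarre`, which holds only while RSpec keeps definition order; if the suite is ever run with random ordering or with `--example`, the delete runs against a missing account. Neither example checks the resulting state either: both assert only `'status' => 'success'`, so a task that returns success without touching the account would still pass. I would give the absent context its own `before` that runs the task with `'ensure' => 'present'` (same parameter hash as the create example), and in each context add a second `run_task` with the same `ensure` value and assert it also succeeds, which pins the idempotence the `ensure` parameter promises. The enclosing `describe 'manage_admin task'` block opens in the earlier hunk of this file.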
{
"puppet_task_version": 1,
"supports_noop": false,
"description": "Create a new FreeIPA admin account",
"parameters": {
"operator_login": {
"description": "FreeIPA login of operator running the task",
"type": "String[1]"
},
"operator_password": {
"description": "Password of operator running the task",
"type": "String[1]"
},
"login": {
"description": "Login name of created administrator account",
"type": "String[1]"
},
"firstname": {
"description": "First name of created administrator account",
"type": "String[1]"
},
"lastname": {
"description": "Last name of created administrator account",
"type": "String[1]"
},
"password": {
"description": "Password of created administrator account",
"type": "String[8]"
}
}
}
{
"puppet_task_version": 1,
"supports_noop": false,
"description": "Create a new FreeIPA admin account",
"parameters": {
"operator_login": {
"description": "FreeIPA login of operator running the task",
"type": "String[1]"
},
"operator_password": {
"description": "Password of operator running the task",
"type": "String[1]"
},
"login": {
"description": "Login name of managed administrator account",
"type": "String[1]"
},
"ensure": {
"description": "Whether the login account should exist or not",
"type": "Enum['present','absent']"
},
"firstname": {
"description": "First name of managed administrator account",
"type": "Optional[String[1]]"
},
"lastname": {
"description": "Last name of managed administrator account",
"type": "Optional[String[1]]"
},
"password": {
"description": "Password of managed administrator account",
"type": "Optional[String[8]]"
}
}
}
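Review bot: The `description` field of the new metadata still says `"Create a new FreeIPA admin account"` although the task now also deletes accounts; it should read `"description": "Create or delete a FreeIPA admin account"`. `firstname`, `lastname` and `password` are declared `Optional` but are required when `ensure` is `present`, and task metadata cannot express that conditional requirement, so state it in each description (e.g. `"First name of managed administrator account (required when ensure is present)"`) and validate it in the script before anything is run against the server. `operator_password` and `password` are plain `String` parameters; if the Bolt version in use supports the `sensitive` parameter flag in task metadata, marking both keeps the values out of task output and logs.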
#!/usr/bin/env bash
#
# Create an admin account of FreeIPA
# Create and delete an admin account of FreeIPA
KINIT_CMD='/usr/bin/kinit'
KDESTROY_CMD='/usr/bin/kdestroy'
......@@ -27,7 +27,7 @@ message() {
msg="action '${action}' on Kerberos ticket-granting ticket has failed."
fi
;;
user-add | group-add-member)
user-add | group-add-member | user-del)
if [ $status -eq 0 ]; then
msg="action '${action}' on IPA object is done."
else
......@@ -138,6 +138,26 @@ ipa_group_add_admins() {
fi
}
#
# Delete user from FreeIPA
#
ipa_del_user() {
local login= retval=
login=$1
$IPA_CMD user-del $login
retval=$?
message 'user-del' $retval
if [ $retval -ne 0 ]; then
krb_tgt destroy
exit $retval
else
return $retval
fi
}
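Review bot: `ipa_del_user` makes `ensure=absent` non-idempotent: when the account is already gone, `ipa user-del` returns non-zero as far as I know, so `message 'user-del'` reports a failure and the script destroys the ticket and exits, meaning a second run of the task fails instead of converging. Checking existence first and returning early when the user is absent, e.g. `$IPA_CMD user-show "$login" >/dev/null 2>&1 || return 0` before the `user-del`, keeps the task's `ensure` semantics; whether the existing `ipa_add_user` outside this hunk has the matching problem for `present` I cannot tell from here. The expansion should also be quoted, `$IPA_CMD user-del "$login"`, so a login containing whitespace or a glob character reaches `ipa` as one argument.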
#
# Main
......@@ -147,8 +167,18 @@ is_commands_installed $USED_COMMANDS
krb_tgt init $PT_operator_login $PT_operator_password
ipa_add_user $PT_login $PT_firstname $PT_lastname $PT_password
ipa_group_add_admins $PT_login
case $PT_ensure in
present)
ipa_add_user $PT_login $PT_firstname $PT_lastname $PT_password
ipa_group_add_admins $PT_login
;;
absent)
ipa_del_user $PT_login
;;
*)
msg="Unexpected ensure value '${PT_ensure}'"
exit 1
;;
esac
krb_tgt destroy
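Review bot: The `present` branch calls `ipa_add_user $PT_login $PT_firstname $PT_lastname $PT_password` with three parameters the new metadata declares `Optional`; an unset one expands to nothing and the remaining values shift into the wrong positional parameters inside `ipa_add_user` (e.g. the password becomes the last name), so the required ones should be checked before a ticket is obtained. In the `*)` branch `msg` is assigned but, within this hunk, nothing prints it, and the ticket obtained by `krb_tgt init` is left on disk because `exit 1` runs without `krb_tgt destroy`; with the `Enum` type Bolt rejects other values before the script runs, but the branch is reachable when the script is executed directly. I would validate up front and make the fallback branch clean up:
```bash
# firstname, lastname and password are Optional in the task metadata; an unset
# one would shift the positional arguments of ipa_add_user, so check before
# obtaining a ticket
if [ "$PT_ensure" = 'present' ]; then
  if [ -z "$PT_firstname" ] || [ -z "$PT_lastname" ] || [ -z "$PT_password" ]; then
    echo "ensure=present requires firstname, lastname and password" >&2
    exit 1
  fi
fi
krb_tgt init $PT_operator_login $PT_operator_password
case $PT_ensure in
  present)
    ipa_add_user "$PT_login" "$PT_firstname" "$PT_lastname" "$PT_password"
    ipa_group_add_admins "$PT_login"
    ;;
  # … unchanged: absent branch …
  *)
    echo "Unexpected ensure value '${PT_ensure}'" >&2
    krb_tgt destroy
    exit 1
    ;;
esac
```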