summaryrefslogtreecommitdiff
path: root/lib/ansible/modules/cloud/ovirt/ovirt_permission.py
diff options
context:
space:
mode:
Diffstat (limited to 'lib/ansible/modules/cloud/ovirt/ovirt_permission.py')
-rw-r--r--lib/ansible/modules/cloud/ovirt/ovirt_permission.py320
1 files changed, 0 insertions, 320 deletions
diff --git a/lib/ansible/modules/cloud/ovirt/ovirt_permission.py b/lib/ansible/modules/cloud/ovirt/ovirt_permission.py
deleted file mode 100644
index f494bdbb4f..0000000000
--- a/lib/ansible/modules/cloud/ovirt/ovirt_permission.py
+++ /dev/null
@@ -1,320 +0,0 @@
-#!/usr/bin/python
-# -*- coding: utf-8 -*-
-
-# Copyright: (c) 2017, Ansible Project
-# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
-
-ANSIBLE_METADATA = {'metadata_version': '1.1',
- 'status': ['preview'],
- 'supported_by': 'community'}
-
-DOCUMENTATION = '''
----
-module: ovirt_permission
-short_description: Module to manage permissions of users/groups in oVirt/RHV
-version_added: "2.3"
-author:
-- Ondra Machacek (@machacekondra)
-description:
- - Module to manage permissions of users/groups in oVirt/RHV.
-options:
- role:
- description:
- - Name of the role to be assigned to user/group on specific object.
- default: UserRole
- state:
- description:
- - Should the permission be present/absent.
- choices: [ absent, present ]
- default: present
- object_id:
- description:
- - ID of the object where the permissions should be managed.
- object_name:
- description:
- - Name of the object where the permissions should be managed.
- object_type:
- description:
- - The object where the permissions should be managed.
- choices:
- - cluster
- - cpu_profile
- - data_center
- - disk
- - disk_profile
- - host
- - network
- - storage_domain
- - system
- - template
- - vm
- - vm_pool
- - vnic_profile
- default: vm
- user_name:
- description:
- - Username of the user to manage. In most LDAPs it's I(uid) of the user,
- but in Active Directory you must specify I(UPN) of the user.
- - Note that if user does not exist in the system this module will fail,
- you should ensure the user exists by using M(ovirt_users) module.
- group_name:
- description:
- - Name of the group to manage.
- - Note that if group does not exist in the system this module will fail,
- you should ensure the group exists by using M(ovirt_groups) module.
- authz_name:
- description:
- - Authorization provider of the user/group.
- required: true
- aliases: [ domain ]
- namespace:
- description:
- - Namespace of the authorization provider, where user/group resides.
- quota_name:
- description:
- - Name of the quota to assign permission. Works only with C(object_type) I(data_center).
- version_added: "2.7"
-extends_documentation_fragment: ovirt
-'''
-
-EXAMPLES = '''
-# Examples don't contain auth parameter for simplicity,
-# look at ovirt_auth module to see how to reuse authentication:
-
-- name: Add user user1 from authorization provider example.com-authz
- ovirt_permission:
- user_name: user1
- authz_name: example.com-authz
- object_type: vm
- object_name: myvm
- role: UserVmManager
-
-- name: Remove permission from user
- ovirt_permission:
- state: absent
- user_name: user1
- authz_name: example.com-authz
- object_type: cluster
- object_name: mycluster
- role: ClusterAdmin
-
-- name: Assign QuotaConsumer role to user
- ovirt_permissions:
- state: present
- user_name: user1
- authz_name: example.com-authz
- object_type: data_center
- object_name: mydatacenter
- quota_name: myquota
- role: QuotaConsumer
-
-- name: Assign QuotaConsumer role to group
- ovirt_permissions:
- state: present
- group_name: group1
- authz_name: example.com-authz
- object_type: data_center
- object_name: mydatacenter
- quota_name: myquota
- role: QuotaConsumer
-'''
-
-RETURN = '''
-id:
- description: ID of the permission which is managed
- returned: On success if permission is found.
- type: str
- sample: 7de90f31-222c-436c-a1ca-7e655bd5b60c
-permission:
- description: "Dictionary of all the permission attributes. Permission attributes can be found on your oVirt/RHV instance
- at following url: http://ovirt.github.io/ovirt-engine-api-model/master/#types/permission."
- returned: On success if permission is found.
- type: dict
-'''
-
-try:
- import ovirtsdk4.types as otypes
-except ImportError:
- pass
-
-import traceback
-
-from ansible.module_utils.basic import AnsibleModule
-from ansible.module_utils.ovirt import (
- BaseModule,
- check_sdk,
- create_connection,
- equal,
- follow_link,
- get_link_name,
- ovirt_full_argument_spec,
- search_by_attributes,
- search_by_name,
- get_id_by_name
-)
-
-
-def _objects_service(connection, object_type):
- if object_type == 'system':
- return connection.system_service()
-
- return getattr(
- connection.system_service(),
- '%ss_service' % object_type,
- None,
- )()
-
-
-def _object_service(connection, module):
- object_type = module.params['object_type']
- objects_service = _objects_service(connection, object_type)
- if object_type == 'system':
- return objects_service
-
- object_id = module.params['object_id']
- if object_id is None:
- sdk_object = search_by_name(objects_service, module.params['object_name'])
- if sdk_object is None:
- raise Exception(
- "'%s' object '%s' was not found." % (
- module.params['object_type'],
- module.params['object_name']
- )
- )
- object_id = sdk_object.id
-
- object_service = objects_service.service(object_id)
- if module.params['quota_name'] and object_type == 'data_center':
- quotas_service = object_service.quotas_service()
- return quotas_service.quota_service(get_id_by_name(quotas_service, module.params['quota_name']))
- return object_service
-
-
-def _permission(module, permissions_service, connection):
- for permission in permissions_service.list():
- user = follow_link(connection, permission.user)
- if (
- equal(module.params['user_name'], user.principal if user else None) and
- equal(module.params['group_name'], get_link_name(connection, permission.group)) and
- equal(module.params['role'], get_link_name(connection, permission.role))
- ):
- return permission
-
-
-class PermissionsModule(BaseModule):
-
- def _user(self):
- user = search_by_attributes(
- self._connection.system_service().users_service(),
- usrname="{name}@{authz_name}".format(
- name=self._module.params['user_name'],
- authz_name=self._module.params['authz_name'],
- ),
- )
- if user is None:
- raise Exception("User '%s' was not found." % self._module.params['user_name'])
- return user
-
- def _group(self):
- groups = self._connection.system_service().groups_service().list(
- search="name={name}".format(
- name=self._module.params['group_name'],
- )
- )
-
- # If found more groups, filter them by namespace and authz name:
- # (filtering here, as oVirt/RHV backend doesn't support it)
- if len(groups) > 1:
- groups = [
- g for g in groups if (
- equal(self._module.params['namespace'], g.namespace) and
- equal(self._module.params['authz_name'], g.domain.name)
- )
- ]
- if not groups:
- raise Exception("Group '%s' was not found." % self._module.params['group_name'])
- return groups[0]
-
- def build_entity(self):
- entity = self._group() if self._module.params['group_name'] else self._user()
-
- return otypes.Permission(
- user=otypes.User(
- id=entity.id
- ) if self._module.params['user_name'] else None,
- group=otypes.Group(
- id=entity.id
- ) if self._module.params['group_name'] else None,
- role=otypes.Role(
- name=self._module.params['role']
- ),
- )
-
-
-def main():
- argument_spec = ovirt_full_argument_spec(
- state=dict(type='str', default='present', choices=['absent', 'present']),
- role=dict(type='str', default='UserRole'),
- object_type=dict(type='str', default='vm',
- choices=[
- 'cluster',
- 'cpu_profile',
- 'data_center',
- 'disk',
- 'disk_profile',
- 'host',
- 'network',
- 'storage_domain',
- 'system',
- 'template',
- 'vm',
- 'vm_pool',
- 'vnic_profile',
- ]),
- authz_name=dict(type='str', required=True, aliases=['domain']),
- object_id=dict(type='str'),
- object_name=dict(type='str'),
- user_name=dict(type='str'),
- group_name=dict(type='str'),
- namespace=dict(type='str'),
- quota_name=dict(type='str'),
- )
- module = AnsibleModule(
- argument_spec=argument_spec,
- supports_check_mode=True,
- )
-
- check_sdk(module)
-
- if (module.params['object_name'] is None and module.params['object_id'] is None) and module.params['object_type'] != 'system':
- module.fail_json(msg='"object_name" or "object_id" is required')
-
- if module.params['user_name'] is None and module.params['group_name'] is None:
- module.fail_json(msg='"user_name" or "group_name" is required')
-
- try:
- auth = module.params.pop('auth')
- connection = create_connection(auth)
- permissions_service = _object_service(connection, module).permissions_service()
- permissions_module = PermissionsModule(
- connection=connection,
- module=module,
- service=permissions_service,
- )
-
- permission = _permission(module, permissions_service, connection)
- state = module.params['state']
- if state == 'present':
- ret = permissions_module.create(entity=permission)
- elif state == 'absent':
- ret = permissions_module.remove(entity=permission)
-
- module.exit_json(**ret)
- except Exception as e:
- module.fail_json(msg=str(e), exception=traceback.format_exc())
- finally:
- connection.close(logout=auth.get('token') is None)
-
-
-if __name__ == "__main__":
- main()
View Lorry Controller Status