oVirt · mnecas · Sep 1, 2020 · Sep 1, 2020 · Sep 1, 2020 · Sep 1, 2020
@@ -0,0 +1,3 @@
+---
+data_center_state: 'present'
+hosts_var_name: 'hosts'
@@ -0,0 +1,15 @@
+---
+- name: oVirt infra
+  hosts: localhost
+  connection: local
+  gather_facts: false
+
+  vars_files:
+    - vars/ovirt_infra_vars.yml
+    # Contains encrypted `engine_password` varibale using ansible-vault
+    - vars/passwords.yml
+
+  roles:
+    - infra
+  collections:
+    - ovirt.ovirt
@@ -0,0 +1,43 @@
+---
+- name: oVirt infra
+  hosts: localhost
+  connection: local
+  gather_facts: false
+
+  vars:
+    recursive_cleanup: true
+    format_storages: true
+    data_center_name: Default
+    data_center_state: absent
+
+    engine_fqdn: ovirt-engine.example.com
+    engine_user: admin@internal
+    engine_cafile: /etc/pki/ovirt-engine/ca.pem
+
+  vars_files:
+    # Contains encrypted `engine_password` varibale using ansible-vault
+    - vars/passwords.yml
+
+  pre_tasks:
+    - name: Login to oVirt
+      ovirt_auth:
+        hostname: "{{ engine_fqdn }}"
+        username: "{{ engine_user }}"
+        password: "{{ engine_password }}"
+        ca_file: "{{ engine_cafile | default(omit) }}"
+        insecure: "{{ engine_insecure | default(true) }}"
+      tags:
+        - always
+
+  roles:
+    - infra
+
+  post_tasks:
+    - name: Logout from oVirt
+      ovirt_auth:
+        state: absent
+        ovirt_auth: "{{ ovirt_auth }}"
+      tags:
+        - always
+  collections:
+    - ovirt.ovirt
@@ -0,0 +1,108 @@
+---
+###########################
+# REST API variables
+###########################
+engine_fqdn: ovirt-engine.example.com
+engine_user: admin@internal
+engine_cafile: /etc/pki/ovirt-engine/ca.pem
+
+###########################
+# Common
+###########################
+compatibility_version: 4.4
+
+# Data center
+data_center_name: Default
+
+###########################
+# Clusters
+###########################
+clusters:
+ - name: Default
+   cpu_type: Intel Conroe Family
+   profile: production
+
+###########################
+# Hosts
+###########################
+hosts:
+ - name: host1
+   address: 1.2.3.5
+   cluster: Default
+   password: 123456
+ - name: host2
+   address: 1.2.3.6
+   cluster: Default
+   password: 123456
+
+###########################
+# Storage
+###########################
+storages:
+ data:
+  master: true
+  state: present
+  nfs:
+   address: 1.2.3.4
+   path: /om02
+
+###########################
+# Networks
+###########################
+logical_networks:
+ - name: int_network_002
+   clusters:
+    - name: Default
+      assigned: true
+      required: true
+      display: false
+      migration: true
+      gluster: false
+
+host_networks:
+ - name: host2
+   check: true
+   save: true
+   bond:
+    name: bond0
+    mode: 2
+    interfaces:
+     - eth1
+     - eth2
+   networks:
+    - name: int_network_002
+      boot_protocol: dhcp
+
+###########################
+# Users & Groups
+###########################
+users:
+ - name: user1
+   authz_name: internal-authz
+   password: 1234568
+   valid_to: "2018-01-01 00:00:00Z"
+ - name: user2
+   authz_name: internal-authz
+   password: 1234568
+   valid_to: "2018-01-01 00:00:00Z"
+
+user_groups:
+ - name: group1
+   authz_name: internal-authz
+   users:
+    - user1
+
+permissions:
+ - state: present
+   user_name: user1
+   authz_name: internal-authz
+   role: UserRole
+   object_type: cluster
+   object_name: Default
+
+ - state: present
+   group_name: group1
+   authz_name: internal-authz
+   role: UserRole
+   object_type: cluster
+   object_name: Default
@@ -0,0 +1,12 @@
+---
+# As an example this file is keep in plaintext, if you want to
+# encrypt this file, please execute following command:
+#
+#  $ ansible-vault encrypt passwords.yml
+#
+# It will ask you for a password, which you must then pass to
+# ansible interactively when executing the playbook.
+#
+# $ ansible-playbook myplaybook.yml --ask-vault-pass
+#
+engine_password: 123456
@@ -0,0 +1,62 @@
+oVirt AAA JDBC
+==============
+
+The `aaa_jdbc` role manages users and groups in an AAA JDBC extension.
+
+Role Variables
+--------------
+
+The items in `users` list can contain the following parameters:
+
+| Name          | Default value  | Description                           |
+|---------------|----------------|---------------------------------------|
+| state         | present        | Specifies whether the user is `present` or `absent`. |
+| name          | UNDEF          | Name of the user.                      |
+| authz_name    | UNDEF          | Authorization provider of the user.    |
+| password      | UNDEF          | Password of the user.                  |
+| valid_to      | UNDEF          | Specifies the date that the account remains valid. |
+| attributes    | UNDEF          | A dict of attributes related to the user. Available attributes: <ul><li>department</li><li>description</li><li>displayName</li><li>email</li><li>firstName</li><li>lasName</li><li>title</li></ul>|
+
+The items in `user_groups` list can contain the following parameters:
+
+| Name          | Default value  | Description                           |
+|---------------|----------------|---------------------------------------|
+| state         | present        | Specifies whether the group is `present` or `absent`. |
+| name          | UNDEF          | Name of the group.                     |
+| authz_name    | UNDEF          | Authorization provider of the group.   |
+| users         | UNDEF          | List of users that belong to this group. |
+
+Example Playbook
+----------------
+
+```yaml
+- name: oVirt AAA jdbc
+  hosts: localhost
+  connection: local
+  gather_facts: false
+
+  vars:
+    users:
+     - name: user1
+       authz_name: internal-authz
+       password: 1234568
+       valid_to: "2018-01-01 00:00:00Z"
+     - name: user2
+       authz_name: internal-authz
+       password: 1234568
+       valid_to: "2018-01-01 00:00:00Z"
+       attributes:
+         firstName: 'alice'
+         department: 'Quality Engineering'
+
+    user_groups:
+     - name: group1
+       authz_name: internal-authz
+       users:
+        - user1
+
+  roles:
+    - infra/roles/aaa_jdbc
+  collections:
+    - ovirt.ovirt
+```
@@ -0,0 +1,2 @@
+---
+aaa_jdbc_prefix: /usr/bin
@@ -0,0 +1,87 @@
+---
+################################
+## User & groups internal
+################################
+- name: Check if ovirt-aaa-jdbc-tool exists
+  stat:
+    path: "{{ aaa_jdbc_prefix }}/ovirt-aaa-jdbc-tool"
+  register: aaa_jdbc_path_stat
+  tags:
+    - ovirt-aaa-jdbc
+    - users
+
+- name: Fail the role if aaa-jdbc-tool don't exist
+  fail:
+    msg: "{{ aaa_jdbc_prefix }}/ovirt-aaa-jdbc-tool doesn't exist, are you on engine machine?"
+  when: not aaa_jdbc_path_stat.stat.exists
+  tags:
+    - ovirt-aaa-jdbc
+    - users
+
+- name: Manage internal users
+  no_log: true
+  command: "{{ aaa_jdbc_prefix }}/ovirt-aaa-jdbc-tool user {{ (item.state is undefined or item.state == 'present') | ternary('add','delete') }} {{ item.name }}"
+  with_items:
+    - "{{ users | default([]) }}"
+  register: out_users
+  changed_when: "out_users.rc != 5 and out_users.rc != 4"
+  # 5 == user already exists
+  # 4 == no user to be removed
+  # 0 == all OK
+  failed_when: "out_users.rc != 5 and out_users.rc != 0 and out_users.rc != 4"
+  tags:
+    - ovirt-aaa-jdbc
+    - users
+
+- name: Update users according to attributes
+  command: "{{ aaa_jdbc_prefix }}/ovirt-aaa-jdbc-tool user edit {{ item.name }} {% for attr, value in item['attributes'].iteritems() %} --attribute={{ attr }}='{{ value }}' {% endfor %}"
+  with_items:
+    - "{{ users | default([]) }}"
+  register: out_users
+  when: "item.attributes is defined"
+  changed_when: "out_users.rc != 5 and out_users.rc != 4"
+  # 5 == user already exists
+  # 4 == no user to be removed
+  # 0 == all OK
+  failed_when: "out_users.rc != 5 and out_users.rc != 0 and out_users.rc != 4"
+  tags:
+    - ovirt-aaa-jdbc
+    - users
+
+# FIXME: when user try to change the password which was already set in history
+# but is not current password we continue with changed=false:
+- name: Manage internal users passwords
+  no_log: true
+  command: "{{ aaa_jdbc_prefix }}/ovirt-aaa-jdbc-tool user password-reset {{ item.name }} --password=\"pass:{{ item.password }}\" --password-valid-to=\"{{ item.valid_to }}\""
+  with_items:
+    - "{{ users | default([]) }}"
+  register: out_users
+  changed_when: "out_users.rc != 1"
+  failed_when: "out_users.rc != 1 and out_users.rc != 0"
+  tags:
+    - ovirt-aaa-jdbc
+    - users
+
+- name: Manage internal groups
+  command: "{{ aaa_jdbc_prefix }}/ovirt-aaa-jdbc-tool group {{ (item.state is undefined or item.state == 'present') | ternary('add','delete') }} {{ item.name }}"
+  with_items:
+    - "{{ user_groups | default([]) }}"
+  register: out_groups
+  changed_when: "out_groups.rc != 5 and out_groups.rc != 4"
+  failed_when: "out_groups.rc != 5 and out_groups.rc != 0 and out_groups.rc != 4"
+  tags:
+    - ovirt-aaa-jdbc
+    - user_groups
+
+# FIXME: Support only add, if the user is removed from list, it's not removed from the group:
+- name: Manage groups members
+  command: "{{ aaa_jdbc_prefix }}/ovirt-aaa-jdbc-tool group-manage {{ (item.state is undefined or item.state == 'present') | ternary('useradd','userdel') }} {{ item.0.name }} --user {{ item.1 }}"
+  with_subelements:
+    - "{{ user_groups | default([]) }}"
+    - users
+  register: out_group_member
+  changed_when: "out_group_member.rc != 3 "
+  failed_when: "out_group_member.rc != 3 and out_group_member.rc != 0"
+  tags:
+    - ovirt-aaa-jdbc
+    - user_groups