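---
# manage-sudo-rules.yml — create and maintain FreeIPA sudo rules.
#
# This playbook provisions the sudo rules that enrolled clients pick up via SSSD
# (configured by the --sudo flag in freeipa-enroll.sh). Run it once when setting
# up the domain, and again whenever you add or change a rule.
#
# Default rules created (both match every command on every host, i.e.
# --cmdcat=all --hostcat=all):
#   allow_sudoers        Members of the 'sudoers' IPA group get full sudo (password required)
#   allow_sudo_nopasswd  Members of 'sudo-nopasswd' get full sudo (NOPASSWD)
#
# To grant a user sudo access:
#   ipa group-add-member sudoers --users=<username>
# To grant passwordless sudo:
#   ipa group-add-member sudo-nopasswd --users=<username>
#
# Scope and limitations:
#   - The playbook only adds. A rule removed from 'sudo_rules', or a group that
#     was replaced on a rule, is NOT revoked in IPA and keeps granting access
#     until removed by hand (ipa sudorule-del / ipa sudorule-remove-user).
#   - Flipping 'nopasswd' from true back to false IS handled: the
#     '!authenticate' option is removed from that rule.
#   - Every entry in 'sudo_rules' must set rule_name, group, description and
#     nopasswd (the selectattr filters below do not tolerate a missing key).
#   - The ipa CLI is driven directly so no extra collection is required; the
#     community.general.ipa_sudorule module is the module-based alternative.
#
# Prerequisites:
#   - Active admin Kerberos ticket on the target host: kinit admin
#   - ipa CLI available (run on the IPA server or any enrolled admin workstation)
#
# Usage:
#   kinit admin
#   ansible-playbook -i ipa-server.example.com, manage-sudo-rules.yml
#   # or, if 'ipa_server' is defined in your inventory:
#   ansible-playbook -i inventory manage-sudo-rules.yml

- name: Manage FreeIPA sudo rules
  hosts: "{{ ipa_admin_host | default('ipa_server') }}"
  # The ipa CLI authenticates with the caller's Kerberos ticket; root is not needed.
  become: false

  vars:
    # One entry per sudo rule. 'group' is the IPA user group the rule applies to;
    # 'nopasswd: true' adds the '!authenticate' sudo option (passwordless sudo).
    sudo_rules:
      - rule_name: allow_sudoers
        group: sudoers
        description: "Full sudo access for members of the sudoers group (password required)"
        nopasswd: false

      - rule_name: allow_sudo_nopasswd
        group: sudo-nopasswd
        description: "Full sudo access for members of sudo-nopasswd group (no password)"
        nopasswd: true

  tasks:

    # Fails fast when the CLI is missing or there is no valid ticket, before any
    # change is attempted.
    - name: Verify ipa command is available and authenticated
      ansible.builtin.command: ipa ping
      changed_when: false
      register: ipa_ping

    # Rule names, group names and descriptions are interpolated into shell
    # command lines, so each value goes through the 'quote' filter rather than
    # being wrapped in bare double quotes.
    - name: Ensure IPA user groups exist for each sudo rule
      ansible.builtin.shell: >
        ipa group-show {{ item.group | quote }} >/dev/null 2>&1 ||
        ipa group-add {{ item.group | quote }}
        --desc={{ item.description | quote }}
      register: group_result
      changed_when: "'Added group' in group_result.stdout"
      loop: "{{ sudo_rules }}"
      loop_control:
        label: "{{ item.group }}"

    # Rules are created with command and host category 'all': any command on
    # any enrolled host for the members assigned below.
    - name: Ensure sudo rules exist
      ansible.builtin.shell: >
        ipa sudorule-show {{ item.rule_name | quote }} >/dev/null 2>&1 ||
        ipa sudorule-add {{ item.rule_name | quote }}
        --desc={{ item.description | quote }}
        --cmdcat=all
        --hostcat=all
      register: rule_result
      changed_when: "'Added Sudo Rule' in rule_result.stdout"
      loop: "{{ sudo_rules }}"
      loop_control:
        label: "{{ item.rule_name }}"

    # Membership is checked against the 'User Groups:' line of sudorule-show
    # only, as an exact (-x -F) match of one comma-separated member. A plain
    # 'grep group' over the whole output also matches the rule name and the
    # description (e.g. 'allow_sudoers' and '... the sudoers group ...'), so the
    # add step would never run and the rule would stay without members.
    - name: Assign groups to their sudo rules
      ansible.builtin.shell: >
        ipa sudorule-show {{ item.rule_name | quote }} --all 2>/dev/null
        | sed -n 's/^ *User Groups: //p' | tr -d ' ' | tr ',' '\n'
        | grep -qxF -- {{ item.group | quote }}
        || ipa sudorule-add-user {{ item.rule_name | quote }}
        --groups={{ item.group | quote }}
      register: assign_result
      changed_when: "'Number of members added' in assign_result.stdout"
      loop: "{{ sudo_rules }}"
      loop_control:
        label: "{{ item.rule_name }} <- {{ item.group }}"

    # The option check is anchored to the 'Sudo Option:' line so a description
    # mentioning '!authenticate' cannot satisfy it.
    - name: Set NOPASSWD (sudooption !authenticate) on passwordless rules
      ansible.builtin.shell: >
        ipa sudorule-show {{ item.rule_name | quote }} --all 2>/dev/null
        | grep -q '^ *Sudo Option:.*!authenticate'
        || ipa sudorule-add-option {{ item.rule_name | quote }}
        --sudooption '!authenticate'
      register: nopasswd_result
      changed_when: "'Added option' in nopasswd_result.stdout"
      loop: "{{ sudo_rules | selectattr('nopasswd', 'equalto', true) | list }}"
      loop_control:
        label: "{{ item.rule_name }}"

    # Reverse of the task above: without it, setting nopasswd back to false would
    # leave passwordless sudo in place on a rule the playbook says requires a
    # password.
    - name: Remove NOPASSWD (sudooption !authenticate) from password-required rules
      ansible.builtin.shell: >
        if ipa sudorule-show {{ item.rule_name | quote }} --all 2>/dev/null
        | grep -q '^ *Sudo Option:.*!authenticate'; then
        ipa sudorule-remove-option {{ item.rule_name | quote }}
        --sudooption '!authenticate';
        fi
      register: nopasswd_removed
      changed_when: "'Removed option' in nopasswd_removed.stdout"
      loop: "{{ sudo_rules | selectattr('nopasswd', 'equalto', false) | list }}"
      loop_control:
        label: "{{ item.rule_name }}"

    - name: Show configured sudo rules
      ansible.builtin.command: ipa sudorule-find --all
      changed_when: false
      register: sudo_summary

    - name: Display sudo rules summary
      ansible.builtin.debug:
        var: sudo_summary.stdout_lines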