|
|
|
@ -1,4 +1,6 @@
|
|
|
|
#!/usr/bin/python
|
|
|
|
#!/usr/bin/python
|
|
|
|
|
|
|
|
# -*- coding: utf-8 -*-
|
|
|
|
|
|
|
|
|
|
|
|
# Copyright: (c) 2017, Ansible Project
|
|
|
|
# Copyright: (c) 2017, Ansible Project
|
|
|
|
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
|
|
|
|
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
|
|
|
|
|
|
|
|
|
|
|
|
@ -9,7 +11,7 @@ ANSIBLE_METADATA = {'metadata_version': '1.1',
|
|
|
|
'status': ['preview'],
|
|
|
|
'status': ['preview'],
|
|
|
|
'supported_by': 'certified'}
|
|
|
|
'supported_by': 'certified'}
|
|
|
|
|
|
|
|
|
|
|
|
DOCUMENTATION = '''
|
|
|
|
DOCUMENTATION = r'''
|
|
|
|
---
|
|
|
|
---
|
|
|
|
module: cyberark_user
|
|
|
|
module: cyberark_user
|
|
|
|
short_description: Module for CyberArk User Management using PAS Web Services SDK
|
|
|
|
short_description: Module for CyberArk User Management using PAS Web Services SDK
|
|
|
|
@ -19,99 +21,109 @@ author:
|
|
|
|
- erasmix (@erasmix)
|
|
|
|
- erasmix (@erasmix)
|
|
|
|
version_added: 2.4
|
|
|
|
version_added: 2.4
|
|
|
|
description:
|
|
|
|
description:
|
|
|
|
- CyberArk User Management using PAS Web Services SDK. It currently supports the following
|
|
|
|
- CyberArk User Management using PAS Web Services SDK.
|
|
|
|
actions Get User Details, Add User, Update User, Delete User.
|
|
|
|
- It currently supports the following actions Get User Details, Add User, Update User, Delete User.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
options:
|
|
|
|
options:
|
|
|
|
username:
|
|
|
|
username:
|
|
|
|
required: True
|
|
|
|
|
|
|
|
description:
|
|
|
|
description:
|
|
|
|
- The name of the user who will be queried (for details), added, updated or deleted.
|
|
|
|
- The name of the user who will be queried (for details), added, updated or deleted.
|
|
|
|
|
|
|
|
type: str
|
|
|
|
|
|
|
|
required: True
|
|
|
|
state:
|
|
|
|
state:
|
|
|
|
default: present
|
|
|
|
|
|
|
|
choices: [present, absent]
|
|
|
|
|
|
|
|
description:
|
|
|
|
description:
|
|
|
|
- Specifies the state needed for the user
|
|
|
|
- Specifies the state needed for the user present for create user, absent for delete user.
|
|
|
|
present for create user, absent for delete user.
|
|
|
|
type: str
|
|
|
|
|
|
|
|
choices: [ absent, present ]
|
|
|
|
|
|
|
|
default: present
|
|
|
|
cyberark_session:
|
|
|
|
cyberark_session:
|
|
|
|
required: True
|
|
|
|
|
|
|
|
description:
|
|
|
|
description:
|
|
|
|
- Dictionary set by a CyberArk authentication containing the different values to perform actions on a logged-on CyberArk session,
|
|
|
|
- Dictionary set by a CyberArk authentication containing the different values to perform actions on a logged-on CyberArk session,
|
|
|
|
please see M(cyberark_authentication) module for an example of cyberark_session.
|
|
|
|
please see M(cyberark_authentication) module for an example of cyberark_session.
|
|
|
|
|
|
|
|
type: dict
|
|
|
|
|
|
|
|
required: True
|
|
|
|
initial_password:
|
|
|
|
initial_password:
|
|
|
|
description:
|
|
|
|
description:
|
|
|
|
- The password that the new user will use to log on the first time. This password must meet the password policy requirements.
|
|
|
|
- The password that the new user will use to log on the first time.
|
|
|
|
this parameter is required when state is present -- Add User.
|
|
|
|
- This password must meet the password policy requirements.
|
|
|
|
|
|
|
|
- This parameter is required when state is present -- Add User.
|
|
|
|
|
|
|
|
type: str
|
|
|
|
new_password:
|
|
|
|
new_password:
|
|
|
|
description:
|
|
|
|
description:
|
|
|
|
- The user updated password. Make sure that this password meets the password policy requirements.
|
|
|
|
- The user updated password. Make sure that this password meets the password policy requirements.
|
|
|
|
|
|
|
|
type: str
|
|
|
|
email:
|
|
|
|
email:
|
|
|
|
description:
|
|
|
|
description:
|
|
|
|
- The user email address.
|
|
|
|
- The user email address.
|
|
|
|
|
|
|
|
type: str
|
|
|
|
first_name:
|
|
|
|
first_name:
|
|
|
|
description:
|
|
|
|
description:
|
|
|
|
- The user first name.
|
|
|
|
- The user first name.
|
|
|
|
|
|
|
|
type: str
|
|
|
|
last_name:
|
|
|
|
last_name:
|
|
|
|
description:
|
|
|
|
description:
|
|
|
|
- The user last name.
|
|
|
|
- The user last name.
|
|
|
|
|
|
|
|
type: str
|
|
|
|
change_password_on_the_next_logon:
|
|
|
|
change_password_on_the_next_logon:
|
|
|
|
type: bool
|
|
|
|
|
|
|
|
default: 'no'
|
|
|
|
|
|
|
|
description:
|
|
|
|
description:
|
|
|
|
- Whether or not the user must change their password in their next logon.
|
|
|
|
- Whether or not the user must change their password in their next logon.
|
|
|
|
Valid values = true/false.
|
|
|
|
type: bool
|
|
|
|
|
|
|
|
default: no
|
|
|
|
expiry_date:
|
|
|
|
expiry_date:
|
|
|
|
description:
|
|
|
|
description:
|
|
|
|
- The date and time when the user account will expire and become disabled.
|
|
|
|
- The date and time when the user account will expire and become disabled.
|
|
|
|
|
|
|
|
type: str
|
|
|
|
user_type_name:
|
|
|
|
user_type_name:
|
|
|
|
default: EPVUser
|
|
|
|
|
|
|
|
description:
|
|
|
|
description:
|
|
|
|
- The type of user.
|
|
|
|
- The type of user.
|
|
|
|
|
|
|
|
- The parameter defaults to C(EPVUser).
|
|
|
|
|
|
|
|
type: str
|
|
|
|
disabled:
|
|
|
|
disabled:
|
|
|
|
type: bool
|
|
|
|
|
|
|
|
default: 'no'
|
|
|
|
|
|
|
|
description:
|
|
|
|
description:
|
|
|
|
- Whether or not the user will be disabled. Valid values = true/false.
|
|
|
|
- Whether or not the user will be disabled.
|
|
|
|
|
|
|
|
type: bool
|
|
|
|
|
|
|
|
default: no
|
|
|
|
location:
|
|
|
|
location:
|
|
|
|
description:
|
|
|
|
description:
|
|
|
|
- The Vault Location for the user.
|
|
|
|
- The Vault Location for the user.
|
|
|
|
|
|
|
|
type: str
|
|
|
|
group_name:
|
|
|
|
group_name:
|
|
|
|
description:
|
|
|
|
description:
|
|
|
|
- The name of the group the user will be added to.
|
|
|
|
- The name of the group the user will be added to.
|
|
|
|
|
|
|
|
type: str
|
|
|
|
'''
|
|
|
|
'''
|
|
|
|
|
|
|
|
|
|
|
|
EXAMPLES = '''
|
|
|
|
EXAMPLES = r'''
|
|
|
|
- name: Logon to CyberArk Vault using PAS Web Services SDK
|
|
|
|
- name: Logon to CyberArk Vault using PAS Web Services SDK
|
|
|
|
cyberark_authentication:
|
|
|
|
cyberark_authentication:
|
|
|
|
api_base_url: "https://components.cyberark.local"
|
|
|
|
api_base_url: https://components.cyberark.local
|
|
|
|
use_shared_logon_authentication: true
|
|
|
|
use_shared_logon_authentication: yes
|
|
|
|
|
|
|
|
|
|
|
|
- name: Create user & immediately add it to a group
|
|
|
|
- name: Create user & immediately add it to a group
|
|
|
|
cyberark_user:
|
|
|
|
cyberark_user:
|
|
|
|
username: "username"
|
|
|
|
username: username
|
|
|
|
initial_password: "password"
|
|
|
|
initial_password: password
|
|
|
|
user_type_name: "EPVUser"
|
|
|
|
user_type_name: EPVUser
|
|
|
|
change_password_on_the_next_logon: false
|
|
|
|
change_password_on_the_next_logon: no
|
|
|
|
group_name: "GroupOfUsers"
|
|
|
|
group_name: GroupOfUser
|
|
|
|
state: present
|
|
|
|
state: present
|
|
|
|
cyberark_session: "{{ cyberark_session }}"
|
|
|
|
cyberark_session: '{{ cyberark_session }}'
|
|
|
|
|
|
|
|
|
|
|
|
- name: Make sure user is present and reset user credential if present
|
|
|
|
- name: Make sure user is present and reset user credential if present
|
|
|
|
cyberark_user:
|
|
|
|
cyberark_user:
|
|
|
|
username: "Username"
|
|
|
|
username: Username
|
|
|
|
new_password: "password"
|
|
|
|
new_password: password
|
|
|
|
disabled: false
|
|
|
|
disabled: no
|
|
|
|
state: present
|
|
|
|
state: present
|
|
|
|
cyberark_session: "{{ cyberark_session }}"
|
|
|
|
cyberark_session: '{{ cyberark_session }}'
|
|
|
|
|
|
|
|
|
|
|
|
- name: Logoff from CyberArk Vault
|
|
|
|
- name: Logoff from CyberArk Vault
|
|
|
|
cyberark_authentication:
|
|
|
|
cyberark_authentication:
|
|
|
|
state: absent
|
|
|
|
state: absent
|
|
|
|
cyberark_session: "{{ cyberark_session }}"
|
|
|
|
cyberark_session: '{{ cyberark_session }}'
|
|
|
|
'''
|
|
|
|
'''
|
|
|
|
|
|
|
|
|
|
|
|
RETURN = '''
|
|
|
|
RETURN = r'''
|
|
|
|
changed:
|
|
|
|
changed:
|
|
|
|
description: Whether there was a change done.
|
|
|
|
description: Whether there was a change done.
|
|
|
|
type: bool
|
|
|
|
type: bool
|
|
|
|
@ -133,7 +145,6 @@ status_code:
|
|
|
|
'''
|
|
|
|
'''
|
|
|
|
|
|
|
|
|
|
|
|
import json
|
|
|
|
import json
|
|
|
|
import traceback
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
from ansible.module_utils.basic import AnsibleModule
|
|
|
|
from ansible.module_utils.basic import AnsibleModule
|
|
|
|
from ansible.module_utils._text import to_text
|
|
|
|
from ansible.module_utils._text import to_text
|
|
|
|
@ -187,7 +198,6 @@ def user_details(module):
|
|
|
|
msg=("Unknown error while performing user_details."
|
|
|
|
msg=("Unknown error while performing user_details."
|
|
|
|
"\n*** end_point=%s%s\n%s" % (api_base_url, end_point, to_text(unknown_exception))),
|
|
|
|
"\n*** end_point=%s%s\n%s" % (api_base_url, end_point, to_text(unknown_exception))),
|
|
|
|
headers=headers,
|
|
|
|
headers=headers,
|
|
|
|
exception=traceback.format_exc(),
|
|
|
|
|
|
|
|
status_code=-1)
|
|
|
|
status_code=-1)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
@ -285,7 +295,6 @@ def user_add_or_update(module, HTTPMethod):
|
|
|
|
"\n*** end_point=%s%s\n%s" % (api_base_url, end_point, to_text(unknown_exception))),
|
|
|
|
"\n*** end_point=%s%s\n%s" % (api_base_url, end_point, to_text(unknown_exception))),
|
|
|
|
payload=payload,
|
|
|
|
payload=payload,
|
|
|
|
headers=headers,
|
|
|
|
headers=headers,
|
|
|
|
exception=traceback.format_exc(),
|
|
|
|
|
|
|
|
status_code=-1)
|
|
|
|
status_code=-1)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
@ -340,7 +349,6 @@ def user_delete(module):
|
|
|
|
msg=("Unknown error while performing user_delete."
|
|
|
|
msg=("Unknown error while performing user_delete."
|
|
|
|
"\n*** end_point=%s%s\n%s" % (api_base_url, end_point, to_text(unknown_exception))),
|
|
|
|
"\n*** end_point=%s%s\n%s" % (api_base_url, end_point, to_text(unknown_exception))),
|
|
|
|
headers=headers,
|
|
|
|
headers=headers,
|
|
|
|
exception=traceback.format_exc(),
|
|
|
|
|
|
|
|
status_code=-1)
|
|
|
|
status_code=-1)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
@ -390,7 +398,6 @@ def user_add_to_group(module):
|
|
|
|
"\n*** end_point=%s%s\n ==> %s" % (api_base_url, end_point, exception_text)),
|
|
|
|
"\n*** end_point=%s%s\n ==> %s" % (api_base_url, end_point, exception_text)),
|
|
|
|
payload=payload,
|
|
|
|
payload=payload,
|
|
|
|
headers=headers,
|
|
|
|
headers=headers,
|
|
|
|
exception=traceback.format_exc(),
|
|
|
|
|
|
|
|
status_code=http_exception.code)
|
|
|
|
status_code=http_exception.code)
|
|
|
|
|
|
|
|
|
|
|
|
except Exception as unknown_exception:
|
|
|
|
except Exception as unknown_exception:
|
|
|
|
@ -405,47 +412,51 @@ def user_add_to_group(module):
|
|
|
|
|
|
|
|
|
|
|
|
def main():
|
|
|
|
def main():
|
|
|
|
|
|
|
|
|
|
|
|
fields = {
|
|
|
|
module = AnsibleModule(
|
|
|
|
"username": {"required": True, "type": "str"},
|
|
|
|
argument_spec=dict(
|
|
|
|
"state": {"type": "str",
|
|
|
|
username=dict(type='str', required=True),
|
|
|
|
"choices": ["present", "absent"],
|
|
|
|
state=dict(type='str', default='present', choices=['absent', 'present']),
|
|
|
|
"default": "present"},
|
|
|
|
cyberark_session=dict(type='dict', required=True),
|
|
|
|
"cyberark_session": {"required": True, "type": "dict"},
|
|
|
|
initial_password=dict(type='str', no_log=True),
|
|
|
|
"initial_password": {"type": "str", "no_log": True},
|
|
|
|
new_password=dict(type='str', no_log=True),
|
|
|
|
"new_password": {"type": "str", "no_log": True},
|
|
|
|
email=dict(type='str'),
|
|
|
|
"email": {"type": "str"},
|
|
|
|
first_name=dict(type='str'),
|
|
|
|
"first_name": {"type": "str"},
|
|
|
|
last_name=dict(type='str'),
|
|
|
|
"last_name": {"type": "str"},
|
|
|
|
change_password_on_the_next_logon=dict(type='bool'),
|
|
|
|
"change_password_on_the_next_logon": {"type": "bool"},
|
|
|
|
expiry_date=dict(type='str'),
|
|
|
|
"expiry_date": {"type": "str"},
|
|
|
|
user_type_name=dict(type='str'),
|
|
|
|
"user_type_name": {"type": "str"},
|
|
|
|
disabled=dict(type='bool'),
|
|
|
|
"disabled": {"type": "bool"},
|
|
|
|
location=dict(type='str'),
|
|
|
|
"location": {"type": "str"},
|
|
|
|
group_name=dict(type='str'),
|
|
|
|
"group_name": {"type": "str"},
|
|
|
|
),
|
|
|
|
}
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
|
|
module = AnsibleModule(argument_spec=fields)
|
|
|
|
state = module.params['state']
|
|
|
|
|
|
|
|
new_password = module.params['new_password']
|
|
|
|
state = module.params["state"]
|
|
|
|
group_name = module.params['group_name']
|
|
|
|
|
|
|
|
|
|
|
|
changed = False
|
|
|
|
|
|
|
|
result = {}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if (state == "present"):
|
|
|
|
if (state == "present"):
|
|
|
|
(changed, result, status_code) = user_details(module)
|
|
|
|
(changed, result, status_code) = user_details(module)
|
|
|
|
if (status_code == 200): # user already exists
|
|
|
|
|
|
|
|
if ("new_password" in module.params):
|
|
|
|
if (status_code == 200):
|
|
|
|
# if new_password specified, proceed to update user credential
|
|
|
|
# User already exists
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# If new_password specified, proceed to update user credential
|
|
|
|
|
|
|
|
if (new_password is not None):
|
|
|
|
(changed, result, status_code) = user_add_or_update(module, "PUT")
|
|
|
|
(changed, result, status_code) = user_add_or_update(module, "PUT")
|
|
|
|
if ("group_name" in module.params and module.params["group_name"] is not None):
|
|
|
|
|
|
|
|
# if user exists, add to group if needed
|
|
|
|
if (group_name is not None):
|
|
|
|
|
|
|
|
# If user exists, add to group if needed
|
|
|
|
(changed, ignored_result, ignored_status_code) = user_add_to_group(module)
|
|
|
|
(changed, ignored_result, ignored_status_code) = user_add_to_group(module)
|
|
|
|
|
|
|
|
|
|
|
|
elif (status_code == 404):
|
|
|
|
elif (status_code == 404):
|
|
|
|
# user does not exist, proceed to create it
|
|
|
|
# User does not exist, proceed to create it
|
|
|
|
(changed, result, status_code) = user_add_or_update(module, "POST")
|
|
|
|
(changed, result, status_code) = user_add_or_update(module, "POST")
|
|
|
|
if (status_code == 201 and "group_name" in module.params and module.params["group_name"] is not None):
|
|
|
|
|
|
|
|
# if user was created, add to group if needed
|
|
|
|
if (status_code == 201 and group_name is not None):
|
|
|
|
|
|
|
|
# If user was created, add to group if needed
|
|
|
|
(changed, ignored_result, ignored_status_code) = user_add_to_group(module)
|
|
|
|
(changed, ignored_result, ignored_status_code) = user_add_to_group(module)
|
|
|
|
|
|
|
|
|
|
|
|
elif (state == "absent"):
|
|
|
|
elif (state == "absent"):
|
|
|
|
(changed, result, status_code) = user_delete(module)
|
|
|
|
(changed, result, status_code) = user_delete(module)
|
|
|
|
|
|
|
|
|
|
|
|
|
Dag Wieers
5 years ago
committed by