diff --git a/lib/ansible/modules/cloud/ovirt/ovirt_role.py b/lib/ansible/modules/cloud/ovirt/ovirt_role.py new file mode 100644 index 00000000000..9f1d94e79aa --- /dev/null +++ b/lib/ansible/modules/cloud/ovirt/ovirt_role.py @@ -0,0 +1,190 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- +# +# Copyright (c) 2016 Red Hat, Inc. +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +ANSIBLE_METADATA = {'metadata_version': '1.1', + 'status': ['preview'], + 'supported_by': 'community'} + +DOCUMENTATION = ''' +--- +module: ovirt_role +short_description: Module to manage roles in oVirt/RHV +version_added: "2.8" +author: "Martin Necas (@mnecas)" +description: + - "Module to manage roles in oVirt/RHV." +options: + name: + description: + - "Name of the role to manage." + id: + description: + - "ID of the role to manage." + description: + description: + - "Description of the role." + state: + description: + - "Should the role be present/absent." + choices: ['present', 'absent'] + default: present + administrative: + description: + - "Defines the role as administrative-only or not." + type: bool + permits: + description: + - "List of permits which role will have" + - "Permit 'login' is default and all roles will have it." + - "List can contain name of permit." +extends_documentation_fragment: ovirt +''' + +EXAMPLES = ''' +# Examples don't contain auth parameter for simplicity, +# look at ovirt_auth module to see how to reuse authentication: + +# Create administrative role with two permits +- ovirt_role: + name: role + administrative: true + permits: + - manipulate_permissions + - create_instance + +# Remove role +- ovirt_role: + name: role + state: absent + +# Remove all permit +- ovirt_role: + name: role + administrative: ture + permits: + - login +''' + +RETURN = ''' +ovirt_role: + description: "List of dictionaries describing the Roles. Role attributes are mapped to dictionary keys, + all Roles attributes can be found at following url: http://ovirt.github.io/ovirt-engine-api-model/master/#types/role." + returned: On success. + type: list +''' + +from ansible.module_utils.ovirt import ( + BaseModule, + check_sdk, + convert_to_bytes, + create_connection, + equal, + get_dict_of_struct, + get_link_name, + get_id_by_name, + ovirt_full_argument_spec, + search_by_attributes, + search_by_name, +) +from ansible.module_utils.basic import AnsibleModule +import traceback + +try: + import ovirtsdk4.types as otypes +except ImportError: + pass + + +class RoleModule(BaseModule): + def build_entity(self): + if 'login' not in self.param('permits'): + self.param('permits').append('login') + all_permits = self.get_all_permits() + return otypes.Role( + id=self.param('id'), + name=self.param('name'), + administrative=self.param('administrative') if self.param( + 'administrative') else None, + permits=[ + otypes.Permit(id=all_permits.get(new_permit)) for new_permit in self.param('permits') + ] if self.param('permits') else None, + description=self.param('description') if self.param('administrative') else None, + ) + + def get_all_permits(self): + return dict((permit.name, permit.id) for permit in self._connection.system_service().cluster_levels_service().level_service('4.3').get().permits) + + def update_check(self, entity): + def check_permits(): + if self.param('permits'): + if 'login' not in self.param('permits'): + self.param('permits').append('login') + permits_service = self._service.service(entity.id).permits_service() + current = [er.name for er in permits_service.list()] + passed = [pr for pr in self.param('permits')] + if not sorted(current) == sorted(passed): + if self._module.check_mode: + return False + # remove all + for permit in permits_service.list(): + permits_service.permit_service(permit.id).remove() + # add passed permits + all_permits = self.get_all_permits() + for new_permit in passed: + permits_service.add(otypes.Permit(id=all_permits.get(new_permit))) + return False + return True + + return ( + check_permits() and + equal(self.param('administrative'), entity.administrative) and + equal(self.param('description'), entity.description) + ) + + +def main(): + argument_spec = ovirt_full_argument_spec( + state=dict( + choices=['present', 'absent'], + default='present', + ), + id=dict(default=None), + name=dict(default=None), + description=dict(default=None), + administrative=dict(type='bool', default=False), + permits=dict(type='list', default=[]), + ) + module = AnsibleModule( + argument_spec=argument_spec, + supports_check_mode=True, + required_one_of=[['id', 'name']], + ) + + check_sdk(module) + + try: + auth = module.params.pop('auth') + connection = create_connection(auth) + roles_service = connection.system_service().roles_service() + roles_module = RoleModule( + connection=connection, + module=module, + service=roles_service, + ) + state = module.params['state'] + if state == 'present': + ret = roles_module.create() + elif state == 'absent': + ret = roles_module.remove() + module.exit_json(**ret) + except Exception as e: + module.fail_json(msg=str(e), exception=traceback.format_exc()) + finally: + connection.close(logout=auth.get('token') is None) + + +if __name__ == "__main__": + main()