rabbitmq_user: Add update_password parameter (#36280)

* Add update_password parameter to rabbitmq_user Inspiration for this feature is taken from the `user` module. While `always` is the default in that module, it is not here. We default to `on_create` to avoid changing existing behaviour. Resolves #29260 * Update instructions for changing passwords * Bump version_added as requested * Check password before changing it This allows accurate reporting of changed status even though `rabbitmqctl change_password` doesn't. * Remove instruction to use 'force' to update password
6 years ago · d145dfbcf1
parent 5540a586dc
commit d145dfbcf1
1 changed files with 24 additions and 2 deletions
--- a/lib/ansible/modules/messaging/rabbitmq_user.py
+++ b/lib/ansible/modules/messaging/rabbitmq_user.py
@ -31,7 +31,7 @@ options:
    description:
      - Password of user to add.
      - To change the password of an existing user, you must also specify
-        C(force=yes).
+        C(update_password=always).
  tags:
    description:
      - User tags specified as comma delimited
@ -84,6 +84,13 @@ options:
      - Specify if user is to be added or removed
    default: present
    choices: [present, absent]
+  update_password:
+    description:
+      - C(on_create) will only set the password for newly created users.  C(always) will update passwords if they differ.
+    required: false
+    default: on_create
+    choices: [ on_create, always ]
+    version_added: "2.6"
 '''

 EXAMPLES = '''
@ -180,6 +187,9 @@ class RabbitMqUser(object):
                                       write_priv=write_priv, read_priv=read_priv))
        return perms_list

+    def check_password(self):
+        return self._exec(['authenticate_user', self.username, self.password], True)
+
    def add(self):
        if self.password is not None:
            self._exec(['add_user', self.username, self.password])
@ -190,6 +200,12 @@ class RabbitMqUser(object):
    def delete(self):
        self._exec(['delete_user', self.username])

+    def change_password(self):
+        if self.password is not None:
+            self._exec(['change_password', self.username, self.password])
+        else:
+            self._exec(['clear_password', self.username])
+
    def set_tags(self):
        self._exec(['set_user_tags', self.username] + self.tags)

@ -229,7 +245,8 @@ def main():
        read_priv=dict(default='^$'),
        force=dict(default='no', type='bool'),
        state=dict(default='present', choices=['present', 'absent']),
-        node=dict(default=None)
+        node=dict(default=None),
+        update_password=dict(default='on_create', choices=['on_create', 'always'])
    )
    module = AnsibleModule(
        argument_spec=arg_spec,
@ -247,6 +264,7 @@ def main():
    force = module.params['force']
    state = module.params['state']
    node = module.params['node']
+    update_password = module.params['update_password']

    bulk_permissions = True
    if not permissions:
@ -274,6 +292,10 @@ def main():
                rabbitmq_user.add()
                rabbitmq_user.get()
                result['changed'] = True
+            elif update_password == 'always':
+                if not rabbitmq_user.check_password():
+                    rabbitmq_user.change_password()
+                    result['changed'] = True

            if rabbitmq_user.has_tags_modifications():
                rabbitmq_user.set_tags()