
Allow replacing role permissions of an object using ansible.controller.role



      Using the ansible.controller.role module to assign a permission to a resource in automation controller, such as a job template, adds the desired role on top of the permissions that already exist; roles that are no longer listed in the playbook are silently left in place.

       

      Currently, converging an object onto an exact set of permissions requires first removing every existing permission (one `state: absent` call per role) before adding the desired ones with ansible.controller.role.

       

      This is especially hindering for configuration as code (CaC): the module ansible.controller.role only offers the states "present" and "absent", not a state like "replace" that would remove all existing permissions and apply only those given to the module. Without it, a permission deleted from the CaC source is never revoked in the controller, so access silently accumulates over time (privilege creep) unless every removal is also encoded explicitly.

       

      The reproducer below demonstrates this: it first grants the "admin" role on a job template to a user and then shows the roles assigned to that user for the job template.

      The step is then repeated with a second set of roles, followed by another retrieval of the assignments, which shows that the second set has been added to the existing ones instead of replacing them.

      This RFE proposes a third state (or an additional option) to enforce the replacement of the complete set of permissions.

      Below you'll find the reproducer:

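      ---
      # Reproducer for AAPRFE-1678: ansible.controller.role is additive.
      # state=present adds the named role and state=absent removes only the named
      # role; no state converges an object onto an exact set of role assignments,
      # so roles dropped from the CaC source stay granted until removed explicitly.
      #
      # NOTE(review): lab reproducer only. validate_certs / verify_ssl are set to
      # false below, so the admin credentials are sent to endpoints whose
      # certificate is never checked. Keep verification on (the default) and trust
      # the proper CA anywhere outside a throw-away lab.
      - hosts: 'localhost'
        gather_facts: false
        vars:
          controller_username: 'admin'
          controller_host: 'https://controller.example.com:8443'
          controller_admin_password: !vault [..]
          # The gateway modules (ansible.platform.*) target AAP 2.5; on 2.4 the
          # user would be created with ansible.controller.user instead.
          gateway_host: 'https://gateway.example.com'
          gateway_username: 'admin'
          gateway_admin_password: !vault [..]
          reproducer_username: 'test_user'
          reproducer_organization_name: 'Default' # needs to exist (not used by the tasks below)
          reproducer_job_template_name: 'Demo Job Template' # needs to exist
          # Step 1: roles granted first.
          reproducer_assign_roles:
            - 'admin'
          # Step 2: roles granted afterwards. With "replace" semantics only these
          # two would remain; today they are added on top of 'admin'.
          reproducer_assign_additional_roles:
            - 'execute'
            - 'read'
        # Connection parameters shared by every ansible.controller.role task, so
        # the admin password is referenced once. The controller_api lookups below
        # cannot use module_defaults and repeat them explicitly.
        module_defaults:
          ansible.controller.role:
            controller_host: '{{ controller_host }}'
            controller_username: '{{ controller_username }}'
            controller_password: '{{ controller_admin_password }}'
            validate_certs: false
        tasks:
          - name: 'Ensure user exists: {{ reproducer_username }}'
            ansible.platform.user:
              gateway_hostname: '{{ gateway_host }}'
              gateway_username: '{{ gateway_username }}'
              gateway_password: '{{ gateway_admin_password }}'
              gateway_validate_certs: false
              username: '{{ reproducer_username }}'
              state: 'present'

          - name: 'Resolve the ID of job template {{ reproducer_job_template_name }}'
            ansible.builtin.set_fact:
              __t_job_template_ids: >-
                {{
                  query(
                    'ansible.controller.controller_api',
                    'job_templates',
                    host=controller_host,
                    username=controller_username,
                    password=controller_admin_password,
                    verify_ssl=false
                  ) |
                  selectattr('name', 'eq', reproducer_job_template_name) |
                  map(attribute='id') |
                  list
                }}

          # Fail early with a clear message instead of an opaque Jinja error on an
          # empty list further down.
          - name: 'Ensure job template {{ reproducer_job_template_name }} exists and is unique'
            ansible.builtin.assert:
              that:
                - __t_job_template_ids | length == 1
              fail_msg: >-
                Expected exactly one job template named
                '{{ reproducer_job_template_name }}', found
                {{ __t_job_template_ids | length }}.

          # Step 1: grant the first set of roles.
          - name: 'Assign roles to {{ reproducer_username }} on {{ reproducer_job_template_name }}'
            ansible.controller.role:
              user: '{{ reproducer_username }}'
              role: '{{ __t_role_name }}'
              job_templates:
                - '{{ reproducer_job_template_name }}'
              state: 'present'
            loop: '{{ reproducer_assign_roles }}'
            loop_control:
              loop_var: '__t_role_name'

          # The object roles (Admin/Execute/Read, ...) of the job template. Their
          # IDs are stable, so they are gathered once and reused for both checks.
          - name: 'Gather role IDs of {{ reproducer_job_template_name }}'
            ansible.builtin.set_fact:
              __t_roles: >-
                {{
                  __t_roles | default([]) + [
                    {
                      'name': __t_object_role.name,
                      'id': __t_object_role.id
                    }
                  ]
                }}
            loop: >-
              {{
                query(
                  'ansible.controller.controller_api',
                  'job_templates/' ~ __t_job_template_ids[0] ~ '/object_roles/',
                  host=controller_host,
                  username=controller_username,
                  password=controller_admin_password,
                  verify_ssl=false
                )
              }}
            loop_control:
              loop_var: '__t_object_role'

          # For every object role, record whether the user is among its members.
          - name: 'Gather role to user assignments for user: {{ reproducer_username }}'
            ansible.builtin.set_fact:
              __t_role_assignments: >-
                {{
                  __t_role_assignments | default([]) + [
                    {
                      'role_name': __t_object_role.name,
                      'assigned': (
                        query(
                          'ansible.controller.controller_api',
                          'roles/' ~ __t_object_role.id ~ '/users/',
                          host=controller_host,
                          username=controller_username,
                          password=controller_admin_password,
                          verify_ssl=false
                        ) |
                        selectattr('username', 'eq', reproducer_username) |
                        length
                      ) > 0
                    }
                  ]
                }}
            loop: '{{ __t_roles }}'
            loop_control:
              loop_var: '__t_object_role'

          - name: 'Show assigned privileges for user {{ reproducer_username }} on Job Template {{ reproducer_job_template_name }}'
            ansible.builtin.debug:
              var: '__t_role_assignments'

          # Step 2: grant the second set of roles. Nothing removes 'admin' here,
          # which is exactly the gap this RFE is about.
          - name: 'Assign additional roles to {{ reproducer_username }} on {{ reproducer_job_template_name }}'
            ansible.controller.role:
              user: '{{ reproducer_username }}'
              role: '{{ __t_role_name }}'
              job_templates:
                - '{{ reproducer_job_template_name }}'
              state: 'present'
            loop: '{{ reproducer_assign_additional_roles }}'
            loop_control:
              loop_var: '__t_role_name'

          # set_fact below accumulates into the list, so reset it between the
          # "before" and "after" snapshots.
          - name: 'Ensure variable __t_role_assignments is emptied'
            ansible.builtin.set_fact:
              __t_role_assignments: []

          - name: 'Gather role to user assignments for user: {{ reproducer_username }}'
            ansible.builtin.set_fact:
              __t_role_assignments: >-
                {{
                  __t_role_assignments | default([]) + [
                    {
                      'role_name': __t_object_role.name,
                      'assigned': (
                        query(
                          'ansible.controller.controller_api',
                          'roles/' ~ __t_object_role.id ~ '/users/',
                          host=controller_host,
                          username=controller_username,
                          password=controller_admin_password,
                          verify_ssl=false
                        ) |
                        selectattr('username', 'eq', reproducer_username) |
                        length
                      ) > 0
                    }
                  ]
                }}
            loop: '{{ __t_roles }}'
            loop_control:
              loop_var: '__t_object_role'

          - name: 'Show assigned privileges for user {{ reproducer_username }} on Job Template {{ reproducer_job_template_name }}'
            ansible.builtin.debug:
              var: '__t_role_assignments'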

      The output below was captured during execution and shows that the new roles were added alongside the existing ones ("Admin" is still assigned after the second step):

       

      TASK [Show assigned privileges for user test_user on Job Template Demo Job Template] *************************************************************************************************************************************************
      ok: [localhost] => {
          "__t_role_assignments": [
              {
                  "assigned": true,
                  "role_name": "Admin"
              },
              {
                  "assigned": false,
                  "role_name": "Execute"
              },
              {
                  "assigned": false,
                  "role_name": "Read"
              }
          ]
      }
      TASK [Assign additional roles to test_user on Demo Job Template] *********************************************************************************************************************************************************************
      ok: [localhost] => (item=execute)
      ok: [localhost] => (item=read)
      TASK [Ensure variable __t_role_assignments is emptied] *******************************************************************************************************************************************************************************
      ok: [localhost]
      TASK [Gather role to user assignments for user: test_user] ***************************************************************************************************************************************************************************
      ok: [localhost] => (item={'name': 'Admin', 'id': 37})
      ok: [localhost] => (item={'name': 'Execute', 'id': 38})
      ok: [localhost] => (item={'name': 'Read', 'id': 39})
      TASK [Show assigned privileges for user test_user on Job Template Demo Job Template] *************************************************************************************************************************************************
      ok: [localhost] => {
          "__t_role_assignments": [
              {
                  "assigned": true,
                  "role_name": "Admin"
              },
              {
                  "assigned": true,
                  "role_name": "Execute"
              },
              {
                  "assigned": true,
                  "role_name": "Read"
              }
          ]
      } 

      This has been tested with both AAP 2.4 and AAP 2.5. Note that the reproducer above creates the user through the ansible.platform gateway module, which applies to 2.5; on 2.4 the same step is done with ansible.controller.user against the controller.

              bcoursen@redhat.com Brian Coursen
              rhn-support-sscheib Steffen Scheib