Bug
Resolution: Unresolved
rhel-9.6
rhel-sst-idm-ipa
ssg_idm
When using the ipasudorule module with 'action: member' and 'state: absent' to remove members (e.g., hosts, user groups, hostmask, or other rule attributes) from a sudo rule, the playbook executes successfully but does not remove all specified members from the rule.
Steps:
[root@master ~]# ipa sudorule-show sudorule_5a
  Rule name: sudorule_5a
  Description: Sudo rule 5a
  Enabled: True
  Host Masks: 192.168.220.0/24, 192.168.110.0/24
  External host: mytesthost1.ipadomain.test
Trying to add additional host mask '192.168.221.0/24' and external host 'mytesthost1a.ipadomain.test'
# cat sudorule_member_add.yaml
---
- name: Playbook to ensure that sudorule remains present after updating their members(using action member).
  hosts: ipaserver
  become: true
  tasks:
  - name: Get Domain from server name
    set_fact:
      ipaserver_domain: "{{ groups.ipaserver[0].split('.')[1:] | join ('.') }}"
  - name: Ensure that sudorule remain present after updating their members(using action member).
    ipasudorule:
      ipaadmin_password: <xxxxxxxx>
      name: sudorule_5a
      hostmask:
      - 192.168.221.0/24
      host: "{{ 'mytesthost1a.' + ipaserver_domain }}"
      action: member
The playbook was executed successfully.
[root@master ~]# ipa sudorule-show sudorule_5a
  Rule name: sudorule_5a
  Description: Sudo rule 5a
  Enabled: True
  Host Masks: 192.168.220.0/24, 192.168.110.0/24, 192.168.221.0/24
  External host: mytesthost1.ipadomain.test, mytesthost1a.ipadomain.test
Now removing host mask '192.168.221.0/24' and the external host 'mytesthost1a.ipadomain.test' from the sudorule_5a
# cat sudorule_member_remove.yaml
---
- name: Playbook to ensure that sudorule remain present after remove their members(using action member).
  hosts: ipaserver
  become: true
  tasks:
  - name: Get Domain from server name
    set_fact:
      ipaserver_domain: "{{ groups.ipaserver[0].split('.')[1:] | join ('.') }}"
  - name: Ensure that sudorule remain present after remove their members(using action member).
    ipasudorule:
      ipaadmin_password: <xxxxxxxx>
      name: sudorule_5a
      hostmask:
      - 192.168.221.0/24
      host: "{{ 'mytesthost1a.' + ipaserver_domain }}"
      action: member
      state: absent
The playbook executed successfully, but it removed only the hostmask '192.168.221.0/24'. The external host 'mytesthost1a.ipadomain.test' is still present.
[root@master ~]# ipa sudorule-show sudorule_5a
  Rule name: sudorule_5a
  Description: Sudo rule 5a
  Enabled: True
  Host Masks: 192.168.220.0/24, 192.168.110.0/24, 192.168.221.0/24
  External host: mytesthost1.ipadomain.test, mytesthost1a.ipadomain.test
Expected results
The hostmask and the external host should be removed in this case.
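Because the playbook reports success while members stay on the rule, a post-run check against the actual rule state is the reliable signal. The following is an added example, not part of the original report or of ansible-freeipa: it parses `ipa sudorule-show` output and lists members that should have been removed but are still present. The function names are hypothetical; the labels and sample output are taken from the report above.

```python
# Added example: verify that members passed with 'state: absent' are really gone.
# SAMPLE_OUTPUT is the post-removal `ipa sudorule-show` text from this report,
# embedded here so the check runs offline.
SAMPLE_OUTPUT = """\
  Rule name: sudorule_5a
  Description: Sudo rule 5a
  Enabled: True
  Host Masks: 192.168.220.0/24, 192.168.110.0/24, 192.168.221.0/24
  External host: mytesthost1.ipadomain.test, mytesthost1a.ipadomain.test
"""

# Members the removal playbook asked to delete, keyed by the output label.
EXPECTED_ABSENT = {
    "Host Masks": ["192.168.221.0/24"],
    "External host": ["mytesthost1a.ipadomain.test"],
}


def parse_sudorule_show(text):
    """Parse 'Label: v1, v2' lines into {label: [values]}."""
    attrs = {}
    for line in text.splitlines():
        label, sep, value = line.strip().partition(": ")
        if not sep:
            continue  # skip blank lines and anything that is not 'Label: value'
        attrs[label] = [v.strip() for v in value.split(",") if v.strip()]
    return attrs


def leftover_members(text, expected_absent):
    """Return {label: [members still on the rule]} for members that should be gone."""
    attrs = parse_sudorule_show(text)
    leftover = {}
    for label, members in expected_absent.items():
        present = {m.lower() for m in attrs.get(label, [])}
        still = [m for m in members if m.lower() in present]
        if still:
            leftover[label] = still
    return leftover


if __name__ == "__main__":
    import sys
    left = leftover_members(SAMPLE_OUTPUT, EXPECTED_ABSENT)
    for label, members in left.items():
        print(f"STILL PRESENT {label}: {', '.join(members)}")
    sys.exit(1 if left else 0)  # non-zero exit fails a CI or audit step
```

Run against live output instead of the embedded sample, a non-empty result means the sudo rule still applies to hosts it was supposed to stop covering.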
Is cloned by: RHEL-68441 [ansible-freeipa] ipasudorule module fails to remove members (New)