1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
|
#!/usr/bin/python
# -*- coding: utf-8 -*-
# (c) 2021, Simon Dodsley (simon@purestorage.com)
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
from __future__ import absolute_import, division, print_function
__metaclass__ = type
ANSIBLE_METADATA = {
"metadata_version": "1.1",
"status": ["preview"],
"supported_by": "community",
}
DOCUMENTATION = r"""
---
module: purefb_userpolicy
version_added: '1.6.0'
short_description: Manage FlashBlade Object Store User Access Policies
description:
- Add or Remove FlashBlade Object Store Access Policies for Account User
author:
- Pure Storage Ansible Team (@sdodsley) <pure-ansible-team@purestorage.com>
options:
name:
description:
- Name of the Object Store User
- The user to have the policy request applied to
type: str
account:
description:
- Name of the Object Store Account associated with the user
type: str
state:
description:
- Define whether the Access Policy should be added or deleted
- Option to list all available policies
default: present
choices: [ absent, present, show ]
type: str
policy:
description:
- Policies to added or deleted from the Object Store User
- Only valid policies can be used
- use I(list) to see available policies
type: list
elements: str
extends_documentation_fragment:
- purestorage.flashblade.purestorage.fb
"""
EXAMPLES = r"""
- name: List existng ruser access policies for a specific user
purestorage.flashblade.purefb_userpolicy:
state: show
account: foo
name: bar
fb_url: 10.10.10.2
api_token: T-68618f31-0c9e-4e57-aa44-5306a2cf10e3
register: policy_list
- name: List all available user access policies
purestorage.flashblade.purefb_userpolicy:
state: show
fb_url: 10.10.10.2
api_token: T-68618f31-0c9e-4e57-aa44-5306a2cf10e3
register: policy_list
- name: Add user access policies to account user foo/bar
purestorage.flashblade.purefb_userpolicy:
name: bar
account: foo
policy:
- pure:policy/bucket-create
- pure:policy/bucket-delete
fb_url: 10.10.10.2
api_token: T-68618f31-0c9e-4e57-aa44-5306a2cf10e3
- name: Delete user access policies to account user foo/bar
purestorage.flashblade.purefb_userpolicy:
name: bar
account: foo
policy:
- pure:policy/bucket-create
- pure:policy/bucket-delete
state: absent
fb_url: 10.10.10.2
api_token: T-68618f31-0c9e-4e57-aa44-5306a2cf10e3
"""
RETURN = r"""
policy_list:
description:
- Returns the list of access policies for a user
- If no user specified returns all available access policies
returned: always
type: list
elements: str
sample: ['pure:policy/object-list', 'pure:policy/bucket-list', 'pure:policy/object-read', 'pure:policy/bucket-delete', 'pure:policy/full-access']
"""
from ansible.module_utils.basic import AnsibleModule
from ansible_collections.purestorage.flashblade.plugins.module_utils.purefb import (
get_system,
purefb_argument_spec,
)
MIN_REQUIRED_API_VERSION = "2.0"
def _check_valid_policy(blade, policy):
try:
return bool(blade.get_object_store_access_policies(names=[policy]))
except AttributeError:
return False
def add_policy(module, blade):
"""Add a single or list of policies to an account user"""
changed = False
user_policy_list = []
policy_list = module.params["policy"]
for policy in range(0, len(policy_list)):
if not _check_valid_policy(blade, policy_list[policy]):
module.fail_json(msg="Policy {0} is not valid.".format(policy_list[policy]))
username = module.params["account"] + "/" + module.params["name"]
for policy in range(0, len(policy_list)):
if not (
blade.get_object_store_users_object_store_access_policies(
member_names=[username], policy_names=[policy_list[policy]]
).items
):
if not module.check_mode:
changed = True
res = blade.post_object_store_access_policies_object_store_users(
member_names=[username], policy_names=[policy_list[policy]]
)
user_policies = list(
blade.get_object_store_access_policies_object_store_users(
member_names=[username]
).items
)
for user_policy in range(0, len(user_policies)):
user_policy_list.append(user_policies[user_policy].policy.name)
if res.status_code != 200:
module.fail_json(
msg="Failed to add policy {0} to account user {1}. Error: {2}".format(
policy_list[policy], username, res.errors[0].message
)
)
module.exit_json(changed=changed, policy_list=user_policy_list)
def remove_policy(module, blade):
"""Remove a single or list of policies to an account user"""
changed = False
user_policy_list = []
policy_list = module.params["policy"]
for policy in range(0, len(policy_list)):
if not _check_valid_policy(blade, policy):
module.fail_json(msg="Policy {0} is not valid.".format(policy))
username = module.params["account"] + "/" + module.params["name"]
for policy in range(0, len(policy_list)):
if (
blade.get_object_store_users_object_store_access_policies(
member_names=[username], policy_names=[policy_list[policy]]
).total_item_count
== 1
):
if not module.check_mode:
changed = True
res = blade.delete_object_store_access_policies_object_store_users(
member_names=[username], policy_names=[policy_list[policy]]
)
user_policies = list(
blade.get_object_store_access_policies_object_store_users(
member_names=[username]
).items
)
for user_policy in range(0, len(user_policies)):
user_policy_list.append(user_policies[user_policy].policy.name)
if res.status_code != 200:
module.fail_json(
msg="Failed to remove policy {0} from account user {1}. Error: {2}".format(
policy_list[policy], username, res.errors[0].message
)
)
module.exit_json(changed=changed, policy_list=user_policy_list)
def list_policy(module, blade):
"""List Object Store User Access Policies"""
changed = True
policy_list = []
if not module.check_mode:
if module.params["account"] and module.params["name"]:
username = module.params["account"] + "/" + module.params["name"]
user_policies = list(
blade.get_object_store_access_policies_object_store_users(
member_names=[username]
).items
)
for user_policy in range(0, len(user_policies)):
policy_list.append(user_policies[user_policy].policy.name)
else:
policies = blade.get_object_store_access_policies()
p_list = list(policies.items)
if policies.status_code != 200:
module.fail_json(msg="Failed to get Object Store User Access Policies")
for policy in range(0, len(p_list)):
policy_list.append(p_list[policy].name)
module.exit_json(changed=changed, policy_list=policy_list)
def main():
argument_spec = purefb_argument_spec()
argument_spec.update(
dict(
state=dict(
type="str", default="present", choices=["absent", "present", "show"]
),
name=dict(type="str"),
account=dict(type="str"),
policy=dict(type="list", elements="str"),
)
)
required_if = [
["state", "present", ["name", "account", "policy"]],
["state", "absent", ["name", "account", "policy"]],
]
module = AnsibleModule(
argument_spec, required_if=required_if, supports_check_mode=True
)
blade = get_system(module)
api_version = list(blade.get_versions().items)
if MIN_REQUIRED_API_VERSION not in api_version:
module.fail_json(
msg="FlashBlade REST version not supported. "
"Minimum version required: {0}".format(MIN_REQUIRED_API_VERSION)
)
state = module.params["state"]
if (
blade.get_object_store_users(
names=[module.params["account"] + "/" + module.params["name"]]
).status_code
!= 200
and state != "show"
):
module.fail_json(
msg="Account User {0}/{1} does not exist".format(
module.params["account"], module.params["name"]
)
)
if state == "show":
list_policy(module, blade)
elif state == "present":
add_policy(module, blade)
elif state == "absent":
remove_policy(module, blade)
module.exit_json(changed=False)
if __name__ == "__main__":
main()
|
