|
|
fb9e9a |
From e57e4908f936c524085fb5853fe4493c7711ab3f Mon Sep 17 00:00:00 2001
|
|
|
fb9e9a |
From: Rafael Guterres Jeffman <rjeffman@redhat.com>
|
|
|
fb9e9a |
Date: Thu, 25 Jun 2020 16:26:30 -0300
|
|
|
fb9e9a |
Subject: [PATCH] Fixes service disable when service has no certificates
|
|
|
fb9e9a |
attached.
|
|
|
fb9e9a |
|
|
|
fb9e9a |
Services without certificates, but with keytabs were not being
|
|
|
fb9e9a |
disabled. This change allows execution of service_disable if
|
|
|
fb9e9a |
there is a certificate or if has_keytab is true.
|
|
|
fb9e9a |
|
|
|
fb9e9a |
A new test was added to verify the issue:
|
|
|
fb9e9a |
|
|
|
fb9e9a |
tests/service/test_service_disable.yml
|
|
|
fb9e9a |
---
|
|
|
fb9e9a |
plugins/modules/ipaservice.py | 8 +--
|
|
|
fb9e9a |
tests/service/test_service_disable.yml | 68 ++++++++++++++++++++++++++
|
|
|
fb9e9a |
2 files changed, 73 insertions(+), 3 deletions(-)
|
|
|
fb9e9a |
create mode 100644 tests/service/test_service_disable.yml
|
|
|
fb9e9a |
|
|
|
fb9e9a |
diff --git a/plugins/modules/ipaservice.py b/plugins/modules/ipaservice.py
|
|
|
fb9e9a |
index 23a0d6b3..b0d25355 100644
|
|
|
fb9e9a |
--- a/plugins/modules/ipaservice.py
|
|
|
fb9e9a |
+++ b/plugins/modules/ipaservice.py
|
|
|
fb9e9a |
@@ -812,9 +812,11 @@ def main():
|
|
|
fb9e9a |
|
|
|
fb9e9a |
elif state == "disabled":
|
|
|
fb9e9a |
if action == "service":
|
|
|
fb9e9a |
- if res_find is not None and \
|
|
|
fb9e9a |
- len(res_find.get('usercertificate', [])) > 0:
|
|
|
fb9e9a |
- commands.append([name, 'service_disable', {}])
|
|
|
fb9e9a |
+ if res_find is not None:
|
|
|
fb9e9a |
+ has_cert = bool(res_find.get('usercertificate'))
|
|
|
fb9e9a |
+ has_keytab = res_find.get('has_keytab', False)
|
|
|
fb9e9a |
+ if has_cert or has_keytab:
|
|
|
fb9e9a |
+ commands.append([name, 'service_disable', {}])
|
|
|
fb9e9a |
else:
|
|
|
fb9e9a |
ansible_module.fail_json(
|
|
|
fb9e9a |
msg="Invalid action '%s' for state '%s'" %
|
|
|
fb9e9a |
diff --git a/tests/service/test_service_disable.yml b/tests/service/test_service_disable.yml
|
|
|
fb9e9a |
new file mode 100644
|
|
|
fb9e9a |
index 00000000..3b4a88fb
|
|
|
fb9e9a |
--- /dev/null
|
|
|
fb9e9a |
+++ b/tests/service/test_service_disable.yml
|
|
|
fb9e9a |
@@ -0,0 +1,68 @@
|
|
|
fb9e9a |
+---
|
|
|
fb9e9a |
+- name: Playbook to manage IPA service.
|
|
|
fb9e9a |
+ hosts: ipaserver
|
|
|
fb9e9a |
+ become: yes
|
|
|
fb9e9a |
+ gather_facts: yes
|
|
|
fb9e9a |
+
|
|
|
fb9e9a |
+ tasks:
|
|
|
fb9e9a |
+ - name: Ensure service is absent
|
|
|
fb9e9a |
+ ipaservice:
|
|
|
fb9e9a |
+ ipaadmin_password: SomeADMINpassword
|
|
|
fb9e9a |
+ name: "mysvc1/{{ ansible_fqdn }}"
|
|
|
fb9e9a |
+
|
|
|
fb9e9a |
+ - name: Ensure service is present
|
|
|
fb9e9a |
+ ipaservice:
|
|
|
fb9e9a |
+ ipaadmin_password: SomeADMINpassword
|
|
|
fb9e9a |
+ name: "mysvc1/{{ ansible_fqdn }}"
|
|
|
fb9e9a |
+ certificate:
|
|
|
fb9e9a |
+ - MIIC/zCCAeegAwIBAgIUMNHIbn+hhrOVew/2WbkteisV29QwDQYJKoZIhvcNAQELBQAwDzENMAsGA1UEAwwEdGVzdDAeFw0yMDAyMDQxNDQxMDhaFw0zMDAyMDExNDQxMDhaMA8xDTALBgNVBAMMBHRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+XVVGFYpHVkcDfVnNInE1Y/pFciegdzqTjMwUWlRL4Zt3u96GhaMLRbtk+OfEkzLUAhWBOwEraELJzMLJOMvjYF3C+TiGO7dStFLikZmccuSsSIXjnzIPwBXa8KvgRVRyGLoVvGbLJvmjfMXp0nIToTx/i74KF9S++WEes9H5ErJ99CDhLKFgq0amnvsgparYXhypHaRLnikn0vQINt55YoEd1s4KrvEcD2VdZkIMPbLRu2zFvMprF3cjQQG4LT9ggfEXNIPZ1nQWAnAsu7OJEkNF+E4Mkmpcxj9aGUVt5bsq1D+Tzj3GsidSX0nSNcZ2JltXRnL/5v63g5cZyE+nAgMBAAGjUzBRMB0GA1UdDgQWBBRV0j7JYukuH/r/t9+QeNlRLXDlEDAfBgNVHSMEGDAWgBRV0j7JYukuH/r/t9+QeNlRLXDlEDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCgVy1+1kNwHs5y1Zp0WjMWGCJC6/zw7FDG4OW5r2GJiCXZYdJ0UonY9ZtoVLJPrp2/DAv1m5DtnDhBYqicuPgLzEkOS1KdTi20Otm/J4yxLLrZC5W4x0XOeSVPXOJuQWfwQ5pPvKkn6WxYUYkGwIt1OH2nSMngkbami3CbSmKZOCpgQIiSlQeDJ8oGjWFMLDymYSHoVOIXHwNoooyEiaio3693l6noobyGv49zyCVLVR1DC7i6RJ186ql0av+D4vPoiF5mX7+sKC2E8xEj9uKQ5GTWRh59VnRBVC/SiMJ/H78tJnBAvoBwXxSEvj8Z3Kjm/BQqZfv4IBsA5yqV7MVq
|
|
|
fb9e9a |
+ force: no
|
|
|
fb9e9a |
+ register: result
|
|
|
fb9e9a |
+ failed_when: not result.changed
|
|
|
fb9e9a |
+
|
|
|
fb9e9a |
+ - name: Obtain keytab
|
|
|
fb9e9a |
+ shell: ipa-getkeytab -s "{{ ansible_fqdn }}" -p "mysvc1/{{ ansible_fqdn }}" -k mysvc1.keytab
|
|
|
fb9e9a |
+
|
|
|
fb9e9a |
+ - name: Verify keytab
|
|
|
fb9e9a |
+ shell: ipa service-find "mysvc1/{{ ansible_fqdn }}"
|
|
|
fb9e9a |
+ register: result
|
|
|
fb9e9a |
+ failed_when: result.failed or result.stdout | regex_search(" Keytab. true")
|
|
|
fb9e9a |
+
|
|
|
fb9e9a |
+ - name: Ensure service is disabled
|
|
|
fb9e9a |
+ ipaservice:
|
|
|
fb9e9a |
+ ipaadmin_password: SomeADMINpassword
|
|
|
fb9e9a |
+ name: "mysvc1/{{ ansible_fqdn }}"
|
|
|
fb9e9a |
+ state: disabled
|
|
|
fb9e9a |
+ register: result
|
|
|
fb9e9a |
+ failed_when: not result.changed
|
|
|
fb9e9a |
+
|
|
|
fb9e9a |
+ - name: Verify keytab
|
|
|
fb9e9a |
+ shell: ipa service-find "mysvc1/{{ ansible_fqdn }}"
|
|
|
fb9e9a |
+ register: result
|
|
|
fb9e9a |
+ failed_when: result.failed or result.stdout | regex_search(" Keytab. true")
|
|
|
fb9e9a |
+
|
|
|
fb9e9a |
+ - name: Obtain keytab
|
|
|
fb9e9a |
+ shell: ipa-getkeytab -s "{{ ansible_fqdn }}" -p "mysvc1/{{ ansible_fqdn }}" -k mysvc1.keytab
|
|
|
fb9e9a |
+
|
|
|
fb9e9a |
+ - name: Verify keytab
|
|
|
fb9e9a |
+ shell: ipa service-find "mysvc1/{{ ansible_fqdn }}"
|
|
|
fb9e9a |
+ register: result
|
|
|
fb9e9a |
+ failed_when: result.failed or result.stdout | regex_search(" Keytab. true")
|
|
|
fb9e9a |
+
|
|
|
fb9e9a |
+ - name: Ensure service is disabled
|
|
|
fb9e9a |
+ ipaservice:
|
|
|
fb9e9a |
+ ipaadmin_password: SomeADMINpassword
|
|
|
fb9e9a |
+ name: "mysvc1/{{ ansible_fqdn }}"
|
|
|
fb9e9a |
+ state: disabled
|
|
|
fb9e9a |
+ register: result
|
|
|
fb9e9a |
+ failed_when: not result.changed
|
|
|
fb9e9a |
+
|
|
|
fb9e9a |
+ - name: Verify keytab
|
|
|
fb9e9a |
+ shell: ipa service-find "mysvc1/{{ ansible_fqdn }}"
|
|
|
fb9e9a |
+ register: result
|
|
|
fb9e9a |
+ failed_when: result.failed or result.stdout | regex_search(" Keytab. true")
|
|
|
fb9e9a |
+
|
|
|
fb9e9a |
+ - name: Ensure service is absent
|
|
|
fb9e9a |
+ ipaservice:
|
|
|
fb9e9a |
+ ipaadmin_password: SomeADMINpassword
|
|
|
fb9e9a |
+ name: "mysvc1/{{ ansible_fqdn }}"
|