Release 1.6.8

Merge branch 'develop' into master
lae · Feb 27, 2021 · 0925560 · 0925560
2 parents 0726f60 + 2c0f021
commit 0925560
Show file tree

Hide file tree

Showing 22 changed files with 577 additions and 363 deletions.
diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml
@@ -1,3 +1,4 @@
+---
 ko_fi: sleepingkyoto
 custom:
   - "https://monappy.jp/u/lae"
diff --git a/.gitignore b/.gitignore
@@ -9,3 +9,4 @@
 
 fetch/
 .vagrant/
+/.settings/
diff --git a/.travis.yml b/.travis.yml
@@ -1,32 +1,25 @@
 ---
 language: python
-python:
-  - "2.7"
-  - "3.6"
 sudo: required
 dist: bionic
 cache:
   directories: [ '$HOME/lxc' ]
   pip: true
-env:
-  - ANSIBLE_VERSION='~=2.9.0'
 matrix:
   fast_finish: true
   include:
 # FIXME: Ansible 2.10.x going through major restructuring.
 # https://groups.google.com/forum/#!msg/ansible-project/eXsoOKEd0Mk/XTgbnPWbCAAJ
-#    - python: '3.6'
-#      env: ANSIBLE_GIT_VERSION='devel' # 2.10.x development branch
-    - python: '3.6'
-      env: ANSIBLE_VERSION='~=2.8.0'
-    - python: '3.6'
-      env: ANSIBLE_VERSION='~=2.7.0'
+#    - env: ANSIBLE_GIT_VERSION='devel' # 2.11.x development branch
+    - env: ANSIBLE_VERSION='~=2.10.0'
+    - env: ANSIBLE_VERSION='~=2.9.0'
+    - env: ANSIBLE_VERSION='~=2.8.0'
 install:
 - if [ "$ANSIBLE_GIT_VERSION" ]; then pip install "https://github.com/ansible/ansible/archive/${ANSIBLE_GIT_VERSION}.tar.gz";
   else pip install "ansible${ANSIBLE_VERSION}"; fi;
   pip install --pre ansible-lint; pip install jmespath netaddr
 - ansible --version
-- ansible-galaxy install lae.travis-lxc,v0.9.0
+- ansible-galaxy install lae.travis-lxc,v0.10.1
 - ansible-playbook tests/install.yml -i tests/inventory
 - git archive --format tar.gz HEAD > lae.proxmox.tar.gz && ansible-galaxy install
   lae.proxmox.tar.gz,$(git rev-parse HEAD),lae.proxmox && rm lae.proxmox.tar.gz

diff --git a/README.md b/README.md
@@ -409,6 +409,7 @@ pve_ceph_crush_rules: [] # List of CRUSH rules to create
 # pve_ssl_private_key: "" # Should be set to the contents of the private key to use for HTTPS
 # pve_ssl_certificate: "" # Should be set to the contents of the certificate to use for HTTPS
 pve_ssl_letsencrypt: false # Specifies whether or not to obtain a SSL certificate using Let's Encrypt
+pve_roles: [] # Added more roles with specific privileges. See section on User Management.
 pve_groups: [] # List of group definitions to manage in PVE. See section on User Management.
 pve_users: [] # List of user definitions to manage in PVE. See section on User Management.
 pve_storages: [] # List of storages to manage in PVE. See section on Storage Management.
@@ -513,10 +514,19 @@ pve_users:
 Refer to `library/proxmox_user.py` [link][user-module] and
 `library/proxmox_group.py` [link][group-module] for module documentation.
 
-For managing ACLs, a similar module is employed, but the main difference is that
-most of the parameters only accept lists (subject to change):
+For managing roles and ACLs, a similar module is employed, but the main
+difference is that most of the parameters only accept lists (subject to
+change):
 
 ```
+pve_roles:
+  - name: Monitoring
+    privileges:
+      - "Sys.Modify"
+      - "Sys.Audit"
+      - "Datastore.Audit"
+      - "VM.Monitor"
+      - "VM.Audit"
 pve_acls:
   - path: /
     roles: [ "Administrator" ]
@@ -529,7 +539,8 @@ pve_acls:
       - test_users
 ```
 
-Refer to `library/proxmox_acl.py` [link][acl-module] for module documentation.
+Refer to `library/proxmox_role.py` [link][user-module] and 
+`library/proxmox_acl.py` [link][acl-module] for module documentation.
 
 ## Storage Management
 

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -34,6 +34,8 @@ pve_cluster_clustername: "{{ pve_group }}"
 pve_datacenter_cfg: {}
 pve_cluster_ha_groups: []
 pve_ssl_letsencrypt: false
+# additional roles for your cluster (f.e. for monitoring)
+pve_roles: []
 pve_groups: []
 pve_users: []
 pve_acls: []

diff --git a/files/00_remove_checked_command_buster.patch b/files/00_remove_checked_command_buster.patch
@@ -64,17 +64,17 @@ diff -ur /usr/share/pve-manager/js/pvemanagerlib.js /usr/share/pve-manager/js/pv
 @@ -33892,7 +33892,7 @@
  	var version_btn = new Ext.Button({
  	    text: gettext('Package versions'),
- 	    handler: function(){
+ 	    handler: function() {
 -		Proxmox.Utils.checked_command(function() { me.showVersions(); });
 +		me.showVersions();
- 	    }
+ 	    },
  	});
 
 @@ -45136,7 +45136,6 @@
  		handler: function(data) {
  		    me.login = null;
  		    me.updateLoginData(data);
 -		    Proxmox.Utils.checked_command(function() {}); // display subscription status
- 		}
+ 		},
  	    });
  	}
diff --git a/library/proxmox_acl.py b/library/proxmox_acl.py
@@ -83,6 +83,11 @@ def __init__(self, module):
         except ProxmoxShellError as e:
             self.module.fail_json(msg=e.message, status_code=e.status_code)
 
+        # PVE 5.x (unnecessarily) uses a string for this value. This ensures
+        # that it's an integer for when we compare values later.
+        for acl in self.existing_acl:
+            acl['propagate'] = int(acl['propagate'])
+
         self.parse_acls()
 
     def parse_acls(self):
@@ -99,7 +104,7 @@ def parse_acls(self):
             for constituent in constituents:
                 self.acls.append({
                     "path": self.path,
-                    "propagate": "1", # possibly make this configurable in the module later
+                    "propagate": 1, # possibly make this configurable in the module later
                     "roleid": role,
                     "type": constituent[0],
                     "ugid": constituent[1]

diff --git a/library/proxmox_role.py b/library/proxmox_role.py
@@ -0,0 +1,189 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+ANSIBLE_METADATA = {
+    'metadata_version': '0.1',
+    'status': ['preview'],
+    'supported_by': 'lae'
+}
+
+DOCUMENTATION = '''
+---
+module: proxmox_role
+short_description: Manages the Access Control List in Proxmox
+options:
+    name:
+        required: true
+        description:
+            - name of the role.
+    privileges:
+        required: true
+        type: list
+        description:
+            - Specifies a list of PVE privileges for the given role.
+    state:
+        required: false
+        default: "present"
+        choices: [ "present", "absent" ]
+        description:
+            - Specifies whether this role should exist or not.
+author:
+    - Thoralf Rickert-Wendt (@trickert76)
+'''
+
+EXAMPLES = '''
+- name: Create a role for monitoring with given privileges
+  proxmox_role:
+    name: "monitoring"
+    privileges: [ "Sys.Modify", "Sys.Audit", "Datastore.Audit", "VM.Monitor", "VM.Audit" ]
+'''
+
+RETURN = '''
+'''
+
+from ansible.module_utils.basic import AnsibleModule
+from ansible.module_utils._text import to_text
+from ansible.module_utils.pvesh import ProxmoxShellError
+import ansible.module_utils.pvesh as pvesh
+
+class ProxmoxRole(object):
+    def __init__(self, module):
+        self.module = module
+        self.name = module.params['name']
+        self.privileges = module.params['privileges']
+        self.state = module.params['state']
+
+        try:
+            self.existing_roles = pvesh.get("access/roles")
+        except ProxmoxShellError as e:
+            self.module.fail_json(msg=e.message, status_code=e.status_code)
+
+        self.parse_roles()
+
+    def parse_roles(self):
+        self.roles = []
+        for existing_role in self.existing_roles:
+          self.roles.append(existing_role.get('roleid'))
+
+    def lookup(self):
+        self.roles = []
+        for existing_role in self.existing_roles:
+          if existing_role.get('roleid') == self.name:
+            args = {}
+            args['roleid'] = existing_role.get('roleid')
+            args['privs'] = ','.join(sorted(existing_role.get('privs').split(',')))
+            return args
+
+        return None
+
+    def exists(self):
+        if self.name not in self.roles:
+          return False
+
+        return True
+
+    def prepare_role_args(self, appendKey=True):
+        args = {}
+        if appendKey:
+          args['roleid'] = self.name
+        args['privs'] = ','.join(sorted(self.privileges))
+
+        return args
+
+    def remove_role(self):
+        try:
+            pvesh.delete("access/roles/{}".format(self.name))
+            return (True, None)
+        except ProxmoxShellError as e:
+            return (False, e.message)
+
+    def create_role(self):
+        new_role = self.prepare_role_args()
+
+        try:
+            pvesh.create("access/roles", **new_role)
+            return (True, None)
+        except ProxmoxShellError as e:
+            return (False, e.message)
+
+    def modify_role(self):
+        existing_role = self.lookup()
+        modified_role = self.prepare_role_args(appendKey=False)
+        updated_fields = []
+        error = None
+
+        for key in modified_role:
+            if key not in existing_role:
+                updated_fields.append(key)
+            else:
+                new_value = modified_role.get(key)
+                old_value = existing_role.get(key)
+                if isinstance(old_value, list):
+                    old_value = ','.join(sorted(old_value))
+                if isinstance(new_value, list):
+                    new_value = ','.join(sorted(new_value))
+
+                if new_value != old_value:
+                    updated_fields.append(key)
+
+        if self.module.check_mode:
+            self.module.exit_json(changed=bool(updated_fields), expected_changes=updated_fields)
+
+        if not updated_fields:
+            # No changes necessary
+            return (updated_fields, error)
+
+        try:
+            pvesh.set("access/roles/{}".format(self.name), **modified_role)
+        except ProxmoxShellError as e:
+            error = e.message
+
+        return (updated_fields, error)
+
+def main():
+    # Refer to https://pve.proxmox.com/pve-docs/api-viewer/index.html
+    module = AnsibleModule(
+        argument_spec = dict(
+            name=dict(type='str', required=True),
+            privileges=dict(type='list', required=True),
+            state=dict(default='present', choices=['present', 'absent'], type='str')
+        ),
+        supports_check_mode=True
+    )
+
+    role = ProxmoxRole(module)
+
+    changed = False
+    error = None
+    result = {}
+    result['name'] = role.name
+    result['state'] = role.state
+    result['changed'] = False
+
+    if role.state == 'absent':
+        if role.exists():
+            if module.check_mode:
+                module.exit_json(changed=True)
+
+            (changed, error) = role.remove_role()
+    elif role.state == 'present':
+        if not role.exists():
+            if module.check_mode:
+                module.exit_json(changed=True)
+
+            (changed, error) = role.create_role()
+        else:
+            (updated_fields, error) = role.modify_role()
+
+            if updated_fields:
+                changed = True
+                result['updated_fields'] = updated_fields
+
+    if error is not None:
+        module.fail_json(name=role.name, msg=error)
+
+    result['changed'] = changed
+    module.exit_json(**result)
+
+if __name__ == '__main__':
+    main()
diff --git a/meta/main.yml b/meta/main.yml
@@ -1,3 +1,4 @@
+---
 galaxy_info:
   author: Musee Ullah
   description: Installs and configures Proxmox 5.x (for clustering)
@@ -7,10 +8,10 @@ galaxy_info:
   min_ansible_version: 2.4
 
   platforms:
-  - name: Debian
-    versions:
-    - stretch
-    - buster
+    - name: Debian
+      versions:
+        - stretch
+        - buster
 
   galaxy_tags:
     - proxmox