new CS module cs_role_permission

[dpassante]

SUMMARY

Add a new CloudStack module to manage role permissions.

ISSUE TYPE

New Module Pull Request

COMPONENT NAME

lib/ansible/modules/cloud/cloudstack/cs_role_permission.py

ANSIBLE VERSION

$ ansible --version
ansible 2.6.0 (devel c3ee2188a9) last updated 2018/03/06 12:05:56 (GMT +200)
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/home/dpassante/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /mnt/filer/Github/ansible/lib/ansible
  executable location = /mnt/filer/Github/ansible/bin/ansible
  python version = 2.7.6 (default, Nov 23 2017, 15:49:48) [GCC 4.8.4]

ADDITIONAL INFORMATION

This module is working with Cloudstack 4.11. Some integration tests have been commented out to be compliant with the Cloudstack 4.9.2 integration environment.
Everything seem's to work with Cloudstack 4.9.2 except the dynamic role permission rules update.

[ansibot]

cc @mattclay @resmo
click here for bot help

[resmo]

this is ok for now, I am working on a fix for E324

[resmo]

@dpassante thanks for this new module. would you like to join me in maintaining the cloudstack namespace?

[dpassante]

@resmo Yes! I would be happy to help maintaining this namespace.

[ansibot]

@dpassante this PR contains the following merge commits:

• 25d8231

Please rebase your branch to remove these commits.

click here for bot help

[ansibot]

@DazWorrall @jeffersongirao @marcaurele @netservers

As a maintainer of a module in the same namespace this new module has been submitted to, your vote counts for shipits. Please review this module and add shipit if you would like to see it merged.

click here for bot help

[resmo]

Thanks for this. Looks pretty good. Hadn't had the chance to test it (especially the comp with 4.9 issue), can you explain a bit what and how it fails? Any suggestion to make it "not fail" for 4.9?

[resmo]

i would prefer role_id here

[resmo]

would you mind change this to the following?

'roleid': 'role_id',

[dpassante]

Sorry! Done.

[dpassante]

The ability to dynamically update permission of existing rules has been introduced in the 4.11 release by this issue.
Cloudstack 4.9 only supports updating rules order.

Trying to update a permission (e.g. from "allow" to "deny") in 4.9 now returns the following as 'ruleorder' argument is required by the 4.9 'updateRolePermission' API method:

TASK [cs_role_permission : test update role permission] *****************************************************************************************************
fatal: [testhost]: FAILED! => {"api_http_method": "get", "api_key": "ClwInp7F5FC0IFNJGGf5u9QlqecLvsK5vhs6sV9jGtYr8JOy_zxAwEUxJ6y_hW4hVUWSkqlAR9hiJfFG_8T2jw", "api_region": "cloudstack", "api_timeout": "60", "api_url": "http://localhost:8888/client/api", "changed": true, "msg": "CloudStackException: ('HTTP 431 response from CloudStack', <Response [431]>, {'uuidList': [], 'errorcode': 431, 'cserrorcode': 9999, 'errortext': 'Unable to execute API command updaterolepermission due to missing parameter ruleorder'})"}

The 'ruleid' / 'permission' couple and 'ruleorder' are mutually exclusive in Cloudstack 4.11.

The options I have in mind to avoid any issue with 4.9 would be:

• Catch the Cloudstack response and return an error like ‘Updating rule permission is not supported on cs <= 4.11’ for 4.9.
• Remove the ability to update rule permission and never do any update except if 'parent' argument is passed

On the first case, the behavior of the module would be different depending on the version of Cloudstack but the new 4.11 feature would be supported.
On the second, we would have the choice to return that nothing has been changed or to return an error when 'permission' argument of the playbook doesn't match the actual rule permission.

[dpassante]

Another option is to return a 'skipped' result with an explicit message when the permission update fail.
The task doesn't fail and the user is aware that the permission wasn't updated.
The behavior of the module would be something like this: dpassante@d25484e

Or outright replace the existing rule by a new one with the updated permission for Cloudstack versions that don't natively support it ? :)

[resmo]

typo

[resmo]

shouldn't this be like the following?

if rule == _rule['rule'] or rule == _rule['id']:

[dpassante]

Yes, it seems to be a more appropriate syntax

[resmo]

IMHO this check is not required, because name is always required and permission is defaulted to something (not None). Any thoughts?

[dpassante]

You're right. I'll remove this check.

[resmo]

not a blocker but required: false is the default, can be omitted in the docs (was needed in the past)

[resmo]

Thanks for the update, waiting for the build to finish before merge

[dpassante]

@resmo Thanks for review!

[resmo]

;) btw, I think about to update the cloudstack version for integration testing to 4.11 (once 4.11.1 is released) any concerns? Or other preferences?

[dpassante]

I think it's a good idea to base integration testing to the latest LTS major release.
The ideal would be to have the 4.11 as default but keeping the ability to run tests on the 4.9.2 to check backward compatibility. But this can already be done by managing docker images manually...

[resmo]

shipit