new CS module cs_role_permission #37065
@@ -413,6 +413,7 @@ lib/ansible/modules/cloud/cloudstack/cs_project.py E325 | |||
lib/ansible/modules/cloud/cloudstack/cs_region.py E324 | |||
lib/ansible/modules/cloud/cloudstack/cs_resourcelimit.py E324 | |||
lib/ansible/modules/cloud/cloudstack/cs_role.py E324 | |||
lib/ansible/modules/cloud/cloudstack/cs_role_permission.py E324 |
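Review bot: the added lib/ansible/modules/cloud/cloudstack/cs_role_permission.py E324 entry records an E324 exception for a module that is introduced in this same PR. It would be cleaner to resolve the E324 finding in the module before merge, or to link the follow-up that will drop this line, so a new module does not start out with a suppressed check.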
this is ok for now, I am working on a fix for E324
@dpassante thanks for this new module. Would you like to join me in maintaining the cloudstack namespace?
@resmo Yes! I would be happy to help maintain this namespace.
@dpassante this PR contains the following merge commits: Please rebase your branch to remove these commits.
@DazWorrall @jeffersongirao @marcaurele @netservers As a maintainer of a module in the same namespace this new module has been submitted to, your vote counts for shipits. Please review this module and add
Thanks for this. Looks pretty good. Hadn't had the chance to test it (especially the comp with 4.9 issue), can you explain a bit what and how it fails? Any suggestion to make it "not fail" for 4.9?
super(AnsibleCloudStackRolePermission, self).__init__(module) | ||
self.returns = { | ||
'id': 'id', | ||
'roleid': 'roleid', |
i would prefer role_id here
would you mind changing this to the following?
'roleid': 'role_id',
Sorry! Done.
The ability to dynamically update permission of existing rules has been introduced in the 4.11 release by this issue. Trying to update a permission (e.g. from "allow" to "deny") in 4.9 now returns the following as 'ruleorder' argument is required by the 4.9 'updateRolePermission' API method:
The 'ruleid' / 'permission' couple and 'ruleorder' are mutually exclusive in Cloudstack 4.11. The options I have in mind to avoid any issue with 4.9 would be:
In the first case, the behavior of the module would be different depending on the version of Cloudstack but the new 4.11 feature would be supported.
Another option is to return a 'skipped' result with an explicit message when the permission update fails. Or outright replace the existing rule by a new one with the updated permission for Cloudstack versions that don't natively support it? :)
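The version split discussed above, sketched as an added example that is not part of this PR or of the module's code: it plans a permission change for one rule, sending ruleid/permission without ruleorder on 4.11 and returning a 'skipped' result with an explicit message on older versions. The helper names, the sample rules and the way the version string reaches the function are assumptions made for illustration.

```python
# Constructed sample data in the shape of a role's ordered permission list.
SAMPLE_RULES = [
    {"id": "id-1", "rule": "listVPCs", "permission": "allow"},
    {"id": "id-2", "rule": "createVPC", "permission": "allow"},
    {"id": "id-3", "rule": "*", "permission": "deny"},
]


def parse_version(text):
    """'4.11.0.0' -> (4, 11); only major and minor are compared."""
    major, minor = text.split(".")[:2]
    return int(major), int(minor)


def plan_permission_update(cs_version, role_id, rules, rule_name, permission):
    """Return the list of (api_command, args) needed to set `permission`.

    Hypothetical helper: cs_version is assumed to be supplied by the caller.
    """
    # Exact comparison only, so a partial name can never select another rule.
    current = next((r for r in rules if r["rule"] == rule_name), None)
    if current is None:
        raise LookupError("no rule %r in role %s" % (rule_name, role_id))
    if current["permission"] == permission:
        return []  # already in the desired state, nothing to send

    if parse_version(cs_version) >= (4, 11):
        # 4.11: ruleid/permission is sent without ruleorder (mutually exclusive).
        args = {"roleid": role_id, "ruleid": current["id"],
                "permission": permission}
        return [("updateRolePermission", args)]

    # Before 4.11 updateRolePermission requires ruleorder and cannot change
    # a permission, so report a skip with an explicit message instead of
    # letting the API call fail.
    msg = ("CloudStack %s cannot update the permission of rule %r in place; "
           "updateRolePermission requires ruleorder" % (cs_version, rule_name))
    return [("skipped", {"msg": msg})]
```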
name: "createVPC" | ||
permission: "deny" | ||
|
||
# Updade rules order. move the rule at the top of list |
typo
|
||
if self._get_role_perm(): | ||
for _rule in self._get_role_perm(): | ||
if rule == _rule['rule'] or rule in _rule['id']: |
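Review bot: in the condition rule == _rule['rule'] or rule in _rule['id'], the second test is a substring match on the id string, so a partial or empty rule value matches the first permission whose id contains it and the module would then act on a permission the user did not name. Use rule == _rule['id'] there. self._get_role_perm() is also called twice in a row; assign its result once and iterate over that.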
shouldn't this be like the following?
if rule == _rule['rule'] or rule == _rule['id']:
Yes, it seems to be a more appropriate syntax
'name', | ||
'permission', | ||
] | ||
self.module.fail_on_missing_params(required_params=required_params) |
IMHO this check is not required, because name is always required and permission is defaulted to something (not None). Any thoughts?
You're right. I'll remove this check.
description: | ||
- The rule permission, allow or deny. Defaulted to deny. | ||
choices: [ allow, deny ] | ||
required: false |
not a blocker but required: false is the default, can be omitted in the docs (was needed in the past)
Thanks for the update, waiting for the build to finish before merge
@resmo Thanks for review!
;) btw, I am thinking about updating the cloudstack version for integration testing to 4.11 (once 4.11.1 is released). Any concerns? Or other preferences?
I think it's a good idea to base integration testing on the latest LTS major release.
shipit
SUMMARY
Add a new CloudStack module to manage role permissions.
ISSUE TYPE
New Module Pull Request
COMPONENT NAME
lib/ansible/modules/cloud/cloudstack/cs_role_permission.py
ANSIBLE VERSION
ADDITIONAL INFORMATION