
FreeIPA/RHIdM API dynamic inventory script & plugin (Mk II) #41766

Open
wants to merge 5 commits into
base: devel
from

6 participants
Aethylred commented Jun 21, 2018

A dynamic inventory script that uses the FreeIPA API with HTTPS authentication. No Kerberos required. Requires the python_freeipa module.

This is a duplicate of #41570 because I forgot to branch before developing a new feature.

SUMMARY
Adds a dynamic inventory script and inventory plugin that uses the FreeIPA/RHIdM API with HTTPS authentication. The inventory should be the same with using either the script or the plugin.

Dynamic Inventory Script

  • dynamic inventory script works when run as a user with Kerberos authentication (requires a Kerberos ticket for the user/process calling the script)
  • dynamic inventory script works when run with:
    -- correct command line arguments
    -- correct environment variables set either from the command line or Ansible variables
    -- can be cut-pasted into Ansible AWX/Tower

Inventory Plugins

  • has to be whitelisted in an ansible.cfg somewhere
  • works with an appropriate inventory YAML file
  • Kerberos version requires the user/role/process to have a valid Kerberos ticket*

* um... I don't have a sensible method for that... I suspect it's one of the reasons the original ipalib based dynamic inventory script wasn't converted into a plugin.

Dependencies

  • HTTPS connections require python_freeipa and urllib3 for HTTPS authentication
  • Kerberos authentication requires ipalib and ipaclient to use Kerberos authentication
    -- Kerberos authentication requires that the Ansible user/process environment has valid Kerberos authentication & keytab

ISSUE TYPE
Feature Pull Request
COMPONENT NAME
Dynamic Inventory Script
Inventory Plugin

ANSIBLE VERSION
ansible 2.4.1.0
config file = /etc/ansible/ansible.cfg
configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python2.7/site-packages/ansible
executable location = /bin/ansible
python version = 2.7.5 (default, Nov 6 2016, 00:28:07) [GCC 4.8.5 20150623 (Red Hat 4.8.5-11)]
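As an added example (not code from this PR, from python_freeipa, or from Ansible): a stdlib-only sketch of the HTTPS-authenticated inventory script the PR describes, talking to the FreeIPA JSON-RPC API directly with a password login and no Kerberos, and filtering on an optional hostgroup. The endpoint paths, the API version string and the environment variable names are assumptions; the hostgroup data is a constructed sample.

```python
"""Added example: FreeIPA dynamic inventory over the HTTPS JSON-RPC API."""
import json
import os
import ssl
import urllib.parse
import urllib.request

IPA_VERSION = "2.229"  # API version sent with every call (assumed value)
SAMPLE_HOSTGROUPS = [  # constructed sample shaped like hostgroup_find output
    {"cn": ["webservers"], "member_host": ["web2.example.test", "web1.example.test"]},
    {"cn": ["dbservers"], "member_host": ["db1.example.test"]},
    {"cn": ["empty"]},
]

def ipa_login(server, user, password, cafile=None):
    """Password login to /ipa/session/login_password (assumed path); returns the
    session cookie. TLS is verified against cafile (the IPA CA) or system CAs."""
    req = urllib.request.Request(
        f"https://{server}/ipa/session/login_password",
        data=urllib.parse.urlencode({"user": user, "password": password}).encode(),
        headers={"Referer": f"https://{server}/ipa", "Accept": "text/plain",
                 "Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, context=ssl.create_default_context(cafile=cafile)) as resp:
        return resp.headers["Set-Cookie"].split(";")[0]  # keep only name=value

def ipa_call(server, cookie, method, args=(), cafile=None, **options):
    """One JSON-RPC call to /ipa/session/json (assumed path) using the login cookie."""
    body = {"method": method, "params": [list(args), dict(options, version=IPA_VERSION)], "id": 0}
    req = urllib.request.Request(
        f"https://{server}/ipa/session/json", data=json.dumps(body).encode(),
        headers={"Referer": f"https://{server}/ipa", "Content-Type": "application/json",
                 "Accept": "application/json", "Cookie": cookie})
    with urllib.request.urlopen(req, context=ssl.create_default_context(cafile=cafile)) as resp:
        reply = json.load(resp)
    if reply.get("error"):
        raise RuntimeError(reply["error"]["message"])
    return reply["result"]["result"]

def build_inventory(hostgroups, only_group=None):
    """Turn hostgroup_find results into the Ansible dynamic-inventory JSON layout:
    one group per hostgroup, all groups as children of 'all', empty hostvars."""
    inv = {"_meta": {"hostvars": {}}, "all": {"children": []}}
    for hg in hostgroups:
        name = hg["cn"][0]
        if only_group and name != only_group:
            continue  # --hostgroup style filter: emit just the requested group
        hosts = sorted(hg.get("member_host", []))
        inv[name] = {"hosts": hosts}
        inv["all"]["children"].append(name)
        for host in hosts:
            inv["_meta"]["hostvars"].setdefault(host, {})
    return inv

if __name__ == "__main__":  # assumed env var names, mirroring the PR's env-driven config
    srv, ca = os.environ["IPA_HOST"], os.environ.get("IPA_CA_CERT")
    ck = ipa_login(srv, os.environ["IPA_USER"], os.environ["IPA_PASSWORD"], ca)
    groups = ipa_call(srv, ck, "hostgroup_find", cafile=ca, sizelimit=0)
    print(json.dumps(build_inventory(groups, os.environ.get("IPA_HOSTGROUP")), indent=2))
```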

@Aethylred Aethylred changed the title from Ipa inventory to FreeIPA/RHIdM API dynamic inventory script & plugin (Mk II) Jun 21, 2018

@Aethylred Aethylred force-pushed the Aethylred:ipa-inventory branch Jun 21, 2018

@jborean93 jborean93 removed the needs_triage label Jun 21, 2018

@Aethylred Aethylred force-pushed the Aethylred:ipa-inventory branch Jun 22, 2018

Aethylred commented Jun 24, 2018

Tests failing due to a TLS certificate error in an area of the code not related to this PR. https://app.shippable.com/github/ansible/ansible/runs/70931/28/tests

I'm going to try and do the rebase to reduce the number of commits.

@Aethylred Aethylred force-pushed the Aethylred:ipa-inventory branch Jun 24, 2018

Aethylred commented Jun 24, 2018

Tests now failing due to a failure in obtaining Docker images. Is there a way of re-running shippable jobs?

@Aethylred Aethylred force-pushed the Aethylred:ipa-inventory branch to ef42717 Jun 26, 2018

mattclay (Member) commented Jun 27, 2018

CI jobs have been restarted.

@ansibot ansibot removed the needs_revision label Jun 27, 2018

@ansibot ansibot added the stale_ci label Jul 5, 2018

mkrupcale (Contributor) commented Aug 3, 2018

cc @Akasurde

This dependency on python_freeipa, which itself depends on Python Requests, for a FreeIPA HTTP(S) client seems unnecessary given that Ansible already has ansible.module_utils.ipa.IPAClient. On quick inspection, these clients do more or less the same thing[1,2]. See ipa_user module for example usage.

See also #36326 which requests Kerberos authentication for current FreeIPA modules ipa_* which only use HTTP(S) authentication. Perhaps this is an opportunity to address this request as well, since you appear to have done some work on the Kerberos side here.

[1] ansible.module_utils.ipa.IPAClient.login
[2] python_freeipa.Client.login

@ansibot ansibot removed the support:core label Sep 20, 2018

Aethylred commented Oct 23, 2018

@mkrupcale I think that ansible.module_utils.ipa.IPAClient could be used and would eliminate the dependency. I'm coming around to look at this again soonish (we need to trim the number of nodes in our Ansible Tower inventory), but if I did that I'd drop the Kerberos support in the plugin as I don't have an environment in which I can test it.

I didn't do any of the Kerberos work; it already existed before this PR. I just replicated what was in the old inventory script into the new plugin; I'd have left it out if it wasn't important to preserve existing functionality.

jamescassell (Contributor) commented Oct 23, 2018

FWIW, I'm a huge fan of keeping the Kerberos auth feature. Thanks for leaving it in!

ansibot (Contributor) commented Nov 26, 2018

The test ansible-test sanity --test pylint failed with 1 error:

lib/ansible/plugins/inventory/ipa.py:88:0: ansible-bad-import-from Import MutableMapping from ansible.module_utils.common._collections_compat instead of collections


Aethylred added some commits Jun 14, 2018

  • FreeIPA/RHIdM API dynamic inventory script
    A dynamic inventory script that uses the FreeIPA API with HTTPS authentication. No Kerberos required. Requires the python_freeipa module.
  • Single freeipa.py Inventory Script
  • Merge freeipa.py and freeipa-api.py
  • Create a FreeIPA/RHIdM IPA inventory plugin
  • My first plugin
  • Now testing Kerberos auth with ipalib
  • Changing the parent class to BaseInventoryPlugin
  • FreeIPA/RHIdM API dynamic inventory script
    A dynamic inventory script that uses the FreeIPA API with HTTPS authentication. No Kerberos required. Requires the python_freeipa module.
  • Debugging
  • Documentation
  • ...and remove all_members
  • Cleaning lint

@Aethylred Aethylred force-pushed the Aethylred:ipa-inventory branch from ef42717 to ceb66de Dec 12, 2018

ansibot (Contributor) commented Dec 12, 2018

The test ansible-test sanity --test pylint failed with 1 error:

lib/ansible/plugins/inventory/ipa.py:88:0: ansible-bad-import-from Import MutableMapping from ansible.module_utils.common._collections_compat instead of collections


@ansibot ansibot removed the stale_ci label Dec 12, 2018

Aethylred commented Dec 13, 2018

TL;DR: ansible.module_utils.ipa.IPAClient is not a generic IPA connection object; it's specifically for Ansible modules connecting to an IPA server.

OK, I've looked at using ansible.module_utils.ipa.IPAClient; however, it's targeted specifically at being executed from an Ansible module (which an inventory plugin is not).

I'd have to build a dummy AnsibleModule object with the ipa_argument_spec() to pass to the IPAClient initialiser which requires 5 parameters, including module. To work in this way correctly IPAClient and ansible.module_utils.urls.fetch_url would need to be able to handle an AnsiblePlugin object in the same 'role' as the parent object, like AnsibleModule is, to get information from the IPA server.

If there was documentation or an example of ansible.module_utils.ipa.IPAClient being used in an AnsiblePlugin that I could have followed I may have made more progress.

Aethylred added more commits:

  • Pass hostgroup to IPA inventory script
  • pass it to kerberos sessions too
  • cast hostgroup as a str
  • that was a bad idea
  • but needs to be unicode for kerberos method
  • decode string to utf-8 not encode
  • grab ipahostgroup from the environment
  • Ah! use hostgroup to test not args.hostgroup