SX5-868 Add new keycloak_component_module #56031

Open
wants to merge 255 commits into base: devel
@elfelip

commented May 2, 2019

SUMMARY

This PR adds the keycloak_component module. This module manages Keycloak LDAP user storage components.

ISSUE TYPE
  • New Module Pull Request
COMPONENT NAME

keycloak_component

ADDITIONAL INFORMATION

```yaml
module: keycloak_component
short_description: Configure a component in Keycloak
description:
  - This module creates, removes or updates a Keycloak component.
  - It can be used to create an LDAP or AD user federation in a realm on the Keycloak server.
version_added: "2.9"
options:
  realm:
    description:
      - Name of the realm the component belongs to.
    required: true
  id:
    description:
      - ID of the component, when it has already been created and is known.
    required: false
  name:
    description:
      - Name of the component.
    required: true
  providerId:
    description:
      - Provider ID of the component.
    choices: ["ldap", "allowed-client-templates", "trusted-hosts", "allowed-protocol-mappers", "max-clients", "scope", "consent-required", "rsa-generated"]
    required: true
  providerType:
    description:
      - Provider type of the component.
    choices:
      - org.keycloak.storage.UserStorageProvider
      - org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy
      - org.keycloak.keys.KeyProvider
      - authenticatorConfig
      - requiredActions
    required: true
  parentId:
    description:
      - Parent ID of the component. Use the realm name for a top-level component.
    required: true
  config:
    description:
      - Configuration of the component to create, update or delete.
    required: false
    suboptions:
      vendor:
        description:
          - LDAP vendor/product.
          - Value must be a list of one string item.
        type: list
        choices:
          - ad
          - tivoli
          - edirectory
          - rhds
          - other
      usernameLDAPAttribute:
        description:
          - Name of the LDAP attribute which is mapped as the Keycloak username.
          - It is usually uid; for Active Directory it is sAMAccountName.
          - Value must be a list of one string item.
        type: list
      editMode:
        description:
          - The Edit Mode configuration option defines the edit policy you have with your LDAP store.
          - Value must be a list of one string item.
        type: list
        choices:
          - READ_ONLY
          - WRITABLE
          - UNSYNCED
      rdnLDAPAttribute:
        description:
          - Name of the LDAP attribute which is used as the RDN (top attribute) of a typical user DN.
          - Usually it is the same as the username LDAP attribute. For Active Directory it is usually cn.
          - Value must be a list of one string item.
        type: list
      uuidLDAPAttribute:
        description:
          - Name of the LDAP attribute which is used as the unique object identifier.
          - For many LDAP vendors it is entryUUID.
          - For Active Directory it is objectGUID.
          - For Red Hat Directory Server it is nsuniqueid.
          - Value must be a list of one string item.
        type: list
      userObjectClasses:
        description:
          - All values of the LDAP objectClass attribute for users in LDAP.
        type: list
      connectionUrl:
        description:
          - LDAP connection URL in the format [ldap|ldaps]://server.name:port
          - Value must be a list of one string item.
        type: list
      usersDn:
        description:
          - Full DN of the LDAP tree where users are stored.
          - Value must be a list of one string item.
        type: list
      authType:
        description:
          - LDAP authentication type.
          - Value must be a list of one string item.
        type: list
        choices:
          - simple
          - none
      bindDn:
        description:
          - DN of the LDAP admin used to authenticate to the LDAP server.
          - Value must be a list of one string item.
        type: list
      bindCredential:
        description:
          - Password for the LDAP admin.
          - Value must be a list of one string item.
        type: list
      changedSyncPeriod:
        description:
          - Period for synchronization of changed or newly created LDAP users.
          - To disable changed user synchronization, use -1.
          - Value must be a list of one string item.
        type: list
      fullSyncPeriod:
        description:
          - Period for full synchronization of LDAP users.
          - To disable full user synchronization, use -1.
          - Value must be a list of one string item.
        type: list
      pagination:
        description:
          - Whether the LDAP server supports pagination.
          - Default value is false if this option is not defined.
          - Value must be a list of one string item.
        type: list
        choices:
          - true
          - false
      connectionPooling:
        description:
          - Whether Keycloak should use connection pooling for accessing the LDAP server.
          - Default value is true.
          - Value must be a list of one string item.
        type: list
        choices:
          - true
          - false
      cachePolicy:
        description:
          - Cache policy for this user storage provider.
          - Default value is ["DEFAULT"] if this option is not defined.
          - Value must be a list of one string item.
        type: list
        choices:
          - DEFAULT
          - EVICT_DAILY
          - EVICT_WEEKLY
          - MAX_LIFESPAN
          - NO_CACHE
      useKerberosForPasswordAuthentication:
        description:
          - Use the Kerberos module to authenticate users against the Kerberos server instead
          - of authenticating against the LDAP server with the Active Directory Service API.
          - Default value is false if this option is not defined.
          - Value must be a list of one string item.
        type: list
        choices:
          - true
          - false
      allowKerberosAuthentication:
        description:
          - Enable or disable HTTP authentication of users with SPNEGO/Kerberos tokens.
          - Default value is false if the option is not defined.
          - Value must be a list of one string item.
        type: list
        choices:
          - true
          - false
      importEnabled:
        description:
          - If true, LDAP users are imported into the Keycloak database and synchronized.
          - Default value is true if not defined.
          - Value must be a list of one string item.
        type: list
        choices:
          - true
          - false
      syncRegistrations:
        description:
          - If true, users created in the Keycloak server will be synchronized to LDAP.
          - Default value is true if not defined.
          - Value must be a list of one string item.
        type: list
        choices:
          - true
          - false
      searchScope:
        description:
          - For one level, users will be searched only in the usersDn. For subtree,
          - users will be searched recursively in the usersDn and its children.
          - For one level, use 1 as value; for subtree, use 2.
          - Default value is 2 if the option is not defined.
          - Value must be a list of one string item.
        type: list
        choices:
          - 1
          - 2
      priority:
        description:
          - Order of priority for user search when multiple user storages are defined.
          - Lowest value first.
          - Default value is 0 when this option is not defined.
          - Value must be a list of one string item.
        type: list
      validatePasswordPolicy:
        description:
          - If true, user passwords will be checked against the Keycloak password policy.
          - Default value is true if not defined.
          - Value must be a list of one string item.
        type: list
        choices:
          - true
          - false
      batchSizeForSync:
        description:
          - Count of LDAP users to be imported in a single transaction.
          - Value must be a list of one string item.
        type: list
  subComponents:
    description:
      - List of sub components to create inside the component.
      - It can be used to configure a group-ldap-mapper for a user federation.
    suboptions:
      org.keycloak.storage.ldap.mappers.LDAPStorageMapper:
        description:
          - LDAP storage mappers.
        type: list
        suboptions:
          name:
            description:
              - Name of the sub component.
            type: str
          providerId:
            description:
              - Provider ID of the sub component's type.
            type: str
            choices:
              - user-attribute-ldap-mapper
              - group-ldap-mapper
          config:
            description:
              - Configuration for the sub component. Structure depends on the component's type.
            type: dict
            suboptions:
              ldap.attribute:
                description:
                  - This is for the user-attribute-ldap-mapper type.
                  - LDAP attribute to map from.
                  - Value must be a list of one string item.
                type: list
              is.mandatory.in.ldap:
                description:
                  - This is for the user-attribute-ldap-mapper type.
                  - If true, the attribute must be in the LDAP entry for the user.
                  - Default value is true if the option is not defined.
                  - Value must be a list of one string item.
                type: list
                choices:
                  - true
                  - false
              read.only:
                description:
                  - This is for the user-attribute-ldap-mapper type.
                  - If true, the attribute is read only.
                  - Default value is false if the option is not defined.
                  - Value must be a list of one string item.
                type: list
                choices:
                  - true
                  - false
              user.model.attribute:
                description:
                  - This is for the user-attribute-ldap-mapper type.
                  - Attribute of the Keycloak user model to map to.
                  - Value must be a list of one string item.
                type: list
              always.read.value.from.ldap:
                description:
                  - This is for the user-attribute-ldap-mapper type.
                  - If true, the attribute from LDAP will always override the Keycloak user model attribute.
                  - Default value is true if the option is not defined.
                  - Value must be a list of one string item.
                type: list
                choices:
                  - true
                  - false
              mode:
                description:
                  - This option is for group-ldap-mapper.
                  - LDAP/Keycloak groups synchronization mode.
                  - Value must be a list of one string item.
                type: list
                choices:
                  - LDAP_ONLY
                  - IMPORT
                  - READ_ONLY
              membership.attribute.type:
                description:
                  - This option is for group-ldap-mapper.
                  - Membership attribute type, DN or UID.
                  - Value must be a list of one string item.
                type: list
                choices:
                  - DN
                  - UID
              user.roles.retrieve.strategy:
                description:
                  - This option is for group-ldap-mapper.
                  - Specify how to retrieve group members.
                  - Value must be a list of one string item.
                type: list
                choices:
                  - LOAD_GROUPS_BY_MEMBER_ATTRIBUTE
                  - GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE
                  - LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY
              group.name.ldap.attribute:
                description:
                  - This option is for group-ldap-mapper.
                  - Name of the LDAP attribute which is used as the group name.
                  - Value must be a list of one string item.
                type: list
              membership.ldap.attribute:
                description:
                  - This option is for group-ldap-mapper.
                  - Name of the LDAP attribute which is used for membership mapping.
                  - Value must be a list of one string item.
                type: list
              membership.user.ldap.attribute:
                description:
                  - This option is for group-ldap-mapper.
                  - Used only when membership attribute type is UID.
                  - Name of the LDAP attribute which is used for membership mapping.
                  - Value must be a list of one string item.
                type: list
              memberof.ldap.attribute:
                description:
                  - This option is for group-ldap-mapper.
                  - Used only when user.roles.retrieve.strategy is GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE.
                  - Name of the LDAP attribute on the LDAP user which is used for membership mapping.
                  - Value must be a list of one string item.
                type: list
              preserve.group.inheritance:
                description:
                  - This option is for group-ldap-mapper.
                  - If true, the LDAP group inheritance will be replicated on the Keycloak server.
                  - Default value is true if the option is not defined.
                  - Value must be a list of one string item.
                type: list
                choices:
                  - true
                  - false
              groups.dn:
                description:
                  - This option is for group-ldap-mapper.
                  - LDAP DN where groups are stored.
                  - Value must be a list of one string item.
                type: list
              group.object.classes:
                description:
                  - This option is for group-ldap-mapper.
                  - Object class or classes for LDAP group objects.
                  - Value must be a list of one string item.
                type: list
              drop.non.existing.groups.during.sync:
                description:
                  - This option is for group-ldap-mapper.
                  - If true, groups on the Keycloak server that do not exist in LDAP will be dropped.
                  - Default value is false if the option is not defined.
                  - Value must be a list of one string item.
                type: list
                choices:
                  - true
                  - false
  syncUserStorage:
    description:
      - Type of user storage synchronization to trigger for an
      - org.keycloak.storage.UserStorageProvider component.
      - If the parameter is absent, no sync will be triggered.
    required: false
    choices: ["triggerFullSync", "triggerChangedUsersSync"]
  syncLdapMappers:
    description:
      - Type of LDAP mapper synchronization to trigger for
      - org.keycloak.storage.ldap.mappers.LDAPStorageMapper/group-ldap-mapper sub components.
      - If the parameter is absent, no sync will be triggered.
    required: false
    choices: ["fedToKeycloak", "keycloakToFed"]
  state:
    description:
      - Control whether the component must exist or not.
    choices: ["present", "absent"]
    default: present
    required: false
  force:
    choices: ["yes", "no"]
    default: "no"
    description:
      - If yes, the component is removed and recreated.
    required: false
```
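The documentation above repeats one rule for almost every `config` suboption: the value must be a list of one string item, with documented choices and defaults. The example below is added here to show how those rules fit together; it is not code from this PR or from the Ansible project. `build_ldap_component` and `lint_ldap_component` are hypothetical helper names, the sample Active Directory settings are constructed, and the lint checks are a reviewer's reading of the option semantics (cleartext simple bind over `ldap://`, `WRITABLE` edit mode, disabled password policy), not behaviour the module documents.

```python
"""Build and lint an LDAP user-storage component in the keycloak_component option layout.

Added example, not code from the PR. Function names and sample values are constructed;
option names, choices and defaults follow the module documentation. Keycloak stores a
component's config as a map of string -> list of strings, which is why the documentation
requires a one-item list for each value.
"""

# Choices documented for the LDAP user-storage config suboptions.
CHOICES = {
    "vendor": {"ad", "tivoli", "edirectory", "rhds", "other"},
    "editMode": {"READ_ONLY", "WRITABLE", "UNSYNCED"},
    "authType": {"simple", "none"},
    "cachePolicy": {"DEFAULT", "EVICT_DAILY", "EVICT_WEEKLY", "MAX_LIFESPAN", "NO_CACHE"},
    "searchScope": {"1", "2"},
}
# Options documented with true/false choices.
BOOL_KEYS = {
    "pagination", "connectionPooling", "useKerberosForPasswordAuthentication",
    "allowKerberosAuthentication", "importEnabled", "syncRegistrations", "validatePasswordPolicy",
}
# Defaults the documentation says apply when the option is not defined.
DEFAULTS = {
    "pagination": "false", "connectionPooling": "true", "cachePolicy": "DEFAULT",
    "useKerberosForPasswordAuthentication": "false", "allowKerberosAuthentication": "false",
    "importEnabled": "true", "syncRegistrations": "true", "searchScope": "2",
    "priority": "0", "validatePasswordPolicy": "true",
}


def _one_string(key, value):
    """Enforce the documented rule: a config value is a list of exactly one string."""
    if not (isinstance(value, list) and len(value) == 1 and isinstance(value[0], str)):
        raise ValueError(f"{key}: expected a list of one string item, got {value!r}")
    return value[0]


def build_ldap_component(realm, name, config, ldap_mappers=None):
    """Return a dict in the module's option layout for an LDAP UserStorageProvider.

    Values are checked against the documented choices, documented defaults are filled
    in, and connectionUrl must use the documented ldap:// or ldaps:// scheme.
    """
    cfg = {}
    for key, value in config.items():
        if key == "userObjectClasses":
            # Documented as a plain list of all objectClass values, not a one-item list.
            cfg[key] = list(value)
            continue
        text = _one_string(key, value)
        if key in BOOL_KEYS and text not in ("true", "false"):
            raise ValueError(f"{key}: must be 'true' or 'false'")
        if key in CHOICES and text not in CHOICES[key]:
            raise ValueError(f"{key}: {text!r} is not one of {sorted(CHOICES[key])}")
        if key == "connectionUrl" and not text.startswith(("ldap://", "ldaps://")):
            raise ValueError("connectionUrl must be [ldap|ldaps]://server.name:port")
        cfg[key] = [text]
    for key, default in DEFAULTS.items():
        cfg.setdefault(key, [default])
    component = {
        "name": name,
        "providerId": "ldap",
        "providerType": "org.keycloak.storage.UserStorageProvider",
        "parentId": realm,  # documented: use the realm name for a top-level component
        "config": cfg,
    }
    if ldap_mappers:
        component["subComponents"] = {
            "org.keycloak.storage.ldap.mappers.LDAPStorageMapper": list(ldap_mappers),
        }
    return component


def lint_ldap_component(component):
    """Return settings a reviewer should question before applying the component (hypothetical checks)."""
    cfg = component["config"]
    findings = []
    url = cfg.get("connectionUrl", [""])[0]
    if url.startswith("ldap://") and "bindCredential" in cfg:
        findings.append("bindCredential over unencrypted ldap://; use ldaps://")
    if cfg.get("editMode", [""])[0] == "WRITABLE":
        findings.append("editMode WRITABLE lets Keycloak modify directory entries; prefer READ_ONLY")
    if cfg["validatePasswordPolicy"][0] == "false":
        findings.append("validatePasswordPolicy false: LDAP passwords bypass the Keycloak password policy")
    return findings


# Constructed sample: an Active Directory federation as a playbook might pass it.
SAMPLE_CONFIG = {
    "vendor": ["ad"],
    "editMode": ["READ_ONLY"],
    "usernameLDAPAttribute": ["sAMAccountName"],
    "rdnLDAPAttribute": ["cn"],
    "uuidLDAPAttribute": ["objectGUID"],
    "userObjectClasses": ["person", "organizationalPerson", "user"],
    "connectionUrl": ["ldap://ad.example.test:389"],
    "usersDn": ["OU=Users,DC=example,DC=test"],
    "authType": ["simple"],
    "bindDn": ["CN=svc-keycloak,OU=Service,DC=example,DC=test"],
    "bindCredential": ["<placeholder: keep the real value in ansible-vault>"],
}

if __name__ == "__main__":
    built = build_ldap_component("master", "corp-ad", SAMPLE_CONFIG)
    for finding in lint_ldap_component(built):
        print("finding:", finding)
```

Switching the sample's `connectionUrl` to `ldaps://ad.example.test:636` clears the only finding; passing a bare string such as `"vendor": "ad"` or an undocumented choice raises `ValueError` before anything would reach the Keycloak API.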

@ansibot

Contributor

commented May 2, 2019

@ansibot

Contributor

commented May 3, 2019

@adamgoossens @eikef

As a maintainer of a module in the same namespace this new module has been submitted to, your vote counts for shipits. Please review this module and add shipit if you would like to see it merged.

click here for bot help

goneri and others added some commits Apr 24, 2019

vmware: refactoring of the vcenter_* test roles
Refactoring of `vcenter_folder` and `vcenter_license` to make use of the
new `prepare_vmware_tests` role.

This patch depends on: #55719

Original PR: #54882
vmware_host_config_manager: do not apply an empty list of change
In a multi-host context, `changed_list` will record all the changes
done on any host. So as soon as ONE host is changed, it will be `True`.

A host can potentially already have a parameter set, in this case
`change_option_list` will be empty.

This commit uses `change_option_list` instead of `changed_list` to
decide if a given host should be updated.
docker_container: use restart() API function instead of stop/start sequence (#55894)

* Improve container restart.

* Adjust tests.

* Add changelog.

* Quote options.

* Move tests for restart/recreate options to start/stop tests.

* Fix changelog name.
Update openssl_privatekey.py (#55438)
* Update openssl_privatekey.py

<!--- Your description here -->

+label: docsite_pr

* Update lib/ansible/modules/crypto/openssl_privatekey.py

Co-Authored-By: snagoor <nagoor.s@gmail.com>

* Update lib/ansible/modules/crypto/openssl_privatekey.py

Co-Authored-By: snagoor <nagoor.s@gmail.com>
vmware_datastore_facts: empty list if none found
When `vmware_datastore_facts` does not find any datastore, it raises an error.
This is not consistent with the other _facts modules. It should just return
an empty list instead.
Fix invalid src option return response for network config modules (#56076)

* Add changed key in failure case to maintain backward compatibility
Add missing selectors2 requirement for network-integration tests
Otherwise, we get the following error:

  ERROR: ncclient 0.6.4 requires selectors2>=2.0.1, which is not installed.

when running ansible-test.

Signed-off-by: Paul Belanger <pabelanger@redhat.com>
Fix vyos_command integration test (#56091)
This has been broken for some time, but only noticed recently.  Because
vyos_command isn't supported on ansible_connection=local, update our
testing to account for that.

Signed-off-by: Paul Belanger <pabelanger@redhat.com>
oom_killer and oom_score_adj are available since docker-py 1.8.0. (#56012)

* oom_killer and oom_score_adj are available since docker-py 1.8.0.

* Add changelog.
fix documentation for docker_container publish_ports option (#56093)
The documentation for the docker_container publish_ports options
erroneously stated that container ports must be "exposed" in order to
be "published".
Add PTR Examples to nsupdate module
<!---  Add PTR Examples since Nsupdate usage may not be straight forward  -->

+label: docsite_pr

JonTheNiceGuy and others added some commits May 20, 2019

Update uri.py (#56395)
1. Note that uri doesn't honor the no_proxy environment variable (due to #52705), and suggest a work around.
2. Added an example showing a test waiting for a URL to become available (using the `until:`, `retries:` and `delay:` settings) - based on https://gist.github.com/mikeifomin/67e233cd461331de16707ef59a07e372#gistcomment-2718587

Co-Authored-By: Felix Fontein <felix@fontein.de>
Update unarchive.py (#56285)
Clarify that the unarchive module does not unpack a compressed file, only archive files.
Replace deprecated ansible-container references (#56427)
Link to ansible-bender instead of the deprecated ansible-container.

Co-Authored-By: Felix Fontein <felix@fontein.de>
Don't rely on netloc for determining hostname and port, just use hostname and port (#56270)

* Add changelog fragment
* Fix IPv6 address parsing for py2.6, and add tests
* make sure hostname isn't None
iam_role.py remove_policies should remove all of the requested policies (not just the first) (#56331)

The remove_policies function in iam_role.py enumerates a list of policies to remove. However, due to an indentation issue on the return True line, only the first such policy would be removed.

This change outdents the return True so that all of the requested policies are removed.
Allow python_requirements_facts to cope with packages with dashes (#56166)

* Allow python_requirements_facts to cope with packages with dashes

```
python_requirements_facts:
  dependencies:
    - kubernetes-validate
```

should work as expected

* Ensure tests run for python_requirements_facts
[docker] support the lookup of images by digest (#56649)
* [docker] images: add support for lookup by sha256 digest

Signed-off-by: Jakob Ackermann <das7pad@outlook.com>

* [tests] docker image by digest: work on a minimal test case

Signed-off-by: Jakob Ackermann <das7pad@outlook.com>

* [docker] group branch conditions per lookup

Co-Authored-By: Felix Fontein <felix@fontein.de>

* [misc] add a news fragment for the added digest lookup for docker images

Signed-off-by: Jakob Ackermann <das7pad@outlook.com>
Raise error in case of empty hosts list in playbook (#56354)
Fixes cases of playbook containing:
- hosts:
  -
ERROR! Unexpected Exception, this is probably a bug: sequence item 0: expected string, NoneType found
yum: fix false error msg about autoremove support (#56459)
* yum: fix false error msg about autoremove support
Add links to quickstart guides (#56722)
* shell of quickstart

* link to existing quickstart guides
@ansibot

Contributor

commented May 21, 2019

@elfelip this PR contains the following merge commits:

Please rebase your branch to remove these commits.

click here for bot help

@ansibot

Contributor

commented May 21, 2019

@elfelip This PR was evaluated as a potentially problematic PR for the following reasons:

  • More than 50 changed files.
  • More than 50 commits.

Such a PR can only be merged by a human. Contact a Core team member to review this PR on IRC: #ansible-devel on irc.freenode.net

click here for bot help

@opendev-zuul


commented May 21, 2019

Build succeeded (third-party-check pipeline).

@opendev-zuul


commented May 21, 2019

Build succeeded (third-party-check pipeline).
