New module: aix_chsec #60976

Open
wants to merge 41 commits into
base: devel
from


@d-little
Contributor

commented Aug 20, 2019

SUMMARY

Updated code from stale PR #49057 : adds stanzas to aix config files using the chsec command.

Features:

  • Fully idempotent
  • Check mode
  • Updated docs

Full details below.

ISSUE TYPE
  • New Module Pull Request
COMPONENT NAME

aix_chsec.py

ADDITIONAL INFORMATION
Idempotency

We make the tool idempotent by first checking the output of lssec before running chsec.

Using the module

One example implementation with multiple key/value being set within a single file+stanza:

- name: Name of Task
  aix_chsec:
    file: filename
    stanza: stanzaname
    attrs:
      key1: value1
      key2: value2
      keyN: valueN
    state: [ present, absent ]

NB: attr changes are made one at a time in code

This would return Changed if any number of the above key/value pairs were changed. If none were changed status would be OK. Failure to change any key:value pair would constitute a failure at the time of failure regardless of how many attributes were successfully set.

  • attrs has the alias options
  • Valid attrs formats:
attrs:
  key: value
  key2: value2

[key=value, key=value]

"key=value, key=value"

Real world use:

  • Allow logins from 8:00 a.m. until 5:00 p.m. for all users
  • Change the CPU time limit of user joe AND charlie to 1 hour (3600 seconds):
---
- hosts: targetserver
  gather_facts: no
  vars:
    example_chsec:
      - file: /etc/security/user
        stanza: default
        attrs:
          logintimes: ":0800-1700"
      - file: /etc/security/limits
        stanza: joe
        attrs: cpu=3600
      - file: /etc/security/limits
        stanza: charlie
        attrs:
          cpu: 3600
  remote_user: deploy
  tasks:
    - name: Example chsec
      aix_chsec:
        file: "{{ item.file }}"
        stanza: "{{ item.stanza }}"
        attrs: "{{ item.attrs }}"
      # loop takes the list itself; wrapping it in another list yields one item
      loop: "{{ example_chsec }}"

Future Ideas

Backup

Have a flag backup=true to create a backup of the file before making changes

'Nested' Stanzas

We could 'nest' stanzas for a single file within a single module call. This increases the chances of any one attribute failing. We can keep the stanza option available in addition to stanzas, mutually exclusive.

- name: Name of Task
  aix_chsec:
    file: filename
    stanzas:
      - stanza1:
          key1: value1
          key2: value2
          keyN: valueN
        state: [ present|absent ]
      - stanza2:
          key1: value1
          key2: value2
          keyN: valueN
        state: [ present|absent ]
    backup: bool (default no, timestamped backup before making changes.)
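
The idempotency check described in the pull request (query lssec first, run chsec only where the value differs), as an added example that is not the module's own code. It assumes lssec prints one `stanza attr=value` line per attribute and that `chsec -a attr=` clears an attribute; `parse_lssec`, `plan_chsec`, `apply` and the sample data are hypothetical names constructed here.

```python
import subprocess

def parse_lssec(stdout, attr):
    """Value from one 'stanza attr=value' line (assumed format); None if unset."""
    _, _, pair = stdout.strip().partition(" ")
    key, sep, value = pair.partition("=")
    if not sep or key != attr:
        raise ValueError("unexpected lssec output: %r" % stdout)
    return value.strip('"') or None

def current_value(path, stanza, attr):
    """Query the live value; an argv list keeps values away from a shell."""
    proc = subprocess.run(["lssec", "-f", path, "-s", stanza, "-a", attr],
                          capture_output=True, text=True, check=True)
    return parse_lssec(proc.stdout, attr)

def plan_chsec(path, stanza, attrs, state="present", lookup=current_value):
    """Return only the chsec argv lists needed to reach the desired state."""
    commands = []
    for attr, wanted in attrs.items():
        target = (str(wanted) or None) if state == "present" else None
        if lookup(path, stanza, attr) == target:
            continue  # already compliant: nothing to run, task stays OK
        # Assumption: 'attr=' with an empty value clears the attribute.
        commands.append(["chsec", "-f", path, "-s", stanza,
                         "-a", "%s=%s" % (attr, target or "")])
    return commands

def apply(commands, check_mode=False):
    """Run the plan unless in check mode; the return value is 'changed'."""
    if not check_mode:
        for argv in commands:
            subprocess.run(argv, check=True)  # first failure aborts the rest
    return bool(commands)

# Constructed lssec output standing in for a live AIX host.
SAMPLE = {
    ("/etc/security/user", "default", "logintimes"): "default logintimes=:0800-1700\n",
    ("/etc/security/limits", "joe", "cpu"): "joe cpu=-1\n",
}

def sample_lookup(path, stanza, attr):
    return parse_lssec(SAMPLE[(path, stanza, attr)], attr)

if __name__ == "__main__":
    print(plan_chsec("/etc/security/user", "default",
                     {"logintimes": ":0800-1700"}, lookup=sample_lookup))
    print(plan_chsec("/etc/security/limits", "joe", {"cpu": 3600},
                     lookup=sample_lookup))
```

An empty plan means the task reports OK; in check mode the same plan is computed and reported as changed without any chsec call being made.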
flynn1973 and others added 30 commits Nov 23, 2018
Update lib/ansible/modules/system/aix_chsec.py
Co-Authored-By: flynn1973 <christian.tremel@itsv.at>
@ansibot

Contributor

commented Aug 20, 2019

The test ansible-test sanity --test ansible-doc [explain] failed with the error:

Command "ansible-doc -t module aix_chsec" returned exit status 1.
>>> Standard Error
ERROR! module aix_chsec missing documentation (or could not parse documentation): mapping values are not allowed in this context
  in "<unicode string>", line 22, column 54

The test ansible-test sanity --test docs-build [explain] failed with the error:

Command "/usr/bin/python3.6 /root/ansible/test/sanity/code-smell/docs-build.py" returned exit status 1.
>>> Standard Error
Command 'make singlehtmldocs' failed with status code: 2
--> Standard Output
PYTHONPATH=../../lib ../../hacking/build-ansible.py collection-meta --template-file=../templates/collections_galaxy_meta.rst.j2 --output-dir=rst/dev_guide/ ../../lib/ansible/galaxy/data/collections_galaxy_meta.yml
PYTHONPATH=../../lib ../../hacking/build-ansible.py document-config --template-file=../templates/config.rst.j2 --output-dir=rst/reference_appendices/ ../../lib/ansible/config/base.yml
mkdir -p rst/cli
PYTHONPATH=../../lib ../../hacking/build-ansible.py generate-man --template-file=../templates/cli_rst.j2 --output-dir=rst/cli/ --output-format rst ../../lib/ansible/cli/*.py
PYTHONPATH=../../lib ../../hacking/build-ansible.py document-keywords --template-dir=../templates --output-dir=rst/reference_appendices/ ./keyword_desc.yml
PYTHONPATH=../../lib ../../hacking/build-ansible.py document-plugins -t rst --template-dir=../templates --module-dir=../../lib/ansible/modules -o rst/modules/ 
Evaluating module files...
Makefile:98: recipe for target 'modules' failed
--> Standard Error
Traceback (most recent call last):
  File "../../hacking/build-ansible.py", line 88, in <module>
    main()
  File "../../hacking/build-ansible.py", line 79, in main
    retval = command.main(args)
  File "/root/ansible/hacking/build_library/build_ansible/command_plugins/plugin_formatter.py", line 711, in main
    plugin_info, categories = get_plugin_info(args.module_dir, limit_to=args.limit_to, verbose=(args.verbosity > 0))
  File "/root/ansible/hacking/build_library/build_ansible/command_plugins/plugin_formatter.py", line 225, in get_plugin_info
    doc, examples, returndocs, metadata = plugin_docs.get_docstring(module_path, fragment_loader, verbose=verbose)
  File "/root/ansible/lib/ansible/utils/plugin_docs.py", line 111, in get_docstring
    data = read_docstring(filename, verbose=verbose, ignore_errors=ignore_errors)
  File "/root/ansible/lib/ansible/parsing/plugin_docs.py", line 59, in read_docstring
    data[varkey] = AnsibleLoader(child.value.s, file_name=filename).get_single_data()
  File "/usr/local/lib/python3.6/dist-packages/yaml/constructor.py", line 41, in get_single_data
    node = self.get_single_node()
  File "ext/_yaml.pyx", line 707, in _yaml.CParser.get_single_node
  File "ext/_yaml.pyx", line 725, in _yaml.CParser._compose_document
  File "ext/_yaml.pyx", line 776, in _yaml.CParser._compose_node
  File "ext/_yaml.pyx", line 890, in _yaml.CParser._compose_mapping_node
  File "ext/_yaml.pyx", line 776, in _yaml.CParser._compose_node
  File "ext/_yaml.pyx", line 890, in _yaml.CParser._compose_mapping_node
  File "ext/_yaml.pyx", line 776, in _yaml.CParser._compose_node
  File "ext/_yaml.pyx", line 890, in _yaml.CParser._compose_mapping_node
  File "ext/_yaml.pyx", line 774, in _yaml.CParser._compose_node
  File "ext/_yaml.pyx", line 851, in _yaml.CParser._compose_sequence_node
  File "ext/_yaml.pyx", line 776, in _yaml.CParser._compose_node
  File "ext/_yaml.pyx", line 892, in _yaml.CParser._compose_mapping_node
  File "ext/_yaml.pyx", line 905, in _yaml.CParser._parse_next_event
yaml.scanner.ScannerError: mapping values are not allowed in this context
  in "<unicode string>", line 22, column 54
make: *** [modules] Error 1

The test ansible-test sanity --test validate-modules [explain] failed with 10 errors:

lib/ansible/modules/system/aix_chsec.py:0:0: E324 Argument 'state' in argument_spec defines default as ('present') but documentation defines default as (None)
lib/ansible/modules/system/aix_chsec.py:0:0: E326 Argument 'state' in argument_spec defines choices as (['absent', 'present']) but documentation defines choices as ([])
lib/ansible/modules/system/aix_chsec.py:0:0: E337 Argument 'attrs' in argument_spec defines type as 'raw' but documentation doesn't define type
lib/ansible/modules/system/aix_chsec.py:0:0: E337 Argument 'path' in argument_spec defines type as 'path' but documentation doesn't define type
lib/ansible/modules/system/aix_chsec.py:0:0: E337 Argument 'stanza' in argument_spec defines type as 'str' but documentation doesn't define type
lib/ansible/modules/system/aix_chsec.py:0:0: E337 Argument 'state' in argument_spec defines type as 'str' but documentation doesn't define type
lib/ansible/modules/system/aix_chsec.py:41:54: E302 DOCUMENTATION is not valid YAML
lib/ansible/modules/system/aix_chsec.py:110:0: E403 Type comparison using type() found. Use isinstance() instead
lib/ansible/modules/system/aix_chsec.py:116:0: E403 Type comparison using type() found. Use isinstance() instead
lib/ansible/modules/system/aix_chsec.py:124:0: E403 Type comparison using type() found. Use isinstance() instead

The test ansible-test sanity --test yamllint [explain] failed with 1 error:

lib/ansible/modules/system/aix_chsec.py:41:54: error DOCUMENTATION: syntax error: mapping values are not allowed here


@ansibot

Contributor

commented Aug 20, 2019

The test ansible-test sanity --test validate-modules [explain] failed with 14 errors:

lib/ansible/modules/system/aix_chsec.py:0:0: E305 DOCUMENTATION.attrs: extra keys not allowed @ data['attrs']. Got {'path': {'description': ['Path to the stanza file.'], 'type': 'path', 'required': True, 'aliases': ['dest']}, 'stanza': {'description': ['Name of stanza.'], 'type': 'str', 'required': True}, 'attrs': {'description': ['A list of key/value pairs'], 'type': 'list', 'aliases': ['options']}, 'state': {'description': ['If set to C(present) all given attrs values will be set.', 'If set to C(absent) all attrs provided will be un-set, regardless of value provided.', {'NB': 'This does not remove the e...
lib/ansible/modules/system/aix_chsec.py:0:0: E307 version_added should be '2.9'. Currently '2.8'
lib/ansible/modules/system/aix_chsec.py:0:0: E322 Argument 'attrs' is listed in the argument_spec, but not documented in the module documentation
lib/ansible/modules/system/aix_chsec.py:0:0: E322 Argument 'dest' is listed in the argument_spec, but not documented in the module documentation
lib/ansible/modules/system/aix_chsec.py:0:0: E322 Argument 'options' is listed in the argument_spec, but not documented in the module documentation
lib/ansible/modules/system/aix_chsec.py:0:0: E322 Argument 'path' is listed in the argument_spec, but not documented in the module documentation
lib/ansible/modules/system/aix_chsec.py:0:0: E322 Argument 'stanza' is listed in the argument_spec, but not documented in the module documentation
lib/ansible/modules/system/aix_chsec.py:0:0: E322 Argument 'state' is listed in the argument_spec, but not documented in the module documentation
lib/ansible/modules/system/aix_chsec.py:0:0: E324 Argument 'state' in argument_spec defines default as ('present') but documentation defines default as (None)
lib/ansible/modules/system/aix_chsec.py:0:0: E326 Argument 'state' in argument_spec defines choices as (['absent', 'present']) but documentation defines choices as ([])
lib/ansible/modules/system/aix_chsec.py:0:0: E337 Argument 'attrs' in argument_spec defines type as 'raw' but documentation doesn't define type
lib/ansible/modules/system/aix_chsec.py:0:0: E337 Argument 'path' in argument_spec defines type as 'path' but documentation doesn't define type
lib/ansible/modules/system/aix_chsec.py:0:0: E337 Argument 'stanza' in argument_spec defines type as 'str' but documentation doesn't define type
lib/ansible/modules/system/aix_chsec.py:0:0: E337 Argument 'state' in argument_spec defines type as 'str' but documentation doesn't define type


@ansibot ansibot added the ci_verified label Aug 20, 2019

@ansibot ansibot removed the ci_verified label Aug 20, 2019

@ansibot

Contributor

commented Aug 20, 2019

@AugustusKling @ColOfAbRiX @EvanK @LinusU @Mogztter @MorrisA @abulimov @adejoux @ahtik @Akasurde @azaghal @bachradsusi @bgurney-rh @bushvin @dankeder @danowar2k @davixx @dirtyharrycallahan @dougluce @dsummersl @fishman @flynn1973 @gforster @giovannisciortino @goozbach @groks @haad @hryamzik @indrajitr @jamescassell @jasperla @jbenden @jdauphant @jhoekx @jpdasma @jsumners @jtyr @kairoaraujo @kevensen @kyleabenson @lberruti @martinm82 @marvin-sinister @mator @mattjeffery @matze @mcv21 @molekuul @mpdehaan @mulby @natefoo @nibalizer @obourdon @ovcharenko @pilou- @pmarkham @precurse @pyykkis @ramooncamacho @rhaido @risaacson @saito-hideki @saranyasridharan @scathatheworm @sebastiendarocha @sfromm @srvg @tacatac @tdtrask @tmshn @troy2914 @wtcross @xen0l

As a maintainer of a module in the same namespace this new module has been submitted to, your vote counts for shipits. Please review this module and add shipit if you would like to see it merged.


@ansibot ansibot removed the needs_triage label Aug 26, 2019

@d-little

Contributor Author

commented Aug 26, 2019

Thanks @flynn1973

These changes were made to build upon the great work you've already done and get it into core Ansible 2.9 (at least until collections change everything!)

I believe the changes I've made should be fully backwards compatible with your existing code, just added a few more nice-to-haves to get it accepted and into Ansible! If you like the look of this and there aren't outstanding concerns, let's try to shipit! :)

(I've also got a number of other PRs open if you're looking to get more support into Ansible... I'll be bumping all of those today ;) )

@ansibot ansibot added the stale_ci label Sep 3, 2019

@d-little

Contributor Author

commented Sep 10, 2019

Bugfix pushed

I've been using this module in anger now on production and it's working as expected :)

@ansibot ansibot removed the stale_ci label Sep 10, 2019

@ansibot

Contributor

commented Sep 10, 2019

The test ansible-test sanity --test validate-modules [explain] failed with 1 error:

lib/ansible/modules/system/aix_chsec.py:0:0: module-incorrect-version-added: version_added should be '2.10'. Currently '2.9'
