285 lines
7.9 KiB
Python
285 lines
7.9 KiB
Python
#!/usr/bin/python
|
|
# -*- coding: utf-8 -*-
|
|
|
|
# Copyright: (c) 2018, Dag Wieers (@dagwieers) <dag@wieers.com>
|
|
# GNU General Public License v3.0+ (see LICENSE or https://www.gnu.org/licenses/gpl-3.0.txt)
|
|
|
|
from __future__ import absolute_import, division, print_function
|
|
__metaclass__ = type
|
|
|
|
ANSIBLE_METADATA = {'metadata_version': '1.1',
|
|
'status': ['preview'],
|
|
'supported_by': 'community'}
|
|
|
|
DOCUMENTATION = r'''
|
|
---
|
|
module: mso_user
|
|
short_description: Manage users
|
|
description:
|
|
- Manage users on Cisco ACI Multi-Site.
|
|
author:
|
|
- Dag Wieers (@dagwieers)
|
|
options:
|
|
user:
|
|
description:
|
|
- The name of the user.
|
|
type: str
|
|
aliases: [ name ]
|
|
user_password:
|
|
description:
|
|
- The password of the user.
|
|
type: str
|
|
first_name:
|
|
description:
|
|
- The first name of the user.
|
|
- This parameter is required when creating new users.
|
|
type: str
|
|
last_name:
|
|
description:
|
|
- The last name of the user.
|
|
- This parameter is required when creating new users.
|
|
type: str
|
|
email:
|
|
description:
|
|
- The email address of the user.
|
|
- This parameter is required when creating new users.
|
|
type: str
|
|
phone:
|
|
description:
|
|
- The phone number of the user.
|
|
- This parameter is required when creating new users.
|
|
type: str
|
|
account_status:
|
|
description:
|
|
- The status of the user account.
|
|
type: str
|
|
choices: [ active, inactive ]
|
|
domain:
|
|
description:
|
|
- The domain this user belongs to.
|
|
- When creating new users, this defaults to C(Local).
|
|
type: str
|
|
roles:
|
|
description:
|
|
- The roles for this user and their access types (read or write).
|
|
- Access type defaults to C(write).
|
|
type: list
|
|
elements: str
|
|
state:
|
|
description:
|
|
- Use C(present) or C(absent) for adding or removing.
|
|
- Use C(query) for listing an object or multiple objects.
|
|
type: str
|
|
choices: [ absent, present, query ]
|
|
default: present
|
|
notes:
|
|
- A default installation of ACI Multi-Site ships with admin password 'we1come!' which requires a password change on first login.
|
|
See the examples of how to change the 'admin' password using Ansible.
|
|
extends_documentation_fragment: cisco.mso.modules
|
|
'''
|
|
|
|
EXAMPLES = r'''
|
|
- name: Update initial admin password
|
|
cisco.mso.mso_user:
|
|
host: mso_host
|
|
username: admin
|
|
password: initialPassword
|
|
validate_certs: false
|
|
user: admin
|
|
user_password: newPassword
|
|
state: present
|
|
delegate_to: localhost
|
|
|
|
- name: Add a new user
|
|
cisco.mso.mso_user:
|
|
host: mso_host
|
|
username: admin
|
|
password: SomeSecretPassword
|
|
validate_certs: false
|
|
user: dag
|
|
user_password: userPassword
|
|
first_name: Dag
|
|
last_name: Wieers
|
|
email: dag@wieers.com
|
|
phone: +32 478 436 299
|
|
roles:
|
|
- name: siteManager
|
|
access_type: write
|
|
- name: schemaManager
|
|
access_type: read
|
|
state: present
|
|
delegate_to: localhost
|
|
|
|
- name: Add a new user
|
|
cisco.mso.mso_user:
|
|
host: mso_host
|
|
username: admin
|
|
password: SomeSecretPassword
|
|
validate_certs: false
|
|
user: dag
|
|
first_name: Dag
|
|
last_name: Wieers
|
|
email: dag@wieers.com
|
|
phone: +32 478 436 299
|
|
roles:
|
|
- powerUser
|
|
delegate_to: localhost
|
|
|
|
- name: Remove a user
|
|
cisco.mso.mso_user:
|
|
host: mso_host
|
|
username: admin
|
|
password: SomeSecretPassword
|
|
validate_certs: false
|
|
user: dag
|
|
state: absent
|
|
delegate_to: localhost
|
|
|
|
- name: Query a user
|
|
cisco.mso.mso_user:
|
|
host: mso_host
|
|
username: admin
|
|
password: SomeSecretPassword
|
|
validate_certs: false
|
|
user: dag
|
|
state: query
|
|
delegate_to: localhost
|
|
register: query_result
|
|
|
|
- name: Query all users
|
|
cisco.mso.mso_user:
|
|
host: mso_host
|
|
username: admin
|
|
password: SomeSecretPassword
|
|
validate_certs: false
|
|
state: query
|
|
delegate_to: localhost
|
|
register: query_result
|
|
'''
|
|
|
|
RETURN = r''' # '''
|
|
|
|
from ansible.module_utils.basic import AnsibleModule
|
|
from ansible_collections.cisco.mso.plugins.module_utils.mso import MSOModule, mso_argument_spec, issubset
|
|
|
|
|
|
def main():
|
|
argument_spec = mso_argument_spec()
|
|
argument_spec.update(
|
|
user=dict(type='str', aliases=['name']),
|
|
user_password=dict(type='str', no_log=True),
|
|
first_name=dict(type='str'),
|
|
last_name=dict(type='str'),
|
|
email=dict(type='str'),
|
|
phone=dict(type='str'),
|
|
# TODO: What possible options do we have ?
|
|
account_status=dict(type='str', choices=['active', 'inactive']),
|
|
domain=dict(type='str'),
|
|
roles=dict(type='list', elements='str'),
|
|
state=dict(type='str', default='present', choices=['absent', 'present', 'query']),
|
|
)
|
|
|
|
module = AnsibleModule(
|
|
argument_spec=argument_spec,
|
|
supports_check_mode=True,
|
|
required_if=[
|
|
['state', 'absent', ['user']],
|
|
['state', 'present', ['user']],
|
|
],
|
|
)
|
|
|
|
user_name = module.params.get('user')
|
|
user_password = module.params.get('user_password')
|
|
first_name = module.params.get('first_name')
|
|
last_name = module.params.get('last_name')
|
|
email = module.params.get('email')
|
|
phone = module.params.get('phone')
|
|
account_status = module.params.get('account_status')
|
|
state = module.params.get('state')
|
|
|
|
mso = MSOModule(module)
|
|
|
|
roles = mso.lookup_roles(module.params.get('roles'))
|
|
domain = mso.lookup_domain(module.params.get('domain'))
|
|
|
|
user_id = None
|
|
path = 'users'
|
|
|
|
# Query for existing object(s)
|
|
if user_name:
|
|
if mso.module._socket_path and mso.connection.get_platform() == "cisco.nd":
|
|
mso.existing = mso.get_obj(path, loginID=user_name, api_version='v2')
|
|
if mso.existing:
|
|
mso.existing['id'] = mso.existing.get('userID')
|
|
mso.existing['username'] = mso.existing.get('loginID')
|
|
else:
|
|
mso.existing = mso.get_obj(path, username=user_name)
|
|
if mso.existing:
|
|
user_id = mso.existing.get('id')
|
|
# If we found an existing object, continue with it
|
|
path = 'users/{id}'.format(id=user_id)
|
|
else:
|
|
mso.existing = mso.query_objs(path)
|
|
|
|
if state == 'query':
|
|
pass
|
|
|
|
elif state == 'absent':
|
|
mso.previous = mso.existing
|
|
if mso.existing:
|
|
if module.check_mode:
|
|
mso.existing = {}
|
|
else:
|
|
mso.existing = mso.request(path, method='DELETE')
|
|
|
|
elif state == 'present':
|
|
mso.previous = mso.existing
|
|
|
|
payload = dict(
|
|
id=user_id,
|
|
username=user_name,
|
|
firstName=first_name,
|
|
lastName=last_name,
|
|
emailAddress=email,
|
|
phoneNumber=phone,
|
|
accountStatus=account_status,
|
|
domainId=domain,
|
|
roles=roles,
|
|
# active=True,
|
|
# remote=True,
|
|
)
|
|
|
|
if user_password is not None:
|
|
payload.update(password=user_password)
|
|
|
|
mso.sanitize(payload, collate=True)
|
|
|
|
if mso.sent.get('accountStatus') is None:
|
|
mso.sent['accountStatus'] = 'active'
|
|
|
|
if mso.existing:
|
|
if not issubset(mso.sent, mso.existing):
|
|
# NOTE: Since MSO always returns '******' as password, we need to assume a change
|
|
if 'password' in mso.proposed:
|
|
mso.module.warn("A password change is assumed, as the MSO REST API does not return passwords we do not know.")
|
|
mso.result['changed'] = True
|
|
|
|
if module.check_mode:
|
|
mso.existing = mso.proposed
|
|
else:
|
|
mso.existing = mso.request(path, method='PUT', data=mso.sent)
|
|
|
|
else:
|
|
if user_password is None:
|
|
mso.fail_json("The user {0} does not exist. The 'user_password' attribute is required to create a new user.".format(user_name))
|
|
if module.check_mode:
|
|
mso.existing = mso.proposed
|
|
else:
|
|
mso.existing = mso.request(path, method='POST', data=mso.sent)
|
|
|
|
mso.exit_json()
|
|
|
|
|
|
if __name__ == "__main__":
|
|
main()
|