forked from cloudera-labs/cloudera.cloud
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathenv_auth_info.py
274 lines (237 loc) · 8.31 KB
/
env_auth_info.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Copyright 2021 Cloudera, Inc. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from ansible.module_utils.basic import AnsibleModule
from ansible_collections.cloudera.cloud.plugins.module_utils.cdp_common import CdpModule
ANSIBLE_METADATA = {'metadata_version': '1.1',
'status': ['preview'],
'supported_by': 'community'}
DOCUMENTATION = r'''
module: env_auth_info
short_description: Gather information about CDP environment authentication details
description:
- Gather information about CDP environment authentication details, notably the FreeIPA root certificate and
user keytabs.
- The module supports check_mode.
author:
- "Webster Mudge (@wmudge)"
- "Dan Chaffelson (@chaffelson)"
requirements:
- cdpy
options:
name:
description:
- A target list of environments or a single environment string.
- If no environments are specified, all environments are targeted.
type: list
elements: str
required: False
aliases:
- environment
root_certificate:
description:
- A flag indicating whether to retrieve the given environment's FreeIPA root certificate.
type: bool
required: False
default: True
aliases:
- root_ca
- cert
keytab:
description:
- A flag to retrieve the keytabs for the given environment or environments, governed by the value of C(user).
- If no environments are declared, all environments will be queried.
type: bool
required: False
default: True
aliases:
- keytabs
- user_keytabs
user:
description:
- A list of user IDs or a single user ID for retrieving the keytabs from the specified environment(s).
- If no user ID is declared, the current CDP user will be used.
type: list
elements: str
required: False
aliases:
- users
extends_documentation_fragment:
- cloudera.cloud.cdp_sdk_options
- cloudera.cloud.cdp_auth_options
'''
EXAMPLES = r'''
# Note: These examples do not set authentication details.
# Retrieve only the root certificate for a single environment
- cloudera.cloud.env_auth_info:
name: the-environment
root_certificate: yes
keytab: no
# Retrieve the root certificate for multiple environments
- cloudera.cloud.env_auth_info:
name:
- one-environment
- two-environment
root_certificate: yes
keytab: no
# Retrieve the keytab details for the current CDP user for selected environments
- cloudera.cloud.env_auth_info:
name:
- one-environment
- two-environment
keytab: yes
root_certificate: no
# Retrieve the keytab details for the specified users for selected environments
- cloudera.cloud.env_auth_info:
name:
- one-environment
- two-environment
user:
- UserA
- UserB
keytab: yes
root_certificate: no
'''
RETURN = r'''
authentication:
description: Returns a dictionary of the environment authentication details.
returned: always
type: dict
contains:
certificates:
description: A dictionary of environment-to-FreeIPA root certificate
returned: when supported
type: dict
contains:
_environment name_:
description: The FreeIPA root certificate for the environment
returned: always
type: str
keytabs:
description: A dictionary of the keytabs for each specified environment by user.
returned: when supported
type: dict
contains:
_workload username_:
description: The user's workload username.
returned: always
type: dict
contains:
_environment name_:
description: The keytab for the environment. The keytab is encoded in base64.
returned: always
type: str
sdk_out:
description: Returns the captured CDP SDK log.
returned: when supported
type: str
sdk_out_lines:
description: Returns a list of each line of the captured CDP SDK log.
returned: when supported
type: list
elements: str
'''
class EnvironmentAuthentication(CdpModule):
def __init__(self, module):
super(EnvironmentAuthentication, self).__init__(module)
# Set Variables
self.name = self._get_param('name')
self.user = self._get_param('user')
self.root_cert = self._get_param('root_certificate')
self.keytab = self._get_param('keytab')
# Initialize the return values
self.auth = dict()
# Execute logic process
self.process()
@CdpModule._Decorators.process_debug
def process(self):
if self.root_cert:
certs = self.get_certificates()
self.auth.update(certificates=certs)
if self.keytab:
keytabs = dict()
actors = list()
if self.user is None:
actors.append(self.cdpy.iam.get_user())
else:
for user in self.user:
actor = self.cdpy.iam.get_user(user)
if actor is None:
self.module.fail_json(msg='Invalid user: %s' % user)
actors.append(actor)
for actor in actors:
user_keytabs = self.get_keytabs_for_user(actor['crn'])
keytabs[actor['workloadUsername']] = user_keytabs
self.auth.update(keytabs=keytabs)
def get_certificates(self):
certs = dict()
if self.name is None:
env_list = self._list_all_crns()
else:
env_list = self._discover_crns()
for env in env_list:
result = self.cdpy.environments.get_root_cert(env['crn'])
certs[env['name']] = result
return certs
def get_keytabs_for_user(self, workload_user_crn):
keytabs = dict()
if self.name:
for name in self.name:
result = self.cdpy.environments.get_keytab(workload_user_crn, name)
keytabs[name] = result
else:
all_envs = self.cdpy.environments.list_environments()
for env in all_envs:
result = self.cdpy.environments.get_keytab(workload_user_crn, env['crn'])
keytabs[env['environmentName']] = result
return keytabs
def _discover_crns(self):
converted = []
for name in self.name:
env = self.cdpy.environments.describe_environment(name)
if env is not None:
converted.append(dict(name=name, crn=env['crn']))
else:
self.module.fail_json(msg="Environment '%s' not found" % name)
return converted
def _list_all_crns(self):
converted = []
discovered = self.cdpy.environments.list_environments()
for env in discovered:
converted.append(dict(name=env['environmentName'], crn=env['crn']))
return converted
def main():
module = AnsibleModule(
argument_spec=CdpModule.argument_spec(
name=dict(required=False, type='list', elements='str', aliases=['environment']),
user=dict(required=False, type='list', elements='str', aliases=['users']),
root_certificate=dict(required=False, type='bool', aliases=['root_ca', 'cert'], default=True),
keytab=dict(required=False, type='bool', aliases=['keytabs', 'user_keytabs'], default=True)
),
supports_check_mode=True
)
result = EnvironmentAuthentication(module)
output = dict(
changed=False,
authentication=result.auth,
)
if result.debug:
output.update(
sdk_out=result.log_out,
sdk_out_lines=result.log_lines
)
module.exit_json(**output)
if __name__ == '__main__':
main()