Add roles option to roles role to allow setting multiple roles in one…

… item rather than repeating entire sections of code
redhat-cop · Aug 1, 2023 · 6d8f87a · 6d8f87a
1 parent d9f0c2d
commit 6d8f87a
Show file tree

Hide file tree

Showing 5 changed files with 66 additions and 6 deletions.
diff --git a/changelogs/fragments/roles.yml b/changelogs/fragments/roles.yml
@@ -0,0 +1,4 @@
+---
+minor_changes:
+  - Added roles option to roles role to allow setting multiple roles in one item rather than repeating entire sections of code
+...
diff --git a/roles/roles/README.md b/roles/roles/README.md
@@ -79,6 +79,7 @@ This also speeds up the overall role.
 |`users`|""|no|list|The users for which the role applies|
 |`team`|""|no|str|The team for which the role applies|
 |`teams`|""|no|list|The teams for which the role applies|
+|`roles`|""|no|str (see note below)|The roles which are applied to one of {`target_team`, `inventory`, `job_template`, `target_team`, `inventory`, `job_template`} for either `user` or `team` |
 |`role`|""|no|str (see note below)|The role which is applied to one of {`target_team`, `inventory`, `job_template`, `target_team`, `inventory`, `job_template`} for either `user` or `team` |
 |`target_team`|""|no|str|The team the role applies against|
 |`target_teams`|""|no|list|The teams the role applies against|
@@ -100,7 +101,7 @@ This also speeds up the overall role.
 
 #### Role
 
-`role` must be one of the following:
+`role` must be one of the following (or roles must contain a list made up from the following):
 
 - `admin`
 - `read`
@@ -117,6 +118,8 @@ This also speeds up the overall role.
 - `notification_admin`
 - `job_template_admin`
 
+Note that the `roles` option takes precedence over the `role` option and simply allows to specify multiple roles for a user or team (or set of users or teams).
+
 ### Standard RBAC Data Structure
 
 #### Json Example
@@ -132,13 +135,16 @@ This also speeds up the overall role.
     {
       "team": "My Team",
       "organization": "Default",
-      "role": "execute"
+      "role": [
+        "execute",
+        "read"
+      ]
     }
   ]
 }
 ```
 
-#### Yaml Example
+git check
 
 ```yaml
 ---
@@ -151,7 +157,9 @@ controller_roles:
   role: member
 - team: "My Team"
   organization: "Default"
-  role: execute
+  roles:
+    - execute
+    - read
 ```
 
 ## Playbook Examples

diff --git a/roles/roles/tasks/main.yml b/roles/roles/tasks/main.yml
@@ -1,4 +1,47 @@
 ---
+- name: Create Roles Based Access Entry on Controller
+  role:
+    user:                           "{{ __controller_role_item.0.user | default(omit, true) }}"
+    users:                          "{{ __controller_role_item.0.users | default(( [] if controller_configuration_role_enforce_defaults else omit), true) }}"
+    team:                           "{{ __controller_role_item.0.team | default(omit, true) }}"
+    teams:                          "{{ __controller_role_item.0.teams | default(( [] if controller_configuration_role_enforce_defaults else omit), true) }}"
+    role:                           "{{ __controller_role_item.1 | mandatory }}"
+    target_team:                    "{{ __controller_role_item.0.target_team | default(omit, true) }}"
+    target_teams:                   "{{ __controller_role_item.0.target_teams | default(( [] if controller_configuration_role_enforce_defaults else omit), true) }}"
+    inventory:                      "{{ __controller_role_item.0.inventory | default(omit, true) }}"
+    inventories:                    "{{ __controller_role_item.0.inventories | default(( [] if controller_configuration_role_enforce_defaults else omit), true) }}"
+    job_template:                   "{{ __controller_role_item.0.job_template | default(omit, true) }}"
+    job_templates:                  "{{ __controller_role_item.0.job_templates | default(( [] if controller_configuration_role_enforce_defaults else omit), true) }}"
+    workflow:                       "{{ __controller_role_item.0.workflow | default(omit, true) }}"
+    workflows:                      "{{ __controller_role_item.0.workflows | default(( [] if controller_configuration_role_enforce_defaults else omit), true) }}"
+    credential:                     "{{ __controller_role_item.0.credential | default(omit, true) }}"
+    credentials:                    "{{ __controller_role_item.0.credentials | default(( [] if controller_configuration_role_enforce_defaults else omit), true) }}"
+    organization:                   "{{ __controller_role_item.0.organization | default(omit, true) }}"
+    organizations:                  "{{ __controller_role_item.0.organizations | default(( [] if controller_configuration_role_enforce_defaults else omit), true) }}"
+    lookup_organization:            "{{ __controller_role_item.0.lookup_organization | default(omit, true) }}"
+    project:                        "{{ __controller_role_item.0.project | default(omit, true) }}"
+    projects:                       "{{ __controller_role_item.0.projects | default(( [] if controller_configuration_role_enforce_defaults else omit), true) }}"
+    instance_groups:                "{{ __controller_role_item.0.instance_groups | default(( [] if controller_configuration_role_enforce_defaults else omit), true) }}"
+    state:                          "{{ __controller_role_item.0.state | default(controller_state | default('present')) }}"
+
+    # Role Standard Options
+    controller_username:            "{{ controller_username | default(omit, true) }}"
+    controller_password:            "{{ controller_password | default(omit, true) }}"
+    controller_oauthtoken:          "{{ controller_oauthtoken | default(omit, true) }}"
+    controller_host:                "{{ controller_hostname | default(omit, true) }}"
+    controller_config_file:         "{{ controller_config_file | default(omit, true) }}"
+    validate_certs:                 "{{ controller_validate_certs | default(omit) }}"
+  loop: "{{ controller_roles | subelements('roles', skip_missing=true) }}"
+  loop_control:
+    loop_var: __controller_role_item
+  no_log: "{{ controller_configuration_role_secure_logging }}"
+  async: 1000
+  poll: 0
+  register: __controller_role_job_async
+  changed_when: not __controller_role_job_async.changed
+  vars:
+    ansible_async_dir: '/tmp/.ansible_async'
+
 - name: Create Role Based Access Entry on Controller
   role:
     user:                           "{{ __controller_role_item.user | default(omit, true) }}"
@@ -32,6 +75,7 @@
     controller_config_file:         "{{ controller_config_file | default(omit, true) }}"
     validate_certs:                 "{{ controller_validate_certs | default(omit) }}"
   loop: "{{ controller_roles }}"
+  when: not __controller_role_item.roles is defined
   loop_control:
     loop_var: __controller_role_item
   no_log: "{{ controller_configuration_role_secure_logging }}"

diff --git a/roles/roles/tests/configs/roles.yml b/roles/roles/tests/configs/roles.yml
@@ -2,7 +2,9 @@
 controller_roles:
   - user: admin
     job_template: Demo Job Template
-    role: read
+    roles:
+      - read
+      - execute
   - inventory: Demo Inventory
     user: admin
     role: read

diff --git a/tests/configs/roles.yml b/tests/configs/roles.yml
@@ -8,7 +8,9 @@ controller_roles:
     role: use
   - inventory:  RHVM-02
     team: satlab-admin
-    role: admin
+    roles:
+      - admin
+      - use
   # - workflow:  Test workflow 1
   #   team: satellite-qe
   #   role: execute