salt/states/rbac_solaris.py
# -*- coding: utf-8 -*-
'''
Management of Solaris RBAC
:maintainer: Jorge Schrauwen <sjorge@blackdot.be>
:maturity: new
:depends: rbac_solaris,solaris_user
:platform: solaris,illumos
.. versionadded:: 2016.11.0
.. code-block:: yaml
sjorge:
rbac.managed:
- roles:
- netcfg
- profiles:
- System Power
- authorizations:
- solaris.audit.*
'''
from __future__ import absolute_import, unicode_literals, print_function
# Import Python libs
import logging
log = logging.getLogger(__name__)
# Define the state's virtual name
__virtualname__ = 'rbac'
def __virtual__():
'''
Provides rbac on Solaris like platforms
'''
if 'rbac.profile_list' in __salt__ and \
'user.list_users' in __salt__ and \
__grains__.get('kernel') == 'SunOS':
return True
else:
return (
False,
'{0} state module can only be loaded on Solaris'.format(
__virtualname__
)
)
def managed(name, roles=None, profiles=None, authorizations=None):
'''
Manage RBAC properties for user
name : string
username
roles : list
list of roles for user
profiles : list
list of profiles for user
authorizations : list
list of authorizations for user
.. warning::
All existing roles, profiles and authorizations will be replaced!
An empty list will remove everything.
Set the property to `None` to not manage it.
'''
ret = {'name': name,
'changes': {},
'result': True,
'comment': ''}
## check properties
if name not in __salt__['user.list_users']():
ret['result'] = False
ret['comment'] = 'User {0} does not exist!'.format(name)
return ret
if roles and not isinstance(roles, (list)):
ret['result'] = False
ret['comment'] = 'Property roles is not None or list!'
return ret
if profiles and not isinstance(profiles, (list)):
ret['result'] = False
ret['comment'] = 'Property profiles is not None or list!'
return ret
if authorizations and not isinstance(authorizations, (list)):
ret['result'] = False
ret['comment'] = 'Property authorizations is not None or list!'
return ret
log.debug('rbac.managed - roles=%s, profiles=%s, authorizations=%s',
roles, profiles, authorizations
)
## update roles
if isinstance(roles, (list)):
# compute changed
roles_current = __salt__['rbac.role_get'](name)
roles_add = [r for r in roles if r not in roles_current]
roles_rm = [r for r in roles_current if r not in roles]
# execute and verify changes
if roles_add:
res_roles_add = __salt__['rbac.role_add'](name, ','.join(roles_add).strip())
roles_current = __salt__['rbac.role_get'](name)
for role in roles_add:
if 'roles' not in ret['changes']:
ret['changes']['roles'] = {}
ret['changes']['roles'][role] = 'Added' if role in roles_current else 'Failed'
if ret['changes']['roles'][role] == 'Failed':
ret['result'] = False
if roles_rm:
res_roles_rm = __salt__['rbac.role_rm'](name, ','.join(roles_rm).strip())
roles_current = __salt__['rbac.role_get'](name)
for role in roles_rm:
if 'roles' not in ret['changes']:
ret['changes']['roles'] = {}
ret['changes']['roles'][role] = 'Removed' if role not in roles_current else 'Failed'
if ret['changes']['roles'][role] == 'Failed':
ret['result'] = False
## update profiles
if isinstance(profiles, (list)):
# compute changed
profiles_current = __salt__['rbac.profile_get'](name)
profiles_add = [r for r in profiles if r not in profiles_current]
profiles_rm = [r for r in profiles_current if r not in profiles]
# execute and verify changes
if profiles_add:
res_profiles_add = __salt__['rbac.profile_add'](name, ','.join(profiles_add).strip())
profiles_current = __salt__['rbac.profile_get'](name)
for profile in profiles_add:
if 'profiles' not in ret['changes']:
ret['changes']['profiles'] = {}
ret['changes']['profiles'][profile] = 'Added' if profile in profiles_current else 'Failed'
if ret['changes']['profiles'][profile] == 'Failed':
ret['result'] = False
if profiles_rm:
res_profiles_rm = __salt__['rbac.profile_rm'](name, ','.join(profiles_rm).strip())
profiles_current = __salt__['rbac.profile_get'](name)
for profile in profiles_rm:
if 'profiles' not in ret['changes']:
ret['changes']['profiles'] = {}
ret['changes']['profiles'][profile] = 'Removed' if profile not in profiles_current else 'Failed'
if ret['changes']['profiles'][profile] == 'Failed':
ret['result'] = False
## update auths
if isinstance(authorizations, (list)):
# compute changed
auths_current = __salt__['rbac.auth_get'](name, False)
auths_add = [r for r in authorizations if r not in auths_current]
auths_rm = [r for r in auths_current if r not in authorizations]
# execute and verify changes
if auths_add:
res_auths_add = __salt__['rbac.auth_add'](name, ','.join(auths_add).strip())
auths_current = __salt__['rbac.auth_get'](name)
for auth in auths_add:
if 'authorizations' not in ret['changes']:
ret['changes']['authorizations'] = {}
ret['changes']['authorizations'][auth] = 'Added' if auth in auths_current else 'Failed'
if ret['changes']['authorizations'][auth] == 'Failed':
ret['result'] = False
if auths_rm:
res_auths_rm = __salt__['rbac.auth_rm'](name, ','.join(auths_rm).strip())
auths_current = __salt__['rbac.auth_get'](name)
for auth in auths_rm:
if 'authorizations' not in ret['changes']:
ret['changes']['authorizations'] = {}
ret['changes']['authorizations'][auth] = 'Removed' if auth not in auths_current else 'Failed'
if ret['changes']['authorizations'][auth] == 'Failed':
ret['result'] = False
return ret
# vim: tabstop=4 expandtab shiftwidth=4 softtabstop=4