From c4ef216ad5cedc06815e38934a9180ba9f6a205f Mon Sep 17 00:00:00 2001 From: Przemyslaw Kalitowski Date: Sun, 6 Oct 2024 11:47:26 +0200 Subject: [PATCH 1/9] feat: support of exporting access list of objects --- .../fiiletree_export_access_list.yml | 4 ++ roles/filetree_create/README.md | 2 + .../tasks/team_access_list.yml | 52 +++++++++++++++ .../tasks/user_access_list.yml | 63 +++++++++++++++++++ .../templates/current_team_access_list.j2 | 29 +++++++++ .../templates/current_user_access_list.j2 | 29 +++++++++ 6 files changed, 179 insertions(+) create mode 100644 changelogs/fragments/fiiletree_export_access_list.yml create mode 100644 roles/filetree_create/tasks/team_access_list.yml create mode 100644 roles/filetree_create/tasks/user_access_list.yml create mode 100644 roles/filetree_create/templates/current_team_access_list.j2 create mode 100644 roles/filetree_create/templates/current_user_access_list.j2 diff --git a/changelogs/fragments/fiiletree_export_access_list.yml b/changelogs/fragments/fiiletree_export_access_list.yml new file mode 100644 index 00000000..84ff6126 --- /dev/null +++ b/changelogs/fragments/fiiletree_export_access_list.yml @@ -0,0 +1,4 @@ +--- +feature_change: + - filetree_create is able to export access list of given object +... diff --git a/roles/filetree_create/README.md b/roles/filetree_create/README.md index 9bca0885..90f673f4 100644 --- a/roles/filetree_create/README.md +++ b/roles/filetree_create/README.md 
@@ -27,6 +27,8 @@ The following variables are required for that role to work properly: | `organization`| N/A | no | str | Default organization for all objects that have not been set in the source controller.| | `export_related_objects` | False | no | bool | Whether to export related objects (job templates related to certain workflows and the projects associated with these job templates) when a single JT or a single WFJT are being exported. | | `update_project_state` | False | no | bool | Whether the project should be updated after import to the target controller. | +| `object_id` | N/A | no | int | Specifying object id with object type exports the access list of object | +| `object_type` | N/A | no | str | Specifying object type with object id exports the access list of object | ## Dependencies diff --git a/roles/filetree_create/tasks/team_access_list.yml b/roles/filetree_create/tasks/team_access_list.yml new file mode 100644 index 00000000..a38edc20 --- /dev/null +++ b/roles/filetree_create/tasks/team_access_list.yml 
@@ -0,0 +1,52 @@ +--- +- name: "Get access list for object from the API" + ansible.builtin.set_fact: + access_lookvar: "{{ query(controller_api_plugin, 'api/v2/{{ object_type }}/{{ object_id }}/access_list', + host=controller_hostname, oauth_token=controller_oauthtoken, verify_ssl=controller_validate_certs, + return_all=true, max_objects=query_controller_api_max_objects) + }}" + no_log: "{{ controller_configuration_filetree_create_secure_logging }}" + +- name: "Set team direct access fact" + ansible.builtin.set_fact: + team_direct_access_fact: "{{ access_lookvar | map(attribute='summary_fields.direct_access') | flatten | map(attribute='role') | selectattr('team_name', 'defined') }}" + +- name: "Set roles and object lists" + ansible.builtin.set_fact: + team_roles: "{{ team_direct_access_fact | map(attribute='name') | unique }}" + team_objects: "{{ team_direct_access_fact | map(attribute='resource_name') | unique }}" + +- name: "Set team roles matrix" + ansible.builtin.set_fact: + team_roles_matrix: >- + {{ team_roles_matrix | default([]) + [{ 'role': item.0, + 'team': team_direct_access_fact | selectattr('name','equalto', item.0) | + selectattr('resource_name','equalto', item.1) | + map(attribute='team_name') | unique, + 'resource_type': team_direct_access_fact | selectattr('name','equalto', item.0) | + selectattr('resource_name','equalto', item.1) | + map(attribute='resource_type') | unique, + 'resource_name': item.1 + }] + }} + when: team_direct_access_fact | selectattr('name','equalto', item.0) | selectattr('resource_name','equalto', item.1) | map(attribute='team_name') | length > 0 + loop: "{{ team_roles | product(team_objects) | list }}" + +- name: "Create the output directory for team roles" + ansible.builtin.file: + path: "{{ output_path }}/team_roles" + state: directory + mode: '0755' + loop: "{{ team_roles_matrix }}" + loop_control: + loop_var: team_role + +- name: "Add current roles to the output yaml file" + ansible.builtin.template: + src: 
"templates/current_team_access_list.j2" + dest: "{{ output_path }}/team_roles/{{ team_role.resource_name | default('current') }}_roles_{{ team_role.role | regex_replace('/', '_') }}.yaml" + mode: '0644' + loop: "{{ team_roles_matrix }}" + loop_control: + loop_var: team_role +... diff --git a/roles/filetree_create/tasks/user_access_list.yml b/roles/filetree_create/tasks/user_access_list.yml new file mode 100644 index 00000000..fa3e94b5 --- /dev/null +++ b/roles/filetree_create/tasks/user_access_list.yml 
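Review bot: The `dest:` of the last task, "Add current roles to the output yaml file", builds the file name from `team_role.resource_name`, which is taken from the controller API response, and only `team_role.role` has `/` replaced. A resource name containing `/` or `../` would make the template task write outside `{{ output_path }}/team_roles`, or fail on a missing directory. Normalise the name the same way, for example `{{ team_role.resource_name | default('current') | regex_replace('[^A-Za-z0-9._-]', '_') }}`. The identical `dest:` expression in `user_access_list.yml`, the next file in this patch, needs the same change.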
@@ -0,0 +1,63 @@ +--- +- name: "Get access list for object from the API" + ansible.builtin.set_fact: + access_lookvar: "{{ query(controller_api_plugin, 'api/v2/{{ object_type }}/{{ object_id }}/access_list', + host=controller_hostname, oauth_token=controller_oauthtoken, verify_ssl=controller_validate_certs, + return_all=true, max_objects=query_controller_api_max_objects) + }}" + no_log: "{{ controller_configuration_filetree_create_secure_logging }}" + +- name: "Get user list" + ansible.builtin.set_fact: + user_list: "{{ access_lookvar | selectattr('username', 'defined') | map(attribute='username') | unique }}" + +- name: "Set direct user access fact" + ansible.builtin.set_fact: + user_direct_access_fact: >- + {{ user_direct_access_fact | default([]) + access_lookvar | selectattr('username', 'equalto', item) | + rejectattr('summary_fields.direct_access', 'equalto', []) | + map(attribute='summary_fields.direct_access') | flatten | + map(attribute='role') | + rejectattr('team_name', 'defined') | + map('combine', {'username': item}) + }} + loop: "{{ user_list }}" + +- name: "Set roles and object lists" + ansible.builtin.set_fact: + user_roles: "{{ user_direct_access_fact | map(attribute='name') | unique }}" + user_objects: "{{ user_direct_access_fact | map(attribute='resource_name') | unique }}" + +- name: "Set user roles matrix" + ansible.builtin.set_fact: + user_roles_matrix: >- + {{ user_roles_matrix | default([]) + [{ 'role': item.0, + 'user': user_direct_access_fact | selectattr('name','equalto', item.0) | selectattr('resource_name','equalto', item.1) | + map(attribute='username') | unique, + 'resource_type': user_direct_access_fact | selectattr('username', 'defined') | + selectattr('name','equalto', item.0) | selectattr('resource_name','equalto', item.1) | + map(attribute='resource_type') | unique, + 'resource_name': item.1 + }] + }} + when: user_direct_access_fact | selectattr('name','equalto', item.0) | selectattr('resource_name','equalto', item.1) | 
map(attribute='username') | length > 0 + loop: "{{ user_roles | product(user_objects) | list }}" + +- name: "Create the output directory for user roles" + ansible.builtin.file: + path: "{{ output_path }}/user_roles" + state: directory + mode: '0755' + loop: "{{ user_roles_matrix }}" + loop_control: + loop_var: user_role + +- name: "Add current roles to the output yaml file" + ansible.builtin.template: + src: "templates/current_user_access_list.j2" + dest: "{{ output_path }}/user_roles/{{ user_role.resource_name | default('current') }}_roles_{{ user_role.role | regex_replace('/', '_') }}.yaml" + mode: '0644' + loop: "{{ user_roles_matrix }}" + loop_control: + loop_var: user_role +... diff --git a/roles/filetree_create/templates/current_team_access_list.j2 b/roles/filetree_create/templates/current_team_access_list.j2 new file mode 100644 index 00000000..905f5c5a --- /dev/null +++ b/roles/filetree_create/templates/current_team_access_list.j2 
@@ -0,0 +1,29 @@
+{% if first_team_role | default(true) | bool %}
+---
+controller_roles:
+{% endif %}
+ teams:
+{% for team in team_role.team %}
+ - "{{ team }}"
+{% endfor %}
+{% if team_role.resource_type[0] is match('organization') %}
+ organizations:
+ - "{{ team_role.resource_name }}"
+{% elif team_role.resource_type[0] is match('team') %}
+ target_teams:
+ - "{{ team_role.resource_name }}"
+{% elif team_role.resource_type[0] is match('job_template') %}
+ job_template: "{{ team_role.resource_name }}"
+{% elif team_role.resource_type[0] is match('inventory') %}
+ inventory: "{{ team_role.resource_name }}"
+{% elif team_role.resource_type[0] is match('workflow_job_template') %}
+ workflow: "{{ team_role.resource_name }}"
+{% elif team_role.resource_type[0] is match('project') %}
+ project: "{{ team_role.resource_name }}"
+{% elif team_role.resource_type[0] is match('credential') %}
+ credential: "{{ team_role.resource_name }}"
+{% endif %}
+ role: "{% if team_role.role | lower == 'approve' %}approval{% else %}{{ team_role.role | lower | regex_replace(' ', '_') }}{% endif %}"
+{% if last_team_role | default(true) | bool %}
+...
+{% endif %}
diff --git a/roles/filetree_create/templates/current_user_access_list.j2 b/roles/filetree_create/templates/current_user_access_list.j2
new file mode 100644
index 00000000..61eaf89f
--- /dev/null
+++ b/roles/filetree_create/templates/current_user_access_list.j2
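Review bot: The `{% if %}`/`{% elif %}` chain on `team_role.resource_type[0]` has no `{% else %}` branch, so a resource type outside the seven listed renders an entry with `teams` and `role` but no target object, and nothing signals that the grant was exported incompletely. An `{% else %}` that emits a YAML comment naming the unhandled type, or a guard in the calling task, would make that visible before the file is imported into another controller. The names are also written as `"{{ team }}"` and `"{{ team_role.resource_name }}"`, so a name containing `"` or `\` yields invalid or altered YAML; `{{ team | to_json }}` without the surrounding quotes avoids that. Both points apply equally to `current_user_access_list.j2` in the following hunk.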
@@ -0,0 +1,29 @@ +{% if first_user_role | default(true) | bool %} +--- +controller_roles: +{% endif %} + users: +{% for user in user_role.user %} + - "{{ user }}" +{% endfor %} +{% if user_role.resource_type[0] is match('organization') %} + organizations: + - "{{ user_role.resource_name }}" +{% elif user_role.resource_type[0] is match('user') %} + target_users: + - "{{ user_role.resource_name }}" +{% elif user_role.resource_type[0] is match('job_template') %} + job_template: "{{ user_role.resource_name }}" +{% elif user_role.resource_type[0] is match('inventory') %} + inventory: "{{ user_role.resource_name }}" +{% elif user_role.resource_type[0] is match('workflow_job_template') %} + workflow: "{{ user_role.resource_name }}" +{% elif user_role.resource_type[0] is match('project') %} + project: "{{ user_role.resource_name }}" +{% elif user_role.resource_type[0] is match('credential') %} + credential: "{{ user_role.resource_name }}" +{% endif %} + role: "{% if user_role.role | lower == 'approve' %}approval{% else %}{{ user_role.role | lower | regex_replace(' ', '_') }}{% endif %}" +{% if last_user_role | default(true) | bool %} +... +{% endif %} From 001c5eef84fa9aa5b7ec1c88b92fd88216282846 Mon Sep 17 00:00:00 2001 From: Przemyslaw Kalitowski Date: Mon, 14 Oct 2024 14:50:20 +0200 Subject: [PATCH 2/9] feat: support object_name --- roles/filetree_create/README.md | 2 ++ roles/filetree_create/tasks/team_access_list.yml | 10 ++++++++++ roles/filetree_create/tasks/user_access_list.yml | 10 ++++++++++ roles/filetree_create/templates/current_schedules.j2 | 2 +- 4 files changed, 23 insertions(+), 1 deletion(-) diff --git a/roles/filetree_create/README.md b/roles/filetree_create/README.md index 90f673f4..638ae8c2 100644 --- a/roles/filetree_create/README.md +++ b/roles/filetree_create/README.md 
@@ -28,8 +28,10 @@ The following variables are required for that role to work properly: | `export_related_objects` | False | no | bool | Whether to export related objects (job templates related to certain workflows and the projects associated with these job templates) when a single JT or a single WFJT are being exported. | | `update_project_state` | False | no | bool | Whether the project should be updated after import to the target controller. | | `object_id` | N/A | no | int | Specifying object id with object type exports the access list of object | +| `object_name` | N/A | no | int | Specifying object name with object type exports the access list of object | | `object_type` | N/A | no | str | Specifying object type with object id exports the access list of object | + ## Dependencies A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. diff --git a/roles/filetree_create/tasks/team_access_list.yml b/roles/filetree_create/tasks/team_access_list.yml index a38edc20..4082af1a 100644 --- a/roles/filetree_create/tasks/team_access_list.yml +++ b/roles/filetree_create/tasks/team_access_list.yml @@ -1,4 +1,14 @@ --- +- name: "Get object id from API" + when: object_name is defined + ansible.builtin.set_fact: + object_id: "{{ (query(controller_api_plugin, 'api/v2/{{ object_type }}', + query_params=({'name': object_name}), + host=controller_hostname, oauth_token=controller_oauthtoken, verify_ssl=controller_validate_certs, + return_all=true, max_objects=query_controller_api_max_objects) + }}).0.id" + no_log: "{{ controller_configuration_filetree_create_secure_logging }}" + - name: "Get access list for object from the API" ansible.builtin.set_fact: access_lookvar: "{{ query(controller_api_plugin, 'api/v2/{{ object_type }}/{{ object_id }}/access_list', 
diff --git a/roles/filetree_create/tasks/user_access_list.yml b/roles/filetree_create/tasks/user_access_list.yml index fa3e94b5..74f8577e 100644 --- a/roles/filetree_create/tasks/user_access_list.yml +++ b/roles/filetree_create/tasks/user_access_list.yml @@ -1,4 +1,14 @@ --- +- name: "Get object id from API" + when: object_name is defined + ansible.builtin.set_fact: + object_id: "{{ (query(controller_api_plugin, 'api/v2/{{ object_type }}', + query_params=({'name': object_name}), + host=controller_hostname, oauth_token=controller_oauthtoken, verify_ssl=controller_validate_certs, + return_all=true, max_objects=query_controller_api_max_objects) + }}).0.id" + no_log: "{{ controller_configuration_filetree_create_secure_logging }}" + - name: "Get access list for object from the API" ansible.builtin.set_fact: access_lookvar: "{{ query(controller_api_plugin, 'api/v2/{{ object_type }}/{{ object_id }}/access_list', diff --git a/roles/filetree_create/templates/current_schedules.j2 b/roles/filetree_create/templates/current_schedules.j2 index 6d2bf87b..5dfb46d3 100644 --- a/roles/filetree_create/templates/current_schedules.j2 +++ b/roles/filetree_create/templates/current_schedules.j2 @@ -6,7 +6,7 @@ controller_schedules: {% if current_schedules_asset_value.description is defined %} description: "{{ current_schedules_asset_value.description }}" {% endif %} - enabled: {{ current_schedules_asset_value.enabled }} + enabled: {{ schedule_target_status | default(current_schedules_asset_value.enabled) }} unified_job_template: "{{ current_schedules_asset_value.summary_fields.unified_job_template.name }}" {% if current_schedules_asset_value.summary_fields.inventory is defined %} inventory: "{{ current_schedules_asset_value.summary_fields.inventory.name }}" From 57f532e864122b3c9d4a0157a80eb048ca0a2fe9 Mon Sep 17 00:00:00 2001 
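Review bot: In `current_schedules.j2` the new `enabled:` line renders `schedule_target_status` unquoted and without coercion, so a non-boolean value supplied for it lands in the exported file as-is. Piping the result through `bool`, as in `enabled: {{ schedule_target_status | default(current_schedules_asset_value.enabled) | bool }}`, keeps the field a YAML boolean. The variable is not added to the README table this commit touches, and the change is unrelated to the commit subject, so a README row (or a separate commit) would make the override discoverable.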
From: Przemyslaw Kalitowski Date: Mon, 14 Oct 2024 16:01:40 +0200 Subject: [PATCH 3/9] fix: query format --- roles/filetree_create/tasks/team_access_list.yml | 4 ++-- roles/filetree_create/tasks/user_access_list.yml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/filetree_create/tasks/team_access_list.yml b/roles/filetree_create/tasks/team_access_list.yml index 4082af1a..4974a6a2 100644 --- a/roles/filetree_create/tasks/team_access_list.yml +++ b/roles/filetree_create/tasks/team_access_list.yml @@ -2,7 +2,7 @@ - name: "Get object id from API" when: object_name is defined ansible.builtin.set_fact: - object_id: "{{ (query(controller_api_plugin, 'api/v2/{{ object_type }}', + object_id: "{{ (query(controller_api_plugin, 'api/v2/' + {{ object_type }}, query_params=({'name': object_name}), host=controller_hostname, oauth_token=controller_oauthtoken, verify_ssl=controller_validate_certs, return_all=true, max_objects=query_controller_api_max_objects) @@ -11,7 +11,7 @@ - name: "Get access list for object from the API" ansible.builtin.set_fact: - access_lookvar: "{{ query(controller_api_plugin, 'api/v2/{{ object_type }}/{{ object_id }}/access_list', + access_lookvar: "{{ query(controller_api_plugin, 'api/v2/' + {{ object_type }} + '/' + {{ object_id }} + '/access_list', host=controller_hostname, oauth_token=controller_oauthtoken, verify_ssl=controller_validate_certs, return_all=true, max_objects=query_controller_api_max_objects) }}" diff --git a/roles/filetree_create/tasks/user_access_list.yml b/roles/filetree_create/tasks/user_access_list.yml index 74f8577e..d980fdd9 100644 --- a/roles/filetree_create/tasks/user_access_list.yml +++ b/roles/filetree_create/tasks/user_access_list.yml 
@@ -2,7 +2,7 @@ - name: "Get object id from API" when: object_name is defined ansible.builtin.set_fact: - object_id: "{{ (query(controller_api_plugin, 'api/v2/{{ object_type }}', + object_id: "{{ (query(controller_api_plugin, 'api/v2/' + {{ object_type }}, query_params=({'name': object_name}), host=controller_hostname, oauth_token=controller_oauthtoken, verify_ssl=controller_validate_certs, return_all=true, max_objects=query_controller_api_max_objects) @@ -11,7 +11,7 @@ - name: "Get access list for object from the API" ansible.builtin.set_fact: - access_lookvar: "{{ query(controller_api_plugin, 'api/v2/{{ object_type }}/{{ object_id }}/access_list', + access_lookvar: "{{ query(controller_api_plugin, 'api/v2/' + {{ object_type }} + '/' + {{ object_id }} + '/access_list', host=controller_hostname, oauth_token=controller_oauthtoken, verify_ssl=controller_validate_certs, return_all=true, max_objects=query_controller_api_max_objects) }}" From 893433d475b3779a79bbf2173422003cd9747733 Mon Sep 17 00:00:00 2001 From: Przemyslaw Kalitowski Date: Mon, 14 Oct 2024 16:05:16 +0200 Subject: [PATCH 4/9] fix: remove unwanted spaces --- roles/filetree_create/tasks/team_access_list.yml | 4 ++-- roles/filetree_create/tasks/user_access_list.yml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/filetree_create/tasks/team_access_list.yml b/roles/filetree_create/tasks/team_access_list.yml index 4974a6a2..955d638d 100644 --- a/roles/filetree_create/tasks/team_access_list.yml +++ b/roles/filetree_create/tasks/team_access_list.yml 
@@ -2,7 +2,7 @@ - name: "Get object id from API" when: object_name is defined ansible.builtin.set_fact: - object_id: "{{ (query(controller_api_plugin, 'api/v2/' + {{ object_type }}, + object_id: "{{ (query(controller_api_plugin, 'api/v2/' + {{ object_type }}, query_params=({'name': object_name}), host=controller_hostname, oauth_token=controller_oauthtoken, verify_ssl=controller_validate_certs, return_all=true, max_objects=query_controller_api_max_objects) @@ -11,7 +11,7 @@ - name: "Get access list for object from the API" ansible.builtin.set_fact: - access_lookvar: "{{ query(controller_api_plugin, 'api/v2/' + {{ object_type }} + '/' + {{ object_id }} + '/access_list', + access_lookvar: "{{ query(controller_api_plugin, 'api/v2/' + {{ object_type }} + '/' + {{ object_id }} + '/access_list', host=controller_hostname, oauth_token=controller_oauthtoken, verify_ssl=controller_validate_certs, return_all=true, max_objects=query_controller_api_max_objects) }}" diff --git a/roles/filetree_create/tasks/user_access_list.yml b/roles/filetree_create/tasks/user_access_list.yml index d980fdd9..d8d82e0d 100644 --- a/roles/filetree_create/tasks/user_access_list.yml +++ b/roles/filetree_create/tasks/user_access_list.yml @@ -2,7 +2,7 @@ - name: "Get object id from API" when: object_name is defined ansible.builtin.set_fact: - object_id: "{{ (query(controller_api_plugin, 'api/v2/' + {{ object_type }}, + object_id: "{{ (query(controller_api_plugin, 'api/v2/' + {{ object_type }}, query_params=({'name': object_name}), host=controller_hostname, oauth_token=controller_oauthtoken, verify_ssl=controller_validate_certs, return_all=true, max_objects=query_controller_api_max_objects) 
@@ -11,7 +11,7 @@ - name: "Get access list for object from the API" ansible.builtin.set_fact: - access_lookvar: "{{ query(controller_api_plugin, 'api/v2/' + {{ object_type }} + '/' + {{ object_id }} + '/access_list', + access_lookvar: "{{ query(controller_api_plugin, 'api/v2/' + {{ object_type }} + '/' + {{ object_id }} + '/access_list', host=controller_hostname, oauth_token=controller_oauthtoken, verify_ssl=controller_validate_certs, return_all=true, max_objects=query_controller_api_max_objects) }}" From 8e2a456c49d545b2a0e8601a40b2189422a4868e Mon Sep 17 00:00:00 2001 From: Przemyslaw Kalitowski Date: Mon, 28 Oct 2024 10:39:49 +0100 Subject: [PATCH 5/9] fix: issue when there is no permissions for an object --- .../tasks/team_access_list.yml | 22 +++++++++++-------- .../tasks/user_access_list.yml | 20 ++++++++++------- 2 files changed, 25 insertions(+), 17 deletions(-) diff --git a/roles/filetree_create/tasks/team_access_list.yml b/roles/filetree_create/tasks/team_access_list.yml index 955d638d..778fc418 100644 --- a/roles/filetree_create/tasks/team_access_list.yml +++ b/roles/filetree_create/tasks/team_access_list.yml @@ -1,4 +1,8 @@ --- +- name: Define team role matrix + ansible.builtin.set_fact: + team_roles_matrix: [] + - name: "Get object id from API" when: object_name is defined ansible.builtin.set_fact: 
@@ -29,15 +33,15 @@ - name: "Set team roles matrix" ansible.builtin.set_fact: team_roles_matrix: >- - {{ team_roles_matrix | default([]) + [{ 'role': item.0, - 'team': team_direct_access_fact | selectattr('name','equalto', item.0) | - selectattr('resource_name','equalto', item.1) | - map(attribute='team_name') | unique, - 'resource_type': team_direct_access_fact | selectattr('name','equalto', item.0) | - selectattr('resource_name','equalto', item.1) | - map(attribute='resource_type') | unique, - 'resource_name': item.1 - }] + {{ team_roles_matrix + [{ 'role': item.0, + 'team': team_direct_access_fact | selectattr('name','equalto', item.0) | + selectattr('resource_name','equalto', item.1) | + map(attribute='team_name') | unique, + 'resource_type': team_direct_access_fact | selectattr('name','equalto', item.0) | + selectattr('resource_name','equalto', item.1) | + map(attribute='resource_type') | unique, + 'resource_name': item.1 + }] }} when: team_direct_access_fact | selectattr('name','equalto', item.0) | selectattr('resource_name','equalto', item.1) | map(attribute='team_name') | length > 0 loop: "{{ team_roles | product(team_objects) | list }}" diff --git a/roles/filetree_create/tasks/user_access_list.yml b/roles/filetree_create/tasks/user_access_list.yml index d8d82e0d..7d49cd18 100644 --- a/roles/filetree_create/tasks/user_access_list.yml +++ b/roles/filetree_create/tasks/user_access_list.yml @@ -1,4 +1,8 @@ --- +- name: "Define user role matrix" + ansible.builtin.set_fact: + user_roles_matrix: [] + - name: "Get object id from API" when: object_name is defined ansible.builtin.set_fact: 
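Review bot: The new "Define user role matrix" task in `user_access_list.yml` resets `user_roles_matrix` only, while `user_direct_access_fact`, built in PATCH 1/9 with `user_direct_access_fact | default([]) + ...` inside a loop, is left to accumulate. If this task file runs more than once in a play (not visible from this hunk), grants collected for the first object would be carried into the export of the next one. Adding `user_direct_access_fact: []` to the same `set_fact` closes that gap. The team file does not need it because `team_direct_access_fact` is assigned in a single expression.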
@@ -41,14 +45,14 @@ - name: "Set user roles matrix" ansible.builtin.set_fact: user_roles_matrix: >- - {{ user_roles_matrix | default([]) + [{ 'role': item.0, - 'user': user_direct_access_fact | selectattr('name','equalto', item.0) | selectattr('resource_name','equalto', item.1) | - map(attribute='username') | unique, - 'resource_type': user_direct_access_fact | selectattr('username', 'defined') | - selectattr('name','equalto', item.0) | selectattr('resource_name','equalto', item.1) | - map(attribute='resource_type') | unique, - 'resource_name': item.1 - }] + {{ user_roles_matrix + [{ 'role': item.0, + 'user': user_direct_access_fact | selectattr('name','equalto', item.0) | + selectattr('resource_name','equalto', item.1) | map(attribute='username') | unique, + 'resource_type': user_direct_access_fact | selectattr('username', 'defined') | + selectattr('name','equalto', item.0) | selectattr('resource_name','equalto', item.1) | + map(attribute='resource_type') | unique, + 'resource_name': item.1 + }] }} when: user_direct_access_fact | selectattr('name','equalto', item.0) | selectattr('resource_name','equalto', item.1) | map(attribute='username') | length > 0 loop: "{{ user_roles | product(user_objects) | list }}" From 1f357784c0ddcbb2ef758d0bf95e02739e69d922 Mon Sep 17 00:00:00 2001 From: Przemyslaw Kalitowski Date: Mon, 28 Oct 2024 15:09:21 +0100 Subject: [PATCH 6/9] fix: typos --- roles/filetree_create/tasks/team_access_list.yml | 6 +++--- roles/filetree_create/tasks/user_access_list.yml | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/roles/filetree_create/tasks/team_access_list.yml b/roles/filetree_create/tasks/team_access_list.yml index 778fc418..9bb54682 100644 --- a/roles/filetree_create/tasks/team_access_list.yml +++ b/roles/filetree_create/tasks/team_access_list.yml 
@@ -6,11 +6,11 @@ - name: "Get object id from API" when: object_name is defined ansible.builtin.set_fact: - object_id: "{{ (query(controller_api_plugin, 'api/v2/' + {{ object_type }}, + object_id: "{{ (query(controller_api_plugin, 'api/v2/' + object_type, query_params=({'name': object_name}), host=controller_hostname, oauth_token=controller_oauthtoken, verify_ssl=controller_validate_certs, - return_all=true, max_objects=query_controller_api_max_objects) - }}).0.id" + return_all=true, max_objects=query_controller_api_max_objects)).0.id + }}" no_log: "{{ controller_configuration_filetree_create_secure_logging }}" - name: "Get access list for object from the API" diff --git a/roles/filetree_create/tasks/user_access_list.yml b/roles/filetree_create/tasks/user_access_list.yml index 7d49cd18..3fb6996c 100644 --- a/roles/filetree_create/tasks/user_access_list.yml +++ b/roles/filetree_create/tasks/user_access_list.yml @@ -6,11 +6,11 @@ - name: "Get object id from API" when: object_name is defined ansible.builtin.set_fact: - object_id: "{{ (query(controller_api_plugin, 'api/v2/' + {{ object_type }}, + object_id: "{{ (query(controller_api_plugin, 'api/v2/' + object_type, query_params=({'name': object_name}), host=controller_hostname, oauth_token=controller_oauthtoken, verify_ssl=controller_validate_certs, - return_all=true, max_objects=query_controller_api_max_objects) - }}).0.id" + return_all=true, max_objects=query_controller_api_max_objects)).0.id + }}" no_log: "{{ controller_configuration_filetree_create_secure_logging }}" - name: "Get access list for object from the API" From b4c37670f88c85f22d67edd688d763336a739dfb Mon Sep 17 00:00:00 2001 From: Przemyslaw Kalitowski Date: Tue, 29 Oct 2024 09:57:58 +0100 Subject: [PATCH 7/9] fix: dict to list --- .../templates/current_team_access_list.j2 | 24 +++++++++---------- .../templates/current_user_access_list.j2 | 24 +++++++++---------- 2 files changed, 24 insertions(+), 24 deletions(-) 
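Review bot: The corrected lookup in "Get object id from API" reads `.0.id` from a name-filtered query, so when several objects of that type share a name (the same name in different organizations, for instance) the access list of whichever comes first is exported, and an empty result fails with an index error. Store the query result in a variable first and check it with a preceding `ansible.builtin.assert` along the lines of `that: object_lookup | length == 1` (variable name is illustrative) before reading the id. This hunk also removes the nested `{{ }}` only from the id lookup: no hunk in the series as shown touches the `access_lookvar` query two tasks below, which after PATCH 4/9 still reads `'api/v2/' + {{ object_type }} + '/' + {{ object_id }} + '/access_list'` and needs the same correction, e.g. `'api/v2/' + object_type + '/' + (object_id | string) + '/access_list'`. The same applies to the matching hunk for `user_access_list.yml`.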
diff --git a/roles/filetree_create/templates/current_team_access_list.j2 b/roles/filetree_create/templates/current_team_access_list.j2 index 905f5c5a..294b8f8f 100644 --- a/roles/filetree_create/templates/current_team_access_list.j2 +++ b/roles/filetree_create/templates/current_team_access_list.j2 @@ -2,28 +2,28 @@ --- controller_roles: {% endif %} - teams: + - teams: {% for team in team_role.team %} - - "{{ team }}" + - "{{ team }}" {% endfor %} {% if team_role.resource_type[0] is match('organization') %} - organizations: - - "{{ team_role.resource_name }}" + organizations: + - "{{ team_role.resource_name }}" {% elif team_role.resource_type[0] is match('team') %} - target_teams: - - "{{ team_role.resource_name }}" + target_teams: + - "{{ team_role.resource_name }}" {% elif team_role.resource_type[0] is match('job_template') %} - job_template: "{{ team_role.resource_name }}" + job_template: "{{ team_role.resource_name }}" {% elif team_role.resource_type[0] is match('inventory') %} - inventory: "{{ team_role.resource_name }}" + inventory: "{{ team_role.resource_name }}" {% elif team_role.resource_type[0] is match('workflow_job_template') %} - workflow: "{{ team_role.resource_name }}" + workflow: "{{ team_role.resource_name }}" {% elif team_role.resource_type[0] is match('project') %} - project: "{{ team_role.resource_name }}" + project: "{{ team_role.resource_name }}" {% elif team_role.resource_type[0] is match('credential') %} - credential: "{{ team_role.resource_name }}" + credential: "{{ team_role.resource_name }}" {% endif %} - role: "{% if team_role.role | lower == 'approve' %}approval{% else %}{{ team_role.role | lower | regex_replace(' ', '_') }}{% endif %}" + role: "{% if team_role.role | lower == 'approve' %}approval{% else %}{{ team_role.role | lower | regex_replace(' ', '_') }}{% endif %}" {% if last_team_role | default(true) | bool %} ... {% endif %} 
diff --git a/roles/filetree_create/templates/current_user_access_list.j2 b/roles/filetree_create/templates/current_user_access_list.j2 index 61eaf89f..b5b1dd38 100644 --- a/roles/filetree_create/templates/current_user_access_list.j2 +++ b/roles/filetree_create/templates/current_user_access_list.j2 @@ -2,28 +2,28 @@ --- controller_roles: {% endif %} - users: + - users: {% for user in user_role.user %} - - "{{ user }}" + - "{{ user }}" {% endfor %} {% if user_role.resource_type[0] is match('organization') %} - organizations: - - "{{ user_role.resource_name }}" + organizations: + - "{{ user_role.resource_name }}" {% elif user_role.resource_type[0] is match('user') %} - target_users: - - "{{ user_role.resource_name }}" + target_users: + - "{{ user_role.resource_name }}" {% elif user_role.resource_type[0] is match('job_template') %} - job_template: "{{ user_role.resource_name }}" + job_template: "{{ user_role.resource_name }}" {% elif user_role.resource_type[0] is match('inventory') %} - inventory: "{{ user_role.resource_name }}" + inventory: "{{ user_role.resource_name }}" {% elif user_role.resource_type[0] is match('workflow_job_template') %} - workflow: "{{ user_role.resource_name }}" + workflow: "{{ user_role.resource_name }}" {% elif user_role.resource_type[0] is match('project') %} - project: "{{ user_role.resource_name }}" + project: "{{ user_role.resource_name }}" {% elif user_role.resource_type[0] is match('credential') %} - credential: "{{ user_role.resource_name }}" + credential: "{{ user_role.resource_name }}" {% endif %} - role: "{% if user_role.role | lower == 'approve' %}approval{% else %}{{ user_role.role | lower | regex_replace(' ', '_') }}{% endif %}" + role: "{% if user_role.role | lower == 'approve' %}approval{% else %}{{ user_role.role | lower | regex_replace(' ', '_') }}{% endif %}" {% if last_user_role | default(true) | bool %} ... {% endif %} From b71c50315404d3db7c17eccec7f3afe371b1327f Mon Sep 17 00:00:00 2001 
From: Przemyslaw Kalitowski Date: Tue, 29 Oct 2024 12:51:42 +0100 Subject: [PATCH 8/9] fix: remove unwanted variables --- roles/filetree_create/README.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/roles/filetree_create/README.md b/roles/filetree_create/README.md index 50ddab23..01791b8d 100644 --- a/roles/filetree_create/README.md +++ b/roles/filetree_create/README.md @@ -28,9 +28,6 @@ The following variables are required for that role to work properly: | `organization`| N/A | no | str | Default organization for all objects that have not been set in the source controller.| | `export_related_objects` | False | no | bool | Whether to export related objects (job templates related to certain workflows and the projects associated with these job templates) when a single JT or a single WFJT are being exported. | | `update_project_state` | False | no | bool | Whether the project should be updated after import to the target controller. | -| `object_id` | N/A | no | int | Specifying object id with object type exports the access list of object | -| `object_name` | N/A | no | int | Specifying object name with object type exports the access list of object | -| `object_type` | N/A | no | str | Specifying object type with object id exports the access list of object | | `skip_inventory_sources` | False | no | bool | Whether the inventory sources should be exported with inventory. | | `skip_inventory_hosts` | False | no | bool | Whether the inventory hosts should be exported with inventory. | | `skip_inventory_groups` | False | no | bool | Whether the inventory groups should be exported with inventory. | From cd3cf3bfa369c4d4599287a9a3efd5279ccc5552 Mon Sep 17 00:00:00 2001 From: Przemyslaw Kalitowski Date: Tue, 29 Oct 2024 12:57:01 +0100 Subject: [PATCH 9/9] misc: polishing the code --- .../templates/current_team_access_list.j2 | 29 +++++++++---------- .../templates/current_user_access_list.j2 | 28 ++++++++---------- 2 files changed, 25 insertions(+), 32 deletions(-) 
diff --git a/roles/filetree_create/templates/current_team_access_list.j2 b/roles/filetree_create/templates/current_team_access_list.j2
index 294b8f8f..ed769b17 100644
--- a/roles/filetree_create/templates/current_team_access_list.j2
+++ b/roles/filetree_create/templates/current_team_access_list.j2
@@ -1,29 +1,26 @@
-{% if first_team_role | default(true) | bool %}
 ---
 controller_roles:
-{% endif %}
- - teams:
+ - teams:
 {% for team in team_role.team %}
- - "{{ team }}"
+ - "{{ team }}"
 {% endfor %}
 {% if team_role.resource_type[0] is match('organization') %}
- organizations:
- - "{{ team_role.resource_name }}"
+ organizations:
+ - "{{ team_role.resource_name }}"
 {% elif team_role.resource_type[0] is match('team') %}
- target_teams:
- - "{{ team_role.resource_name }}"
+ target_teams:
+ - "{{ team_role.resource_name }}"
 {% elif team_role.resource_type[0] is match('job_template') %}
- job_template: "{{ team_role.resource_name }}"
+ job_template: "{{ team_role.resource_name }}"
 {% elif team_role.resource_type[0] is match('inventory') %}
- inventory: "{{ team_role.resource_name }}"
+ inventory: "{{ team_role.resource_name }}"
 {% elif team_role.resource_type[0] is match('workflow_job_template') %}
- workflow: "{{ team_role.resource_name }}"
+ workflow: "{{ team_role.resource_name }}"
 {% elif team_role.resource_type[0] is match('project') %}
- project: "{{ team_role.resource_name }}"
+ project: "{{ team_role.resource_name }}"
 {% elif team_role.resource_type[0] is match('credential') %}
- credential: "{{ team_role.resource_name }}"
+ credential: "{{ team_role.resource_name }}"
 {% endif %}
- role: "{% if team_role.role | lower == 'approve' %}approval{% else %}{{ team_role.role | lower | regex_replace(' ', '_') }}{% endif %}"
-{% if last_team_role | default(true) | bool %}
+ role: "{% if team_role.role | lower == 'approve' %}approval{% else %}{{ team_role.role | lower | regex_replace(' ', '_') }}{% endif %}"
 ...
-{% endif %}
+
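Review bot: The team and resource names are interpolated raw inside hand-written double quotes (`- "{{ team }}"`, `job_template: "{{ team_role.resource_name }}"` and the other resource keys), so a name containing `"` or `\` yields a file that either fails to parse or parses to something other than the exported name. This output is an access list, and presumably it is loaded back as role assignments, so the values should be serialised instead of quoted by hand, e.g. `- {{ team | to_json }}` and `job_template: {{ team_role.resource_name | to_json }}`. The same pattern appears in the current_user_access_list.j2 hunk of this patch.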
diff --git a/roles/filetree_create/templates/current_user_access_list.j2 b/roles/filetree_create/templates/current_user_access_list.j2
index b5b1dd38..b8f2c5fe 100644
--- a/roles/filetree_create/templates/current_user_access_list.j2
+++ b/roles/filetree_create/templates/current_user_access_list.j2
@@ -1,29 +1,25 @@
-{% if first_user_role | default(true) | bool %}
 ---
 controller_roles:
-{% endif %}
- - users:
+ - users:
 {% for user in user_role.user %}
- - "{{ user }}"
+ - "{{ user }}"
 {% endfor %}
 {% if user_role.resource_type[0] is match('organization') %}
- organizations:
- - "{{ user_role.resource_name }}"
+ organizations:
+ - "{{ user_role.resource_name }}"
 {% elif user_role.resource_type[0] is match('user') %}
- target_users:
- - "{{ user_role.resource_name }}"
+ target_users:
+ - "{{ user_role.resource_name }}"
 {% elif user_role.resource_type[0] is match('job_template') %}
- job_template: "{{ user_role.resource_name }}"
+ job_template: "{{ user_role.resource_name }}"
 {% elif user_role.resource_type[0] is match('inventory') %}
- inventory: "{{ user_role.resource_name }}"
+ inventory: "{{ user_role.resource_name }}"
 {% elif user_role.resource_type[0] is match('workflow_job_template') %}
- workflow: "{{ user_role.resource_name }}"
+ workflow: "{{ user_role.resource_name }}"
 {% elif user_role.resource_type[0] is match('project') %}
- project: "{{ user_role.resource_name }}"
+ project: "{{ user_role.resource_name }}"
 {% elif user_role.resource_type[0] is match('credential') %}
- credential: "{{ user_role.resource_name }}"
+ credential: "{{ user_role.resource_name }}"
 {% endif %}
- role: "{% if user_role.role | lower == 'approve' %}approval{% else %}{{ user_role.role | lower | regex_replace(' ', '_') }}{% endif %}"
-{% if last_user_role | default(true) | bool %}
+ role: "{% if user_role.role | lower == 'approve' %}approval{% else %}{{ user_role.role | lower | regex_replace(' ', '_') }}{% endif %}"
 ...
-{% endif %}
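Review bot: The `{% if %}`/`{% elif %}` chain on `user_role.resource_type[0]` has no `{% else %}`, so a grant on a resource type outside the seven listed is written with `users` and `role` but no resource key, and the export silently drops the object the grant applies to. An `{% else %}` branch that writes a comment naming the unhandled type would make the gap visible to whoever audits or re-imports the file. `is match(...)` is also anchored only at the start of the string, so `match('inventory')` accepts any type beginning with `inventory`; an exact comparison such as `{% elif user_role.resource_type[0] == 'inventory' %}` is stricter. Which type strings the controller returns is not visible in this patch, so confirm the list against the API. The team template hunk in this patch has the same chain.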