eigenstate-ipa

Sudo Plugin

Related docs:

  SUDO CAPABILITIES     SUDO USE CASES     HBAC RULE PLUGIN     DOCS MAP  

Purpose

eigenstate.ipa.sudo is the read-only sudo policy lookup for this collection. It exposes three IdM sudo object types, sudo rules, sudo commands, and sudo command groups (selected with sudo_object='rule', 'command', or 'commandgroup'), through one plugin surface:

Use it when playbooks need to inspect sudo policy before running work, audit the current policy model, or assert that a required command or command group exists. This plugin is read-only. Use the official FreeIPA modules for write paths: ipasudorule, ipasudocmd, and ipasudocmdgroup.

Lookup Model

flowchart LR
    task["Ansible task or assert"]
    auth["Kerberos auth"]
    lookup["eigenstate.ipa.sudo"]
    ipa["ipalib sudo APIs"]
    out["Rule, command,\nor command-group record"]

    task --> lookup
    auth --> lookup
    lookup --> ipa
    ipa --> out

Authentication Model

Authentication follows the same pattern as the other eigenstate.ipa lookup plugins:

  1. kerberos_keytab: preferred for non-interactive and AAP use.
  2. ipaadmin_password: uses password-backed kinit.
  3. ambient Kerberos ticket: used when neither password nor keytab is passed. The lookup then runs as whatever principal the controller's credential cache holds, so prefer an explicit keytab in automation to avoid querying as an unintended identity.

verify (the CA bundle used to validate the IdM server's TLS certificate) defaults to /etc/ipa/ca.crt when that file is present.

Operations

show (default)

Queries one or more named sudo objects and returns one record per object. Missing objects return exists: false instead of raising, so a mistyped name does not fail the lookup by itself; assert on exists whenever the object is required.

vars:
  rule: "{{ lookup('eigenstate.ipa.sudo',
            'ops-maintenance',
            sudo_object='rule',
            server='idm-01.example.com',
            kerberos_keytab='/etc/admin.keytab') }}"

find

Searches all objects of the selected sudo_object type. Use criteria when you want a filtered search.

vars:
  groups: "{{ lookup('eigenstate.ipa.sudo',
              operation='find',
              sudo_object='commandgroup',
              server='idm-01.example.com',
              kerberos_keytab='/etc/admin.keytab') }}"
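The following is an added example, not code from the eigenstate.ipa collection's own docs. It combines find with criteria and result_format='map_record' to audit which matching rules are enabled, using only the exists/enabled fields this page documents. The criteria value 'ops', the substring-match semantics assumed for it, and the use of map_record with find are assumptions for illustration.

```yaml
# Added example. Assumes 'criteria' is a substring filter on the object name
# and that result_format='map_record' is accepted for find (both assumptions).
- name: Find every sudo rule whose name matches 'ops'
  ansible.builtin.set_fact:
    ops_rules: "{{ lookup('eigenstate.ipa.sudo',
                     operation='find',
                     sudo_object='rule',
                     criteria='ops',
                     result_format='map_record',
                     server='idm-01.example.com',
                     kerberos_keytab='/etc/admin.keytab') }}"

# map_record is one dict keyed by rule name, so the keys are the names and
# no per-record name field has to be assumed.
- name: Report which matching rules are currently enabled
  ansible.builtin.debug:
    msg: "Enabled rules: {{ ops_rules | dict2items
                              | selectattr('value.enabled')
                              | map(attribute='key') | sort }}"

- name: Refuse to continue if the search matched nothing
  ansible.builtin.assert:
    that:
      - ops_rules | length > 0
    fail_msg: "No sudo rule matching 'ops' found on idm-01.example.com"
```

selectattr without an explicit test keeps entries whose attribute is truthy, so the filter above lists only rules with enabled: true.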

Object Types

rule

Returns sudo-rule policy state: enablement, direct membership, category-wide scope, allowed and denied commands, RunAs assignments, options, and order.

Key fields:

command

Returns the command path and description for one sudo command object.

Key fields:

commandgroup

Returns the command-group name, description, and member command list.

Key fields:

Return Shapes

result_format=record

Returns a list with one dict per object. When lookup() is called with a single show term, Ansible unwraps the one-element list to a plain dict; with several terms, or with find, the result stays a list. Use query() or lookup(..., wantlist=True) when the consuming code must receive a list in every case.

result_format=map_record

Returns a single dict keyed by object name. This is the better shape when you load multiple rules or command groups and reference them by name later.
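The following is an added example, not part of the original page, showing the map_record shape used to enforce that several named rules all exist and are enabled. The rule name 'db-restart' is a placeholder alongside the page's own 'ops-maintenance'.

```yaml
# Added example. The rule names are placeholders; server and keytab follow
# the values used elsewhere on this page.
- name: Load the sudo rules this play depends on, keyed by name
  ansible.builtin.set_fact:
    required_rules: "{{ lookup('eigenstate.ipa.sudo',
                           'ops-maintenance', 'db-restart',
                           sudo_object='rule',
                           result_format='map_record',
                           server='idm-01.example.com',
                           kerberos_keytab='/etc/admin.keytab') }}"

# A missing rule comes back as exists: false rather than an error, so the
# assert has to check exists as well as enabled for every requested name.
- name: Every required rule must exist and be enabled
  ansible.builtin.assert:
    that:
      - item.value.exists
      - item.value.enabled
    fail_msg: "sudo rule {{ item.key }} is missing or disabled"
    quiet: true
  loop: "{{ required_rules | dict2items }}"
  loop_control:
    label: "{{ item.key }}"
```

Because the map is keyed by name, later tasks can reference a specific rule directly, for example required_rules['ops-maintenance'].enabled, without searching a list.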

Minimal Examples

Assert a sudo rule exists and is enabled:

- ansible.builtin.assert:
    that:
      - sudo_rule.exists
      - sudo_rule.enabled
    fail_msg: "Required sudo rule is missing or disabled"
  vars:
    sudo_rule: "{{ lookup('eigenstate.ipa.sudo',
                    'ops-maintenance',
                    sudo_object='rule',
                    server='idm-01.example.com',
                    kerberos_keytab='/etc/admin.keytab') }}"

Inspect a sudo command group:

- ansible.builtin.debug:
    var: system_ops
  vars:
    system_ops: "{{ lookup('eigenstate.ipa.sudo',
                    'system-ops',
                    sudo_object='commandgroup',
                    server='idm-01.example.com',
                    kerberos_keytab='/etc/admin.keytab') }}"

Failure Boundaries