IBM-Security / isam-ansible-roles

Ansible Custom Modules, Handlers and Tasks for ISAM. Requires "ibmsecurity" python package.
Apache License 2.0

Multiple duplicate entries for reverse proxy configuration #161

Open elijah-chan opened 4 years ago

elijah-chan commented 4 years ago

Hi,

I have a use-case where I would need to set multiple duplicate entries for authentication levels.

For example:

[authentication-levels]
level = unauthenticated
level = ext-auth-interface
level = ext-auth-interface
level = ext-auth-interface
level = ext-auth-interface
level = ext-auth-interface

my var.yaml file currently contains:

- instances:
      - method: add
        stanza: authentication-levels
        entry_name: level
        value: unauthenticated
      - method: add
        stanza: authentication-levels
        entry_name: level
        value: ext-auth-interface
      - method: add
        stanza: "authentication-levels"
        entry_name: "level"
        value: "ext-auth-interface"
      - method: add
        stanza: authentication-levels
        entry_name: level
        value: ext-auth-interface
      - method: add
        stanza: "authentication-levels"
        entry_name: "level"
        value: "ext-auth-interface"

However this was what ansible configured after the playbook was triggered.

TASK [web/configure_reverseproxy_instances : Configure reverse proxy instances] ***
changed: [isam.hostname.com] => (item=(inst_name:[rp], stanza: [authentication-levels], entry_name:[level], value:[unauthenticated]))
changed: [isam.hostname.com] => (item=(inst_name:[rp], stanza: [authentication-levels], entry_name:[level], value:[ext-auth-interface]))
ok: [isam.hostname.com] => (item=(inst_name:[rp], stanza: [authentication-levels], entry_name:[level], value:[ext-auth-interface]))
ok: [isam.hostname.com] => (item=(inst_name:[rp], stanza: [authentication-levels], entry_name:[level], value:[ext-auth-interface]))
ok: [isam.hostname.com] => (item=(inst_name:[rp], stanza: [authentication-levels], entry_name:[level], value:[ext-auth-interface]))

[authentication-levels]
level = unauthenticated
level = ext-auth-interface

Is there any advice on how I can achieve my requirement via Ansible?

Thanks!

sygilber commented 4 years ago

Hi. Can you tell which specific role you are using (Add or Set role)? I would imagine that a set role should keep the list of entries untouched where an add role would only add entries missing.

elijah-chan commented 4 years ago

> Hi. Can you tell which specific role you are using (Add or Set role)? I would imagine that a set role should keep the list of entries untouched where an add role would only add entries missing.

Hi @sygilber

I am using the add role in the role named: configure_reverseproxy_instance

I need the role to add in a few level entries with some of them having duplicate values like in this example:

[authentication-levels]
level = unauthenticated
level = ext-auth-interface
level = ext-auth-interface
level = ext-auth-interface
level = ext-auth-interface
level = ext-auth-interface

Currently the role adds:

level = unauthenticated
level = ext-auth-interface

However, because the remaining entries are also "level = ext-auth-interface", Ansible detects that the entry is already there and did not add that in.

sygilber commented 4 years ago

Hi again.

I am not familiar with the role 'configure_reverseproxy_instance' (under web folder) but I can see that you can pass in the method such as add but also set. Have you tried using set?

Still, I think we need to identify a way to pass in the full entries to be set at once, and not individually one entry at a time.

I was able to achieve your requirements without any code change (role or python) with this legacy role "set_reverseproxy_conf" in this fashion. It will do the trick:

- role: set_reverseproxy_conf
  set_reverseproxy_conf_reverseproxy_id: "default"
  set_reverseproxy_conf_entries:
    - stanza_id: "authentication-levels"
      entries: >
        [
          ['level','unauthenticated'],
          ['level','ext-auth-interface'],
          ['level','ext-auth-interface'],
          ['level','ext-auth-interface'],
          ['level','ext-auth-interface'],
          ['level','ext-auth-interface']
        ]

Just tested it on my end and it works. It resulted in the following in bt WRP configuration:

[authentication-levels]
level = unauthenticated
level = ext-auth-interface
level = ext-auth-interface
level = ext-auth-interface
level = ext-auth-interface
level = ext-auth-interface

I will let others comment if this would have been also achievable as well with the role 'configure_reverseproxy_instance'.

Hope it helps
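A simplified model of the behaviour discussed in this thread, as an added example that is not code from the roles or from the ibmsecurity package: a per-entry idempotent add collapses repeated name/value pairs, while replacing the whole stanza keeps them. The function names, the constructed sample data and the use of `ast.literal_eval` on the entries string are assumptions made for illustration.

```python
import ast
from collections import Counter

# Desired stanza from the issue: one "unauthenticated" level followed by
# five identical "ext-auth-interface" levels (constructed sample data).
DESIRED = [("level", "unauthenticated")] + [("level", "ext-auth-interface")] * 5

# The list literal carried by the "entries" value (constructed; the
# literal_eval parsing below is an assumption, not the role's own code).
ENTRIES_TEXT = """[
  ['level','unauthenticated'],
  ['level','ext-auth-interface'], ['level','ext-auth-interface'],
  ['level','ext-auth-interface'], ['level','ext-auth-interface'],
  ['level','ext-auth-interface']
]"""

def add_entry(stanza, name, value):
    """Per-entry idempotent add: skip a pair that is already present."""
    if (name, value) in stanza:
        return False              # Ansible would report "ok"
    stanza.append((name, value))
    return True                   # Ansible would report "changed"

def run_add(desired):
    """Apply add_entry item by item, the way a looped task would."""
    stanza = []
    results = [add_entry(stanza, n, v) for n, v in desired]
    return stanza, results

def set_stanza(entries_text):
    """Whole-stanza set: parse the list once and replace everything."""
    return [(str(n), str(v)) for n, v in ast.literal_eval(entries_text)]

def missing_entries(desired, actual):
    """Multiset difference: entries wanted more often than they appear."""
    return sorted((Counter(desired) - Counter(actual)).elements())

def render(stanza_id, stanza):
    """Render the stanza the way it appears in the configuration file."""
    return "\n".join([f"[{stanza_id}]"] + [f"{n} = {v}" for n, v in stanza])

if __name__ == "__main__":
    added, results = run_add(DESIRED)
    print(results)
    print(render("authentication-levels", added))
    print("dropped by add:", missing_entries(DESIRED, added))
    print(render("authentication-levels", set_stanza(ENTRIES_TEXT)))
```

Comparing with `missing_entries` after a playbook run is a cheap way to confirm that the deployed stanza contains every repeated entry that was intended, since a plain membership test cannot see dropped duplicates.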

elijah-chan commented 4 years ago

Hi @sygilber

Thanks, I will go try the legacy role. I would like to have some understanding of how "entries: >" works. Is there anywhere I can read up on this?

Thanks

sygilber commented 4 years ago

Found this: https://docs.ansible.com/ansible/latest/reference_appendices/YAMLSyntax.html

"Using a “Folded Block Scalar” > will fold newlines to spaces; it’s used to make what would otherwise be a very long line easier to read and edit. In either case the indentation will be ignored"

In the sample code provided above, it was just to make the entries more readable.

sygilber commented 4 years ago

Hi again, does the proposed solution resolve this reported issue for you? If not, please let us know. If yes, it would be really appreciated if you could close the issue. Thanks