FreeIPA: Fix ipa_user password option (#48453)

Maintain idempotency in ipa_user while user update.
2019-03-11 06:14:06 -04:00 · 2019-03-11 06:14:06 -04:00 · cd5c64c818
commit cd5c64c818
parent 8d00ccf60f
2 changed files with 28 additions and 2 deletions
--- a/docs/docsite/rst/porting_guides/porting_guide_2.8.rst
+++ b/docs/docsite/rst/porting_guides/porting_guide_2.8.rst
@ -314,6 +314,7 @@ Noteworthy module changes
  <https://galaxy.ansible.com/PaloAltoNetworks/paloaltonetworks>`_.  Contributions to the role can be made
  `here <https://github.com/PaloAltoNetworks/ansible-pan>`_.

+* The ``ipa_user`` module originally always sent ``password`` to FreeIPA regardless of whether the password changed. Now the module only sends ``password`` if ``update_password`` is set to ``always``, which is the default.

 Plugins
 =======
--- a/lib/ansible/modules/identity/ipa/ipa_user.py
+++ b/lib/ansible/modules/identity/ipa/ipa_user.py
@ -21,6 +21,13 @@ description:
 options:
  displayname:
    description: Display name
+  update_password:
+    description:
+    - Set password for a user.
+    type: str
+    default: 'always'
+    choices: [ always, on_create ]
+    version_added: 2.8
  givenname:
    description: First name
  krbpasswordexpiration:
@ -38,7 +45,7 @@ options:
    - If None is passed email addresses will not be checked or changed.
  password:
    description:
-    - Password for new user
+    - Password for a user. Will not be set for an existing user unless C(update_password) is set to C(always), which is the default.
  sn:
    description: Surname
  sshpubkey:
@ -77,7 +84,7 @@ requirements:
 '''

 EXAMPLES = '''
-# Ensure pinky is present
+# Ensure pinky is present and always reset password
 - ipa_user:
    name: pinky
    state: present
@ -104,6 +111,19 @@ EXAMPLES = '''
    ipa_host: ipa.example.com
    ipa_user: admin
    ipa_pass: topsecret
+
+# Ensure pinky is present but don't reset password if already exists
+- ipa_user:
+    name: pinky
+    state: present
+    givenname: Pinky
+    sn: Acme
+    password: zounds
+    ipa_host: ipa.example.com
+    ipa_user: admin
+    ipa_pass: topsecret
+    update_password: on_create
+
 '''

 RETURN = '''
@ -257,6 +277,7 @@ def ensure(module, client):
                                userpassword=module.params['password'],
                                gidnumber=module.params.get('gidnumber'), uidnumber=module.params.get('uidnumber'))

+    update_password = module.params.get('update_password')
    ipa_user = client.user_find(name=name)

    changed = False
@ -266,6 +287,8 @@ def ensure(module, client):
            if not module.check_mode:
                ipa_user = client.user_add(name=name, item=module_user)
        else:
+            if update_password == 'on_create':
+                module_user.pop('userpassword', None)
            diff = get_user_diff(client, ipa_user, module_user)
            if len(diff) > 0:
                changed = True
@ -284,6 +307,8 @@ def main():
    argument_spec = ipa_argument_spec()
    argument_spec.update(displayname=dict(type='str'),
                         givenname=dict(type='str'),
+                         update_password=dict(type='str', default="always",
+                                              choices=['always', 'on_create']),
                         krbpasswordexpiration=dict(type='str'),
                         loginshell=dict(type='str'),
                         mail=dict(type='list'),