k*.py: normalize docs (#9391)

* k*.py: normalize docs

* Update plugins/modules/keycloak_realm_keys_metadata_info.py

Co-authored-by: Felix Fontein <felix@fontein.de>

* Update plugins/modules/kibana_plugin.py

Co-authored-by: Felix Fontein <felix@fontein.de>

---------

Co-authored-by: Felix Fontein <felix@fontein.de>
Alexei Znamensky 2024-12-27 01:42:44 +13:00 committed by GitHub
parent 6aadcc72d1
commit 49ed3d4acf
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
34 changed files with 4402 additions and 4882 deletions


@ -7,15 +7,13 @@ from __future__ import (absolute_import, division, print_function)
__metaclass__ = type
DOCUMENTATION = r'''
---
DOCUMENTATION = r"""
module: kdeconfig
short_description: Manage KDE configuration files
version_added: "6.5.0"
description:
- Add or change individual settings in KDE configuration files.
- It uses B(kwriteconfig) under the hood.
options:
path:
description:
@ -24,8 +22,7 @@ options:
required: true
kwriteconfig_path:
description:
- Path to the kwriteconfig executable. If not specified, Ansible will try
to discover it.
- Path to the kwriteconfig executable. If not specified, Ansible will try to discover it.
type: path
values:
description:
@ -74,9 +71,9 @@ requirements:
- kwriteconfig
author:
- Salvatore Mesoraca (@smeso)
'''
"""
EXAMPLES = r'''
EXAMPLES = r"""
- name: Ensure "Homepage=https://www.ansible.com/" in group "Branding"
community.general.kdeconfig:
path: /etc/xdg/kickoffrc
@ -97,9 +94,9 @@ EXAMPLES = r'''
key: KEY
value: VALUE
backup: true
'''
"""
RETURN = r''' # '''
RETURN = r""" # """
import os
import shutil


@ -9,8 +9,7 @@
from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = '''
---
DOCUMENTATION = r"""
module: kernel_blacklist
author:
- Matthias Vogelgesang (@matze)
@ -39,17 +38,16 @@ options:
blacklist_file:
type: str
description:
- If specified, use this blacklist file instead of
C(/etc/modprobe.d/blacklist-ansible.conf).
- If specified, use this blacklist file instead of C(/etc/modprobe.d/blacklist-ansible.conf).
default: /etc/modprobe.d/blacklist-ansible.conf
'''
"""
EXAMPLES = '''
EXAMPLES = r"""
- name: Blacklist the nouveau driver module
community.general.kernel_blacklist:
name: nouveau
state: present
'''
"""
import os
import re


@ -7,8 +7,7 @@
from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = '''
---
DOCUMENTATION = r"""
module: keycloak_authentication
short_description: Configure authentication in Keycloak
@ -16,7 +15,6 @@ short_description: Configure authentication in Keycloak
description:
- This module actually can only make a copy of an existing authentication flow, add an execution to it and configure it.
- It can also delete the flow.
version_added: "3.3.0"
attributes:
@ -101,7 +99,6 @@ options:
default: false
description:
- If V(true), allows to remove the authentication flow and recreate it.
extends_documentation_fragment:
- community.general.keycloak
- community.general.keycloak.actiongroup_keycloak
@ -110,9 +107,9 @@ extends_documentation_fragment:
author:
- Philippe Gauthier (@elfelip)
- Gaëtan Daubresse (@Gaetan2907)
'''
"""
EXAMPLES = '''
EXAMPLES = r"""
- name: Create an authentication flow from first broker login and add an execution to it.
community.general.keycloak_authentication:
auth_keycloak_url: http://localhost:8080/auth
@ -184,9 +181,9 @@ EXAMPLES = '''
realm: master
alias: "Copy of first broker login"
state: absent
'''
"""
RETURN = '''
RETURN = r"""
msg:
description: Message as to what action was taken.
returned: always
@ -222,7 +219,7 @@ end_state:
"providerId": "basic-flow",
"topLevel": true
}
'''
"""
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak \
import KeycloakAPI, keycloak_argument_spec, get_token, KeycloakError, is_struct_included
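Review bot: The `force` option text at the context line `- If V(true), allows to remove the authentication flow and recreate it.` (hunk `@ -101,7 +99,6`) is left with a non-idiomatic phrasing while this commit normalizes the surrounding docs; since the option deletes and re-creates a flow, the wording should also make that destructive effect plain. I would change it to `- If V(true), allows removing the authentication flow and recreating it; existing executions on the flow are replaced.` if that matches the module's behaviour, otherwise just the grammar fix `- If V(true), allows removing the authentication flow and recreating it.`. The module body is outside the hunks, so I could not confirm what the re-creation keeps.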


@ -9,8 +9,7 @@
from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = '''
---
DOCUMENTATION = r"""
module: keycloak_authentication_required_actions
short_description: Allows administration of Keycloak authentication required actions
@ -18,7 +17,6 @@ short_description: Allows administration of Keycloak authentication required act
description:
- This module can register, update and delete required actions.
- It also filters out any duplicate required actions by their alias. The first occurrence is preserved.
version_added: 7.1.0
attributes:
@ -84,9 +82,9 @@ extends_documentation_fragment:
author:
- Skrekulko (@Skrekulko)
'''
"""
EXAMPLES = '''
EXAMPLES = r"""
- name: Register a new required action.
community.general.keycloak_authentication_required_actions:
auth_client_id: "admin-cli"
@ -126,9 +124,9 @@ EXAMPLES = '''
required_action:
- alias: "TERMS_AND_CONDITIONS"
state: "absent"
'''
"""
RETURN = '''
RETURN = r"""
msg:
description: Message as to what action was taken.
returned: always
@ -174,8 +172,7 @@ end_state:
- Provider ID of the required action. Required for registration.
sample: test-provider-id
type: str
'''
"""
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, \
keycloak_argument_spec, get_token, KeycloakError


@ -9,27 +9,21 @@
from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = '''
---
DOCUMENTATION = r"""
module: keycloak_authz_authorization_scope
short_description: Allows administration of Keycloak client authorization scopes via Keycloak API
short_description: Allows administration of Keycloak client authorization scopes using Keycloak API
version_added: 6.6.0
description:
- This module allows the administration of Keycloak client Authorization Scopes via the Keycloak REST
API. Authorization Scopes are only available if a client has Authorization enabled.
- This module requires access to the REST API via OpenID Connect; the user connecting and the realm
being used must have the requisite access rights. In a default Keycloak installation, admin-cli
and an admin user would work, as would a separate realm definition with the scope tailored
- This module allows the administration of Keycloak client Authorization Scopes using the Keycloak REST API. Authorization Scopes are only available
if a client has Authorization enabled.
- This module requires access to the REST API using OpenID Connect; the user connecting and the realm being used must have the requisite access
rights. In a default Keycloak installation, admin-cli and an admin user would work, as would a separate realm definition with the scope tailored
to your needs and a user having the expected roles.
- The names of module options are snake_cased versions of the camelCase options used by Keycloak.
The Authorization Services paths and payloads have not officially been documented by the Keycloak project.
U(https://www.puppeteers.net/blog/keycloak-authorization-services-rest-api-paths-and-payload/)
- The names of module options are snake_cased versions of the camelCase options used by Keycloak. The Authorization Services paths and payloads
have not officially been documented by the Keycloak project. U(https://www.puppeteers.net/blog/keycloak-authorization-services-rest-api-paths-and-payload/).
attributes:
check_mode:
support: full
@ -81,9 +75,9 @@ extends_documentation_fragment:
author:
- Samuli Seppänen (@mattock)
'''
"""
EXAMPLES = '''
EXAMPLES = r"""
- name: Manage Keycloak file:delete authorization scope
keycloak_authz_authorization_scope:
name: file:delete
@ -95,9 +89,9 @@ EXAMPLES = '''
auth_username: keycloak
auth_password: keycloak
auth_realm: master
'''
"""
RETURN = '''
RETURN = r"""
msg:
description: Message as to what action was taken.
returned: always
@ -128,8 +122,7 @@ end_state:
type: str
returned: when O(state=present)
sample: http://localhost/icon.png
'''
"""
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, \
keycloak_argument_spec, get_token, KeycloakError


@ -9,28 +9,21 @@
from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = '''
---
DOCUMENTATION = r"""
module: keycloak_authz_custom_policy
short_description: Allows administration of Keycloak client custom Javascript policies via Keycloak API
short_description: Allows administration of Keycloak client custom Javascript policies using Keycloak API
version_added: 7.5.0
description:
- This module allows the administration of Keycloak client custom Javascript via the Keycloak REST
API. Custom Javascript policies are only available if a client has Authorization enabled and if
they have been deployed to the Keycloak server as JAR files.
- This module requires access to the REST API via OpenID Connect; the user connecting and the realm
being used must have the requisite access rights. In a default Keycloak installation, admin-cli
and an admin user would work, as would a separate realm definition with the scope tailored
- This module allows the administration of Keycloak client custom Javascript using the Keycloak REST API. Custom Javascript policies are only
available if a client has Authorization enabled and if they have been deployed to the Keycloak server as JAR files.
- This module requires access to the REST API using OpenID Connect; the user connecting and the realm being used must have the requisite access
rights. In a default Keycloak installation, admin-cli and an admin user would work, as would a separate realm definition with the scope tailored
to your needs and a user having the expected roles.
- The names of module options are snake_cased versions of the camelCase options used by Keycloak.
The Authorization Services paths and payloads have not officially been documented by the Keycloak project.
U(https://www.puppeteers.net/blog/keycloak-authorization-services-rest-api-paths-and-payload/)
- The names of module options are snake_cased versions of the camelCase options used by Keycloak. The Authorization Services paths and payloads
have not officially been documented by the Keycloak project. U(https://www.puppeteers.net/blog/keycloak-authorization-services-rest-api-paths-and-payload/).
attributes:
check_mode:
support: full
@ -78,9 +71,9 @@ extends_documentation_fragment:
author:
- Samuli Seppänen (@mattock)
'''
"""
EXAMPLES = '''
EXAMPLES = r"""
- name: Manage Keycloak custom authorization policy
community.general.keycloak_authz_custom_policy:
name: OnlyOwner
@ -92,9 +85,9 @@ EXAMPLES = '''
auth_username: keycloak
auth_password: keycloak
auth_realm: master
'''
"""
RETURN = '''
RETURN = r"""
msg:
description: Message as to what action was taken.
returned: always
@ -115,8 +108,7 @@ end_state:
type: str
returned: when I(state=present)
sample: File delete
'''
"""
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, \
keycloak_argument_spec, get_token, KeycloakError
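Review bot: The RETURN block still uses the deprecated `I()` markup at the context line `returned: when I(state=present)` in the last hunk (`@ -115,8 +108,7`), whereas the sibling module keycloak_authz_authorization_scope in this same commit already reads `returned: when O(state=present)`. Since the point of the commit is doc normalization, this line should be brought in line: `returned: when O(state=present)`. The same check is worth running over the other `I(...)` references in files of this series that are not visible here.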


@ -9,35 +9,26 @@
from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = '''
---
DOCUMENTATION = r"""
module: keycloak_authz_permission
version_added: 7.2.0
short_description: Allows administration of Keycloak client authorization permissions via Keycloak API
short_description: Allows administration of Keycloak client authorization permissions using Keycloak API
description:
- This module allows the administration of Keycloak client authorization permissions via the Keycloak REST
API. Authorization permissions are only available if a client has Authorization enabled.
- There are some peculiarities in JSON paths and payloads for authorization permissions. In particular
POST and PUT operations are targeted at permission endpoints, whereas GET requests go to policies
endpoint. To make matters more interesting the JSON responses from GET requests return data in a
different format than what is expected for POST and PUT. The end result is that it is not possible to
detect changes to things like policies, scopes or resources - at least not without a large number of
additional API calls. Therefore this module always updates authorization permissions instead of
attempting to determine if changes are truly needed.
- This module requires access to the REST API via OpenID Connect; the user connecting and the realm
being used must have the requisite access rights. In a default Keycloak installation, admin-cli
and an admin user would work, as would a separate realm definition with the scope tailored
- This module allows the administration of Keycloak client authorization permissions using the Keycloak REST API. Authorization permissions are
only available if a client has Authorization enabled.
- There are some peculiarities in JSON paths and payloads for authorization permissions. In particular POST and PUT operations are targeted
at permission endpoints, whereas GET requests go to policies endpoint. To make matters more interesting the JSON responses from GET requests
return data in a different format than what is expected for POST and PUT. The end result is that it is not possible to detect changes to things
like policies, scopes or resources - at least not without a large number of additional API calls. Therefore this module always updates authorization
permissions instead of attempting to determine if changes are truly needed.
- This module requires access to the REST API using OpenID Connect; the user connecting and the realm being used must have the requisite access
rights. In a default Keycloak installation, admin-cli and an admin user would work, as would a separate realm definition with the scope tailored
to your needs and a user having the expected roles.
- The names of module options are snake_cased versions of the camelCase options used by Keycloak.
The Authorization Services paths and payloads have not officially been documented by the Keycloak project.
U(https://www.puppeteers.net/blog/keycloak-authorization-services-rest-api-paths-and-payload/)
- The names of module options are snake_cased versions of the camelCase options used by Keycloak. The Authorization Services paths and payloads
have not officially been documented by the Keycloak project. U(https://www.puppeteers.net/blog/keycloak-authorization-services-rest-api-paths-and-payload/).
attributes:
check_mode:
support: full
@ -128,9 +119,9 @@ extends_documentation_fragment:
author:
- Samuli Seppänen (@mattock)
'''
"""
EXAMPLES = '''
EXAMPLES = r"""
- name: Manage scope-based Keycloak authorization permission
community.general.keycloak_authz_permission:
name: ScopePermission
@ -164,9 +155,9 @@ EXAMPLES = '''
auth_username: keycloak
auth_password: keycloak
auth_realm: master
'''
"""
RETURN = '''
RETURN = r"""
msg:
description: Message as to what action was taken.
returned: always
@ -225,7 +216,7 @@ end_state:
returned: when O(state=present)
sample:
- 9da05cd2-b273-4354-bbd8-0c133918a454
'''
"""
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, \
keycloak_argument_spec, get_token, KeycloakError


@ -9,8 +9,7 @@
from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = '''
---
DOCUMENTATION = r"""
module: keycloak_authz_permission_info
version_added: 7.2.0
@ -18,19 +17,13 @@ version_added: 7.2.0
short_description: Query Keycloak client authorization permissions information
description:
- This module allows querying information about Keycloak client authorization permissions from the
resources endpoint via the Keycloak REST API. Authorization permissions are only available if a
client has Authorization enabled.
- This module requires access to the REST API via OpenID Connect; the user connecting and the realm
being used must have the requisite access rights. In a default Keycloak installation, admin-cli
and an admin user would work, as would a separate realm definition with the scope tailored
- This module allows querying information about Keycloak client authorization permissions from the resources endpoint using the Keycloak REST
API. Authorization permissions are only available if a client has Authorization enabled.
- This module requires access to the REST API using OpenID Connect; the user connecting and the realm being used must have the requisite access
rights. In a default Keycloak installation, admin-cli and an admin user would work, as would a separate realm definition with the scope tailored
to your needs and a user having the expected roles.
- The names of module options are snake_cased versions of the camelCase options used by Keycloak.
The Authorization Services paths and payloads have not officially been documented by the Keycloak project.
U(https://www.puppeteers.net/blog/keycloak-authorization-services-rest-api-paths-and-payload/)
- The names of module options are snake_cased versions of the camelCase options used by Keycloak. The Authorization Services paths and payloads
have not officially been documented by the Keycloak project. U(https://www.puppeteers.net/blog/keycloak-authorization-services-rest-api-paths-and-payload/).
attributes:
action_group:
version_added: 10.2.0
@ -61,9 +54,9 @@ extends_documentation_fragment:
author:
- Samuli Seppänen (@mattock)
'''
"""
EXAMPLES = '''
EXAMPLES = r"""
- name: Query Keycloak authorization permission
community.general.keycloak_authz_permission_info:
name: ScopePermission
@ -73,9 +66,9 @@ EXAMPLES = '''
auth_username: keycloak
auth_password: keycloak
auth_realm: master
'''
"""
RETURN = '''
RETURN = r"""
msg:
description: Message as to what action was taken.
returned: always
@ -114,7 +107,7 @@ queried_state:
description: Configuration of the permission (empty in all observed cases).
type: dict
sample: {}
'''
"""
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, \
keycloak_argument_spec, get_token, KeycloakError


@ -8,28 +8,21 @@
from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = '''
---
DOCUMENTATION = r"""
module: keycloak_client
short_description: Allows administration of Keycloak clients via Keycloak API
short_description: Allows administration of Keycloak clients using Keycloak API
description:
- This module allows the administration of Keycloak clients via the Keycloak REST API. It
requires access to the REST API via OpenID Connect; the user connecting and the client being
used must have the requisite access rights. In a default Keycloak installation, admin-cli
and an admin user would work, as would a separate client definition with the scope tailored
to your needs and a user having the expected roles.
- The names of module options are snake_cased versions of the camelCase ones found in the
Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html).
- This module allows the administration of Keycloak clients using the Keycloak REST API. It requires access to the REST API using OpenID Connect;
the user connecting and the client being used must have the requisite access rights. In a default Keycloak installation, admin-cli and an
admin user would work, as would a separate client definition with the scope tailored to your needs and a user having the expected roles.
- The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at
U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html).
Aliases are provided so camelCased versions can be used as well.
- The Keycloak API does not always sanity check inputs e.g. you can set
SAML-specific settings on an OpenID Connect client for instance and vice versa. Be careful.
If you do not specify a setting, usually a sensible default is chosen.
- The Keycloak API does not always sanity check inputs, for example you can set SAML-specific settings on an OpenID Connect client for instance and
the other way around. Be careful. If you do not specify a setting, usually a sensible default is chosen.
attributes:
check_mode:
support: full
@ -41,9 +34,9 @@ attributes:
options:
state:
description:
- State of the client
- State of the client.
- On V(present), the client will be created (or updated if it exists already).
- On V(absent), the client will be removed if it exists
- On V(absent), the client will be removed if it exists.
choices: ['present', 'absent']
default: 'present'
type: str
@ -56,17 +49,15 @@ options:
client_id:
description:
- Client id of client to be worked on. This is usually an alphanumeric name chosen by
you. Either this or O(id) is required. If you specify both, O(id) takes precedence.
This is 'clientId' in the Keycloak REST API.
- Client id of client to be worked on. This is usually an alphanumeric name chosen by you. Either this or O(id) is required. If you specify
both, O(id) takes precedence. This is C(clientId) in the Keycloak REST API.
aliases:
- clientId
type: str
id:
description:
- Id of client to be worked on. This is usually an UUID. Either this or O(client_id)
is required. If you specify both, this takes precedence.
- Id of client to be worked on. This is usually an UUID. Either this or O(client_id) is required. If you specify both, this takes precedence.
type: str
name:
@ -81,24 +72,21 @@ options:
root_url:
description:
- Root URL appended to relative URLs for this client.
This is 'rootUrl' in the Keycloak REST API.
- Root URL appended to relative URLs for this client. This is C(rootUrl) in the Keycloak REST API.
aliases:
- rootUrl
type: str
admin_url:
description:
- URL to the admin interface of the client.
This is 'adminUrl' in the Keycloak REST API.
- URL to the admin interface of the client. This is C(adminUrl) in the Keycloak REST API.
aliases:
- adminUrl
type: str
base_url:
description:
- Default URL to use when the auth server needs to redirect or link back to the client
This is 'baseUrl' in the Keycloak REST API.
- Default URL to use when the auth server needs to redirect or link back to the client This is C(baseUrl) in the Keycloak REST API.
aliases:
- baseUrl
type: str
@ -110,13 +98,12 @@ options:
client_authenticator_type:
description:
- How do clients authenticate with the auth server? Either V(client-secret),
V(client-jwt), or V(client-x509) can be chosen. When using V(client-secret), the module parameter
O(secret) can set it, for V(client-jwt), you can use the keys C(use.jwks.url),
C(jwks.url), and C(jwt.credential.certificate) in the O(attributes) module parameter
to configure its behavior. For V(client-x509) you can use the keys C(x509.allow.regex.pattern.comparison)
and C(x509.subjectdn) in the O(attributes) module parameter to configure which certificate(s) to accept.
- This is 'clientAuthenticatorType' in the Keycloak REST API.
- How do clients authenticate with the auth server? Either V(client-secret), V(client-jwt), or V(client-x509) can be chosen. When using
V(client-secret), the module parameter O(secret) can set it, for V(client-jwt), you can use the keys C(use.jwks.url), C(jwks.url), and
C(jwt.credential.certificate) in the O(attributes) module parameter to configure its behavior. For V(client-x509) you can use the keys
C(x509.allow.regex.pattern.comparison) and C(x509.subjectdn) in the O(attributes) module parameter to configure which certificate(s) to
accept.
- This is C(clientAuthenticatorType) in the Keycloak REST API.
choices: ['client-secret', 'client-jwt', 'client-x509']
aliases:
- clientAuthenticatorType
@ -124,26 +111,22 @@ options:
secret:
description:
- When using O(client_authenticator_type=client-secret) (the default), you can
specify a secret here (otherwise one will be generated if it does not exit). If
changing this secret, the module will not register a change currently (but the
changed secret will be saved).
- When using O(client_authenticator_type=client-secret) (the default), you can specify a secret here (otherwise one will be generated if
it does not exit). If changing this secret, the module will not register a change currently (but the changed secret will be saved).
type: str
registration_access_token:
description:
- The registration access token provides access for clients to the client registration
service.
This is 'registrationAccessToken' in the Keycloak REST API.
- The registration access token provides access for clients to the client registration service. This is C(registrationAccessToken) in the
Keycloak REST API.
aliases:
- registrationAccessToken
type: str
default_roles:
description:
- list of default roles for this client. If the client roles referenced do not exist
yet, they will be created.
This is 'defaultRoles' in the Keycloak REST API.
- List of default roles for this client. If the client roles referenced do not exist yet, they will be created. This is C(defaultRoles) in
the Keycloak REST API.
aliases:
- defaultRoles
type: list
@ -151,8 +134,7 @@ options:
redirect_uris:
description:
- Acceptable redirect URIs for this client.
This is 'redirectUris' in the Keycloak REST API.
- Acceptable redirect URIs for this client. This is C(redirectUris) in the Keycloak REST API.
aliases:
- redirectUris
type: list
@ -160,8 +142,7 @@ options:
web_origins:
description:
- List of allowed CORS origins.
This is 'webOrigins' in the Keycloak REST API.
- List of allowed CORS origins. This is C(webOrigins) in the Keycloak REST API.
aliases:
- webOrigins
type: list
@ -169,80 +150,71 @@ options:
not_before:
description:
- Revoke any tokens issued before this date for this client (this is a UNIX timestamp).
This is 'notBefore' in the Keycloak REST API.
- Revoke any tokens issued before this date for this client (this is a UNIX timestamp). This is C(notBefore) in the Keycloak REST API.
type: int
aliases:
- notBefore
bearer_only:
description:
- The access type of this client is bearer-only.
This is 'bearerOnly' in the Keycloak REST API.
- The access type of this client is bearer-only. This is C(bearerOnly) in the Keycloak REST API.
aliases:
- bearerOnly
type: bool
consent_required:
description:
- If enabled, users have to consent to client access.
This is 'consentRequired' in the Keycloak REST API.
- If enabled, users have to consent to client access. This is C(consentRequired) in the Keycloak REST API.
aliases:
- consentRequired
type: bool
standard_flow_enabled:
description:
- Enable standard flow for this client or not (OpenID connect).
This is 'standardFlowEnabled' in the Keycloak REST API.
- Enable standard flow for this client or not (OpenID connect). This is C(standardFlowEnabled) in the Keycloak REST API.
aliases:
- standardFlowEnabled
type: bool
implicit_flow_enabled:
description:
- Enable implicit flow for this client or not (OpenID connect).
This is 'implicitFlowEnabled' in the Keycloak REST API.
- Enable implicit flow for this client or not (OpenID connect). This is C(implicitFlowEnabled) in the Keycloak REST API.
aliases:
- implicitFlowEnabled
type: bool
direct_access_grants_enabled:
description:
- Are direct access grants enabled for this client or not (OpenID connect).
This is 'directAccessGrantsEnabled' in the Keycloak REST API.
- Are direct access grants enabled for this client or not (OpenID connect). This is C(directAccessGrantsEnabled) in the Keycloak REST API.
aliases:
- directAccessGrantsEnabled
type: bool
service_accounts_enabled:
description:
- Are service accounts enabled for this client or not (OpenID connect).
This is 'serviceAccountsEnabled' in the Keycloak REST API.
- Are service accounts enabled for this client or not (OpenID connect). This is C(serviceAccountsEnabled) in the Keycloak REST API.
aliases:
- serviceAccountsEnabled
type: bool
authorization_services_enabled:
description:
- Are authorization services enabled for this client or not (OpenID connect).
This is 'authorizationServicesEnabled' in the Keycloak REST API.
- Are authorization services enabled for this client or not (OpenID connect). This is C(authorizationServicesEnabled) in the Keycloak REST
API.
aliases:
- authorizationServicesEnabled
type: bool
public_client:
description:
- Is the access type for this client public or not.
This is 'publicClient' in the Keycloak REST API.
- Is the access type for this client public or not. This is C(publicClient) in the Keycloak REST API.
aliases:
- publicClient
type: bool
frontchannel_logout:
description:
- Is frontchannel logout enabled for this client or not.
This is 'frontchannelLogout' in the Keycloak REST API.
- Is frontchannel logout enabled for this client or not. This is C(frontchannelLogout) in the Keycloak REST API.
aliases:
- frontchannelLogout
type: bool
@ -257,66 +229,58 @@ options:
full_scope_allowed:
description:
- Is the "Full Scope Allowed" feature set for this client or not.
This is 'fullScopeAllowed' in the Keycloak REST API.
- Is the "Full Scope Allowed" feature set for this client or not. This is C(fullScopeAllowed) in the Keycloak REST API.
aliases:
- fullScopeAllowed
type: bool
node_re_registration_timeout:
description:
- Cluster node re-registration timeout for this client.
This is 'nodeReRegistrationTimeout' in the Keycloak REST API.
- Cluster node re-registration timeout for this client. This is C(nodeReRegistrationTimeout) in the Keycloak REST API.
type: int
aliases:
- nodeReRegistrationTimeout
registered_nodes:
description:
- dict of registered cluster nodes (with C(nodename) as the key and last registration
time as the value).
This is 'registeredNodes' in the Keycloak REST API.
- Dict of registered cluster nodes (with C(nodename) as the key and last registration time as the value). This is C(registeredNodes) in the
Keycloak REST API.
type: dict
aliases:
- registeredNodes
client_template:
description:
- Client template to use for this client. If it does not exist this field will silently
be dropped.
This is 'clientTemplate' in the Keycloak REST API.
- Client template to use for this client. If it does not exist this field will silently be dropped. This is C(clientTemplate) in the Keycloak
REST API.
type: str
aliases:
- clientTemplate
use_template_config:
description:
- Whether or not to use configuration from the O(client_template).
This is 'useTemplateConfig' in the Keycloak REST API.
- Whether or not to use configuration from the O(client_template). This is C(useTemplateConfig) in the Keycloak REST API.
aliases:
- useTemplateConfig
type: bool
use_template_scope:
description:
- Whether or not to use scope configuration from the O(client_template).
This is 'useTemplateScope' in the Keycloak REST API.
- Whether or not to use scope configuration from the O(client_template). This is C(useTemplateScope) in the Keycloak REST API.
aliases:
- useTemplateScope
type: bool
use_template_mappers:
description:
- Whether or not to use mapper configuration from the O(client_template).
This is 'useTemplateMappers' in the Keycloak REST API.
- Whether or not to use mapper configuration from the O(client_template). This is C(useTemplateMappers) in the Keycloak REST API.
aliases:
- useTemplateMappers
type: bool
always_display_in_console:
description:
- Whether or not to display this client in account console, even if the
user does not have an active session.
- Whether or not to display this client in account console, even if the user does not have an active session.
aliases:
- alwaysDisplayInConsole
type: bool
@ -324,17 +288,16 @@ options:
surrogate_auth_required:
description:
- Whether or not surrogate auth is required.
This is 'surrogateAuthRequired' in the Keycloak REST API.
- Whether or not surrogate auth is required. This is C(surrogateAuthRequired) in the Keycloak REST API.
aliases:
- surrogateAuthRequired
type: bool
authorization_settings:
description:
- a data structure defining the authorization settings for this client. For reference,
please see the Keycloak API docs at U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html#_resourceserverrepresentation).
This is 'authorizationSettings' in the Keycloak REST API.
- A data structure defining the authorization settings for this client. For reference, please see the Keycloak API docs at
U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html#_resourceserverrepresentation).
This is C(authorizationSettings) in the Keycloak REST API.
type: dict
aliases:
- authorizationSettings
@ -347,15 +310,13 @@ options:
browser:
description:
- Flow ID of the browser authentication flow.
- O(authentication_flow_binding_overrides.browser)
and O(authentication_flow_binding_overrides.browser_name) are mutually exclusive.
- O(authentication_flow_binding_overrides.browser) and O(authentication_flow_binding_overrides.browser_name) are mutually exclusive.
type: str
browser_name:
description:
- Flow name of the browser authentication flow.
- O(authentication_flow_binding_overrides.browser)
and O(authentication_flow_binding_overrides.browser_name) are mutually exclusive.
- O(authentication_flow_binding_overrides.browser) and O(authentication_flow_binding_overrides.browser_name) are mutually exclusive.
aliases:
- browserName
type: str
@ -364,8 +325,8 @@ options:
direct_grant:
description:
- Flow ID of the direct grant authentication flow.
- O(authentication_flow_binding_overrides.direct_grant)
and O(authentication_flow_binding_overrides.direct_grant_name) are mutually exclusive.
- O(authentication_flow_binding_overrides.direct_grant) and O(authentication_flow_binding_overrides.direct_grant_name) are mutually
exclusive.
aliases:
- directGrant
type: str
@ -373,8 +334,8 @@ options:
direct_grant_name:
description:
- Flow name of the direct grant authentication flow.
- O(authentication_flow_binding_overrides.direct_grant)
and O(authentication_flow_binding_overrides.direct_grant_name) are mutually exclusive.
- O(authentication_flow_binding_overrides.direct_grant) and O(authentication_flow_binding_overrides.direct_grant_name) are mutually
exclusive.
aliases:
- directGrantName
type: str
@ -403,8 +364,7 @@ options:
protocol_mappers:
description:
- a list of dicts defining protocol mappers for this client.
This is 'protocolMappers' in the Keycloak REST API.
- A list of dicts defining protocol mappers for this client. This is C(protocolMappers) in the Keycloak REST API.
aliases:
- protocolMappers
type: list
@ -438,151 +398,120 @@ options:
protocolMapper:
description:
- "The Keycloak-internal name of the type of this protocol-mapper. While an exhaustive list is
impossible to provide since this may be extended through SPIs by the user of Keycloak,
by default Keycloak as of 3.4 ships with at least:"
- V(docker-v2-allow-all-mapper)
- V(oidc-address-mapper)
- V(oidc-full-name-mapper)
- V(oidc-group-membership-mapper)
- V(oidc-hardcoded-claim-mapper)
- V(oidc-hardcoded-role-mapper)
- V(oidc-role-name-mapper)
- V(oidc-script-based-protocol-mapper)
- V(oidc-sha256-pairwise-sub-mapper)
- V(oidc-usermodel-attribute-mapper)
- V(oidc-usermodel-client-role-mapper)
- V(oidc-usermodel-property-mapper)
- V(oidc-usermodel-realm-role-mapper)
- V(oidc-usersessionmodel-note-mapper)
- V(saml-group-membership-mapper)
- V(saml-hardcode-attribute-mapper)
- V(saml-hardcode-role-mapper)
- V(saml-role-list-mapper)
- V(saml-role-name-mapper)
- V(saml-user-attribute-mapper)
- V(saml-user-property-mapper)
- V(saml-user-session-note-mapper)
- An exhaustive list of available mappers on your installation can be obtained on
the admin console by going to Server Info -> Providers and looking under
'protocol-mapper'.
- 'The Keycloak-internal name of the type of this protocol-mapper. While an exhaustive list is impossible to provide since this may
be extended through SPIs by the user of Keycloak, by default Keycloak as of 3.4 ships with at least:'
- V(docker-v2-allow-all-mapper).
- V(oidc-address-mapper).
- V(oidc-full-name-mapper).
- V(oidc-group-membership-mapper).
- V(oidc-hardcoded-claim-mapper).
- V(oidc-hardcoded-role-mapper).
- V(oidc-role-name-mapper).
- V(oidc-script-based-protocol-mapper).
- V(oidc-sha256-pairwise-sub-mapper).
- V(oidc-usermodel-attribute-mapper).
- V(oidc-usermodel-client-role-mapper).
- V(oidc-usermodel-property-mapper).
- V(oidc-usermodel-realm-role-mapper).
- V(oidc-usersessionmodel-note-mapper).
- V(saml-group-membership-mapper).
- V(saml-hardcode-attribute-mapper).
- V(saml-hardcode-role-mapper).
- V(saml-role-list-mapper).
- V(saml-role-name-mapper).
- V(saml-user-attribute-mapper).
- V(saml-user-property-mapper).
- V(saml-user-session-note-mapper).
- An exhaustive list of available mappers on your installation can be obtained on the admin console by going to Server Info -> Providers
and looking under 'protocol-mapper'.
type: str
config:
description:
- Dict specifying the configuration options for the protocol mapper; the
contents differ depending on the value of O(protocol_mappers[].protocolMapper) and are not documented
other than by the source of the mappers and its parent class(es). An example is given
below. It is easiest to obtain valid config values by dumping an already-existing
protocol mapper configuration through check-mode in the RV(existing) field.
- Dict specifying the configuration options for the protocol mapper; the contents differ depending on the value of
O(protocol_mappers[].protocolMapper)
and are not documented other than by the source of the mappers and its parent class(es). An example is given below. It is easiest
to obtain valid config values by dumping an already-existing protocol mapper configuration through check-mode in the RV(existing)
field.
type: dict
attributes:
description:
- A dict of further attributes for this client. This can contain various configuration
settings; an example is given in the examples section. While an exhaustive list of
permissible options is not available; possible options as of Keycloak 3.4 are listed below. The Keycloak
API does not validate whether a given option is appropriate for the protocol used; if specified
anyway, Keycloak will simply not use it.
- A dict of further attributes for this client. This can contain various configuration settings; an example is given in the examples section.
While an exhaustive list of permissible options is not available; possible options as of Keycloak 3.4 are listed below. The Keycloak API
does not validate whether a given option is appropriate for the protocol used; if specified anyway, Keycloak will simply not use it.
type: dict
suboptions:
saml.authnstatement:
description:
- For SAML clients, boolean specifying whether or not a statement containing method and timestamp
should be included in the login response.
- For SAML clients, boolean specifying whether or not a statement containing method and timestamp should be included in the login response.
saml.client.signature:
description:
- For SAML clients, boolean specifying whether a client signature is required and validated.
saml.encrypt:
description:
- Boolean specifying whether SAML assertions should be encrypted with the client's public key.
saml.force.post.binding:
description:
- For SAML clients, boolean specifying whether always to use POST binding for responses.
saml.onetimeuse.condition:
description:
- For SAML clients, boolean specifying whether a OneTimeUse condition should be included in login responses.
saml.server.signature:
description:
- Boolean specifying whether SAML documents should be signed by the realm.
saml.server.signature.keyinfo.ext:
description:
- For SAML clients, boolean specifying whether REDIRECT signing key lookup should be optimized through inclusion
of the signing key id in the SAML Extensions element.
- For SAML clients, boolean specifying whether REDIRECT signing key lookup should be optimized through inclusion of the signing key
id in the SAML Extensions element.
saml.signature.algorithm:
description:
- Signature algorithm used to sign SAML documents. One of V(RSA_SHA256), V(RSA_SHA1), V(RSA_SHA512), or V(DSA_SHA1).
saml.signing.certificate:
description:
- SAML signing key certificate, base64-encoded.
saml.signing.private.key:
description:
- SAML signing key private key, base64-encoded.
saml_assertion_consumer_url_post:
description:
- SAML POST Binding URL for the client's assertion consumer service (login responses).
saml_assertion_consumer_url_redirect:
description:
- SAML Redirect Binding URL for the client's assertion consumer service (login responses).
saml_force_name_id_format:
description:
- For SAML clients, Boolean specifying whether to ignore requested NameID subject format and using the configured one instead.
saml_name_id_format:
description:
- For SAML clients, the NameID format to use (one of V(username), V(email), V(transient), or V(persistent))
- For SAML clients, the NameID format to use (one of V(username), V(email), V(transient), or V(persistent)).
saml_signature_canonicalization_method:
description:
- SAML signature canonicalization method. This is one of four values, namely
V(http://www.w3.org/2001/10/xml-exc-c14n#) for EXCLUSIVE,
V(http://www.w3.org/2001/10/xml-exc-c14n#WithComments) for EXCLUSIVE_WITH_COMMENTS,
V(http://www.w3.org/TR/2001/REC-xml-c14n-20010315) for INCLUSIVE, and
V(http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments) for INCLUSIVE_WITH_COMMENTS.
- SAML signature canonicalization method. This is one of four values, namely V(http://www.w3.org/2001/10/xml-exc-c14n#) for EXCLUSIVE,
V(http://www.w3.org/2001/10/xml-exc-c14n#WithComments) for EXCLUSIVE_WITH_COMMENTS, V(http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
for INCLUSIVE, and V(http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments) for INCLUSIVE_WITH_COMMENTS.
saml_single_logout_service_url_post:
description:
- SAML POST binding url for the client's single logout service.
saml_single_logout_service_url_redirect:
description:
- SAML redirect binding url for the client's single logout service.
user.info.response.signature.alg:
description:
- For OpenID-Connect clients, JWA algorithm for signed UserInfo-endpoint responses. One of V(RS256) or V(unsigned).
request.object.signature.alg:
description:
- For OpenID-Connect clients, JWA algorithm which the client needs to use when sending
OIDC request object. One of V(any), V(none), V(RS256).
- For OpenID-Connect clients, JWA algorithm which the client needs to use when sending OIDC request object. One of V(any), V(none),
V(RS256).
use.jwks.url:
description:
- For OpenID-Connect clients, boolean specifying whether to use a JWKS URL to obtain client
public keys.
- For OpenID-Connect clients, boolean specifying whether to use a JWKS URL to obtain client public keys.
jwks.url:
description:
- For OpenID-Connect clients, URL where client keys in JWK are stored.
jwt.credential.certificate:
description:
- For OpenID-Connect clients, client certificate for validating JWT issued by
client and signed by its key, base64-encoded.
- For OpenID-Connect clients, client certificate for validating JWT issued by client and signed by its key, base64-encoded.
x509.subjectdn:
description:
- For OpenID-Connect clients, subject which will be used to authenticate the client.
@ -602,9 +531,9 @@ extends_documentation_fragment:
author:
- Eike Frost (@eikef)
'''
"""
EXAMPLES = '''
EXAMPLES = r"""
- name: Create or update Keycloak client (minimal example), authentication with credentials
community.general.keycloak_client:
auth_keycloak_url: https://auth.example.com/auth
@ -744,9 +673,9 @@ EXAMPLES = '''
jwks.url: JWKS_URL_FOR_CLIENT_AUTH_JWT
jwt.credential.certificate: JWT_CREDENTIAL_CERTIFICATE_FOR_CLIENT_AUTH
delegate_to: localhost
'''
"""
RETURN = '''
RETURN = r"""
msg:
description: Message as to what action was taken.
returned: always
@ -757,32 +686,20 @@ proposed:
description: Representation of proposed client.
returned: always
type: dict
sample: {
clientId: "test"
}
sample: {clientId: "test"}
existing:
description: Representation of existing client (sample is truncated).
returned: always
type: dict
sample: {
"adminUrl": "http://www.example.com/admin_url",
"attributes": {
"request.object.signature.alg": "RS256",
}
}
sample: {"adminUrl": "http://www.example.com/admin_url", "attributes": {"request.object.signature.alg": "RS256"}}
end_state:
description: Representation of client after module execution (sample is truncated).
returned: on success
type: dict
sample: {
"adminUrl": "http://www.example.com/admin_url",
"attributes": {
"request.object.signature.alg": "RS256",
}
}
'''
sample: {"adminUrl": "http://www.example.com/admin_url", "attributes": {"request.object.signature.alg": "RS256"}}
"""
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \
keycloak_argument_spec, get_token, KeycloakError, is_struct_included


@ -8,8 +8,7 @@
from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = '''
---
DOCUMENTATION = r"""
module: keycloak_client_rolemapping
short_description: Allows administration of Keycloak client_rolemapping with the Keycloak API
@ -17,22 +16,16 @@ short_description: Allows administration of Keycloak client_rolemapping with the
version_added: 3.5.0
description:
- This module allows you to add, remove or modify Keycloak client_rolemapping with the Keycloak REST API.
It requires access to the REST API via OpenID Connect; the user connecting and the client being
used must have the requisite access rights. In a default Keycloak installation, admin-cli
and an admin user would work, as would a separate client definition with the scope tailored
to your needs and a user having the expected roles.
- The names of module options are snake_cased versions of the camelCase ones found in the
Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html).
- Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will
be returned that way by this module. You may pass single values for attributes when calling the module,
and this will be translated into a list suitable for the API.
- When updating a client_rolemapping, where possible provide the role ID to the module. This removes a lookup
to the API to translate the name into the role ID.
- This module allows you to add, remove or modify Keycloak client_rolemapping with the Keycloak REST API. It requires access to the REST API
using OpenID Connect; the user connecting and the client being used must have the requisite access rights. In a default Keycloak installation,
admin-cli and an admin user would work, as would a separate client definition with the scope tailored to your needs and a user having the
expected roles.
- The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at
U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html).
- Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will be returned that way by this module.
You may pass single values for attributes when calling the module, and this will be translated into a list suitable for the API.
- When updating a client_rolemapping, where possible provide the role ID to the module. This removes a lookup to the API to translate the name
into the role ID.
attributes:
check_mode:
support: full
@ -64,14 +57,12 @@ options:
description:
- Name of the group to be mapped.
- This parameter is required (can be replaced by gid for less API call).
parents:
version_added: "7.1.0"
type: list
description:
- List of parent groups for the group to handle sorted top to bottom.
- >-
Set this if your group is a subgroup and you do not provide the GID in O(gid).
- Set this if your group is a subgroup and you do not provide the GID in O(gid).
elements: dict
suboptions:
id:
@ -80,38 +71,31 @@ options:
- Identify parent by ID.
- Needs less API calls than using O(parents[].name).
- A deep parent chain can be started at any point when first given parent is given as ID.
- Note that in principle both ID and name can be specified at the same time
but current implementation only always use just one of them, with ID
being preferred.
- Note that in principle both ID and name can be specified at the same time but current implementation only always use just one of them,
with ID being preferred.
name:
type: str
description:
- Identify parent by name.
- Needs more internal API calls than using O(parents[].id) to map names to ID's under the hood.
- When giving a parent chain with only names it must be complete up to the top.
- Note that in principle both ID and name can be specified at the same time
but current implementation only always use just one of them, with ID
being preferred.
- Note that in principle both ID and name can be specified at the same time but current implementation only always use just one of them,
with ID being preferred.
gid:
type: str
description:
- Id of the group to be mapped.
- This parameter is not required for updating or deleting the rolemapping but
providing it will reduce the number of API calls required.
- This parameter is not required for updating or deleting the rolemapping but providing it will reduce the number of API calls required.
client_id:
type: str
description:
- Name of the client to be mapped (different than O(cid)).
- This parameter is required (can be replaced by cid for less API call).
cid:
type: str
description:
- Id of the client to be mapped.
- This parameter is not required for updating or deleting the rolemapping but
providing it will reduce the number of API calls required.
- This parameter is not required for updating or deleting the rolemapping but providing it will reduce the number of API calls required.
roles:
description:
- Roles to be mapped to the group.
@ -127,9 +111,8 @@ options:
type: str
description:
- The unique identifier for this role_representation.
- This parameter is not required for updating or deleting a role_representation but
providing it will reduce the number of API calls required.
- This parameter is not required for updating or deleting a role_representation but providing it will reduce the number of API calls
required.
extends_documentation_fragment:
- community.general.keycloak
- community.general.keycloak.actiongroup_keycloak
@ -137,9 +120,9 @@ extends_documentation_fragment:
author:
- Gaëtan Daubresse (@Gaetan2907)
'''
"""
EXAMPLES = '''
EXAMPLES = r"""
- name: Map a client role to a group, authentication with credentials
community.general.keycloak_client_rolemapping:
realm: MyCustomRealm
@ -209,10 +192,9 @@ EXAMPLES = '''
- name: role_name2
id: role_id2
delegate_to: localhost
"""
'''
RETURN = '''
RETURN = r"""
msg:
description: Message as to what action was taken.
returned: always
@ -223,9 +205,7 @@ proposed:
description: Representation of proposed client role mapping.
returned: always
type: dict
sample: {
clientId: "test"
}
sample: {clientId: "test"}
existing:
description:
@ -233,12 +213,7 @@ existing:
- The sample is truncated.
returned: always
type: dict
sample: {
"adminUrl": "http://www.example.com/admin_url",
"attributes": {
"request.object.signature.alg": "RS256",
}
}
sample: {"adminUrl": "http://www.example.com/admin_url", "attributes": {"request.object.signature.alg": "RS256"}}
end_state:
description:
@ -246,13 +221,8 @@ end_state:
- The sample is truncated.
returned: on success
type: dict
sample: {
"adminUrl": "http://www.example.com/admin_url",
"attributes": {
"request.object.signature.alg": "RS256",
}
}
'''
sample: {"adminUrl": "http://www.example.com/admin_url", "attributes": {"request.object.signature.alg": "RS256"}}
"""
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import (
KeycloakAPI, keycloak_argument_spec, get_token, KeycloakError,
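Review bot: The reflowed descriptions for `parents[].id` and `parents[].name` (the `@ -80,38 +71,31 @@` hunk) carry over the ungrammatical phrase "current implementation only always use just one of them" onto the new side in both places. Since these lines are being rewritten anyway, `- Note that in principle both ID and name can be specified at the same time, but the current implementation always uses just one of them, with ID being preferred.` reads cleanly and keeps the meaning. The wording appears twice in the hunk and should be changed in both entries.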


@ -8,27 +8,20 @@
from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = '''
---
DOCUMENTATION = r"""
module: keycloak_client_rolescope
short_description: Allows administration of Keycloak client roles scope to restrict the usage of certain roles to a other specific client applications.
short_description: Allows administration of Keycloak client roles scope to restrict the usage of certain roles to a other specific client applications
version_added: 8.6.0
description:
- This module allows you to add or remove Keycloak roles from clients scope via the Keycloak REST API.
It requires access to the REST API via OpenID Connect; the user connecting and the client being
used must have the requisite access rights. In a default Keycloak installation, admin-cli
and an admin user would work, as would a separate client definition with the scope tailored
to your needs and a user having the expected roles.
- This module allows you to add or remove Keycloak roles from clients scope using the Keycloak REST API. It requires access to the REST API using
OpenID Connect; the user connecting and the client being used must have the requisite access rights. In a default Keycloak installation, admin-cli
and an admin user would work, as would a separate client definition with the scope tailored to your needs and a user having the expected roles.
- Client O(client_id) must have O(community.general.keycloak_client#module:full_scope_allowed) set to V(false).
- Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will
be returned that way by this module. You may pass single values for attributes when calling the module,
and this will be translated into a list suitable for the API.
- Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will be returned that way by this module.
You may pass single values for attributes when calling the module, and this will be translated into a list suitable for the API.
attributes:
check_mode:
support: full
@ -60,7 +53,6 @@ options:
required: true
description:
- Roles provided in O(role_names) while be added to this client scope.
client_scope_id:
type: str
description:
@ -74,8 +66,6 @@ options:
- Names of roles to manipulate.
- If O(client_scope_id) is present, all roles must be under this client.
- If O(client_scope_id) is absent, all roles must be under the realm.
extends_documentation_fragment:
- community.general.keycloak
- community.general.keycloak.actiongroup_keycloak
@ -83,9 +73,9 @@ extends_documentation_fragment:
author:
- Andre Desrosiers (@desand01)
'''
"""
EXAMPLES = '''
EXAMPLES = r"""
- name: Add roles to public client scope
community.general.keycloak_client_rolescope:
auth_keycloak_url: https://auth.example.com/auth
@ -123,9 +113,9 @@ EXAMPLES = '''
role_names:
- realm-role-admin
- realm-role-user
'''
"""
RETURN = '''
RETURN = r"""
msg:
description: Message as to what action was taken.
returned: always
@ -153,7 +143,7 @@ end_state:
"name": "backend-role-user"
}
]
'''
"""
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, \
keycloak_argument_spec, get_token, KeycloakError
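Review bot: The rewritten `short_description` in the first hunk drops the trailing period but keeps the grammatical slip "to a other specific client applications". As the line is already being edited, `short_description: Allows administration of Keycloak client roles scope to restrict the usage of certain roles to other specific client applications` would fix it in the same change.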


@ -8,31 +8,23 @@
from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = '''
---
DOCUMENTATION = r"""
module: keycloak_clientscope
short_description: Allows administration of Keycloak client_scopes via Keycloak API
short_description: Allows administration of Keycloak client_scopes using Keycloak API
version_added: 3.4.0
description:
- This module allows you to add, remove or modify Keycloak client_scopes via the Keycloak REST API.
It requires access to the REST API via OpenID Connect; the user connecting and the client being
used must have the requisite access rights. In a default Keycloak installation, admin-cli
and an admin user would work, as would a separate client definition with the scope tailored
to your needs and a user having the expected roles.
- The names of module options are snake_cased versions of the camelCase ones found in the
Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html).
- Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will
be returned that way by this module. You may pass single values for attributes when calling the module,
and this will be translated into a list suitable for the API.
- When updating a client_scope, where possible provide the client_scope ID to the module. This removes a lookup
to the API to translate the name into the client_scope ID.
- This module allows you to add, remove or modify Keycloak client_scopes using the Keycloak REST API. It requires access to the REST API using OpenID
Connect; the user connecting and the client being used must have the requisite access rights. In a default Keycloak installation, admin-cli
and an admin user would work, as would a separate client definition with the scope tailored to your needs and a user having the expected roles.
- The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at
U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html).
- Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will be returned that way by this module.
You may pass single values for attributes when calling the module, and this will be translated into a list suitable for the API.
- When updating a client_scope, where possible provide the client_scope ID to the module. This removes a lookup to the API to translate the
name into the client_scope ID.
attributes:
check_mode:
support: full
@ -58,7 +50,6 @@ options:
description:
- Name of the client_scope.
- This parameter is required only when creating or updating the client_scope.
realm:
type: str
description:
@ -69,15 +60,12 @@ options:
type: str
description:
- The unique identifier for this client_scope.
- This parameter is not required for updating or deleting a client_scope but
providing it will reduce the number of API calls required.
- This parameter is not required for updating or deleting a client_scope but providing it will reduce the number of API calls required.
description:
type: str
description:
- Description for this client_scope.
- This parameter is not required for updating or deleting a client_scope.
protocol:
description:
- Type of client.
@ -88,7 +76,7 @@ options:
protocol_mappers:
description:
- A list of dicts defining protocol mappers for this client.
- This is 'protocolMappers' in the Keycloak REST API.
- This is C(protocolMappers) in the Keycloak REST API.
aliases:
- protocolMappers
type: list
@ -97,40 +85,38 @@ options:
protocol:
description:
- This specifies for which protocol this protocol mapper.
- is active.
- Is active.
choices: ['openid-connect', 'saml', 'wsfed', 'docker-v2']
type: str
protocolMapper:
description:
- "The Keycloak-internal name of the type of this protocol-mapper. While an exhaustive list is
impossible to provide since this may be extended through SPIs by the user of Keycloak,
by default Keycloak as of 3.4 ships with at least:"
- V(docker-v2-allow-all-mapper)
- V(oidc-address-mapper)
- V(oidc-full-name-mapper)
- V(oidc-group-membership-mapper)
- V(oidc-hardcoded-claim-mapper)
- V(oidc-hardcoded-role-mapper)
- V(oidc-role-name-mapper)
- V(oidc-script-based-protocol-mapper)
- V(oidc-sha256-pairwise-sub-mapper)
- V(oidc-usermodel-attribute-mapper)
- V(oidc-usermodel-client-role-mapper)
- V(oidc-usermodel-property-mapper)
- V(oidc-usermodel-realm-role-mapper)
- V(oidc-usersessionmodel-note-mapper)
- V(saml-group-membership-mapper)
- V(saml-hardcode-attribute-mapper)
- V(saml-hardcode-role-mapper)
- V(saml-role-list-mapper)
- V(saml-role-name-mapper)
- V(saml-user-attribute-mapper)
- V(saml-user-property-mapper)
- V(saml-user-session-note-mapper)
- An exhaustive list of available mappers on your installation can be obtained on
the admin console by going to Server Info -> Providers and looking under
'protocol-mapper'.
- 'The Keycloak-internal name of the type of this protocol-mapper. While an exhaustive list is impossible to provide since this may
be extended through SPIs by the user of Keycloak, by default Keycloak as of 3.4 ships with at least:'
- V(docker-v2-allow-all-mapper).
- V(oidc-address-mapper).
- V(oidc-full-name-mapper).
- V(oidc-group-membership-mapper).
- V(oidc-hardcoded-claim-mapper).
- V(oidc-hardcoded-role-mapper).
- V(oidc-role-name-mapper).
- V(oidc-script-based-protocol-mapper).
- V(oidc-sha256-pairwise-sub-mapper).
- V(oidc-usermodel-attribute-mapper).
- V(oidc-usermodel-client-role-mapper).
- V(oidc-usermodel-property-mapper).
- V(oidc-usermodel-realm-role-mapper).
- V(oidc-usersessionmodel-note-mapper).
- V(saml-group-membership-mapper).
- V(saml-hardcode-attribute-mapper).
- V(saml-hardcode-role-mapper).
- V(saml-role-list-mapper).
- V(saml-role-name-mapper).
- V(saml-user-attribute-mapper).
- V(saml-user-property-mapper).
- V(saml-user-session-note-mapper).
- An exhaustive list of available mappers on your installation can be obtained on the admin console by going to Server Info -> Providers
and looking under 'protocol-mapper'.
type: str
name:
@ -145,11 +131,11 @@ options:
config:
description:
- Dict specifying the configuration options for the protocol mapper; the
contents differ depending on the value of O(protocol_mappers[].protocolMapper) and are not documented
other than by the source of the mappers and its parent class(es). An example is given
below. It is easiest to obtain valid config values by dumping an already-existing
protocol mapper configuration through check-mode in the RV(existing) return value.
- Dict specifying the configuration options for the protocol mapper; the contents differ depending on the value of
O(protocol_mappers[].protocolMapper)
and are not documented other than by the source of the mappers and its parent class(es). An example is given below. It is easiest
to obtain valid config values by dumping an already-existing protocol mapper configuration through check-mode in the RV(existing)
return value.
type: dict
attributes:
@ -157,7 +143,6 @@ options:
description:
- A dict of key/value pairs to set as custom attributes for the client_scope.
- Values may be single values (for example a string) or a list of strings.
extends_documentation_fragment:
- community.general.keycloak
- community.general.keycloak.actiongroup_keycloak
@ -165,9 +150,9 @@ extends_documentation_fragment:
author:
- Gaëtan Daubresse (@Gaetan2907)
'''
"""
EXAMPLES = '''
EXAMPLES = r"""
- name: Create a Keycloak client_scopes, authentication with credentials
community.general.keycloak_clientscope:
name: my-new-kc-clientscope
@ -263,9 +248,9 @@ EXAMPLES = '''
- list
- items
delegate_to: localhost
'''
"""
RETURN = '''
RETURN = r"""
msg:
description: Message as to what action was taken.
returned: always
@ -276,32 +261,20 @@ proposed:
description: Representation of proposed client scope.
returned: always
type: dict
sample: {
clientId: "test"
}
sample: {clientId: "test"}
existing:
description: Representation of existing client scope (sample is truncated).
returned: always
type: dict
sample: {
"adminUrl": "http://www.example.com/admin_url",
"attributes": {
"request.object.signature.alg": "RS256",
}
}
sample: {"adminUrl": "http://www.example.com/admin_url", "attributes": {"request.object.signature.alg": "RS256"}}
end_state:
description: Representation of client scope after module execution (sample is truncated).
returned: on success
type: dict
sample: {
"adminUrl": "http://www.example.com/admin_url",
"attributes": {
"request.object.signature.alg": "RS256",
}
}
'''
sample: {"adminUrl": "http://www.example.com/admin_url", "attributes": {"request.object.signature.alg": "RS256"}}
"""
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \
keycloak_argument_spec, get_token, KeycloakError, is_struct_included
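Review bot: In the `@ -97,40 +85,38 @@` hunk, the `protocol` suboption's description still consists of two list entries that together form one sentence, and the new side capitalizes the fragment to `- Is active.` rather than fixing the split, so the rendered docs show "This specifies for which protocol this protocol mapper." followed by "Is active.". Merging them into a single entry, `- This specifies for which protocol this protocol mapper is active.`, is the intended text. The split is pre-existing; the capitalization only makes it more visible.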


@ -9,22 +9,17 @@ from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = '''
---
DOCUMENTATION = r"""
module: keycloak_clientscope_type
short_description: Set the type of aclientscope in realm or client via Keycloak API
short_description: Set the type of aclientscope in realm or client using Keycloak API
version_added: 6.6.0
description:
- This module allows you to set the type (optional, default) of clientscopes
via the Keycloak REST API. It requires access to the REST API via OpenID
Connect; the user connecting and the client being used must have the
requisite access rights. In a default Keycloak installation, admin-cli and
an admin user would work, as would a separate client definition with the
scope tailored to your needs and a user having the expected roles.
- This module allows you to set the type (optional, default) of clientscopes using the Keycloak REST API. It requires access to the REST API using
OpenID Connect; the user connecting and the client being used must have the requisite access rights. In a default Keycloak installation, admin-cli
and an admin user would work, as would a separate client definition with the scope tailored to your needs and a user having the expected roles.
attributes:
check_mode:
support: full
@ -66,9 +61,9 @@ extends_documentation_fragment:
author:
- Simon Pahl (@simonpahl)
'''
"""
EXAMPLES = '''
EXAMPLES = r"""
- name: Set default client scopes on realm level
community.general.keycloak_clientscope_type:
auth_client_id: admin-cli
@ -91,9 +86,9 @@ EXAMPLES = '''
default_clientscopes: ['profile', 'roles']
optional_clientscopes: ['phone']
delegate_to: localhost
'''
"""
RETURN = '''
RETURN = r"""
msg:
description: Message as to what action was taken.
returned: always
@ -103,30 +98,21 @@ proposed:
description: Representation of proposed client-scope types mapping.
returned: always
type: dict
sample: {
default_clientscopes: ["profile", "role"],
optional_clientscopes: []
}
sample: {default_clientscopes: ["profile", "role"], optional_clientscopes: []}
existing:
description:
- Representation of client scopes before module execution.
returned: always
type: dict
sample: {
default_clientscopes: ["profile", "role"],
optional_clientscopes: ["phone"]
}
sample: {default_clientscopes: ["profile", "role"], optional_clientscopes: ["phone"]}
end_state:
description:
- Representation of client scopes after module execution.
- The sample is truncated.
returned: on success
type: dict
sample: {
default_clientscopes: ["profile", "role"],
optional_clientscopes: []
}
'''
sample: {default_clientscopes: ["profile", "role"], optional_clientscopes: []}
"""
from ansible.module_utils.basic import AnsibleModule
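Review bot: The rewritten `short_description` in hunk `@ -9,22 +9,17 @@` still reads "aclientscope", so the via→using normalization carried the pre-existing typo onto the new line. The short description is what `ansible-doc` lists, so it is worth fixing in the same pass: `short_description: Set the type of a clientscope in realm or client using Keycloak API`. The rest of the DOCUMENTATION block lies outside the visible hunks.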


@ -9,29 +9,20 @@ from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = '''
---
DOCUMENTATION = r"""
module: keycloak_clientsecret_info
short_description: Retrieve client secret via Keycloak API
short_description: Retrieve client secret using Keycloak API
version_added: 6.1.0
description:
- This module allows you to get a Keycloak client secret via the Keycloak
REST API. It requires access to the REST API via OpenID Connect; the user
connecting and the client being used must have the requisite access rights.
In a default Keycloak installation, admin-cli and an admin user would work,
as would a separate client definition with the scope tailored to your needs
and a user having the expected roles.
- When retrieving a new client secret, where possible provide the client's
O(id) (not O(client_id)) to the module. This removes a lookup to the API to
translate the O(client_id) into the client ID.
- "Note that this module returns the client secret. To avoid this showing up in the logs,
please add C(no_log: true) to the task."
- This module allows you to get a Keycloak client secret using the Keycloak REST API. It requires access to the REST API using OpenID Connect; the
user connecting and the client being used must have the requisite access rights. In a default Keycloak installation, admin-cli and an admin
user would work, as would a separate client definition with the scope tailored to your needs and a user having the expected roles.
- When retrieving a new client secret, where possible provide the client's O(id) (not O(client_id)) to the module. This removes a lookup to
the API to translate the O(client_id) into the client ID.
- 'Note that this module returns the client secret. To avoid this showing up in the logs, please add C(no_log: true) to the task.'
attributes:
action_group:
version_added: 10.2.0
@ -46,14 +37,12 @@ options:
id:
description:
- The unique identifier for this client.
- This parameter is not required for getting or generating a client secret but
providing it will reduce the number of API calls required.
- This parameter is not required for getting or generating a client secret but providing it will reduce the number of API calls required.
type: str
client_id:
description:
- The O(client_id) of the client. Passing this instead of O(id) results in an
extra API call.
- The O(client_id) of the client. Passing this instead of O(id) results in an extra API call.
aliases:
- clientId
type: str
@ -68,9 +57,9 @@ extends_documentation_fragment:
author:
- Fynn Chen (@fynncfchen)
- John Cant (@johncant)
'''
"""
EXAMPLES = '''
EXAMPLES = r"""
- name: Get a Keycloak client secret, authentication with credentials
community.general.keycloak_clientsecret_info:
id: '9d59aa76-2755-48c6-b1af-beb70a82c3cd'
@ -102,16 +91,16 @@ EXAMPLES = '''
token: TOKEN
delegate_to: localhost
no_log: true
'''
"""
RETURN = '''
RETURN = r"""
msg:
description: Textual description of whether we succeeded or failed
description: Textual description of whether we succeeded or failed.
returned: always
type: str
clientsecret_info:
description: Representation of the client secret
description: Representation of the client secret.
returned: on success
type: complex
contains:
@ -125,7 +114,7 @@ clientsecret_info:
type: str
returned: always
sample: cUGnX1EIeTtPPAkcyGMv0ncyqDPu68P1
'''
"""
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import (
KeycloakAPI, KeycloakError, get_token)


@ -9,29 +9,20 @@ from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = '''
---
DOCUMENTATION = r"""
module: keycloak_clientsecret_regenerate
short_description: Regenerate Keycloak client secret via Keycloak API
short_description: Regenerate Keycloak client secret using Keycloak API
version_added: 6.1.0
description:
- This module allows you to regenerate a Keycloak client secret via the
Keycloak REST API. It requires access to the REST API via OpenID Connect;
the user connecting and the client being used must have the requisite access
rights. In a default Keycloak installation, admin-cli and an admin user
would work, as would a separate client definition with the scope tailored to
your needs and a user having the expected roles.
- When regenerating a client secret, where possible provide the client's id
(not client_id) to the module. This removes a lookup to the API to
translate the client_id into the client ID.
- "Note that this module returns the client secret. To avoid this showing up in the logs,
please add C(no_log: true) to the task."
- This module allows you to regenerate a Keycloak client secret using the Keycloak REST API. It requires access to the REST API using OpenID Connect;
the user connecting and the client being used must have the requisite access rights. In a default Keycloak installation, admin-cli and an
admin user would work, as would a separate client definition with the scope tailored to your needs and a user having the expected roles.
- When regenerating a client secret, where possible provide the client's id (not client_id) to the module. This removes a lookup to the API
to translate the client_id into the client ID.
- 'Note that this module returns the client secret. To avoid this showing up in the logs, please add C(no_log: true) to the task.'
attributes:
check_mode:
support: full
@ -50,14 +41,12 @@ options:
id:
description:
- The unique identifier for this client.
- This parameter is not required for getting or generating a client secret but
providing it will reduce the number of API calls required.
- This parameter is not required for getting or generating a client secret but providing it will reduce the number of API calls required.
type: str
client_id:
description:
- The client_id of the client. Passing this instead of id results in an
extra API call.
- The client_id of the client. Passing this instead of id results in an extra API call.
aliases:
- clientId
type: str
@ -71,9 +60,9 @@ extends_documentation_fragment:
author:
- Fynn Chen (@fynncfchen)
- John Cant (@johncant)
'''
"""
EXAMPLES = '''
EXAMPLES = r"""
- name: Regenerate a Keycloak client secret, authentication with credentials
community.general.keycloak_clientsecret_regenerate:
id: '9d59aa76-2755-48c6-b1af-beb70a82c3cd'
@ -105,16 +94,16 @@ EXAMPLES = '''
token: TOKEN
delegate_to: localhost
no_log: true
'''
"""
RETURN = '''
RETURN = r"""
msg:
description: Message as to what action was taken.
returned: always
type: str
end_state:
description: Representation of the client credential after module execution
description: Representation of the client credential after module execution.
returned: on success
type: complex
contains:
@ -128,8 +117,7 @@ end_state:
type: str
returned: always
sample: cUGnX1EIeTtPPAkcyGMv0ncyqDPu68P1
'''
"""
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import (
KeycloakAPI, KeycloakError, get_token)
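Review bot: In hunk `@ -9,29 +9,20 @@` the new description still refers to `id` and `client_id` as bare words, while the sibling keycloak_clientsecret_info module in this same commit was normalized to O(id)/O(client_id) markup for the identical sentence; the option descriptions in hunk `@ -50,14 +41,12 @@` have the same gap. Since the wording is otherwise the same, the two modules should read alike: `- When regenerating a client secret, where possible provide the client's O(id) (not O(client_id)) to the module. This removes a lookup to the API to translate the O(client_id) into the client ID.` and `- The O(client_id) of the client. Passing this instead of O(id) results in an extra API call.` The surrounding DOCUMENTATION block extends beyond the visible hunks.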


@ -8,26 +8,19 @@
from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = '''
---
DOCUMENTATION = r"""
module: keycloak_clienttemplate
short_description: Allows administration of Keycloak client templates via Keycloak API
short_description: Allows administration of Keycloak client templates using Keycloak API
description:
- This module allows the administration of Keycloak client templates via the Keycloak REST API. It
requires access to the REST API via OpenID Connect; the user connecting and the client being
used must have the requisite access rights. In a default Keycloak installation, admin-cli
and an admin user would work, as would a separate client definition with the scope tailored
to your needs and a user having the expected roles.
- The names of module options are snake_cased versions of the camelCase ones found in the
Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html)
- The Keycloak API does not always enforce for only sensible settings to be used -- you can set
SAML-specific settings on an OpenID Connect client for instance and vice versa. Be careful.
If you do not specify a setting, usually a sensible default is chosen.
- This module allows the administration of Keycloak client templates using the Keycloak REST API. It requires access to the REST API using OpenID
Connect; the user connecting and the client being used must have the requisite access rights. In a default Keycloak installation, admin-cli
and an admin user would work, as would a separate client definition with the scope tailored to your needs and a user having the expected roles.
- The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at
U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html).
- The Keycloak API does not always enforce for only sensible settings to be used -- you can set SAML-specific settings on an OpenID Connect
client for instance and the other way around. Be careful. If you do not specify a setting, usually a sensible default is chosen.
attributes:
check_mode:
support: full
@ -41,7 +34,7 @@ options:
description:
- State of the client template.
- On V(present), the client template will be created (or updated if it exists already).
- On V(absent), the client template will be removed if it exists
- On V(absent), the client template will be removed if it exists.
choices: ['present', 'absent']
default: 'present'
type: str
@ -76,14 +69,12 @@ options:
full_scope_allowed:
description:
- Is the "Full Scope Allowed" feature set for this client template or not.
This is 'fullScopeAllowed' in the Keycloak REST API.
- Is the "Full Scope Allowed" feature set for this client template or not. This is C(fullScopeAllowed) in the Keycloak REST API.
type: bool
protocol_mappers:
description:
- a list of dicts defining protocol mappers for this client template.
This is 'protocolMappers' in the Keycloak REST API.
- A list of dicts defining protocol mappers for this client template. This is C(protocolMappers) in the Keycloak REST API.
type: list
elements: dict
suboptions:
@ -115,59 +106,55 @@ options:
protocolMapper:
description:
- "The Keycloak-internal name of the type of this protocol-mapper. While an exhaustive list is
impossible to provide since this may be extended through SPIs by the user of Keycloak,
by default Keycloak as of 3.4 ships with at least:"
- V(docker-v2-allow-all-mapper)
- V(oidc-address-mapper)
- V(oidc-full-name-mapper)
- V(oidc-group-membership-mapper)
- V(oidc-hardcoded-claim-mapper)
- V(oidc-hardcoded-role-mapper)
- V(oidc-role-name-mapper)
- V(oidc-script-based-protocol-mapper)
- V(oidc-sha256-pairwise-sub-mapper)
- V(oidc-usermodel-attribute-mapper)
- V(oidc-usermodel-client-role-mapper)
- V(oidc-usermodel-property-mapper)
- V(oidc-usermodel-realm-role-mapper)
- V(oidc-usersessionmodel-note-mapper)
- V(saml-group-membership-mapper)
- V(saml-hardcode-attribute-mapper)
- V(saml-hardcode-role-mapper)
- V(saml-role-list-mapper)
- V(saml-role-name-mapper)
- V(saml-user-attribute-mapper)
- V(saml-user-property-mapper)
- V(saml-user-session-note-mapper)
- An exhaustive list of available mappers on your installation can be obtained on
the admin console by going to Server Info -> Providers and looking under
'protocol-mapper'.
- 'The Keycloak-internal name of the type of this protocol-mapper. While an exhaustive list is impossible to provide since this may
be extended through SPIs by the user of Keycloak, by default Keycloak as of 3.4 ships with at least:'
- V(docker-v2-allow-all-mapper).
- V(oidc-address-mapper).
- V(oidc-full-name-mapper).
- V(oidc-group-membership-mapper).
- V(oidc-hardcoded-claim-mapper).
- V(oidc-hardcoded-role-mapper).
- V(oidc-role-name-mapper).
- V(oidc-script-based-protocol-mapper).
- V(oidc-sha256-pairwise-sub-mapper).
- V(oidc-usermodel-attribute-mapper).
- V(oidc-usermodel-client-role-mapper).
- V(oidc-usermodel-property-mapper).
- V(oidc-usermodel-realm-role-mapper).
- V(oidc-usersessionmodel-note-mapper).
- V(saml-group-membership-mapper).
- V(saml-hardcode-attribute-mapper).
- V(saml-hardcode-role-mapper).
- V(saml-role-list-mapper).
- V(saml-role-name-mapper).
- V(saml-user-attribute-mapper).
- V(saml-user-property-mapper).
- V(saml-user-session-note-mapper).
- An exhaustive list of available mappers on your installation can be obtained on the admin console by going to Server Info -> Providers
and looking under 'protocol-mapper'.
type: str
config:
description:
- Dict specifying the configuration options for the protocol mapper; the
contents differ depending on the value of O(protocol_mappers[].protocolMapper) and are not documented
other than by the source of the mappers and its parent class(es). An example is given
below. It is easiest to obtain valid config values by dumping an already-existing
protocol mapper configuration through check-mode in the RV(existing) field.
- Dict specifying the configuration options for the protocol mapper; the contents differ depending on the value of
O(protocol_mappers[].protocolMapper)
and are not documented other than by the source of the mappers and its parent class(es). An example is given below. It is easiest
to obtain valid config values by dumping an already-existing protocol mapper configuration through check-mode in the RV(existing)
field.
type: dict
attributes:
description:
- A dict of further attributes for this client template. This can contain various
configuration settings, though in the default installation of Keycloak as of 3.4, none
are documented or known, so this is usually empty.
- A dict of further attributes for this client template. This can contain various configuration settings, though in the default installation
of Keycloak as of 3.4, none are documented or known, so this is usually empty.
type: dict
notes:
- The Keycloak REST API defines further fields (namely C(bearerOnly), C(consentRequired), C(standardFlowEnabled),
C(implicitFlowEnabled), C(directAccessGrantsEnabled), C(serviceAccountsEnabled), C(publicClient), and
C(frontchannelLogout)) which, while available with keycloak_client, do not have any effect on
Keycloak client-templates and are discarded if supplied with an API request changing client-templates. As such,
they are not available through this module.
- The Keycloak REST API defines further fields (namely C(bearerOnly), C(consentRequired), C(standardFlowEnabled), C(implicitFlowEnabled),
C(directAccessGrantsEnabled),
C(serviceAccountsEnabled), C(publicClient), and C(frontchannelLogout)) which, while available with keycloak_client, do not have any effect
on Keycloak client-templates and are discarded if supplied with an API request changing client-templates. As such, they are not available
through this module.
extends_documentation_fragment:
- community.general.keycloak
- community.general.keycloak.actiongroup_keycloak
@ -175,9 +162,9 @@ extends_documentation_fragment:
author:
- Eike Frost (@eikef)
'''
"""
EXAMPLES = '''
EXAMPLES = r"""
- name: Create or update Keycloak client template (minimal), authentication with credentials
community.general.keycloak_client:
auth_client_id: admin-cli
@ -236,9 +223,9 @@ EXAMPLES = '''
full_scope_allowed: false
id: bce6f5e9-d7d3-4955-817e-c5b7f8d65b3f
delegate_to: localhost
'''
"""
RETURN = '''
RETURN = r"""
msg:
description: Message as to what action was taken.
returned: always
@ -249,34 +236,20 @@ proposed:
description: Representation of proposed client template.
returned: always
type: dict
sample: {
name: "test01"
}
sample: {name: "test01"}
existing:
description: Representation of existing client template (sample is truncated).
returned: always
type: dict
sample: {
"description": "test01",
"fullScopeAllowed": false,
"id": "9c3712ab-decd-481e-954f-76da7b006e5f",
"name": "test01",
"protocol": "saml"
}
sample: {"description": "test01", "fullScopeAllowed": false, "id": "9c3712ab-decd-481e-954f-76da7b006e5f", "name": "test01", "protocol": "saml"}
end_state:
description: Representation of client template after module execution (sample is truncated).
returned: on success
type: dict
sample: {
"description": "test01",
"fullScopeAllowed": false,
"id": "9c3712ab-decd-481e-954f-76da7b006e5f",
"name": "test01",
"protocol": "saml"
}
'''
sample: {"description": "test01", "fullScopeAllowed": false, "id": "9c3712ab-decd-481e-954f-76da7b006e5f", "name": "test01", "protocol": "saml"}
"""
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \
keycloak_argument_spec, get_token, KeycloakError
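Review bot: The first EXAMPLES entry kept as context in hunk `@ -175,9 +162,9 @@` is titled "Create or update Keycloak client template" but invokes `community.general.keycloak_client:`, which looks like a copy-paste from the keycloak_client module rather than an example of this one; if it is meant to exercise this module it should read `community.general.keycloak_clienttemplate:`. This is a pre-existing line, but the commit already touches the block and a documentation pass is the natural place to catch it. The remainder of the EXAMPLES block is outside the visible hunk, so the later examples should be checked for the same module name.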


@ -8,25 +8,20 @@
from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = '''
---
DOCUMENTATION = r"""
module: keycloak_component
short_description: Allows administration of Keycloak components via Keycloak API
short_description: Allows administration of Keycloak components using Keycloak API
version_added: 10.0.0
description:
- This module allows the administration of Keycloak components via the Keycloak REST API. It
requires access to the REST API via OpenID Connect; the user connecting and the realm being
used must have the requisite access rights. In a default Keycloak installation, C(admin-cli)
and an C(admin) user would work, as would a separate realm definition with the scope tailored
to your needs and a user having the expected roles.
- The names of module options are snake_cased versions of the camelCase ones found in the
Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/latest/rest-api/index.html).
- This module allows the administration of Keycloak components using the Keycloak REST API. It requires access to the REST API using OpenID Connect;
the user connecting and the realm being used must have the requisite access rights. In a default Keycloak installation, C(admin-cli) and an
C(admin) user would work, as would a separate realm definition with the scope tailored to your needs and a user having the expected roles.
- The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at
U(https://www.keycloak.org/docs-api/latest/rest-api/index.html).
Aliases are provided so camelCased versions can be used as well.
attributes:
check_mode:
support: full
@ -61,8 +56,8 @@ options:
required: true
provider_type:
description:
- The name of the "provider type" for the key. That is, V(org.keycloak.storage.UserStorageProvider),
V(org.keycloak.userprofile.UserProfileProvider), ...
- The name of the "provider type" for the key. That is, V(org.keycloak.storage.UserStorageProvider), V(org.keycloak.userprofile.UserProfileProvider),
...
- See U(https://www.keycloak.org/docs/latest/server_development/index.html#_providers).
type: str
required: true
@ -79,9 +74,9 @@ extends_documentation_fragment:
author:
- Björn Bösel (@fivetide)
'''
"""
EXAMPLES = '''
EXAMPLES = r"""
- name: Manage Keycloak User Storage Provider
community.general.keycloak_component:
auth_keycloak_url: http://localhost:8080/auth
@ -97,9 +92,9 @@ EXAMPLES = '''
myCustomKey: "my_custom_key"
cachePolicy: "NO_CACHE"
enabled: true
'''
"""
RETURN = '''
RETURN = r"""
end_state:
description: Representation of the keycloak_component after module execution.
returned: on success
@ -130,9 +125,9 @@ end_state:
type: str
returned: when O(state=present)
config:
description: component configuration.
description: Component configuration.
type: dict
'''
"""
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \
keycloak_argument_spec, get_token, KeycloakError
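Review bot: The rewrap of `provider_type` in hunk `@ -61,8 +56,8 @@` leaves a lone `...` on its own continuation line, which reads oddly in the rendered docs and in the source. A phrasing that does not rely on the ellipsis avoids the awkward break: `- The name of the "provider type" for the key, for example V(org.keycloak.storage.UserStorageProvider) or V(org.keycloak.userprofile.UserProfileProvider).` The DOCUMENTATION block continues outside the visible hunks.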


@ -8,17 +8,15 @@
from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = '''
---
DOCUMENTATION = r"""
module: keycloak_component_info
short_description: Retrive component info in Keycloak
short_description: Retrieve component info in Keycloak
version_added: 8.2.0
description:
- This module retrive information on component from Keycloak.
- This module retrieve information on component from Keycloak.
attributes:
action_group:
version_added: 10.2.0
@ -36,12 +34,9 @@ options:
provider_type:
description:
- Provider type of components.
- "Example:
V(org.keycloak.storage.UserStorageProvider),
V(org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy),
V(org.keycloak.keys.KeyProvider),
V(org.keycloak.userprofile.UserProfileProvider),
V(org.keycloak.storage.ldap.mappers.LDAPStorageMapper)."
- 'Examples: V(org.keycloak.storage.UserStorageProvider),
V(org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy), V(org.keycloak.keys.KeyProvider),
V(org.keycloak.userprofile.UserProfileProvider), V(org.keycloak.storage.ldap.mappers.LDAPStorageMapper).'
type: str
parent_id:
description:
@ -57,9 +52,9 @@ extends_documentation_fragment:
author:
- Andre Desrosiers (@desand01)
'''
"""
EXAMPLES = '''
EXAMPLES = r"""
- name: Retrive info of a UserStorageProvider named myldap
community.general.keycloak_component_info:
auth_keycloak_url: http://localhost:8080/auth
@ -98,16 +93,15 @@ EXAMPLES = '''
parent_id: "075ef2fa-19fc-4a6d-bf4c-249f57365fd2"
provider_type: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
"""
'''
RETURN = '''
RETURN = r"""
components:
description: JSON representation of components.
returned: always
type: list
elements: dict
'''
"""
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, \
keycloak_argument_spec, get_token, KeycloakError
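Review bot: The description line rewritten in hunk `@ -8,17 +8,15 @@` fixes the spelling of "retrieve" but leaves the verb unconjugated: "This module retrieve information on component from Keycloak." Suggest `- This module retrieves information on components from Keycloak.` The original misspelling also survives untouched in the EXAMPLES context line `- name: Retrive info of a UserStorageProvider named myldap` in hunk `@ -57,9 +52,9 @@`, which would be consistent to fix in the same pass. The DOCUMENTATION block continues outside the visible hunks.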


@ -8,29 +8,21 @@
from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = '''
---
DOCUMENTATION = r"""
module: keycloak_group
short_description: Allows administration of Keycloak groups via Keycloak API
short_description: Allows administration of Keycloak groups using Keycloak API
description:
- This module allows you to add, remove or modify Keycloak groups via the Keycloak REST API.
It requires access to the REST API via OpenID Connect; the user connecting and the client being
used must have the requisite access rights. In a default Keycloak installation, admin-cli
and an admin user would work, as would a separate client definition with the scope tailored
to your needs and a user having the expected roles.
- The names of module options are snake_cased versions of the camelCase ones found in the
Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/20.0.2/rest-api/index.html).
- Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will
be returned that way by this module. You may pass single values for attributes when calling the module,
and this will be translated into a list suitable for the API.
- When updating a group, where possible provide the group ID to the module. This removes a lookup
to the API to translate the name into the group ID.
- This module allows you to add, remove or modify Keycloak groups using the Keycloak REST API. It requires access to the REST API using OpenID Connect;
the user connecting and the client being used must have the requisite access rights. In a default Keycloak installation, admin-cli and an
admin user would work, as would a separate client definition with the scope tailored to your needs and a user having the expected roles.
- The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at
U(https://www.keycloak.org/docs-api/20.0.2/rest-api/index.html).
- Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will be returned that way by this module.
You may pass single values for attributes when calling the module, and this will be translated into a list suitable for the API.
- When updating a group, where possible provide the group ID to the module. This removes a lookup to the API to translate the name into the
group ID.
attributes:
check_mode:
support: full
@ -44,9 +36,8 @@ options:
description:
- State of the group.
- On V(present), the group will be created if it does not yet exist, or updated with the parameters you provide.
- >-
On V(absent), the group will be removed if it exists. Be aware that absenting
a group with subgroups will automatically delete all its subgroups too.
- On V(absent), the group will be removed if it exists. Be aware that absenting a group with subgroups will automatically delete all its
subgroups too.
default: 'present'
type: str
choices:
@ -58,7 +49,6 @@ options:
description:
- Name of the group.
- This parameter is required only when creating or updating the group.
realm:
type: str
description:
@ -69,26 +59,20 @@ options:
type: str
description:
- The unique identifier for this group.
- This parameter is not required for updating or deleting a group but
providing it will reduce the number of API calls required.
- This parameter is not required for updating or deleting a group but providing it will reduce the number of API calls required.
attributes:
type: dict
description:
- A dict of key/value pairs to set as custom attributes for the group.
- Values may be single values (e.g. a string) or a list of strings.
- Values may be single values (for example a string) or a list of strings.
parents:
version_added: "6.4.0"
type: list
description:
- List of parent groups for the group to handle sorted top to bottom.
- >-
Set this to create a group as a subgroup of another group or groups (parents) or
when accessing an existing subgroup by name.
- >-
Not necessary to set when accessing an existing subgroup by its C(ID) because in
that case the group can be directly queried without necessarily knowing its parent(s).
- Set this to create a group as a subgroup of another group or groups (parents) or when accessing an existing subgroup by name.
- Not necessary to set when accessing an existing subgroup by its C(ID) because in that case the group can be directly queried without necessarily
knowing its parent(s).
elements: dict
suboptions:
id:
@ -97,23 +81,19 @@ options:
- Identify parent by ID.
- Needs less API calls than using O(parents[].name).
- A deep parent chain can be started at any point when first given parent is given as ID.
- Note that in principle both ID and name can be specified at the same time
but current implementation only always use just one of them, with ID
being preferred.
- Note that in principle both ID and name can be specified at the same time but current implementation only always use just one of them,
with ID being preferred.
name:
type: str
description:
- Identify parent by name.
- Needs more internal API calls than using O(parents[].id) to map names to ID's under the hood.
- When giving a parent chain with only names it must be complete up to the top.
- Note that in principle both ID and name can be specified at the same time
but current implementation only always use just one of them, with ID
being preferred.
- Note that in principle both ID and name can be specified at the same time but current implementation only always use just one of them,
with ID being preferred.
notes:
- Presently, the RV(end_state.realmRoles), RV(end_state.clientRoles), and RV(end_state.access) attributes returned by the Keycloak API
are read-only for groups. This limitation will be removed in a later version of this module.
- Presently, the RV(end_state.realmRoles), RV(end_state.clientRoles), and RV(end_state.access) attributes returned by the Keycloak API are read-only
for groups. This limitation will be removed in a later version of this module.
extends_documentation_fragment:
- community.general.keycloak
- community.general.keycloak.actiongroup_keycloak
@ -121,9 +101,9 @@ extends_documentation_fragment:
author:
- Adam Goossens (@adamgoossens)
'''
"""
EXAMPLES = '''
EXAMPLES = r"""
- name: Create a Keycloak group, authentication with credentials
community.general.keycloak_group:
name: my-new-kc-group
@ -258,9 +238,9 @@ EXAMPLES = '''
parents:
- id: "{{ result_new_kcgrp_sub.end_state.id }}"
delegate_to: localhost
'''
"""
RETURN = '''
RETURN = r"""
msg:
description: Message as to what action was taken.
returned: always
@ -298,8 +278,7 @@ end_state:
returned: always
sample: []
subGroups:
description: A list of groups that are children of this group. These groups will have the same parameters as
documented here.
description: A list of groups that are children of this group. These groups will have the same parameters as documented here.
type: list
returned: always
clientRoles:
@ -315,7 +294,7 @@ end_state:
manage: true
manageMembership: true
view: true
'''
"""
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \
keycloak_argument_spec, get_token, KeycloakError
@ -372,7 +351,7 @@ def main():
parents = module.params.get('parents')
# attributes in Keycloak have their values returned as lists
# via the API. attributes is a dict, so we'll transparently convert
# using the API. attributes is a dict, so we'll transparently convert
# the values to lists.
if attributes is not None:
for key, val in module.params['attributes'].items():
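Review bot: The two rewrapped descriptions under `parents[].id` and `parents[].name` in hunk `@ -97,23 +81,19 @@` keep the ungrammatical "current implementation only always use just one of them" from the old text. Suggest, for both entries: `- Note that in principle both ID and name can be specified at the same time, but the current implementation always uses just one of them, with ID being preferred.` The DOCUMENTATION block and the `main()` function both extend beyond the visible hunks.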


@ -8,24 +8,20 @@
from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = '''
---
DOCUMENTATION = r"""
module: keycloak_identity_provider
short_description: Allows administration of Keycloak identity providers via Keycloak API
short_description: Allows administration of Keycloak identity providers using Keycloak API
version_added: 3.6.0
description:
- This module allows you to add, remove or modify Keycloak identity providers via the Keycloak REST API.
It requires access to the REST API via OpenID Connect; the user connecting and the client being
used must have the requisite access rights. In a default Keycloak installation, admin-cli
and an admin user would work, as would a separate client definition with the scope tailored
to your needs and a user having the expected roles.
- The names of module options are snake_cased versions of the camelCase ones found in the
Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/15.0/rest-api/index.html).
- This module allows you to add, remove or modify Keycloak identity providers using the Keycloak REST API. It requires access to the REST API
using OpenID Connect; the user connecting and the client being used must have the requisite access rights. In a default Keycloak installation,
admin-cli and an admin user would work, as would a separate client definition with the scope tailored to your needs and a user having the
expected roles.
- The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at
U(https://www.keycloak.org/docs-api/15.0/rest-api/index.html).
attributes:
check_mode:
support: full
@ -93,8 +89,8 @@ options:
link_only:
description:
- If true, users cannot log in through this provider. They can only link to this provider.
This is useful if you don't want to allow login from the provider, but want to integrate with a provider.
- If true, users cannot log in through this provider. They can only link to this provider. This is useful if you do not want to allow login
from the provider, but want to integrate with a provider.
aliases:
- linkOnly
type: bool
@ -129,9 +125,9 @@ options:
config:
description:
- Dict specifying the configuration options for the provider; the contents differ depending on the value of O(provider_id).
Examples are given below for V(oidc) and V(saml). It is easiest to obtain valid config values by dumping an already-existing
identity provider configuration through check-mode in the RV(existing) field.
- Dict specifying the configuration options for the provider; the contents differ depending on the value of O(provider_id). Examples are
given below for V(oidc) and V(saml). It is easiest to obtain valid config values by dumping an already-existing identity provider configuration
through check-mode in the RV(existing) field.
type: dict
suboptions:
hide_on_login_page:
@ -273,8 +269,7 @@ options:
config:
description:
- Dict specifying the configuration options for the mapper; the contents differ depending on the value of
O(mappers[].identityProviderMapper).
- Dict specifying the configuration options for the mapper; the contents differ depending on the value of O(mappers[].identityProviderMapper).
type: dict
extends_documentation_fragment:
@ -284,9 +279,9 @@ extends_documentation_fragment:
author:
- Laurent Paumier (@laurpaum)
'''
"""
EXAMPLES = '''
EXAMPLES = r"""
- name: Create OIDC identity provider, authentication with credentials
community.general.keycloak_identity_provider:
state: present
@ -347,9 +342,9 @@ EXAMPLES = '''
attribute.friendly.name: User Roles
attribute.name: roles
syncMode: INHERIT
'''
"""
RETURN = '''
RETURN = r"""
msg:
description: Message as to what action was taken.
returned: always
@ -428,7 +423,7 @@ end_state:
"storeToken": false,
"trustEmail": false,
}
'''
"""
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \
keycloak_argument_spec, get_token, KeycloakError


@ -9,29 +9,22 @@
from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = '''
---
DOCUMENTATION = r"""
module: keycloak_realm
short_description: Allows administration of Keycloak realm via Keycloak API
short_description: Allows administration of Keycloak realm using Keycloak API
version_added: 3.0.0
description:
- This module allows the administration of Keycloak realm via the Keycloak REST API. It
requires access to the REST API via OpenID Connect; the user connecting and the realm being
used must have the requisite access rights. In a default Keycloak installation, admin-cli
and an admin user would work, as would a separate realm definition with the scope tailored
to your needs and a user having the expected roles.
- The names of module options are snake_cased versions of the camelCase ones found in the
Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html).
- This module allows the administration of Keycloak realm using the Keycloak REST API. It requires access to the REST API using OpenID Connect;
the user connecting and the realm being used must have the requisite access rights. In a default Keycloak installation, admin-cli and an admin
user would work, as would a separate realm definition with the scope tailored to your needs and a user having the expected roles.
- The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at
U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html).
Aliases are provided so camelCased versions can be used as well.
- The Keycloak API does not always sanity check inputs e.g. you can set
SAML-specific settings on an OpenID Connect client for instance and vice versa. Be careful.
If you do not specify a setting, usually a sensible default is chosen.
- The Keycloak API does not always sanity check inputs, for example you can set SAML-specific settings on an OpenID Connect client for instance and
also the other way around. B(Be careful). If you do not specify a setting, usually a sensible default is chosen.
attributes:
check_mode:
support: full
@ -523,9 +516,9 @@ extends_documentation_fragment:
author:
- Christophe Gilles (@kris2kris)
'''
"""
EXAMPLES = '''
EXAMPLES = r"""
- name: Create or update Keycloak realm (minimal example)
community.general.keycloak_realm:
auth_client_id: admin-cli
@ -546,10 +539,9 @@ EXAMPLES = '''
auth_password: PASSWORD
id: test
state: absent
"""
'''
RETURN = '''
RETURN = r"""
msg:
description: Message as to what action was taken.
returned: always
@ -560,32 +552,20 @@ proposed:
description: Representation of proposed realm.
returned: always
type: dict
sample: {
id: "test"
}
sample: {id: "test"}
existing:
description: Representation of existing realm (sample is truncated).
returned: always
type: dict
sample: {
"adminUrl": "http://www.example.com/admin_url",
"attributes": {
"request.object.signature.alg": "RS256",
}
}
sample: {"adminUrl": "http://www.example.com/admin_url", "attributes": {"request.object.signature.alg": "RS256"}}
end_state:
description: Representation of realm after module execution (sample is truncated).
returned: on success
type: dict
sample: {
"adminUrl": "http://www.example.com/admin_url",
"attributes": {
"request.object.signature.alg": "RS256",
}
}
'''
sample: {"adminUrl": "http://www.example.com/admin_url", "attributes": {"request.object.signature.alg": "RS256"}}
"""
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \
keycloak_argument_spec, get_token, KeycloakError
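Review bot: The reflowed third description bullet doubles up "for example ... for instance" ("for example you can set SAML-specific settings on an OpenID Connect client for instance and also the other way around"), which reads awkwardly after normalization. Dropping one of them keeps the sentence clean, e.g. `- The Keycloak API does not always sanity check inputs, for example you can set SAML-specific settings on an OpenID Connect client and the other way around. B(Be careful). If you do not specify a setting, usually a sensible default is chosen.` The redundancy was already present in the old text, so this is carried over rather than introduced by the commit.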


@ -8,24 +8,19 @@
from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = '''
---
DOCUMENTATION = r"""
module: keycloak_realm_info
short_description: Allows obtaining Keycloak realm public information via Keycloak API
short_description: Allows obtaining Keycloak realm public information using Keycloak API
version_added: 4.3.0
description:
- This module allows you to get Keycloak realm public information via the Keycloak REST API.
- The names of module options are snake_cased versions of the camelCase ones found in the
Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html).
- Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will
be returned that way by this module. You may pass single values for attributes when calling the module,
and this will be translated into a list suitable for the API.
- This module allows you to get Keycloak realm public information using the Keycloak REST API.
- The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at
U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html).
- Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will be returned that way by this module.
You may pass single values for attributes when calling the module, and this will be translated into a list suitable for the API.
extends_documentation_fragment:
- community.general.attributes
- community.general.attributes.info_module
@ -52,17 +47,17 @@ options:
author:
- Fynn Chen (@fynncfchen)
'''
"""
EXAMPLES = '''
EXAMPLES = r"""
- name: Get a Keycloak public key
community.general.keycloak_realm_info:
realm: MyCustomRealm
auth_keycloak_url: https://auth.example.com/auth
delegate_to: localhost
'''
"""
RETURN = '''
RETURN = r"""
msg:
description: Message as to what action was taken.
returned: always
@ -99,7 +94,7 @@ realm_info:
type: int
returned: always
sample: 0
'''
"""
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI
from ansible.module_utils.basic import AnsibleModule


@ -9,35 +9,25 @@
from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = '''
---
DOCUMENTATION = r"""
module: keycloak_realm_key
short_description: Allows administration of Keycloak realm keys via Keycloak API
short_description: Allows administration of Keycloak realm keys using Keycloak API
version_added: 7.5.0
description:
- This module allows the administration of Keycloak realm keys via the Keycloak REST API. It
requires access to the REST API via OpenID Connect; the user connecting and the realm being
used must have the requisite access rights. In a default Keycloak installation, admin-cli
and an admin user would work, as would a separate realm definition with the scope tailored
to your needs and a user having the expected roles.
- The names of module options are snake_cased versions of the camelCase ones found in the
Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html).
- This module allows the administration of Keycloak realm keys using the Keycloak REST API. It requires access to the REST API using OpenID Connect;
the user connecting and the realm being used must have the requisite access rights. In a default Keycloak installation, admin-cli and an admin
user would work, as would a separate realm definition with the scope tailored to your needs and a user having the expected roles.
- The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at
U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html).
Aliases are provided so camelCased versions can be used as well.
- This module is unable to detect changes to the actual cryptographic key after importing it.
However, if some other property is changed alongside the cryptographic key, then the key
will also get changed as a side-effect, as the JSON payload needs to include the private key.
This can be considered either a bug or a feature, as the alternative would be to always
update the realm key whether it has changed or not.
- If certificate is not explicitly provided it will be dynamically created by Keycloak.
Therefore comparing the current state of the certificate to the desired state (which may be
empty) is not possible.
- This module is unable to detect changes to the actual cryptographic key after importing it. However, if some other property is changed alongside
the cryptographic key, then the key will also get changed as a side-effect, as the JSON payload needs to include the private key. This can
be considered either a bug or a feature, as the alternative would be to always update the realm key whether it has changed or not.
- If certificate is not explicitly provided it will be dynamically created by Keycloak. Therefore comparing the current state of the certificate
to the desired state (which may be empty) is not possible.
attributes:
check_mode:
support: full
@ -62,10 +52,9 @@ options:
required: true
force:
description:
- Enforce the state of the private key and certificate. This is not automatically the
case as this module is unable to determine the current state of the private key and
thus cannot trigger an update based on an actual divergence. That said, a private key
update may happen even if force is false as a side-effect of other changes.
- Enforce the state of the private key and certificate. This is not automatically the case as this module is unable to determine the current
state of the private key and thus cannot trigger an update based on an actual divergence. That said, a private key update may happen even
if force is false as a side-effect of other changes.
default: false
type: bool
parent_id:
@ -87,14 +76,12 @@ options:
suboptions:
active:
description:
- Whether they key is active or inactive. Not to be confused with the state
of the Ansible resource managed by the O(state) parameter.
- Whether they key is active or inactive. Not to be confused with the state of the Ansible resource managed by the O(state) parameter.
default: true
type: bool
enabled:
description:
- Whether the key is enabled or disabled. Not to be confused with the state
of the Ansible resource managed by the O(state) parameter.
- Whether the key is enabled or disabled. Not to be confused with the state of the Ansible resource managed by the O(state) parameter.
default: true
type: bool
priority:
@ -105,39 +92,30 @@ options:
algorithm:
description:
- Key algorithm.
- The values V(RS384), V(RS512), V(PS256), V(PS384), V(PS512), V(RSA1_5),
V(RSA-OAEP), V(RSA-OAEP-256) have been added in community.general 8.2.0.
- The values V(RS384), V(RS512), V(PS256), V(PS384), V(PS512), V(RSA1_5), V(RSA-OAEP), V(RSA-OAEP-256) have been added in community.general
8.2.0.
default: RS256
choices: ['RS256', 'RS384', 'RS512', 'PS256', 'PS384', 'PS512', 'RSA1_5', 'RSA-OAEP', 'RSA-OAEP-256']
type: str
private_key:
description:
- The private key as an ASCII string. Contents of the key must match O(config.algorithm)
and O(provider_id).
- Please note that the module cannot detect whether the private key specified differs from the
current state's private key. Use O(force=true) to force the module to update the private key
if you expect it to be updated.
- The private key as an ASCII string. Contents of the key must match O(config.algorithm) and O(provider_id).
- Please note that the module cannot detect whether the private key specified differs from the current state's private key. Use O(force=true)
to force the module to update the private key if you expect it to be updated.
required: true
type: str
certificate:
description:
- A certificate signed with the private key as an ASCII string. Contents of the
key must match O(config.algorithm) and O(provider_id).
- If you want Keycloak to automatically generate a certificate using your private key
then set this to an empty string.
- A certificate signed with the private key as an ASCII string. Contents of the key must match O(config.algorithm) and O(provider_id).
- If you want Keycloak to automatically generate a certificate using your private key then set this to an empty string.
required: true
type: str
notes:
- Current value of the private key cannot be fetched from Keycloak.
Therefore comparing its desired state to the current state is not
possible.
- If certificate is not explicitly provided it will be dynamically created
by Keycloak. Therefore comparing the current state of the certificate to
the desired state (which may be empty) is not possible.
- Due to the private key and certificate options the module is
B(not fully idempotent). You can use O(force=true) to force the module
to always update if you know that the private key might have changed.
- Current value of the private key cannot be fetched from Keycloak. Therefore comparing its desired state to the current state is not possible.
- If certificate is not explicitly provided it will be dynamically created by Keycloak. Therefore comparing the current state of the certificate
to the desired state (which may be empty) is not possible.
- Due to the private key and certificate options the module is B(not fully idempotent). You can use O(force=true) to force the module to always
update if you know that the private key might have changed.
extends_documentation_fragment:
- community.general.keycloak
- community.general.keycloak.actiongroup_keycloak
@ -145,9 +123,9 @@ extends_documentation_fragment:
author:
- Samuli Seppänen (@mattock)
'''
"""
EXAMPLES = '''
EXAMPLES = r"""
- name: Manage Keycloak realm key (certificate autogenerated by Keycloak)
community.general.keycloak_realm_key:
name: custom
@ -182,9 +160,9 @@ EXAMPLES = '''
active: true
priority: 120
algorithm: RS256
'''
"""
RETURN = '''
RETURN = r"""
msg:
description: Message as to what action was taken.
returned: always
@ -223,13 +201,8 @@ end_state:
description: Realm key configuration.
type: dict
returned: when O(state=present)
sample: {
"active": ["true"],
"algorithm": ["RS256"],
"enabled": ["true"],
"priority": ["140"]
}
'''
sample: {"active": ["true"], "algorithm": ["RS256"], "enabled": ["true"], "priority": ["140"]}
"""
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \
keycloak_argument_spec, get_token, KeycloakError
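Review bot: The reflowed `config.active` description still says "Whether they key is active or inactive" — the typo survives the normalization and should read `- Whether the key is active or inactive. Not to be confused with the state of the Ansible resource managed by the O(state) parameter.` In the `config.private_key` hunk the new text explains that the key cannot be compared against Keycloak, but nothing tells the reader that the value is secret material; a short bullet such as `- This value is sensitive. Avoid logging it or keeping it in plain text in playbooks; supplying it through Ansible Vault or a lookup is the usual approach.` would be useful, regardless of whether the argument spec (not visible in this diff) declares the option as no_log. In the `config.algorithm` hunk the wrap leaves `8.2.0` alone on its own line, so keeping `community.general 8.2.0` together on one line would read better.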


@ -9,20 +9,17 @@ from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = """
---
DOCUMENTATION = r"""
module: keycloak_realm_keys_metadata_info
short_description: Allows obtaining Keycloak realm keys metadata via Keycloak API
short_description: Allows obtaining Keycloak realm keys metadata using Keycloak API
version_added: 9.3.0
description:
- This module allows you to get Keycloak realm keys metadata via the Keycloak REST API.
- The names of module options are snake_cased versions of the camelCase ones found in the
Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/latest/rest-api/index.html).
- This module allows you to get Keycloak realm keys metadata using the Keycloak REST API.
- The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at
U(https://www.keycloak.org/docs-api/latest/rest-api/index.html).
attributes:
action_group:
version_added: 10.2.0
@ -44,7 +41,7 @@ author:
- Thomas Bach (@thomasbach-dev)
"""
EXAMPLES = """
EXAMPLES = r"""
- name: Fetch Keys metadata
community.general.keycloak_realm_keys_metadata_info:
auth_keycloak_url: https://auth.example.com/auth
@ -67,7 +64,7 @@ EXAMPLES = """
delegate_to: localhost
"""
RETURN = """
RETURN = r"""
msg:
description: Message as to what action was taken.
returned: always
@ -76,9 +73,7 @@ msg:
keys_metadata:
description:
- Representation of the realm keys metadata (see
U(https://www.keycloak.org/docs-api/latest/rest-api/index.html#KeysMetadataRepresentation)).
- Representation of the realm keys metadata (see U(https://www.keycloak.org/docs-api/latest/rest-api/index.html#KeysMetadataRepresentation)).
returned: always
type: dict
contains:


@ -8,8 +8,7 @@
from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = '''
---
DOCUMENTATION = r"""
module: keycloak_realm_rolemapping
short_description: Allows administration of Keycloak realm role mappings into groups with the Keycloak API
@ -17,24 +16,16 @@ short_description: Allows administration of Keycloak realm role mappings into gr
version_added: 8.2.0
description:
- This module allows you to add, remove or modify Keycloak realm role
mappings into groups with the Keycloak REST API. It requires access to the
REST API via OpenID Connect; the user connecting and the client being used
must have the requisite access rights. In a default Keycloak installation,
admin-cli and an admin user would work, as would a separate client
definition with the scope tailored to your needs and a user having the
expected roles.
- The names of module options are snake_cased versions of the camelCase ones found in the
Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/18.0/rest-api/index.html).
- Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will
be returned that way by this module. You may pass single values for attributes when calling the module,
and this will be translated into a list suitable for the API.
- When updating a group_rolemapping, where possible provide the role ID to the module. This removes a lookup
to the API to translate the name into the role ID.
- This module allows you to add, remove or modify Keycloak realm role mappings into groups with the Keycloak REST API. It requires access to
the REST API using OpenID Connect; the user connecting and the client being used must have the requisite access rights. In a default Keycloak
installation, admin-cli and an admin user would work, as would a separate client definition with the scope tailored to your needs and a user
having the expected roles.
- The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at
U(https://www.keycloak.org/docs-api/18.0/rest-api/index.html).
- Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will be returned that way by this module.
You may pass single values for attributes when calling the module, and this will be translated into a list suitable for the API.
- When updating a group_rolemapping, where possible provide the role ID to the module. This removes a lookup to the API to translate the name
into the role ID.
attributes:
check_mode:
support: full
@ -66,13 +57,11 @@ options:
description:
- Name of the group to be mapped.
- This parameter is required (can be replaced by gid for less API call).
parents:
type: list
description:
- List of parent groups for the group to handle sorted top to bottom.
- >-
Set this if your group is a subgroup and you do not provide the GID in O(gid).
- Set this if your group is a subgroup and you do not provide the GID in O(gid).
elements: dict
suboptions:
id:
@ -81,25 +70,21 @@ options:
- Identify parent by ID.
- Needs less API calls than using O(parents[].name).
- A deep parent chain can be started at any point when first given parent is given as ID.
- Note that in principle both ID and name can be specified at the same time
but current implementation only always use just one of them, with ID
being preferred.
- Note that in principle both ID and name can be specified at the same time but current implementation only always use just one of them,
with ID being preferred.
name:
type: str
description:
- Identify parent by name.
- Needs more internal API calls than using O(parents[].id) to map names to ID's under the hood.
- When giving a parent chain with only names it must be complete up to the top.
- Note that in principle both ID and name can be specified at the same time
but current implementation only always use just one of them, with ID
being preferred.
- Note that in principle both ID and name can be specified at the same time but current implementation only always use just one of them,
with ID being preferred.
gid:
type: str
description:
- ID of the group to be mapped.
- This parameter is not required for updating or deleting the rolemapping but
providing it will reduce the number of API calls required.
- This parameter is not required for updating or deleting the rolemapping but providing it will reduce the number of API calls required.
roles:
description:
- Roles to be mapped to the group.
@ -115,9 +100,8 @@ options:
type: str
description:
- The unique identifier for this role_representation.
- This parameter is not required for updating or deleting a role_representation but
providing it will reduce the number of API calls required.
- This parameter is not required for updating or deleting a role_representation but providing it will reduce the number of API calls
required.
extends_documentation_fragment:
- community.general.keycloak
- community.general.keycloak.actiongroup_keycloak
@ -127,9 +111,9 @@ author:
- Gaëtan Daubresse (@Gaetan2907)
- Marius Huysamen (@mhuysamen)
- Alexander Groß (@agross)
'''
"""
EXAMPLES = '''
EXAMPLES = r"""
- name: Map a client role to a group, authentication with credentials
community.general.keycloak_realm_rolemapping:
realm: MyCustomRealm
@ -195,9 +179,9 @@ EXAMPLES = '''
- name: role_name2
id: role_id2
delegate_to: localhost
'''
"""
RETURN = '''
RETURN = r"""
msg:
description: Message as to what action was taken.
returned: always
@ -208,9 +192,7 @@ proposed:
description: Representation of proposed client role mapping.
returned: always
type: dict
sample: {
clientId: "test"
}
sample: {clientId: "test"}
existing:
description:
@ -218,12 +200,7 @@ existing:
- The sample is truncated.
returned: always
type: dict
sample: {
"adminUrl": "http://www.example.com/admin_url",
"attributes": {
"request.object.signature.alg": "RS256",
}
}
sample: {"adminUrl": "http://www.example.com/admin_url", "attributes": {"request.object.signature.alg": "RS256"}}
end_state:
description:
@ -231,13 +208,8 @@ end_state:
- The sample is truncated.
returned: on success
type: dict
sample: {
"adminUrl": "http://www.example.com/admin_url",
"attributes": {
"request.object.signature.alg": "RS256",
}
}
'''
sample: {"adminUrl": "http://www.example.com/admin_url", "attributes": {"request.object.signature.alg": "RS256"}}
"""
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import (
KeycloakAPI, keycloak_argument_spec, get_token, KeycloakError,
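Review bot: The `parents[].id` and `parents[].name` bullets are reflowed but keep the ungrammatical "current implementation only always use just one of them"; since the commit is rewriting these lines anyway, both places should read `- Note that in principle both ID and name can be specified at the same time, but the current implementation always uses only one of them, with ID being preferred.` The same sentence appears twice in the hunk, so it is worth fixing in both suboptions at once.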


@ -8,28 +8,21 @@
from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = '''
---
DOCUMENTATION = r"""
module: keycloak_role
short_description: Allows administration of Keycloak roles via Keycloak API
short_description: Allows administration of Keycloak roles using Keycloak API
version_added: 3.4.0
description:
- This module allows you to add, remove or modify Keycloak roles via the Keycloak REST API.
It requires access to the REST API via OpenID Connect; the user connecting and the client being
used must have the requisite access rights. In a default Keycloak installation, admin-cli
and an admin user would work, as would a separate client definition with the scope tailored
to your needs and a user having the expected roles.
- The names of module options are snake_cased versions of the camelCase ones found in the
Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html).
- Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will
be returned that way by this module. You may pass single values for attributes when calling the module,
and this will be translated into a list suitable for the API.
- This module allows you to add, remove or modify Keycloak roles using the Keycloak REST API. It requires access to the REST API using OpenID Connect;
the user connecting and the client being used must have the requisite access rights. In a default Keycloak installation, admin-cli and an
admin user would work, as would a separate client definition with the scope tailored to your needs and a user having the expected roles.
- The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at
U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html).
- Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will be returned that way by this module.
You may pass single values for attributes when calling the module, and this will be translated into a list suitable for the API.
attributes:
check_mode:
support: full
@ -56,12 +49,10 @@ options:
description:
- Name of the role.
- This parameter is required.
description:
type: str
description:
- The role description.
realm:
type: str
description:
@ -73,12 +64,11 @@ options:
description:
- If the role is a client role, the client id under which it resides.
- If this parameter is absent, the role is considered a realm role.
attributes:
type: dict
description:
- A dict of key/value pairs to set as custom attributes for the role.
- Values may be single values (e.g. a string) or a list of strings.
- Values may be single values (for example a string) or a list of strings.
composite:
description:
- If V(true), the role is a composition of other realm and/or client role.
@ -123,9 +113,9 @@ extends_documentation_fragment:
author:
- Laurent Paumier (@laurpaum)
'''
"""
EXAMPLES = '''
EXAMPLES = r"""
- name: Create a Keycloak realm role, authentication with credentials
community.general.keycloak_role:
name: my-new-kc-role
@ -190,9 +180,9 @@ EXAMPLES = '''
- list
- items
delegate_to: localhost
'''
"""
RETURN = '''
RETURN = r"""
msg:
description: Message as to what action was taken.
returned: always
@ -203,38 +193,22 @@ proposed:
description: Representation of proposed role.
returned: always
type: dict
sample: {
"description": "My updated test description"
}
sample: {"description": "My updated test description"}
existing:
description: Representation of existing role.
returned: always
type: dict
sample: {
"attributes": {},
"clientRole": true,
"composite": false,
"containerId": "9f03eb61-a826-4771-a9fd-930e06d2d36a",
"description": "My client test role",
"id": "561703dd-0f38-45ff-9a5a-0c978f794547",
"name": "myrole"
}
sample: {"attributes": {}, "clientRole": true, "composite": false, "containerId": "9f03eb61-a826-4771-a9fd-930e06d2d36a", "description": "My
client test role", "id": "561703dd-0f38-45ff-9a5a-0c978f794547", "name": "myrole"}
end_state:
description: Representation of role after module execution (sample is truncated).
returned: on success
type: dict
sample: {
"attributes": {},
"clientRole": true,
"composite": false,
"containerId": "9f03eb61-a826-4771-a9fd-930e06d2d36a",
"description": "My updated client test role",
"id": "561703dd-0f38-45ff-9a5a-0c978f794547",
"name": "myrole"
}
'''
sample: {"attributes": {}, "clientRole": true, "composite": false, "containerId": "9f03eb61-a826-4771-a9fd-930e06d2d36a", "description": "My
updated client test role", "id": "561703dd-0f38-45ff-9a5a-0c978f794547", "name": "myrole"}
"""
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \
keycloak_argument_spec, get_token, KeycloakError, is_struct_included
@ -290,7 +264,7 @@ def main():
state = module.params.get('state')
# attributes in Keycloak have their values returned as lists
# via the API. attributes is a dict, so we'll transparently convert
# using the API. attributes is a dict, so we'll transparently convert
# the values to lists.
if module.params.get('attributes') is not None:
for key, val in module.params['attributes'].items():
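Review bot: The comment inside main() now reads "attributes in Keycloak have their values returned as lists using the API", which no longer says what the original did — "via the API" meant the values come back through the API, whereas "using" reads as if the API were a tool the values employ. The via→using substitution is fine for the user-facing DOCUMENTATION text, but this code comment should say `# attributes in Keycloak have their values returned as lists by the API. attributes is a dict, so we'll transparently convert`. The same mechanical replacement lands in the keycloak_group main() comment earlier in this commit. Separately, in the RETURN hunk the `existing` and `end_state` samples are now wrapped in the middle of the quoted `"description"` scalar ("My / client test role"); a YAML double-quoted scalar folds that newline to a space so it still parses, but breaking the flow mapping between keys would be clearer. main() starts outside the hunk.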


@ -9,8 +9,7 @@ from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = '''
---
DOCUMENTATION = r"""
module: keycloak_user
short_description: Create and configure a user in Keycloak
description:
@ -178,12 +177,12 @@ options:
type: str
access:
description:
- list user access.
- List user access.
required: false
type: dict
disableable_credential_types:
description:
- list user Credential Type.
- List user Credential Type.
default: []
type: list
elements: str
@ -191,12 +190,12 @@ options:
- disableableCredentialTypes
origin:
description:
- user origin.
- User origin.
required: false
type: str
self:
description:
- user self administration.
- User self administration.
required: false
type: str
state:
@ -225,9 +224,9 @@ notes:
- The module does not modify the user ID of an existing user.
author:
- Philippe Gauthier (@elfelip)
'''
"""
EXAMPLES = '''
EXAMPLES = r"""
- name: Create a user user1
community.general.keycloak_user:
auth_keycloak_url: http://localhost:8080/auth
@ -327,9 +326,9 @@ EXAMPLES = '''
realm: master
username: user1
state: absent
'''
"""
RETURN = '''
RETURN = r"""
msg:
description: Message as to what action was taken.
returned: always
@ -344,14 +343,15 @@ existing:
returned: on success
type: dict
end_state:
description: Representation of the user after module execution
description: Representation of the user after module execution.
returned: on success
type: dict
changed:
description: Return V(true) if the operation changed the user on the keycloak server, V(false) otherwise.
returned: always
type: bool
'''
"""
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \
keycloak_argument_spec, get_token, KeycloakError, is_struct_included
from ansible.module_utils.basic import AnsibleModule


@ -8,24 +8,19 @@
from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = '''
---
DOCUMENTATION = r"""
module: keycloak_user_federation
short_description: Allows administration of Keycloak user federations via Keycloak API
short_description: Allows administration of Keycloak user federations using Keycloak API
version_added: 3.7.0
description:
- This module allows you to add, remove or modify Keycloak user federations via the Keycloak REST API.
It requires access to the REST API via OpenID Connect; the user connecting and the client being
used must have the requisite access rights. In a default Keycloak installation, admin-cli
and an admin user would work, as would a separate client definition with the scope tailored
to your needs and a user having the expected roles.
- The names of module options are snake_cased versions of the camelCase ones found in the
Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/20.0.2/rest-api/index.html).
- This module allows you to add, remove or modify Keycloak user federations using the Keycloak REST API. It requires access to the REST API using
OpenID Connect; the user connecting and the client being used must have the requisite access rights. In a default Keycloak installation, admin-cli
and an admin user would work, as would a separate client definition with the scope tailored to your needs and a user having the expected roles.
- The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at
U(https://www.keycloak.org/docs-api/20.0.2/rest-api/index.html).
attributes:
check_mode:
support: full
@ -38,8 +33,7 @@ options:
state:
description:
- State of the user federation.
- On V(present), the user federation will be created if it does not yet exist, or updated with
the parameters you provide.
- On V(present), the user federation will be created if it does not yet exist, or updated with the parameters you provide.
- On V(absent), the user federation will be removed if it exists.
default: 'present'
type: str
@ -55,8 +49,7 @@ options:
id:
description:
- The unique ID for this user federation. If left empty, the user federation will be searched
by its O(name).
- The unique ID for this user federation. If left empty, the user federation will be searched by its O(name).
type: str
name:
@ -66,8 +59,8 @@ options:
provider_id:
description:
- Provider for this user federation. Built-in providers are V(ldap), V(kerberos), and V(sssd).
Custom user storage providers can also be used.
- Provider for this user federation. Built-in providers are V(ldap), V(kerberos), and V(sssd). Custom user storage providers can also be
used.
aliases:
- providerId
type: str
@ -97,15 +90,12 @@ options:
bind_credential_update_mode:
description:
- The value of the config parameter O(config.bindCredential) is redacted in the Keycloak responses.
Comparing the redacted value with the desired value always evaluates to not equal. This means
the before and desired states are never equal if the parameter is set.
- Set to V(always) to include O(config.bindCredential) in the comparison of before and desired state.
Because of the redacted value returned by Keycloak the module will always detect a change
and make an update if a O(config.bindCredential) value is set.
- Set to V(only_indirect) to exclude O(config.bindCredential) when comparing the before state with the
desired state. The value of O(config.bindCredential) will only be updated if there are other changes
to the user federation that require an update.
- The value of the config parameter O(config.bindCredential) is redacted in the Keycloak responses. Comparing the redacted value with the
desired value always evaluates to not equal. This means the before and desired states are never equal if the parameter is set.
- Set to V(always) to include O(config.bindCredential) in the comparison of before and desired state. Because of the redacted value returned
by Keycloak the module will always detect a change and make an update if a O(config.bindCredential) value is set.
- Set to V(only_indirect) to exclude O(config.bindCredential) when comparing the before state with the desired state.
The value of O(config.bindCredential) will only be updated if there are other changes to the user federation that require an update.
type: str
default: always
choices:
@ -115,9 +105,8 @@ options:
config:
description:
- Dict specifying the configuration options for the provider; the contents differ depending on
the value of O(provider_id). Examples are given below for V(ldap), V(kerberos) and V(sssd).
It is easiest to obtain valid config values by dumping an already-existing user federation
- Dict specifying the configuration options for the provider; the contents differ depending on the value of O(provider_id). Examples are
given below for V(ldap), V(kerberos) and V(sssd). It is easiest to obtain valid config values by dumping an already-existing user federation
configuration through check-mode in the RV(existing) field.
- The value V(sssd) has been supported since community.general 4.2.0.
type: dict
@ -136,15 +125,14 @@ options:
importEnabled:
description:
- If V(true), LDAP users will be imported into Keycloak DB and synced by the configured
sync policies.
- If V(true), LDAP users will be imported into Keycloak DB and synced by the configured sync policies.
default: true
type: bool
editMode:
description:
- V(READ_ONLY) is a read-only LDAP store. V(WRITABLE) means data will be synced back to LDAP
on demand. V(UNSYNCED) means user data will be imported, but not synced back to LDAP.
- V(READ_ONLY) is a read-only LDAP store. V(WRITABLE) means data will be synced back to LDAP on demand. V(UNSYNCED) means user data
will be imported, but not synced back to LDAP.
type: str
choices:
- READ_ONLY
@ -153,8 +141,7 @@ options:
syncRegistrations:
description:
- Should newly created users be created within LDAP store? Priority effects which
provider is chosen to sync the new user.
- Should newly created users be created within LDAP store? Priority effects which provider is chosen to sync the new user.
default: false
type: bool
@ -166,35 +153,29 @@ options:
usernameLDAPAttribute:
description:
- Name of LDAP attribute, which is mapped as Keycloak username. For many LDAP server
vendors it can be V(uid). For Active directory it can be V(sAMAccountName) or V(cn).
The attribute should be filled for all LDAP user records you want to import from
LDAP to Keycloak.
- Name of LDAP attribute, which is mapped as Keycloak username. For many LDAP server vendors it can be V(uid). For Active directory
it can be V(sAMAccountName) or V(cn). The attribute should be filled for all LDAP user records you want to import from LDAP to Keycloak.
type: str
rdnLDAPAttribute:
description:
- Name of LDAP attribute, which is used as RDN (top attribute) of typical user DN.
Usually it's the same as Username LDAP attribute, however it is not required. For
example for Active directory, it is common to use V(cn) as RDN attribute when
username attribute might be V(sAMAccountName).
- Name of LDAP attribute, which is used as RDN (top attribute) of typical user DN. Usually it's the same as Username LDAP attribute,
however it is not required. For example for Active directory, it is common to use V(cn) as RDN attribute when username attribute might
be V(sAMAccountName).
type: str
uuidLDAPAttribute:
description:
- Name of LDAP attribute, which is used as unique object identifier (UUID) for objects
in LDAP. For many LDAP server vendors, it is V(entryUUID); however some are different.
For example for Active directory it should be V(objectGUID). If your LDAP server does
not support the notion of UUID, you can use any other attribute that is supposed to
be unique among LDAP users in tree.
- Name of LDAP attribute, which is used as unique object identifier (UUID) for objects in LDAP. For many LDAP server vendors, it is
V(entryUUID); however some are different. For example for Active directory it should be V(objectGUID). If your LDAP server does not
support the notion of UUID, you can use any other attribute that is supposed to be unique among LDAP users in tree.
type: str
userObjectClasses:
description:
- All values of LDAP objectClass attribute for users in LDAP divided by comma.
For example V(inetOrgPerson, organizationalPerson). Newly created Keycloak users
will be written to LDAP with all those object classes and existing LDAP user records
are found just if they contain all those object classes.
- All values of LDAP objectClass attribute for users in LDAP divided by comma. For example V(inetOrgPerson, organizationalPerson). Newly
created Keycloak users will be written to LDAP with all those object classes and existing LDAP user records are found just if they
contain all those object classes.
type: str
connectionUrl:
@ -209,15 +190,13 @@ options:
customUserSearchFilter:
description:
- Additional LDAP Filter for filtering searched users. Leave this empty if you don't
need additional filter.
- Additional LDAP Filter for filtering searched users. Leave this empty if you do not need additional filter.
type: str
searchScope:
description:
- For one level, the search applies only for users in the DNs specified by User DNs.
For subtree, the search applies to the whole subtree. See LDAP documentation for
more details.
- For one level, the search applies only for users in the DNs specified by User DNs. For subtree, the search applies to the whole subtree.
See LDAP documentation for more details.
default: '1'
type: str
choices:
@ -226,8 +205,7 @@ options:
authType:
description:
- Type of the Authentication method used during LDAP Bind operation. It is used in
most of the requests sent to the LDAP server.
- Type of the Authentication method used during LDAP Bind operation. It is used in most of the requests sent to the LDAP server.
default: 'none'
type: str
choices:
@ -252,35 +230,31 @@ options:
usePasswordModifyExtendedOp:
description:
- Use the LDAPv3 Password Modify Extended Operation (RFC-3062). The password modify
extended operation usually requires that LDAP user already has password in the LDAP
server. So when this is used with 'Sync Registrations', it can be good to add also
'Hardcoded LDAP attribute mapper' with randomly generated initial password.
- Use the LDAPv3 Password Modify Extended Operation (RFC-3062). The password modify extended operation usually requires that LDAP user
already has password in the LDAP server. So when this is used with 'Sync Registrations', it can be good to add also 'Hardcoded LDAP
attribute mapper' with randomly generated initial password.
default: false
type: bool
validatePasswordPolicy:
description:
- Determines if Keycloak should validate the password with the realm password policy
before updating it.
- Determines if Keycloak should validate the password with the realm password policy before updating it.
default: false
type: bool
trustEmail:
description:
- If enabled, email provided by this provider is not verified even if verification is
enabled for the realm.
- If enabled, email provided by this provider is not verified even if verification is enabled for the realm.
default: false
type: bool
useTruststoreSpi:
description:
- Specifies whether LDAP connection will use the truststore SPI with the truststore
configured in standalone.xml/domain.xml. V(always) means that it will always use it.
V(never) means that it will not use it. V(ldapsOnly) means that it will use if
your connection URL use ldaps. Note even if standalone.xml/domain.xml is not
configured, the default Java cacerts or certificate specified by
C(javax.net.ssl.trustStore) property will be used.
- Specifies whether LDAP connection will use the truststore SPI with the truststore configured in standalone.xml/domain.xml. V(always)
means that it will always use it. V(never) means that it will not use it. V(ldapsOnly) means that it will use if your connection URL
use ldaps.
- Note even if standalone.xml/domain.xml is not configured, the default Java cacerts or certificate specified by C(javax.net.ssl.trustStore)
property will be used.
default: ldapsOnly
type: str
choices:
@ -321,44 +295,39 @@ options:
connectionPoolingDebug:
description:
- A string that indicates the level of debug output to produce. Example valid values are
V(fine) (trace connection creation and removal) and V(all) (all debugging information).
- A string that indicates the level of debug output to produce. Example valid values are V(fine) (trace connection creation and removal)
and V(all) (all debugging information).
type: str
connectionPoolingInitSize:
description:
- The number of connections per connection identity to create when initially creating a
connection for the identity.
- The number of connections per connection identity to create when initially creating a connection for the identity.
type: int
connectionPoolingMaxSize:
description:
- The maximum number of connections per connection identity that can be maintained
concurrently.
- The maximum number of connections per connection identity that can be maintained concurrently.
type: int
connectionPoolingPrefSize:
description:
- The preferred number of connections per connection identity that should be maintained
concurrently.
- The preferred number of connections per connection identity that should be maintained concurrently.
type: int
connectionPoolingProtocol:
description:
- A list of space-separated protocol types of connections that may be pooled.
Valid types are V(plain) and V(ssl).
- A list of space-separated protocol types of connections that may be pooled. Valid types are V(plain) and V(ssl).
type: str
connectionPoolingTimeout:
description:
- The number of milliseconds that an idle connection may remain in the pool without
being closed and removed from the pool.
- The number of milliseconds that an idle connection may remain in the pool without being closed and removed from the pool.
type: int
allowKerberosAuthentication:
description:
- Enable/disable HTTP authentication of users with SPNEGO/Kerberos tokens. The data
about authenticated users will be provisioned from this LDAP server.
- Enable/disable HTTP authentication of users with SPNEGO/Kerberos tokens. The data about authenticated users will be provisioned from
this LDAP server.
default: false
type: bool
@ -369,25 +338,21 @@ options:
krbPrincipalAttribute:
description:
- Name of the LDAP attribute, which refers to Kerberos principal.
This is used to lookup appropriate LDAP user after successful Kerberos/SPNEGO authentication in Keycloak.
When this is empty, the LDAP user will be looked based on LDAP username corresponding
to the first part of his Kerberos principal. For instance, for principal C(john@KEYCLOAK.ORG),
it will assume that LDAP username is V(john).
- Name of the LDAP attribute, which refers to Kerberos principal. This is used to lookup appropriate LDAP user after successful Kerberos/SPNEGO
authentication in Keycloak. When this is empty, the LDAP user will be looked based on LDAP username corresponding to the first part
of his Kerberos principal. For instance, for principal C(john@KEYCLOAK.ORG), it will assume that LDAP username is V(john).
type: str
version_added: 8.1.0
serverPrincipal:
description:
- Full name of server principal for HTTP service including server and domain name. For
example V(HTTP/host.foo.org@FOO.ORG). Use V(*) to accept any service principal in the
KeyTab file.
- Full name of server principal for HTTP service including server and domain name. For example V(HTTP/host.foo.org@FOO.ORG). Use V(*)
to accept any service principal in the KeyTab file.
type: str
keyTab:
description:
- Location of Kerberos KeyTab file containing the credentials of server principal. For
example V(/etc/krb5.keytab).
- Location of Kerberos KeyTab file containing the credentials of server principal. For example V(/etc/krb5.keytab).
type: str
debug:
@ -397,8 +362,8 @@ options:
useKerberosForPasswordAuthentication:
description:
- Use Kerberos login module for authenticate username/password against Kerberos server
instead of authenticating against LDAP server with Directory Service API.
- Use Kerberos login module for authenticate username/password against Kerberos server instead of authenticating against LDAP server
with Directory Service API.
default: false
type: bool
@ -464,9 +429,8 @@ options:
referral:
description:
- Specifies if LDAP referrals should be followed or ignored. Please note that enabling
referrals can slow down authentication as it allows the LDAP server to decide which other
LDAP servers to use. This could potentially include untrusted servers.
- Specifies if LDAP referrals should be followed or ignored. Please note that enabling referrals can slow down authentication as it
allows the LDAP server to decide which other LDAP servers to use. This could potentially include untrusted servers.
type: str
choices:
- ignore
@ -491,8 +455,7 @@ options:
parentId:
description:
- Unique ID for the parent of this mapper. ID of the user federation will automatically
be used if left blank.
- Unique ID for the parent of this mapper. ID of the user federation will automatically be used if left blank.
type: str
providerId:
@ -508,9 +471,7 @@ options:
config:
description:
- Dict specifying the configuration options for the mapper; the contents differ
depending on the value of I(identityProviderMapper).
# TODO: what is identityProviderMapper above???
- Dict specifying the configuration options for the mapper; the contents differ depending on the value of I(identityProviderMapper).
type: dict
extends_documentation_fragment:
@ -520,9 +481,9 @@ extends_documentation_fragment:
author:
- Laurent Paumier (@laurpaum)
'''
"""
EXAMPLES = '''
EXAMPLES = r"""
- name: Create LDAP user federation
community.general.keycloak_user_federation:
auth_keycloak_url: https://keycloak.example.com/auth
@ -616,10 +577,9 @@ EXAMPLES = '''
realm: my-realm
name: my-federation
state: absent
"""
'''
RETURN = '''
RETURN = r"""
msg:
description: Message as to what action was taken.
returned: always
@ -744,7 +704,7 @@ end_state:
"providerId": "kerberos",
"providerType": "org.keycloak.storage.UserStorageProvider"
}
'''
"""
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \
keycloak_argument_spec, get_token, KeycloakError
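Review bot: The mapper `config` description in the `@ -508,9 +471,7 @@` hunk still refers to `I(identityProviderMapper)`, which is not an option of this module; the TODO that questioned that name was dropped without resolving it, and `I()` is the legacy markup the rest of this commit replaces with `O()`. The mapper suboptions listed just above it carry a `providerId` option, so the line should read `- Dict specifying the configuration options for the mapper; the contents differ depending on the value of O(mappers[].providerId).` Separately, the reflowed `useTruststoreSpi` description keeps the ungrammatical `V(ldapsOnly) means that it will use if your connection URL use ldaps`, which is the sentence an operator reads to decide how LDAP TLS trust is configured; suggest `V(ldapsOnly) means that it is only used if your connection URL uses ldaps.`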


@ -7,8 +7,7 @@
from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = '''
---
DOCUMENTATION = r"""
module: keycloak_user_rolemapping
short_description: Allows administration of Keycloak user_rolemapping with the Keycloak API
@ -16,22 +15,15 @@ short_description: Allows administration of Keycloak user_rolemapping with the K
version_added: 5.7.0
description:
- This module allows you to add, remove or modify Keycloak user_rolemapping with the Keycloak REST API.
It requires access to the REST API via OpenID Connect; the user connecting and the client being
used must have the requisite access rights. In a default Keycloak installation, admin-cli
and an admin user would work, as would a separate client definition with the scope tailored
to your needs and a user having the expected roles.
- The names of module options are snake_cased versions of the camelCase ones found in the
Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html).
- Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will
be returned that way by this module. You may pass single values for attributes when calling the module,
and this will be translated into a list suitable for the API.
- When updating a user_rolemapping, where possible provide the role ID to the module. This removes a lookup
to the API to translate the name into the role ID.
- This module allows you to add, remove or modify Keycloak user_rolemapping with the Keycloak REST API. It requires access to the REST API using
OpenID Connect; the user connecting and the client being used must have the requisite access rights. In a default Keycloak installation, admin-cli
and an admin user would work, as would a separate client definition with the scope tailored to your needs and a user having the expected roles.
- The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at
U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html).
- Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will be returned that way by this module.
You may pass single values for attributes when calling the module, and this will be translated into a list suitable for the API.
- When updating a user_rolemapping, where possible provide the role ID to the module. This removes a lookup to the API to translate the name
into the role ID.
attributes:
check_mode:
support: full
@ -63,35 +55,26 @@ options:
description:
- Username of the user roles are mapped to.
- This parameter is not required (can be replaced by uid for less API call).
uid:
type: str
description:
- ID of the user to be mapped.
- This parameter is not required for updating or deleting the rolemapping but
providing it will reduce the number of API calls required.
- This parameter is not required for updating or deleting the rolemapping but providing it will reduce the number of API calls required.
service_account_user_client_id:
type: str
description:
- Client ID of the service-account-user to be mapped.
- This parameter is not required for updating or deleting the rolemapping but
providing it will reduce the number of API calls required.
- This parameter is not required for updating or deleting the rolemapping but providing it will reduce the number of API calls required.
client_id:
type: str
description:
- Name of the client to be mapped (different than O(cid)).
- This parameter is required if O(cid) is not provided (can be replaced by O(cid)
to reduce the number of API calls that must be made).
- This parameter is required if O(cid) is not provided (can be replaced by O(cid) to reduce the number of API calls that must be made).
cid:
type: str
description:
- ID of the client to be mapped.
- This parameter is not required for updating or deleting the rolemapping but
providing it will reduce the number of API calls required.
- This parameter is not required for updating or deleting the rolemapping but providing it will reduce the number of API calls required.
roles:
description:
- Roles to be mapped to the user.
@ -107,9 +90,8 @@ options:
type: str
description:
- The unique identifier for this role_representation.
- This parameter is not required for updating or deleting a role_representation but
providing it will reduce the number of API calls required.
- This parameter is not required for updating or deleting a role_representation but providing it will reduce the number of API calls
required.
extends_documentation_fragment:
- community.general.keycloak
- community.general.keycloak.actiongroup_keycloak
@ -117,9 +99,9 @@ extends_documentation_fragment:
author:
- Dušan Marković (@bratwurzt)
'''
"""
EXAMPLES = '''
EXAMPLES = r"""
- name: Map a client role to a user, authentication with credentials
community.general.keycloak_user_rolemapping:
realm: MyCustomRealm
@ -189,9 +171,9 @@ EXAMPLES = '''
- name: role_name2
id: role_id2
delegate_to: localhost
'''
"""
RETURN = '''
RETURN = r"""
msg:
description: Message as to what action was taken.
returned: always
@ -202,9 +184,7 @@ proposed:
description: Representation of proposed client role mapping.
returned: always
type: dict
sample: {
clientId: "test"
}
sample: {clientId: "test"}
existing:
description:
@ -212,12 +192,7 @@ existing:
- The sample is truncated.
returned: always
type: dict
sample: {
"adminUrl": "http://www.example.com/admin_url",
"attributes": {
"request.object.signature.alg": "RS256",
}
}
sample: {"adminUrl": "http://www.example.com/admin_url", "attributes": {"request.object.signature.alg": "RS256"}}
end_state:
description:
@ -225,13 +200,8 @@ end_state:
- The sample is truncated.
returned: on success
type: dict
sample: {
"adminUrl": "http://www.example.com/admin_url",
"attributes": {
"request.object.signature.alg": "RS256",
}
}
'''
sample: {"adminUrl": "http://www.example.com/admin_url", "attributes": {"request.object.signature.alg": "RS256"}}
"""
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, \
keycloak_argument_spec, get_token, KeycloakError


@ -8,19 +8,17 @@
from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = '''
---
DOCUMENTATION = r"""
module: keycloak_userprofile
short_description: Allows managing Keycloak User Profiles
description:
- This module allows you to create, update, or delete Keycloak User Profiles via Keycloak API. You can also customize the "Unmanaged Attributes" with it.
- The names of module options are snake_cased versions of the camelCase ones found in the
Keycloak API and its documentation at U(https://www.keycloak.org/docs-api/24.0.5/rest-api/index.html).
- This module allows you to create, update, or delete Keycloak User Profiles using the Keycloak API. You can also customize the "Unmanaged Attributes"
with it.
- The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at
U(https://www.keycloak.org/docs-api/24.0.5/rest-api/index.html).
For compatibility reasons, the module also accepts the camelCase versions of the options.
version_added: "9.4.0"
attributes:
@ -35,8 +33,7 @@ options:
state:
description:
- State of the User Profile provider.
- On V(present), the User Profile provider will be created if it does not yet exist, or updated with
the parameters you provide.
- On V(present), the User Profile provider will be created if it does not yet exist, or updated with the parameters you provide.
- On V(absent), the User Profile provider will be removed if it exists.
default: 'present'
type: str
@ -267,9 +264,8 @@ options:
- ADMIN_VIEW
notes:
- Currently, only a single V(declarative-user-profile) entry is supported for O(provider_id) (design of the Keyckoak API).
However, there can be multiple O(config.kc_user_profile_config[].attributes[]) entries.
- Currently, only a single V(declarative-user-profile) entry is supported for O(provider_id) (design of the Keyckoak API). However, there can
be multiple O(config.kc_user_profile_config[].attributes[]) entries.
extends_documentation_fragment:
- community.general.keycloak
- community.general.keycloak.actiongroup_keycloak
@ -277,9 +273,9 @@ extends_documentation_fragment:
author:
- Eike Waldt (@yeoldegrove)
'''
"""
EXAMPLES = '''
EXAMPLES = r"""
- name: Create a Declarative User Profile with default settings
community.general.keycloak_userprofile:
state: present
@ -397,9 +393,9 @@ EXAMPLES = '''
config:
kc_user_profile_config:
- unmanagedAttributePolicy: ADMIN_VIEW
'''
"""
RETURN = '''
RETURN = r"""
msg:
description: The output message generated by the module.
returned: always
@ -409,8 +405,8 @@ data:
description: The data returned by the Keycloak API.
returned: when state is present
type: dict
sample: {...}
'''
sample: {'...': '...'}
"""
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \
keycloak_argument_spec, get_token, KeycloakError
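Review bot: The `notes:` entry reflowed in the `@ -267,9 +264,8 @@` hunk keeps the typo `Keyckoak` in `(design of the Keyckoak API)`; since the sentence is rewritten anyway it should read `(design of the Keycloak API)`. The rest of that hunk only re-wraps the text, so this is the only wording change needed there.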


@ -13,15 +13,14 @@ from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = r"""
---
module: keyring
version_added: 5.2.0
author:
- Alexander Hussey (@ahussey-redhat)
short_description: Set or delete a passphrase using the Operating System's native keyring
description: >-
This module uses the L(keyring Python library, https://pypi.org/project/keyring/)
to set or delete passphrases for a given service and username from the OS' native keyring.
This module uses the L(keyring Python library, https://pypi.org/project/keyring/) to set or delete passphrases for a given service and username
from the OS' native keyring.
requirements:
- keyring (Python library)
- gnome-keyring (application - required for headless Gnome keyring access)


@ -13,15 +13,14 @@ from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = r"""
---
module: keyring_info
version_added: 5.2.0
author:
- Alexander Hussey (@ahussey-redhat)
short_description: Get a passphrase using the Operating System's native keyring
description: >-
This module uses the L(keyring Python library, https://pypi.org/project/keyring/)
to retrieve passphrases for a given service and username from the OS' native keyring.
This module uses the L(keyring Python library, https://pypi.org/project/keyring/) to retrieve passphrases for a given service and username from
the OS' native keyring.
requirements:
- keyring (Python library)
- gnome-keyring (application - required for headless Linux keyring access)


@ -11,8 +11,7 @@ from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = '''
---
DOCUMENTATION = r"""
module: kibana_plugin
short_description: Manage Kibana plugins
description:
@ -40,11 +39,11 @@ options:
url:
description:
- Set exact URL to download the plugin from.
- For local file, prefix its absolute path with file://
- For local file, prefix its absolute path with file://.
type: str
timeout:
description:
- "Timeout setting: 30s, 1m, 1h etc."
- 'Timeout setting: V(30s), V(1m), V(1h) and so on.'
default: 1m
type: str
plugin_bin:
@ -73,9 +72,9 @@ options:
type: bool
default: false
version_added: 2.3.0
'''
"""
EXAMPLES = '''
EXAMPLES = r"""
- name: Install Elasticsearch head plugin
community.general.kibana_plugin:
state: present
@ -91,38 +90,38 @@ EXAMPLES = '''
community.general.kibana_plugin:
state: absent
name: elasticsearch/marvel
'''
"""
RETURN = '''
RETURN = r"""
cmd:
description: the launched command during plugin management (install / remove)
description: The launched command during plugin management (install / remove).
returned: success
type: str
name:
description: the plugin name to install or remove
description: The plugin name to install or remove.
returned: success
type: str
url:
description: the url from where the plugin is installed from
description: The url from where the plugin is installed from.
returned: success
type: str
timeout:
description: the timeout for plugin download
description: The timeout for plugin download.
returned: success
type: str
stdout:
description: the command stdout
description: The command stdout.
returned: success
type: str
stderr:
description: the command stderr
description: The command stderr.
returned: success
type: str
state:
description: the state for the managed plugin
description: The state for the managed plugin.
returned: success
type: str
'''
"""
import os
from ansible.module_utils.basic import AnsibleModule
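Review bot: In the `url` option of the `@ -40,11 +39,11 @@` hunk the literal `file://` is left as bare text while the same hunk wraps the timeout literals in `V()` markup; for consistency with the normalization this commit performs it should read `- For a local file, prefix its absolute path with C(file://).` This is a documentation-only change and nothing in the module code shown here needs to follow it.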


@ -8,8 +8,7 @@ from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = r'''
---
DOCUMENTATION = r"""
module: krb_ticket
short_description: Kerberos utils for managing tickets
version_added: 10.0.0
@ -56,8 +55,9 @@ options:
lifetime:
description:
- Requests a ticket with the lifetime, if the O(lifetime) is not specified, the default ticket lifetime is used.
- Specifying a ticket lifetime longer than the maximum ticket lifetime (configured by each site) will not override the configured maximum ticket lifetime.
- "The value for O(lifetime) must be followed by one of the following suffixes: V(s) - seconds, V(m) - minutes, V(h) - hours, V(d) - days."
- Specifying a ticket lifetime longer than the maximum ticket lifetime (configured by each site) will not override the configured maximum
ticket lifetime.
- 'The value for O(lifetime) must be followed by one of the following suffixes: V(s) - seconds, V(m) - minutes, V(h) - hours, V(d) - days.'
- You cannot mix units; a value of V(3h30m) will result in an error.
- See U(https://web.mit.edu/kerberos/krb5-1.12/doc/basic/date_format.html) for reference.
type: str
@ -73,7 +73,8 @@ options:
renewable:
description:
- Requests renewable tickets, with a total lifetime equal to O(renewable).
- "The value for O(renewable) must be followed by one of the following delimiters: V(s) - seconds, V(m) - minutes, V(h) - hours, V(d) - days."
- 'The value for O(renewable) must be followed by one of the following delimiters: V(s) - seconds, V(m) - minutes, V(h) - hours, V(d) -
days.'
- You cannot mix units; a value of V(3h30m) will result in an error.
- See U(https://web.mit.edu/kerberos/krb5-1.12/doc/basic/date_format.html) for reference.
type: str
@ -125,9 +126,9 @@ requirements:
- krb5-user and krb5-config packages
extends_documentation_fragment:
- community.general.attributes
'''
"""
EXAMPLES = r'''
EXAMPLES = r"""
- name: Get Kerberos ticket using default principal
community.general.krb_ticket:
password: some_password
@ -179,7 +180,7 @@ EXAMPLES = r'''
community.general.krb_ticket:
state: absent
kdestroy_all: true
'''
"""
from ansible.module_utils.basic import AnsibleModule, env_fallback
from ansible_collections.community.general.plugins.module_utils.cmd_runner import CmdRunner, cmd_runner_fmt
