ipa_role: Add support for privileges (#21149)

* ipa_role: Add support for privileges

* ipa_role: Add default vaule to module documentation

lib/ansible/modules/identity/ipa/ipa_role.py

@@ -58,6 +58,14 @@ options:
     - If option is omitted host groups will not be checked or changed.
     - If option is passed all assigned hostgroups that are not passed will be unassigned from the role.
     required: false
+  privilege:
+    description:
+    - List of privileges granted to the role.
+    - If an empty list is passed all assigned privileges will be removed.
+    - If option is omitted privileges will not be checked or changed.
+    - If option is passed all assigned privileges that are not passed will be removed.
+    required: false
+    default: None
   service:
     description:
     - List of service names to assign.
@@ -129,6 +137,9 @@ EXAMPLES = '''
     - host01.example.com
     hostgroup:
     - hostgroup01
+    privilege:
+    - Group Administrators
+    - User Administrators
     service:
     - service01
 
@@ -205,6 +216,12 @@ class RoleIPAClient(IPAClient):
     def role_remove_user(self, name, item):
         return self.role_remove_member(name=name, item={'user': item})
 
+    def role_add_privilege(self, name, item):
+        return self._post_json(method='role_add_privilege', name=name, item={'privilege': item})
+
+    def role_remove_privilege(self, name, item):
+        return self._post_json(method='role_remove_privilege', name=name, item={'privilege': item})
+
 
 def get_role_dict(description=None):
     data = {}
@@ -223,6 +240,7 @@ def ensure(module, client):
     group = module.params['group']
     host = module.params['host']
     hostgroup = module.params['hostgroup']
+    privilege = module.params['privilege']
     service = module.params['service']
     user = module.params['user']
 
@@ -249,7 +267,6 @@ def ensure(module, client):
             changed = client.modify_if_diff(name, ipa_role.get('member_group', []), group,
                                             client.role_add_group,
                                             client.role_remove_group) or changed
-
         if host is not None:
             changed = client.modify_if_diff(name, ipa_role.get('member_host', []), host,
                                             client.role_add_host,
@@ -260,6 +277,10 @@ def ensure(module, client):
                                             client.role_add_hostgroup,
                                             client.role_remove_hostgroup) or changed
 
+        if privilege is not None:
+            changed = client.modify_if_diff(name, ipa_role.get('memberof_privilege', []), privilege,
+                                            client.role_add_privilege,
+                                            client.role_remove_privilege) or changed
         if service is not None:
             changed = client.modify_if_diff(name, ipa_role.get('member_service', []), service,
                                             client.role_add_service,
@@ -268,6 +289,7 @@ def ensure(module, client):
             changed = client.modify_if_diff(name, ipa_role.get('member_user', []), user,
                                             client.role_add_user,
                                             client.role_remove_user) or changed
+
     else:
         if ipa_role:
             changed = True
@@ -285,6 +307,7 @@ def main():
             group=dict(type='list', required=False),
             host=dict(type='list', required=False),
             hostgroup=dict(type='list', required=False),
+            privilege=dict(type='list', required=False),
             service=dict(type='list', required=False),
             state=dict(type='str', required=False, default='present', choices=['present', 'absent']),
             user=dict(type='list', required=False),