Over a longer period of time there will be many users added to and removed from groups as people change roles within an organization or leave the organization altogether. Changes adding and removing properties will eventually also happen with, e.g., HBAC and sudo rules. In some cases there might be different teams and/or several layers of automation on top before such requests get translated into Ansible playbooks and variables to configure IPA/IdM data to reflect the current requirements and state of an organization.
There does not seem to be a way to audit and verify, e.g., the current users that are part of a group or the hosts that are part of a hostgroup. Also, there does not seem to be a way to explicitly define, say, "this group shall only have these users as its members" after running a playbook.
It would make auditing and verification easier and help to ensure that security-critical rules, such as sudo and HBAC, are enforced properly. Something like state: query is used by some other collections to retrieve the current configuration, but having the capability to explicitly set the users of a group would be slightly more straightforward.
Please consider providing functionality to enforce and verify the current entries and members of groups and rules. Thanks.
@myllynen I'll break your report into the different issues raised and try to answer them all.
Regarding a way to query the current IPA state, there is some investigation on the best way to define the playbooks and implement such a plugin so that it can be extended in the future. See, for example, PR #782 and issue #660.
Regarding a way to say "this group shall only have these users as its members", this kind of state can be set on any module accepting action: member by setting the desired fields and using action: <module>; this sets the object to have a specific value (or set of values) for an attribute.
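To illustrate the difference between the two action values described above, here is an added example playbook (not from the issue or from the ansible-freeipa project docs) that enforces exact membership of a user group, a hostgroup and an HBAC rule; the host name, group names and member lists are constructed sample values, and it assumes the modules are used from the freeipa.ansible_freeipa collection with ipaadmin_password supplied as a variable.

```yaml
---
# Added example, not the project's own playbook. Sample values are constructed.
- name: Enforce exact membership of security-relevant IPA objects
  hosts: ipaserver
  become: true
  collections:
    - freeipa.ansible_freeipa
  vars:
    ops_users: [alice, bob]
    ops_hosts: [web1.example.test, web2.example.test]
  tasks:
    # action: member only ADDS the listed users; anyone already in the
    # group who is not listed stays a member, so drift is not corrected.
    - name: Ensure alice and bob are members of ops (additive only)
      ipagroup:
        ipaadmin_password: "{{ ipaadmin_password }}"
        name: ops
        user: "{{ ops_users }}"
        action: member

    # action: group sets the group's member lists to exactly the values
    # given: listed users are added, unlisted users are removed.
    - name: Ensure ops has exactly alice and bob as user members
      ipagroup:
        ipaadmin_password: "{{ ipaadmin_password }}"
        name: ops
        user: "{{ ops_users }}"
        action: group

    # The same pattern applies to hostgroups ...
    - name: Ensure ops_hosts contains exactly the listed hosts
      ipahostgroup:
        ipaadmin_password: "{{ ipaadmin_password }}"
        name: ops_hosts
        host: "{{ ops_hosts }}"
        action: hostgroup

    # ... and to HBAC rules, where unlisted users/hostgroups would
    # otherwise silently retain access.
    - name: Ensure allow_ops_ssh grants exactly ops on ops_hosts for sshd
      ipahbacrule:
        ipaadmin_password: "{{ ipaadmin_password }}"
        name: allow_ops_ssh
        group: [ops]
        hostgroup: [ops_hosts]
        hbacsvc: [sshd]
        action: hbacrule
```

Running the play with --check --diff reports which members would be added or removed without changing anything, which gives a simple drift audit for the "is this group exactly what we declared" question (assuming the modules honor check mode).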
Looks like 660/782 would indeed cover the info module or query state part, so it's probably best to continue the discussion about that there.
Thanks for pointing out the action: <module> usage, it solves the second part of the issue! I have now double checked and I still can't find any examples of that in the documentation, so perhaps that partly explains why I didn't see it before. I'll create a separate ticket about that; perhaps we can close this one.