jk*: style adjustments (#9529)

* jk*: style adjustments

* Apply suggestions from code review

* fix return yamls
pull/9542/head
Alexei Znamensky 2025-01-07 09:31:59 +13:00 committed by GitHub
parent 007302d5af
commit 27c34b150f
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
31 changed files with 487 additions and 400 deletions

View File

@ -126,7 +126,7 @@ user:
type: str type: str
sample: admin sample: admin
url: url:
description: Url to connect to the Jenkins server. description: URL to connect to the Jenkins server.
returned: success returned: success
type: str type: str
sample: https://jenkins.mydomain.com sample: https://jenkins.mydomain.com

View File

@ -154,7 +154,7 @@ user:
type: str type: str
sample: admin sample: admin
url: url:
description: Url to connect to the Jenkins server. description: URL to connect to the Jenkins server.
returned: success returned: success
type: str type: str
sample: https://jenkins.mydomain.com sample: https://jenkins.mydomain.com

View File

@ -17,13 +17,14 @@ short_description: Allows administration of Keycloak client authorization scopes
version_added: 6.6.0 version_added: 6.6.0
description: description:
- This module allows the administration of Keycloak client Authorization Scopes using the Keycloak REST API. Authorization Scopes are only available - This module allows the administration of Keycloak client Authorization Scopes using the Keycloak REST API. Authorization
if a client has Authorization enabled. Scopes are only available if a client has Authorization enabled.
- This module requires access to the REST API using OpenID Connect; the user connecting and the realm being used must have the requisite access - This module requires access to the REST API using OpenID Connect; the user connecting and the realm being used must have
rights. In a default Keycloak installation, admin-cli and an admin user would work, as would a separate realm definition with the scope tailored the requisite access rights. In a default Keycloak installation, admin-cli and an admin user would work, as would a separate
to your needs and a user having the expected roles. realm definition with the scope tailored to your needs and a user having the expected roles.
- The names of module options are snake_cased versions of the camelCase options used by Keycloak. The Authorization Services paths and payloads - The names of module options are snake_cased versions of the camelCase options used by Keycloak. The Authorization Services
have not officially been documented by the Keycloak project. U(https://www.puppeteers.net/blog/keycloak-authorization-services-rest-api-paths-and-payload/). paths and payloads have not officially been documented by the Keycloak project.
U(https://www.puppeteers.net/blog/keycloak-authorization-services-rest-api-paths-and-payload/).
attributes: attributes:
check_mode: check_mode:
support: full support: full
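Review bot: the bare U(https://www.puppeteers.net/...) reference now ends up as a standalone sentence fragment on its own line after "have not officially been documented by the Keycloak project." Since the hunk is already rewrapping this paragraph, it would read better as part of a sentence, e.g. "...by the Keycloak project; see U(https://www.puppeteers.net/blog/keycloak-authorization-services-rest-api-paths-and-payload/) for a third-party description." Worth making clear that this is a third-party blog rather than project documentation, given it is the only reference offered for the paths and payloads this module sends.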

View File

@ -17,13 +17,15 @@ short_description: Allows administration of Keycloak client custom Javascript po
version_added: 7.5.0 version_added: 7.5.0
description: description:
- This module allows the administration of Keycloak client custom Javascript using the Keycloak REST API. Custom Javascript policies are only - This module allows the administration of Keycloak client custom Javascript using the Keycloak REST API. Custom Javascript
available if a client has Authorization enabled and if they have been deployed to the Keycloak server as JAR files. policies are only available if a client has Authorization enabled and if they have been deployed to the Keycloak server
- This module requires access to the REST API using OpenID Connect; the user connecting and the realm being used must have the requisite access as JAR files.
rights. In a default Keycloak installation, admin-cli and an admin user would work, as would a separate realm definition with the scope tailored - This module requires access to the REST API using OpenID Connect; the user connecting and the realm being used must have
to your needs and a user having the expected roles. the requisite access rights. In a default Keycloak installation, admin-cli and an admin user would work, as would a separate
- The names of module options are snake_cased versions of the camelCase options used by Keycloak. The Authorization Services paths and payloads realm definition with the scope tailored to your needs and a user having the expected roles.
have not officially been documented by the Keycloak project. U(https://www.puppeteers.net/blog/keycloak-authorization-services-rest-api-paths-and-payload/). - The names of module options are snake_cased versions of the camelCase options used by Keycloak. The Authorization Services
paths and payloads have not officially been documented by the Keycloak project.
U(https://www.puppeteers.net/blog/keycloak-authorization-services-rest-api-paths-and-payload/).
attributes: attributes:
check_mode: check_mode:
support: full support: full
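Review bot: "Javascript" should be "JavaScript" in both the short_description ("custom Javascript po...") and the two occurrences in the description ("custom Javascript using the Keycloak REST API", "Custom Javascript policies"); a style pass that reflows this text is the natural place to fix the capitalisation as well.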

View File

@ -17,18 +17,20 @@ version_added: 7.2.0
short_description: Allows administration of Keycloak client authorization permissions using Keycloak API short_description: Allows administration of Keycloak client authorization permissions using Keycloak API
description: description:
- This module allows the administration of Keycloak client authorization permissions using the Keycloak REST API. Authorization permissions are - This module allows the administration of Keycloak client authorization permissions using the Keycloak REST API. Authorization
only available if a client has Authorization enabled. permissions are only available if a client has Authorization enabled.
- There are some peculiarities in JSON paths and payloads for authorization permissions. In particular POST and PUT operations are targeted - There are some peculiarities in JSON paths and payloads for authorization permissions. In particular POST and PUT operations
at permission endpoints, whereas GET requests go to policies endpoint. To make matters more interesting the JSON responses from GET requests are targeted at permission endpoints, whereas GET requests go to policies endpoint. To make matters more interesting the
return data in a different format than what is expected for POST and PUT. The end result is that it is not possible to detect changes to things JSON responses from GET requests return data in a different format than what is expected for POST and PUT. The end result
like policies, scopes or resources - at least not without a large number of additional API calls. Therefore this module always updates authorization is that it is not possible to detect changes to things like policies, scopes or resources - at least not without a large
permissions instead of attempting to determine if changes are truly needed. number of additional API calls. Therefore this module always updates authorization permissions instead of attempting to
- This module requires access to the REST API using OpenID Connect; the user connecting and the realm being used must have the requisite access determine if changes are truly needed.
rights. In a default Keycloak installation, admin-cli and an admin user would work, as would a separate realm definition with the scope tailored - This module requires access to the REST API using OpenID Connect; the user connecting and the realm being used must have
to your needs and a user having the expected roles. the requisite access rights. In a default Keycloak installation, admin-cli and an admin user would work, as would a separate
- The names of module options are snake_cased versions of the camelCase options used by Keycloak. The Authorization Services paths and payloads realm definition with the scope tailored to your needs and a user having the expected roles.
have not officially been documented by the Keycloak project. U(https://www.puppeteers.net/blog/keycloak-authorization-services-rest-api-paths-and-payload/). - The names of module options are snake_cased versions of the camelCase options used by Keycloak. The Authorization Services
paths and payloads have not officially been documented by the Keycloak project.
U(https://www.puppeteers.net/blog/keycloak-authorization-services-rest-api-paths-and-payload/).
attributes: attributes:
check_mode: check_mode:
support: full support: full
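Review bot: the description states "this module always updates authorization permissions instead of attempting to determine if changes are truly needed", yet the attributes block immediately below declares "check_mode: support: full". Those two statements do not fit together: if the module cannot detect changes, a check-mode run cannot predict whether a real run would change anything, and every real run will report changed. Either the check_mode attribute should be downgraded (with a details entry explaining why), or the description should spell out that the module is not idempotent and reports changed on every run, so that users do not treat a permanent "changed" as a drift signal.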

View File

@ -17,13 +17,14 @@ version_added: 7.2.0
short_description: Query Keycloak client authorization permissions information short_description: Query Keycloak client authorization permissions information
description: description:
- This module allows querying information about Keycloak client authorization permissions from the resources endpoint using the Keycloak REST - This module allows querying information about Keycloak client authorization permissions from the resources endpoint using
API. Authorization permissions are only available if a client has Authorization enabled. the Keycloak REST API. Authorization permissions are only available if a client has Authorization enabled.
- This module requires access to the REST API using OpenID Connect; the user connecting and the realm being used must have the requisite access - This module requires access to the REST API using OpenID Connect; the user connecting and the realm being used must have
rights. In a default Keycloak installation, admin-cli and an admin user would work, as would a separate realm definition with the scope tailored the requisite access rights. In a default Keycloak installation, admin-cli and an admin user would work, as would a separate
to your needs and a user having the expected roles. realm definition with the scope tailored to your needs and a user having the expected roles.
- The names of module options are snake_cased versions of the camelCase options used by Keycloak. The Authorization Services paths and payloads - The names of module options are snake_cased versions of the camelCase options used by Keycloak. The Authorization Services
have not officially been documented by the Keycloak project. U(https://www.puppeteers.net/blog/keycloak-authorization-services-rest-api-paths-and-payload/). paths and payloads have not officially been documented by the Keycloak project.
U(https://www.puppeteers.net/blog/keycloak-authorization-services-rest-api-paths-and-payload/).
attributes: attributes:
action_group: action_group:
version_added: 10.2.0 version_added: 10.2.0

View File

@ -15,14 +15,16 @@ short_description: Allows administration of Keycloak clients using Keycloak API
description: description:
- This module allows the administration of Keycloak clients using the Keycloak REST API. It requires access to the REST API using OpenID Connect; - This module allows the administration of Keycloak clients using the Keycloak REST API. It requires access to the REST
the user connecting and the client being used must have the requisite access rights. In a default Keycloak installation, admin-cli and an API using OpenID Connect; the user connecting and the client being used must have the requisite access rights. In a default
admin user would work, as would a separate client definition with the scope tailored to your needs and a user having the expected roles. Keycloak installation, admin-cli and an admin user would work, as would a separate client definition with the scope tailored
- The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at to your needs and a user having the expected roles.
U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html). - The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation
Aliases are provided so camelCased versions can be used as well. at U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html). Aliases are provided so camelCased versions can be used
- The Keycloak API does not always sanity check inputs, for example you can set SAML-specific settings on an OpenID Connect client for instance and as well.
the other way around. Be careful. If you do not specify a setting, usually a sensible default is chosen. - The Keycloak API does not always sanity check inputs, for example you can set SAML-specific settings on an OpenID Connect
client for instance and the other way around. Be careful. If you do not specify a setting, usually a sensible default
is chosen.
attributes: attributes:
check_mode: check_mode:
support: full support: full
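Review bot: the reflowed sentence still carries the redundant "for example you can set SAML-specific settings on an OpenID Connect client for instance and the other way around"; drop either "for example" or "for instance". While touching this paragraph, note that the API reference it points to is U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html), which documents a Keycloak version far older than any currently supported release; the same 8.0 link is repeated further down for O(authorization_settings), so both should be updated together if the link is refreshed.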
@ -49,15 +51,16 @@ options:
client_id: client_id:
description: description:
- Client id of client to be worked on. This is usually an alphanumeric name chosen by you. Either this or O(id) is required. If you specify - Client ID of client to be worked on. This is usually an alphanumeric name chosen by you. Either this or O(id) is required.
both, O(id) takes precedence. This is C(clientId) in the Keycloak REST API. If you specify both, O(id) takes precedence. This is C(clientId) in the Keycloak REST API.
aliases: aliases:
- clientId - clientId
type: str type: str
id: id:
description: description:
- Id of client to be worked on. This is usually an UUID. Either this or O(client_id) is required. If you specify both, this takes precedence. - ID of client to be worked on. This is usually an UUID. Either this or O(client_id) is required. If you specify both,
this takes precedence.
type: str type: str
name: name:
@ -86,7 +89,8 @@ options:
base_url: base_url:
description: description:
- Default URL to use when the auth server needs to redirect or link back to the client This is C(baseUrl) in the Keycloak REST API. - Default URL to use when the auth server needs to redirect or link back to the client This is C(baseUrl) in the Keycloak
REST API.
aliases: aliases:
- baseUrl - baseUrl
type: str type: str
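Review bot: the O(base_url) description is missing a full stop between the two sentences: "link back to the client This is C(baseUrl) in the Keycloak REST API." should read "link back to the client. This is C(baseUrl) in the Keycloak REST API." The reflow moved the break to a different place but left the missing period in place.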
@ -98,11 +102,11 @@ options:
client_authenticator_type: client_authenticator_type:
description: description:
- How do clients authenticate with the auth server? Either V(client-secret), V(client-jwt), or V(client-x509) can be chosen. When using - How do clients authenticate with the auth server? Either V(client-secret), V(client-jwt), or V(client-x509) can be
V(client-secret), the module parameter O(secret) can set it, for V(client-jwt), you can use the keys C(use.jwks.url), C(jwks.url), and chosen. When using V(client-secret), the module parameter O(secret) can set it, for V(client-jwt), you can use the
C(jwt.credential.certificate) in the O(attributes) module parameter to configure its behavior. For V(client-x509) you can use the keys keys C(use.jwks.url), C(jwks.url), and C(jwt.credential.certificate) in the O(attributes) module parameter to configure
C(x509.allow.regex.pattern.comparison) and C(x509.subjectdn) in the O(attributes) module parameter to configure which certificate(s) to its behavior. For V(client-x509) you can use the keys C(x509.allow.regex.pattern.comparison) and C(x509.subjectdn)
accept. in the O(attributes) module parameter to configure which certificate(s) to accept.
- This is C(clientAuthenticatorType) in the Keycloak REST API. - This is C(clientAuthenticatorType) in the Keycloak REST API.
choices: ['client-secret', 'client-jwt', 'client-x509'] choices: ['client-secret', 'client-jwt', 'client-x509']
aliases: aliases:
@ -111,22 +115,23 @@ options:
secret: secret:
description: description:
- When using O(client_authenticator_type=client-secret) (the default), you can specify a secret here (otherwise one will be generated if - When using O(client_authenticator_type=client-secret) (the default), you can specify a secret here (otherwise one
it does not exit). If changing this secret, the module will not register a change currently (but the changed secret will be saved). will be generated if it does not exit). If changing this secret, the module will not register a change currently (but
the changed secret will be saved).
type: str type: str
registration_access_token: registration_access_token:
description: description:
- The registration access token provides access for clients to the client registration service. This is C(registrationAccessToken) in the - The registration access token provides access for clients to the client registration service. This is C(registrationAccessToken)
Keycloak REST API. in the Keycloak REST API.
aliases: aliases:
- registrationAccessToken - registrationAccessToken
type: str type: str
default_roles: default_roles:
description: description:
- List of default roles for this client. If the client roles referenced do not exist yet, they will be created. This is C(defaultRoles) in - List of default roles for this client. If the client roles referenced do not exist yet, they will be created. This
the Keycloak REST API. is C(defaultRoles) in the Keycloak REST API.
aliases: aliases:
- defaultRoles - defaultRoles
type: list type: list
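Review bot: "otherwise one will be generated if it does not exit" in the O(secret) description is a typo for "does not exist"; it survives the reflow unchanged. The following sentence, "If changing this secret, the module will not register a change currently (but the changed secret will be saved)", is worth keeping prominent: a secret rotation applied with changed=false is easy to miss in playbook output, so spelling out that the new value is written even though no change is reported is the right call, and a comma after "currently" would help it read.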
@ -150,7 +155,8 @@ options:
not_before: not_before:
description: description:
- Revoke any tokens issued before this date for this client (this is a UNIX timestamp). This is C(notBefore) in the Keycloak REST API. - Revoke any tokens issued before this date for this client (this is a UNIX timestamp). This is C(notBefore) in the
Keycloak REST API.
type: int type: int
aliases: aliases:
- notBefore - notBefore
@ -171,36 +177,40 @@ options:
standard_flow_enabled: standard_flow_enabled:
description: description:
- Enable standard flow for this client or not (OpenID connect). This is C(standardFlowEnabled) in the Keycloak REST API. - Enable standard flow for this client or not (OpenID connect). This is C(standardFlowEnabled) in the Keycloak REST
API.
aliases: aliases:
- standardFlowEnabled - standardFlowEnabled
type: bool type: bool
implicit_flow_enabled: implicit_flow_enabled:
description: description:
- Enable implicit flow for this client or not (OpenID connect). This is C(implicitFlowEnabled) in the Keycloak REST API. - Enable implicit flow for this client or not (OpenID connect). This is C(implicitFlowEnabled) in the Keycloak REST
API.
aliases: aliases:
- implicitFlowEnabled - implicitFlowEnabled
type: bool type: bool
direct_access_grants_enabled: direct_access_grants_enabled:
description: description:
- Are direct access grants enabled for this client or not (OpenID connect). This is C(directAccessGrantsEnabled) in the Keycloak REST API. - Are direct access grants enabled for this client or not (OpenID connect). This is C(directAccessGrantsEnabled) in
the Keycloak REST API.
aliases: aliases:
- directAccessGrantsEnabled - directAccessGrantsEnabled
type: bool type: bool
service_accounts_enabled: service_accounts_enabled:
description: description:
- Are service accounts enabled for this client or not (OpenID connect). This is C(serviceAccountsEnabled) in the Keycloak REST API. - Are service accounts enabled for this client or not (OpenID connect). This is C(serviceAccountsEnabled) in the Keycloak
REST API.
aliases: aliases:
- serviceAccountsEnabled - serviceAccountsEnabled
type: bool type: bool
authorization_services_enabled: authorization_services_enabled:
description: description:
- Are authorization services enabled for this client or not (OpenID connect). This is C(authorizationServicesEnabled) in the Keycloak REST - Are authorization services enabled for this client or not (OpenID connect). This is C(authorizationServicesEnabled)
API. in the Keycloak REST API.
aliases: aliases:
- authorizationServicesEnabled - authorizationServicesEnabled
type: bool type: bool
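Review bot: the four flow descriptions in this hunk ("Enable standard flow ... (OpenID connect)", "Enable implicit flow ... (OpenID connect)", "Are direct access grants enabled ... (OpenID connect)", "Are service accounts enabled ... (OpenID connect)", "Are authorization services enabled ... (OpenID connect)") write "OpenID connect" with a lowercase c, while the module's top-level description in the same file uses "OpenID Connect". Since this commit is a style pass over exactly these lines, normalising to "OpenID Connect" here would be cheap.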
@ -243,37 +253,40 @@ options:
registered_nodes: registered_nodes:
description: description:
- Dict of registered cluster nodes (with C(nodename) as the key and last registration time as the value). This is C(registeredNodes) in the - Dict of registered cluster nodes (with C(nodename) as the key and last registration time as the value). This is C(registeredNodes)
Keycloak REST API. in the Keycloak REST API.
type: dict type: dict
aliases: aliases:
- registeredNodes - registeredNodes
client_template: client_template:
description: description:
- Client template to use for this client. If it does not exist this field will silently be dropped. This is C(clientTemplate) in the Keycloak - Client template to use for this client. If it does not exist this field will silently be dropped. This is C(clientTemplate)
REST API. in the Keycloak REST API.
type: str type: str
aliases: aliases:
- clientTemplate - clientTemplate
use_template_config: use_template_config:
description: description:
- Whether or not to use configuration from the O(client_template). This is C(useTemplateConfig) in the Keycloak REST API. - Whether or not to use configuration from the O(client_template). This is C(useTemplateConfig) in the Keycloak REST
API.
aliases: aliases:
- useTemplateConfig - useTemplateConfig
type: bool type: bool
use_template_scope: use_template_scope:
description: description:
- Whether or not to use scope configuration from the O(client_template). This is C(useTemplateScope) in the Keycloak REST API. - Whether or not to use scope configuration from the O(client_template). This is C(useTemplateScope) in the Keycloak
REST API.
aliases: aliases:
- useTemplateScope - useTemplateScope
type: bool type: bool
use_template_mappers: use_template_mappers:
description: description:
- Whether or not to use mapper configuration from the O(client_template). This is C(useTemplateMappers) in the Keycloak REST API. - Whether or not to use mapper configuration from the O(client_template). This is C(useTemplateMappers) in the Keycloak
REST API.
aliases: aliases:
- useTemplateMappers - useTemplateMappers
type: bool type: bool
@ -295,9 +308,9 @@ options:
authorization_settings: authorization_settings:
description: description:
- A data structure defining the authorization settings for this client. For reference, please see the Keycloak API docs at - A data structure defining the authorization settings for this client. For reference, please see the Keycloak API docs
U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html#_resourceserverrepresentation). at U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html#_resourceserverrepresentation). This is C(authorizationSettings)
This is C(authorizationSettings) in the Keycloak REST API. in the Keycloak REST API.
type: dict type: dict
aliases: aliases:
- authorizationSettings - authorizationSettings
@ -310,13 +323,15 @@ options:
browser: browser:
description: description:
- Flow ID of the browser authentication flow. - Flow ID of the browser authentication flow.
- O(authentication_flow_binding_overrides.browser) and O(authentication_flow_binding_overrides.browser_name) are mutually exclusive. - O(authentication_flow_binding_overrides.browser) and O(authentication_flow_binding_overrides.browser_name) are
mutually exclusive.
type: str type: str
browser_name: browser_name:
description: description:
- Flow name of the browser authentication flow. - Flow name of the browser authentication flow.
- O(authentication_flow_binding_overrides.browser) and O(authentication_flow_binding_overrides.browser_name) are mutually exclusive. - O(authentication_flow_binding_overrides.browser) and O(authentication_flow_binding_overrides.browser_name) are
mutually exclusive.
aliases: aliases:
- browserName - browserName
type: str type: str
@ -325,8 +340,8 @@ options:
direct_grant: direct_grant:
description: description:
- Flow ID of the direct grant authentication flow. - Flow ID of the direct grant authentication flow.
- O(authentication_flow_binding_overrides.direct_grant) and O(authentication_flow_binding_overrides.direct_grant_name) are mutually - O(authentication_flow_binding_overrides.direct_grant) and O(authentication_flow_binding_overrides.direct_grant_name)
exclusive. are mutually exclusive.
aliases: aliases:
- directGrant - directGrant
type: str type: str
@ -334,8 +349,8 @@ options:
direct_grant_name: direct_grant_name:
description: description:
- Flow name of the direct grant authentication flow. - Flow name of the direct grant authentication flow.
- O(authentication_flow_binding_overrides.direct_grant) and O(authentication_flow_binding_overrides.direct_grant_name) are mutually - O(authentication_flow_binding_overrides.direct_grant) and O(authentication_flow_binding_overrides.direct_grant_name)
exclusive. are mutually exclusive.
aliases: aliases:
- directGrantName - directGrantName
type: str type: str
@ -398,8 +413,8 @@ options:
protocolMapper: protocolMapper:
description: description:
- 'The Keycloak-internal name of the type of this protocol-mapper. While an exhaustive list is impossible to provide since this may - 'The Keycloak-internal name of the type of this protocol-mapper. While an exhaustive list is impossible to provide
be extended through SPIs by the user of Keycloak, by default Keycloak as of 3.4 ships with at least:' since this may be extended through SPIs by the user of Keycloak, by default Keycloak as of 3.4 ships with at least:'
- V(docker-v2-allow-all-mapper). - V(docker-v2-allow-all-mapper).
- V(oidc-address-mapper). - V(oidc-address-mapper).
- V(oidc-full-name-mapper). - V(oidc-full-name-mapper).
@ -422,29 +437,30 @@ options:
- V(saml-user-attribute-mapper). - V(saml-user-attribute-mapper).
- V(saml-user-property-mapper). - V(saml-user-property-mapper).
- V(saml-user-session-note-mapper). - V(saml-user-session-note-mapper).
- An exhaustive list of available mappers on your installation can be obtained on the admin console by going to Server Info -> Providers - An exhaustive list of available mappers on your installation can be obtained on the admin console by going to
and looking under 'protocol-mapper'. Server Info -> Providers and looking under 'protocol-mapper'.
type: str type: str
config: config:
description: description:
- Dict specifying the configuration options for the protocol mapper; the contents differ depending on the value of - Dict specifying the configuration options for the protocol mapper; the contents differ depending on the value
O(protocol_mappers[].protocolMapper) of O(protocol_mappers[].protocolMapper) and are not documented other than by the source of the mappers and its
and are not documented other than by the source of the mappers and its parent class(es). An example is given below. It is easiest parent class(es). An example is given below. It is easiest to obtain valid config values by dumping an already-existing
to obtain valid config values by dumping an already-existing protocol mapper configuration through check-mode in the RV(existing) protocol mapper configuration through check-mode in the RV(existing) field.
field.
type: dict type: dict
attributes: attributes:
description: description:
- A dict of further attributes for this client. This can contain various configuration settings; an example is given in the examples section. - A dict of further attributes for this client. This can contain various configuration settings; an example is given
While an exhaustive list of permissible options is not available; possible options as of Keycloak 3.4 are listed below. The Keycloak API in the examples section. While an exhaustive list of permissible options is not available; possible options as of
does not validate whether a given option is appropriate for the protocol used; if specified anyway, Keycloak will simply not use it. Keycloak 3.4 are listed below. The Keycloak API does not validate whether a given option is appropriate for the protocol
used; if specified anyway, Keycloak will simply not use it.
type: dict type: dict
suboptions: suboptions:
saml.authnstatement: saml.authnstatement:
description: description:
- For SAML clients, boolean specifying whether or not a statement containing method and timestamp should be included in the login response. - For SAML clients, boolean specifying whether or not a statement containing method and timestamp should be included
in the login response.
saml.client.signature: saml.client.signature:
description: description:
- For SAML clients, boolean specifying whether a client signature is required and validated. - For SAML clients, boolean specifying whether a client signature is required and validated.
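Review bot: in the O(attributes) description the semicolon in "While an exhaustive list of permissible options is not available; possible options as of Keycloak 3.4 are listed below." splits a dependent clause from its main clause and should be a comma. The sentence that follows, "The Keycloak API does not validate whether a given option is appropriate for the protocol used; if specified anyway, Keycloak will simply not use it.", is the useful warning here and reads fine as reflowed.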
@ -462,8 +478,8 @@ options:
- Boolean specifying whether SAML documents should be signed by the realm. - Boolean specifying whether SAML documents should be signed by the realm.
saml.server.signature.keyinfo.ext: saml.server.signature.keyinfo.ext:
description: description:
- For SAML clients, boolean specifying whether REDIRECT signing key lookup should be optimized through inclusion of the signing key - For SAML clients, boolean specifying whether REDIRECT signing key lookup should be optimized through inclusion
id in the SAML Extensions element. of the signing key ID in the SAML Extensions element.
saml.signature.algorithm: saml.signature.algorithm:
description: description:
- Signature algorithm used to sign SAML documents. One of V(RSA_SHA256), V(RSA_SHA1), V(RSA_SHA512), or V(DSA_SHA1). - Signature algorithm used to sign SAML documents. One of V(RSA_SHA256), V(RSA_SHA1), V(RSA_SHA512), or V(DSA_SHA1).
@ -481,28 +497,30 @@ options:
- SAML Redirect Binding URL for the client's assertion consumer service (login responses). - SAML Redirect Binding URL for the client's assertion consumer service (login responses).
saml_force_name_id_format: saml_force_name_id_format:
description: description:
- For SAML clients, Boolean specifying whether to ignore requested NameID subject format and using the configured one instead. - For SAML clients, Boolean specifying whether to ignore requested NameID subject format and using the configured
one instead.
saml_name_id_format: saml_name_id_format:
description: description:
- For SAML clients, the NameID format to use (one of V(username), V(email), V(transient), or V(persistent)). - For SAML clients, the NameID format to use (one of V(username), V(email), V(transient), or V(persistent)).
saml_signature_canonicalization_method: saml_signature_canonicalization_method:
description: description:
- SAML signature canonicalization method. This is one of four values, namely V(http://www.w3.org/2001/10/xml-exc-c14n#) for EXCLUSIVE, - SAML signature canonicalization method. This is one of four values, namely V(http://www.w3.org/2001/10/xml-exc-c14n#)
V(http://www.w3.org/2001/10/xml-exc-c14n#WithComments) for EXCLUSIVE_WITH_COMMENTS, V(http://www.w3.org/TR/2001/REC-xml-c14n-20010315) for EXCLUSIVE, V(http://www.w3.org/2001/10/xml-exc-c14n#WithComments) for EXCLUSIVE_WITH_COMMENTS,
V(http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
for INCLUSIVE, and V(http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments) for INCLUSIVE_WITH_COMMENTS. for INCLUSIVE, and V(http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments) for INCLUSIVE_WITH_COMMENTS.
saml_single_logout_service_url_post: saml_single_logout_service_url_post:
description: description:
- SAML POST binding url for the client's single logout service. - SAML POST binding URL for the client's single logout service.
saml_single_logout_service_url_redirect: saml_single_logout_service_url_redirect:
description: description:
- SAML redirect binding url for the client's single logout service. - SAML redirect binding URL for the client's single logout service.
user.info.response.signature.alg: user.info.response.signature.alg:
description: description:
- For OpenID-Connect clients, JWA algorithm for signed UserInfo-endpoint responses. One of V(RS256) or V(unsigned). - For OpenID-Connect clients, JWA algorithm for signed UserInfo-endpoint responses. One of V(RS256) or V(unsigned).
request.object.signature.alg: request.object.signature.alg:
description: description:
- For OpenID-Connect clients, JWA algorithm which the client needs to use when sending OIDC request object. One of V(any), V(none), - For OpenID-Connect clients, JWA algorithm which the client needs to use when sending OIDC request object. One
V(RS256). of V(any), V(none), V(RS256).
use.jwks.url: use.jwks.url:
description: description:
- For OpenID-Connect clients, boolean specifying whether to use a JWKS URL to obtain client public keys. - For OpenID-Connect clients, boolean specifying whether to use a JWKS URL to obtain client public keys.
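Review bot: two points in this hunk. First, the O(saml_force_name_id_format) description reads "whether to ignore requested NameID subject format and using the configured one instead"; the verbs do not agree, it should be "and use the configured one instead" (and "the requested NameID subject format" would be clearer). Second, the rewrap of O(saml_signature_canonicalization_method) leaves "V(http://www.w3.org/TR/2001/REC-xml-c14n-20010315)" alone on a short line with "for INCLUSIVE, and ..." continuing on the next one, which is the kind of ragged wrapping the rest of this commit is removing; joining it with the following line keeps each value together with its label.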

@ -16,16 +16,17 @@ short_description: Allows administration of Keycloak client_rolemapping with the
version_added: 3.5.0 version_added: 3.5.0
description: description:
- This module allows you to add, remove or modify Keycloak client_rolemapping with the Keycloak REST API. It requires access to the REST API - This module allows you to add, remove or modify Keycloak client_rolemapping with the Keycloak REST API. It requires access
using OpenID Connect; the user connecting and the client being used must have the requisite access rights. In a default Keycloak installation, to the REST API using OpenID Connect; the user connecting and the client being used must have the requisite access rights.
admin-cli and an admin user would work, as would a separate client definition with the scope tailored to your needs and a user having the In a default Keycloak installation, admin-cli and an admin user would work, as would a separate client definition with
expected roles. the scope tailored to your needs and a user having the expected roles.
- The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at - The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation
U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html). at U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html).
- Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will be returned that way by this module. - Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will be returned that
You may pass single values for attributes when calling the module, and this will be translated into a list suitable for the API. way by this module. You may pass single values for attributes when calling the module, and this will be translated into
- When updating a client_rolemapping, where possible provide the role ID to the module. This removes a lookup to the API to translate the name a list suitable for the API.
into the role ID. - When updating a client_rolemapping, where possible provide the role ID to the module. This removes a lookup to the API
to translate the name into the role ID.
attributes: attributes:
check_mode: check_mode:
support: full support: full
@ -38,7 +39,8 @@ options:
state: state:
description: description:
- State of the client_rolemapping. - State of the client_rolemapping.
- On V(present), the client_rolemapping will be created if it does not yet exist, or updated with the parameters you provide. - On V(present), the client_rolemapping will be created if it does not yet exist, or updated with the parameters you
provide.
- On V(absent), the client_rolemapping will be removed if it exists. - On V(absent), the client_rolemapping will be removed if it exists.
default: 'present' default: 'present'
type: str type: str
@ -71,21 +73,22 @@ options:
- Identify parent by ID. - Identify parent by ID.
- Needs less API calls than using O(parents[].name). - Needs less API calls than using O(parents[].name).
- A deep parent chain can be started at any point when first given parent is given as ID. - A deep parent chain can be started at any point when first given parent is given as ID.
- Note that in principle both ID and name can be specified at the same time but current implementation only always use just one of them, - Note that in principle both ID and name can be specified at the same time but current implementation only always
with ID being preferred. use just one of them, with ID being preferred.
name: name:
type: str type: str
description: description:
- Identify parent by name. - Identify parent by name.
- Needs more internal API calls than using O(parents[].id) to map names to ID's under the hood. - Needs more internal API calls than using O(parents[].id) to map names to ID's under the hood.
- When giving a parent chain with only names it must be complete up to the top. - When giving a parent chain with only names it must be complete up to the top.
- Note that in principle both ID and name can be specified at the same time but current implementation only always use just one of them, - Note that in principle both ID and name can be specified at the same time but current implementation only always
with ID being preferred. use just one of them, with ID being preferred.
gid: gid:
type: str type: str
description: description:
- Id of the group to be mapped. - ID of the group to be mapped.
- This parameter is not required for updating or deleting the rolemapping but providing it will reduce the number of API calls required. - This parameter is not required for updating or deleting the rolemapping but providing it will reduce the number of
API calls required.
client_id: client_id:
type: str type: str
description: description:
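Review bot: grammar in the unchanged context of this hunk, `- Needs less API calls than using O(parents[].name).` and `to map names to ID's under the hood`: since this PR is already rewording these docstrings, suggest `fewer API calls` and `IDs`. The rewrapped sentence `current implementation only always use just one of them` (present under both O(parents[].id) and O(parents[].name)) is also ungrammatical; suggest `the current implementation always uses only one of them, with ID being preferred.`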
@ -94,8 +97,9 @@ options:
cid: cid:
type: str type: str
description: description:
- Id of the client to be mapped. - ID of the client to be mapped.
- This parameter is not required for updating or deleting the rolemapping but providing it will reduce the number of API calls required. - This parameter is not required for updating or deleting the rolemapping but providing it will reduce the number of
API calls required.
roles: roles:
description: description:
- Roles to be mapped to the group. - Roles to be mapped to the group.
@ -111,8 +115,8 @@ options:
type: str type: str
description: description:
- The unique identifier for this role_representation. - The unique identifier for this role_representation.
- This parameter is not required for updating or deleting a role_representation but providing it will reduce the number of API calls - This parameter is not required for updating or deleting a role_representation but providing it will reduce the
required. number of API calls required.
extends_documentation_fragment: extends_documentation_fragment:
- community.general.keycloak - community.general.keycloak
- community.general.keycloak.actiongroup_keycloak - community.general.keycloak.actiongroup_keycloak

@ -11,17 +11,20 @@ __metaclass__ = type
DOCUMENTATION = r""" DOCUMENTATION = r"""
module: keycloak_client_rolescope module: keycloak_client_rolescope
short_description: Allows administration of Keycloak client roles scope to restrict the usage of certain roles to a other specific client applications short_description: Allows administration of Keycloak client roles scope to restrict the usage of certain roles to a other
specific client applications
version_added: 8.6.0 version_added: 8.6.0
description: description:
- This module allows you to add or remove Keycloak roles from clients scope using the Keycloak REST API. It requires access to the REST API using - This module allows you to add or remove Keycloak roles from clients scope using the Keycloak REST API. It requires access
OpenID Connect; the user connecting and the client being used must have the requisite access rights. In a default Keycloak installation, admin-cli to the REST API using OpenID Connect; the user connecting and the client being used must have the requisite access rights.
and an admin user would work, as would a separate client definition with the scope tailored to your needs and a user having the expected roles. In a default Keycloak installation, admin-cli and an admin user would work, as would a separate client definition with
the scope tailored to your needs and a user having the expected roles.
- Client O(client_id) must have O(community.general.keycloak_client#module:full_scope_allowed) set to V(false). - Client O(client_id) must have O(community.general.keycloak_client#module:full_scope_allowed) set to V(false).
- Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will be returned that way by this module. - Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will be returned that
You may pass single values for attributes when calling the module, and this will be translated into a list suitable for the API. way by this module. You may pass single values for attributes when calling the module, and this will be translated into
a list suitable for the API.
attributes: attributes:
check_mode: check_mode:
support: full support: full
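Review bot: the rewrapped short_description keeps the typo `to a other specific client applications`; suggest `to restrict the usage of certain roles to other specific client applications`. In the same hunk, `remove Keycloak roles from clients scope` would read better as `from a client's scope`.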

@ -16,15 +16,17 @@ short_description: Allows administration of Keycloak client_scopes using Keycloa
version_added: 3.4.0 version_added: 3.4.0
description: description:
- This module allows you to add, remove or modify Keycloak client_scopes using the Keycloak REST API. It requires access to the REST API using OpenID - This module allows you to add, remove or modify Keycloak client_scopes using the Keycloak REST API. It requires access
Connect; the user connecting and the client being used must have the requisite access rights. In a default Keycloak installation, admin-cli to the REST API using OpenID Connect; the user connecting and the client being used must have the requisite access rights.
and an admin user would work, as would a separate client definition with the scope tailored to your needs and a user having the expected roles. In a default Keycloak installation, admin-cli and an admin user would work, as would a separate client definition with
- The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at the scope tailored to your needs and a user having the expected roles.
U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html). - The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation
- Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will be returned that way by this module. at U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html).
You may pass single values for attributes when calling the module, and this will be translated into a list suitable for the API. - Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will be returned that
- When updating a client_scope, where possible provide the client_scope ID to the module. This removes a lookup to the API to translate the way by this module. You may pass single values for attributes when calling the module, and this will be translated into
name into the client_scope ID. a list suitable for the API.
- When updating a client_scope, where possible provide the client_scope ID to the module. This removes a lookup to the API
to translate the name into the client_scope ID.
attributes: attributes:
check_mode: check_mode:
support: full support: full
@ -60,7 +62,8 @@ options:
type: str type: str
description: description:
- The unique identifier for this client_scope. - The unique identifier for this client_scope.
- This parameter is not required for updating or deleting a client_scope but providing it will reduce the number of API calls required. - This parameter is not required for updating or deleting a client_scope but providing it will reduce the number of
API calls required.
description: description:
type: str type: str
description: description:
@ -91,8 +94,8 @@ options:
protocolMapper: protocolMapper:
description: description:
- 'The Keycloak-internal name of the type of this protocol-mapper. While an exhaustive list is impossible to provide since this may - 'The Keycloak-internal name of the type of this protocol-mapper. While an exhaustive list is impossible to provide
be extended through SPIs by the user of Keycloak, by default Keycloak as of 3.4 ships with at least:' since this may be extended through SPIs by the user of Keycloak, by default Keycloak as of 3.4 ships with at least:'
- V(docker-v2-allow-all-mapper). - V(docker-v2-allow-all-mapper).
- V(oidc-address-mapper). - V(oidc-address-mapper).
- V(oidc-full-name-mapper). - V(oidc-full-name-mapper).
@ -115,8 +118,8 @@ options:
- V(saml-user-attribute-mapper). - V(saml-user-attribute-mapper).
- V(saml-user-property-mapper). - V(saml-user-property-mapper).
- V(saml-user-session-note-mapper). - V(saml-user-session-note-mapper).
- An exhaustive list of available mappers on your installation can be obtained on the admin console by going to Server Info -> Providers - An exhaustive list of available mappers on your installation can be obtained on the admin console by going to
and looking under 'protocol-mapper'. Server Info -> Providers and looking under 'protocol-mapper'.
type: str type: str
name: name:
@ -131,11 +134,10 @@ options:
config: config:
description: description:
- Dict specifying the configuration options for the protocol mapper; the contents differ depending on the value of - Dict specifying the configuration options for the protocol mapper; the contents differ depending on the value
O(protocol_mappers[].protocolMapper) of O(protocol_mappers[].protocolMapper) and are not documented other than by the source of the mappers and its
and are not documented other than by the source of the mappers and its parent class(es). An example is given below. It is easiest parent class(es). An example is given below. It is easiest to obtain valid config values by dumping an already-existing
to obtain valid config values by dumping an already-existing protocol mapper configuration through check-mode in the RV(existing) protocol mapper configuration through check-mode in the RV(existing) return value.
return value.
type: dict type: dict
attributes: attributes:

@ -17,9 +17,10 @@ short_description: Set the type of aclientscope in realm or client using Keycloa
version_added: 6.6.0 version_added: 6.6.0
description: description:
- This module allows you to set the type (optional, default) of clientscopes using the Keycloak REST API. It requires access to the REST API using - This module allows you to set the type (optional, default) of clientscopes using the Keycloak REST API. It requires access
OpenID Connect; the user connecting and the client being used must have the requisite access rights. In a default Keycloak installation, admin-cli to the REST API using OpenID Connect; the user connecting and the client being used must have the requisite access rights.
and an admin user would work, as would a separate client definition with the scope tailored to your needs and a user having the expected roles. In a default Keycloak installation, admin-cli and an admin user would work, as would a separate client definition with
the scope tailored to your needs and a user having the expected roles.
attributes: attributes:
check_mode: check_mode:
support: full support: full
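Review bot: the hunk header context `short_description: Set the type of aclientscope in realm or client` carries the typo `aclientscope`; since neighbouring short_descriptions are touched by this PR, suggest fixing it to `a clientscope` here as well.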

@ -17,12 +17,14 @@ short_description: Retrieve client secret using Keycloak API
version_added: 6.1.0 version_added: 6.1.0
description: description:
- This module allows you to get a Keycloak client secret using the Keycloak REST API. It requires access to the REST API using OpenID Connect; the - This module allows you to get a Keycloak client secret using the Keycloak REST API. It requires access to the REST API
user connecting and the client being used must have the requisite access rights. In a default Keycloak installation, admin-cli and an admin using OpenID Connect; the user connecting and the client being used must have the requisite access rights. In a default
user would work, as would a separate client definition with the scope tailored to your needs and a user having the expected roles. Keycloak installation, admin-cli and an admin user would work, as would a separate client definition with the scope tailored
- When retrieving a new client secret, where possible provide the client's O(id) (not O(client_id)) to the module. This removes a lookup to to your needs and a user having the expected roles.
the API to translate the O(client_id) into the client ID. - When retrieving a new client secret, where possible provide the client's O(id) (not O(client_id)) to the module. This
- 'Note that this module returns the client secret. To avoid this showing up in the logs, please add C(no_log: true) to the task.' removes a lookup to the API to translate the O(client_id) into the client ID.
- 'Note that this module returns the client secret. To avoid this showing up in the logs, please add C(no_log: true) to
the task.'
attributes: attributes:
action_group: action_group:
version_added: 10.2.0 version_added: 10.2.0
@ -37,7 +39,8 @@ options:
id: id:
description: description:
- The unique identifier for this client. - The unique identifier for this client.
- This parameter is not required for getting or generating a client secret but providing it will reduce the number of API calls required. - This parameter is not required for getting or generating a client secret but providing it will reduce the number of
API calls required.
type: str type: str
client_id: client_id:

@ -17,12 +17,14 @@ short_description: Regenerate Keycloak client secret using Keycloak API
version_added: 6.1.0 version_added: 6.1.0
description: description:
- This module allows you to regenerate a Keycloak client secret using the Keycloak REST API. It requires access to the REST API using OpenID Connect; - This module allows you to regenerate a Keycloak client secret using the Keycloak REST API. It requires access to the REST
the user connecting and the client being used must have the requisite access rights. In a default Keycloak installation, admin-cli and an API using OpenID Connect; the user connecting and the client being used must have the requisite access rights. In a default
admin user would work, as would a separate client definition with the scope tailored to your needs and a user having the expected roles. Keycloak installation, admin-cli and an admin user would work, as would a separate client definition with the scope tailored
- When regenerating a client secret, where possible provide the client's id (not client_id) to the module. This removes a lookup to the API to your needs and a user having the expected roles.
to translate the client_id into the client ID. - When regenerating a client secret, where possible provide the client's ID (not client_id) to the module. This removes
- 'Note that this module returns the client secret. To avoid this showing up in the logs, please add C(no_log: true) to the task.' a lookup to the API to translate the client_id into the client ID.
- 'Note that this module returns the client secret. To avoid this showing up in the logs, please add C(no_log: true) to
the task.'
attributes: attributes:
check_mode: check_mode:
support: full support: full
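Review bot: `provide the client's ID (not client_id)` refers to the O(id) option, not to the concept of an identifier, so capitalizing `id` to `ID` here is misleading and diverges from the keycloak_client_secret docstring in the same PR, which uses `provide the client's O(id) (not O(client_id))`. Suggest the same `O(id)` / `O(client_id)` option markup in both modules.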
@ -41,12 +43,13 @@ options:
id: id:
description: description:
- The unique identifier for this client. - The unique identifier for this client.
- This parameter is not required for getting or generating a client secret but providing it will reduce the number of API calls required. - This parameter is not required for getting or generating a client secret but providing it will reduce the number of
API calls required.
type: str type: str
client_id: client_id:
description: description:
- The client_id of the client. Passing this instead of id results in an extra API call. - The client_id of the client. Passing this instead of ID results in an extra API call.
aliases: aliases:
- clientId - clientId
type: str type: str
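Review bot: `Passing this instead of ID results in an extra API call.` refers to the O(id) option of this module, so the capitalization change hides the reference; suggest `Passing this instead of O(id) results in an extra API call.`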

@ -14,13 +14,15 @@ module: keycloak_clienttemplate
short_description: Allows administration of Keycloak client templates using Keycloak API short_description: Allows administration of Keycloak client templates using Keycloak API
description: description:
- This module allows the administration of Keycloak client templates using the Keycloak REST API. It requires access to the REST API using OpenID - This module allows the administration of Keycloak client templates using the Keycloak REST API. It requires access to
Connect; the user connecting and the client being used must have the requisite access rights. In a default Keycloak installation, admin-cli the REST API using OpenID Connect; the user connecting and the client being used must have the requisite access rights.
and an admin user would work, as would a separate client definition with the scope tailored to your needs and a user having the expected roles. In a default Keycloak installation, admin-cli and an admin user would work, as would a separate client definition with
- The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at the scope tailored to your needs and a user having the expected roles.
U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html). - The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation
- The Keycloak API does not always enforce for only sensible settings to be used -- you can set SAML-specific settings on an OpenID Connect at U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html).
client for instance and the other way around. Be careful. If you do not specify a setting, usually a sensible default is chosen. - The Keycloak API does not always enforce for only sensible settings to be used -- you can set SAML-specific settings on
an OpenID Connect client for instance and the other way around. Be careful. If you do not specify a setting, usually a
sensible default is chosen.
attributes: attributes:
check_mode: check_mode:
support: full support: full
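Review bot: `does not always enforce for only sensible settings to be used` is still awkward after rewrapping; suggest `does not always enforce that only sensible settings are used`. The caveat that follows (SAML-specific settings are accepted on an OpenID Connect client and vice versa) is the useful part of this bullet and is worth keeping as is.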
@ -41,7 +43,7 @@ options:
id: id:
description: description:
- Id of client template to be worked on. This is usually a UUID. - ID of client template to be worked on. This is usually a UUID.
type: str type: str
realm: realm:
@ -69,12 +71,14 @@ options:
full_scope_allowed: full_scope_allowed:
description: description:
- Is the "Full Scope Allowed" feature set for this client template or not. This is C(fullScopeAllowed) in the Keycloak REST API. - Is the "Full Scope Allowed" feature set for this client template or not. This is C(fullScopeAllowed) in the Keycloak
REST API.
type: bool type: bool
protocol_mappers: protocol_mappers:
description: description:
- A list of dicts defining protocol mappers for this client template. This is C(protocolMappers) in the Keycloak REST API. - A list of dicts defining protocol mappers for this client template. This is C(protocolMappers) in the Keycloak REST
API.
type: list type: list
elements: dict elements: dict
suboptions: suboptions:
@ -106,8 +110,8 @@ options:
protocolMapper: protocolMapper:
description: description:
- 'The Keycloak-internal name of the type of this protocol-mapper. While an exhaustive list is impossible to provide since this may - 'The Keycloak-internal name of the type of this protocol-mapper. While an exhaustive list is impossible to provide
be extended through SPIs by the user of Keycloak, by default Keycloak as of 3.4 ships with at least:' since this may be extended through SPIs by the user of Keycloak, by default Keycloak as of 3.4 ships with at least:'
- V(docker-v2-allow-all-mapper). - V(docker-v2-allow-all-mapper).
- V(oidc-address-mapper). - V(oidc-address-mapper).
- V(oidc-full-name-mapper). - V(oidc-full-name-mapper).
@ -130,31 +134,29 @@ options:
- V(saml-user-attribute-mapper). - V(saml-user-attribute-mapper).
- V(saml-user-property-mapper). - V(saml-user-property-mapper).
- V(saml-user-session-note-mapper). - V(saml-user-session-note-mapper).
- An exhaustive list of available mappers on your installation can be obtained on the admin console by going to Server Info -> Providers - An exhaustive list of available mappers on your installation can be obtained on the admin console by going to
and looking under 'protocol-mapper'. Server Info -> Providers and looking under 'protocol-mapper'.
type: str type: str
config: config:
description: description:
- Dict specifying the configuration options for the protocol mapper; the contents differ depending on the value of - Dict specifying the configuration options for the protocol mapper; the contents differ depending on the value
O(protocol_mappers[].protocolMapper) of O(protocol_mappers[].protocolMapper) and are not documented other than by the source of the mappers and its
and are not documented other than by the source of the mappers and its parent class(es). An example is given below. It is easiest parent class(es). An example is given below. It is easiest to obtain valid config values by dumping an already-existing
to obtain valid config values by dumping an already-existing protocol mapper configuration through check-mode in the RV(existing) protocol mapper configuration through check-mode in the RV(existing) field.
field.
type: dict type: dict
attributes: attributes:
description: description:
- A dict of further attributes for this client template. This can contain various configuration settings, though in the default installation - A dict of further attributes for this client template. This can contain various configuration settings, though in
of Keycloak as of 3.4, none are documented or known, so this is usually empty. the default installation of Keycloak as of 3.4, none are documented or known, so this is usually empty.
type: dict type: dict
notes: notes:
- The Keycloak REST API defines further fields (namely C(bearerOnly), C(consentRequired), C(standardFlowEnabled), C(implicitFlowEnabled), - The Keycloak REST API defines further fields (namely C(bearerOnly), C(consentRequired), C(standardFlowEnabled), C(implicitFlowEnabled),
C(directAccessGrantsEnabled), C(directAccessGrantsEnabled), C(serviceAccountsEnabled), C(publicClient), and C(frontchannelLogout)) which, while available
C(serviceAccountsEnabled), C(publicClient), and C(frontchannelLogout)) which, while available with keycloak_client, do not have any effect with keycloak_client, do not have any effect on Keycloak client-templates and are discarded if supplied with an API request
on Keycloak client-templates and are discarded if supplied with an API request changing client-templates. As such, they are not available changing client-templates. As such, they are not available through this module.
through this module.
extends_documentation_fragment: extends_documentation_fragment:
- community.general.keycloak - community.general.keycloak
- community.general.keycloak.actiongroup_keycloak - community.general.keycloak.actiongroup_keycloak
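Review bot: `through check-mode in the RV(existing) field` here versus `in the RV(existing) return value` in the keycloak_client_scope docstring rewrapped in the same PR; suggest one wording for both. Also `the source of the mappers and its parent class(es)` should be `their parent class(es)`.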
@ -242,13 +244,15 @@ existing:
description: Representation of existing client template (sample is truncated). description: Representation of existing client template (sample is truncated).
returned: always returned: always
type: dict type: dict
sample: {"description": "test01", "fullScopeAllowed": false, "id": "9c3712ab-decd-481e-954f-76da7b006e5f", "name": "test01", "protocol": "saml"} sample: {"description": "test01", "fullScopeAllowed": false, "id": "9c3712ab-decd-481e-954f-76da7b006e5f", "name": "test01",
"protocol": "saml"}
end_state: end_state:
description: Representation of client template after module execution (sample is truncated). description: Representation of client template after module execution (sample is truncated).
returned: on success returned: on success
type: dict type: dict
sample: {"description": "test01", "fullScopeAllowed": false, "id": "9c3712ab-decd-481e-954f-76da7b006e5f", "name": "test01", "protocol": "saml"} sample: {"description": "test01", "fullScopeAllowed": false, "id": "9c3712ab-decd-481e-954f-76da7b006e5f", "name": "test01",
"protocol": "saml"}
""" """
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \ from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \

@ -16,12 +16,13 @@ short_description: Allows administration of Keycloak components using Keycloak A
version_added: 10.0.0 version_added: 10.0.0
description: description:
- This module allows the administration of Keycloak components using the Keycloak REST API. It requires access to the REST API using OpenID Connect; - This module allows the administration of Keycloak components using the Keycloak REST API. It requires access to the REST
the user connecting and the realm being used must have the requisite access rights. In a default Keycloak installation, C(admin-cli) and an API using OpenID Connect; the user connecting and the realm being used must have the requisite access rights. In a default
C(admin) user would work, as would a separate realm definition with the scope tailored to your needs and a user having the expected roles. Keycloak installation, C(admin-cli) and an C(admin) user would work, as would a separate realm definition with the scope
- The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at tailored to your needs and a user having the expected roles.
U(https://www.keycloak.org/docs-api/latest/rest-api/index.html). - The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation
Aliases are provided so camelCased versions can be used as well. at U(https://www.keycloak.org/docs-api/latest/rest-api/index.html). Aliases are provided so camelCased versions can be
used as well.
attributes: attributes:
check_mode: check_mode:
support: full support: full
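Review bot: `C(admin-cli) and an C(admin) user` should read `a C(admin) user`; the article no longer fits once the word is wrapped in C() markup.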

@ -34,9 +34,8 @@ options:
provider_type: provider_type:
description: description:
- Provider type of components. - Provider type of components.
- 'Examples: V(org.keycloak.storage.UserStorageProvider), - 'Examples: V(org.keycloak.storage.UserStorageProvider), V(org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy),
V(org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy), V(org.keycloak.keys.KeyProvider), V(org.keycloak.keys.KeyProvider), V(org.keycloak.userprofile.UserProfileProvider), V(org.keycloak.storage.ldap.mappers.LDAPStorageMapper).'
V(org.keycloak.userprofile.UserProfileProvider), V(org.keycloak.storage.ldap.mappers.LDAPStorageMapper).'
type: str type: str
parent_id: parent_id:
description: description:
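Review bot: the rewrap of the `Examples:` bullet merges three lines into two, and the first of them, ending in `V(org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy),`, is noticeably longer than every other wrapped line in this patch; suggest keeping the previous break after `V(org.keycloak.storage.UserStorageProvider),` so the line length matches the rest of the reflow.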
@ -92,7 +91,6 @@ EXAMPLES = r"""
realm: myrealm realm: myrealm
parent_id: "075ef2fa-19fc-4a6d-bf4c-249f57365fd2" parent_id: "075ef2fa-19fc-4a6d-bf4c-249f57365fd2"
provider_type: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper" provider_type: "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
""" """
RETURN = r""" RETURN = r"""

@ -14,15 +14,17 @@ module: keycloak_group
short_description: Allows administration of Keycloak groups using Keycloak API short_description: Allows administration of Keycloak groups using Keycloak API
description: description:
- This module allows you to add, remove or modify Keycloak groups using the Keycloak REST API. It requires access to the REST API using OpenID Connect; - This module allows you to add, remove or modify Keycloak groups using the Keycloak REST API. It requires access to the
the user connecting and the client being used must have the requisite access rights. In a default Keycloak installation, admin-cli and an REST API using OpenID Connect; the user connecting and the client being used must have the requisite access rights. In
admin user would work, as would a separate client definition with the scope tailored to your needs and a user having the expected roles. a default Keycloak installation, admin-cli and an admin user would work, as would a separate client definition with the
- The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at scope tailored to your needs and a user having the expected roles.
U(https://www.keycloak.org/docs-api/20.0.2/rest-api/index.html). - The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation
- Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will be returned that way by this module. at U(https://www.keycloak.org/docs-api/20.0.2/rest-api/index.html).
You may pass single values for attributes when calling the module, and this will be translated into a list suitable for the API. - Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will be returned that
- When updating a group, where possible provide the group ID to the module. This removes a lookup to the API to translate the name into the way by this module. You may pass single values for attributes when calling the module, and this will be translated into
group ID. a list suitable for the API.
- When updating a group, where possible provide the group ID to the module. This removes a lookup to the API to translate
the name into the group ID.
attributes: attributes:
check_mode: check_mode:
support: full support: full
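Review bot: the reflowed description still links the option documentation to a pinned release, `U(https://www.keycloak.org/docs-api/20.0.2/rest-api/index.html)`, while the keycloak_realm_keys_metadata module touched by this same change links to `docs-api/latest`. Since this is a documentation style pass, pointing every module at the same anchor (or at least the same release) would stop the links drifting apart as they have here (20.0.2, 15.0, 8.0, 18.0 across the files in this diff).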
@ -36,8 +38,8 @@ options:
description: description:
- State of the group. - State of the group.
- On V(present), the group will be created if it does not yet exist, or updated with the parameters you provide. - On V(present), the group will be created if it does not yet exist, or updated with the parameters you provide.
- On V(absent), the group will be removed if it exists. Be aware that absenting a group with subgroups will automatically delete all its - On V(absent), the group will be removed if it exists. Be aware that absenting a group with subgroups will automatically
subgroups too. delete all its subgroups too.
default: 'present' default: 'present'
type: str type: str
choices: choices:
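Review bot: "Be aware that absenting a group with subgroups will automatically delete all its subgroups too" uses "absenting" as a verb, which reads oddly next to the V(absent) option value it refers to. Suggest "Be aware that removing a group (V(absent)) that has subgroups deletes all of its subgroups as well", which keeps the warning but makes the destructive effect explicit for the reader scanning the state option.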
@ -59,7 +61,8 @@ options:
type: str type: str
description: description:
- The unique identifier for this group. - The unique identifier for this group.
- This parameter is not required for updating or deleting a group but providing it will reduce the number of API calls required. - This parameter is not required for updating or deleting a group but providing it will reduce the number of API calls
required.
attributes: attributes:
type: dict type: dict
description: description:
@ -70,9 +73,10 @@ options:
type: list type: list
description: description:
- List of parent groups for the group to handle sorted top to bottom. - List of parent groups for the group to handle sorted top to bottom.
- Set this to create a group as a subgroup of another group or groups (parents) or when accessing an existing subgroup by name. - Set this to create a group as a subgroup of another group or groups (parents) or when accessing an existing subgroup
- Not necessary to set when accessing an existing subgroup by its C(ID) because in that case the group can be directly queried without necessarily by name.
knowing its parent(s). - Not necessary to set when accessing an existing subgroup by its C(ID) because in that case the group can be directly
queried without necessarily knowing its parent(s).
elements: dict elements: dict
suboptions: suboptions:
id: id:
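Review bot: in the `parents` description, "accessing an existing subgroup by its C(ID)" wraps a plain English noun in code markup; C() is for literal code, and the thing being referred to here is the O(id) option. Suggest "by its O(id)" (or plain "by its ID") so the rendered docs link the reader to the option instead of showing `ID` as a code literal.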
@ -81,19 +85,19 @@ options:
- Identify parent by ID. - Identify parent by ID.
- Needs less API calls than using O(parents[].name). - Needs less API calls than using O(parents[].name).
- A deep parent chain can be started at any point when first given parent is given as ID. - A deep parent chain can be started at any point when first given parent is given as ID.
- Note that in principle both ID and name can be specified at the same time but current implementation only always use just one of them, - Note that in principle both ID and name can be specified at the same time but current implementation only always
with ID being preferred. use just one of them, with ID being preferred.
name: name:
type: str type: str
description: description:
- Identify parent by name. - Identify parent by name.
- Needs more internal API calls than using O(parents[].id) to map names to ID's under the hood. - Needs more internal API calls than using O(parents[].id) to map names to ID's under the hood.
- When giving a parent chain with only names it must be complete up to the top. - When giving a parent chain with only names it must be complete up to the top.
- Note that in principle both ID and name can be specified at the same time but current implementation only always use just one of them, - Note that in principle both ID and name can be specified at the same time but current implementation only always
with ID being preferred. use just one of them, with ID being preferred.
notes: notes:
- Presently, the RV(end_state.realmRoles), RV(end_state.clientRoles), and RV(end_state.access) attributes returned by the Keycloak API are read-only - Presently, the RV(end_state.realmRoles), RV(end_state.clientRoles), and RV(end_state.access) attributes returned by the
for groups. This limitation will be removed in a later version of this module. Keycloak API are read-only for groups. This limitation will be removed in a later version of this module.
extends_documentation_fragment: extends_documentation_fragment:
- community.general.keycloak - community.general.keycloak
- community.general.keycloak.actiongroup_keycloak - community.general.keycloak.actiongroup_keycloak
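Review bot: the `parents[].id` and `parents[].name` descriptions were reflowed but the wording that needed attention in a style pass was carried over unchanged: "Needs less API calls" should be "Needs fewer API calls", "map names to ID's" should be "IDs", and "current implementation only always use just one of them" is ungrammatical; suggest "but the current implementation always uses only one of them, with ID being preferred" in both places. The same sentence appears in the keycloak_realm_rolemapping module further down, so it is worth fixing in one sweep.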
@ -278,7 +282,8 @@ end_state:
returned: always returned: always
sample: [] sample: []
subGroups: subGroups:
description: A list of groups that are children of this group. These groups will have the same parameters as documented here. description: A list of groups that are children of this group. These groups will have the same parameters as documented
here.
type: list type: list
returned: always returned: always
clientRoles: clientRoles:

View File

@ -16,12 +16,12 @@ short_description: Allows administration of Keycloak identity providers using Ke
version_added: 3.6.0 version_added: 3.6.0
description: description:
- This module allows you to add, remove or modify Keycloak identity providers using the Keycloak REST API. It requires access to the REST API - This module allows you to add, remove or modify Keycloak identity providers using the Keycloak REST API. It requires access
using OpenID Connect; the user connecting and the client being used must have the requisite access rights. In a default Keycloak installation, to the REST API using OpenID Connect; the user connecting and the client being used must have the requisite access rights.
admin-cli and an admin user would work, as would a separate client definition with the scope tailored to your needs and a user having the In a default Keycloak installation, admin-cli and an admin user would work, as would a separate client definition with
expected roles. the scope tailored to your needs and a user having the expected roles.
- The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at - The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation
U(https://www.keycloak.org/docs-api/15.0/rest-api/index.html). at U(https://www.keycloak.org/docs-api/15.0/rest-api/index.html).
attributes: attributes:
check_mode: check_mode:
support: full support: full
@ -34,7 +34,8 @@ options:
state: state:
description: description:
- State of the identity provider. - State of the identity provider.
- On V(present), the identity provider will be created if it does not yet exist, or updated with the parameters you provide. - On V(present), the identity provider will be created if it does not yet exist, or updated with the parameters you
provide.
- On V(absent), the identity provider will be removed if it exists. - On V(absent), the identity provider will be removed if it exists.
default: 'present' default: 'present'
type: str type: str
@ -89,8 +90,8 @@ options:
link_only: link_only:
description: description:
- If true, users cannot log in through this provider. They can only link to this provider. This is useful if you do not want to allow login - If true, users cannot log in through this provider. They can only link to this provider. This is useful if you do
from the provider, but want to integrate with a provider. not want to allow login from the provider, but want to integrate with a provider.
aliases: aliases:
- linkOnly - linkOnly
type: bool type: bool
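Review bot: "If true, users cannot log in through this provider" refers to the option value without value markup; the rest of these docs use V() for option values (for example V(present) and V(absent) in the `state` option above). Suggest "If V(true), users cannot log in through this provider." for consistency with the convention the change is otherwise tidying.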
@ -125,14 +126,15 @@ options:
config: config:
description: description:
- Dict specifying the configuration options for the provider; the contents differ depending on the value of O(provider_id). Examples are - Dict specifying the configuration options for the provider; the contents differ depending on the value of O(provider_id).
given below for V(oidc) and V(saml). It is easiest to obtain valid config values by dumping an already-existing identity provider configuration Examples are given below for V(oidc) and V(saml). It is easiest to obtain valid config values by dumping an already-existing
through check-mode in the RV(existing) field. identity provider configuration through check-mode in the RV(existing) field.
type: dict type: dict
suboptions: suboptions:
hide_on_login_page: hide_on_login_page:
description: description:
- If hidden, login with this provider is possible only if requested explicitly, for example using the C(kc_idp_hint) parameter. - If hidden, login with this provider is possible only if requested explicitly, for example using the C(kc_idp_hint)
parameter.
aliases: aliases:
- hideOnLoginPage - hideOnLoginPage
type: bool type: bool
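Review bot: "by dumping an already-existing identity provider configuration through check-mode in the RV(existing) field" hyphenates "check mode", which the `attributes: check_mode:` block and Ansible's own docs write as two words; suggest "in check mode". Minor, but it is the kind of inconsistency this pass is meant to remove.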

View File

@ -17,14 +17,16 @@ short_description: Allows administration of Keycloak realm using Keycloak API
version_added: 3.0.0 version_added: 3.0.0
description: description:
- This module allows the administration of Keycloak realm using the Keycloak REST API. It requires access to the REST API using OpenID Connect; - This module allows the administration of Keycloak realm using the Keycloak REST API. It requires access to the REST API
the user connecting and the realm being used must have the requisite access rights. In a default Keycloak installation, admin-cli and an admin using OpenID Connect; the user connecting and the realm being used must have the requisite access rights. In a default
user would work, as would a separate realm definition with the scope tailored to your needs and a user having the expected roles. Keycloak installation, admin-cli and an admin user would work, as would a separate realm definition with the scope tailored
- The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at to your needs and a user having the expected roles.
U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html). - The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation
Aliases are provided so camelCased versions can be used as well. at U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html). Aliases are provided so camelCased versions can be used
- The Keycloak API does not always sanity check inputs, for example you can set SAML-specific settings on an OpenID Connect client for instance and as well.
also the other way around. B(Be careful). If you do not specify a setting, usually a sensible default is chosen. - The Keycloak API does not always sanity check inputs, for example you can set SAML-specific settings on an OpenID Connect
client for instance and also the other way around. B(Be careful). If you do not specify a setting, usually a sensible
default is chosen.
attributes: attributes:
check_mode: check_mode:
support: full support: full
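Review bot: the reflowed sentence "for example you can set SAML-specific settings on an OpenID Connect client for instance and also the other way around" carries both "for example" and "for instance" and is the one place in this hunk that needed rewording rather than rewrapping. Suggest "for example, you can set SAML-specific settings on an OpenID Connect client and vice versa" ahead of the B(Be careful) warning, which is the part the reader should actually take away.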

View File

@ -17,10 +17,11 @@ version_added: 4.3.0
description: description:
- This module allows you to get Keycloak realm public information using the Keycloak REST API. - This module allows you to get Keycloak realm public information using the Keycloak REST API.
- The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at - The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation
U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html). at U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html).
- Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will be returned that way by this module. - Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will be returned that
You may pass single values for attributes when calling the module, and this will be translated into a list suitable for the API. way by this module. You may pass single values for attributes when calling the module, and this will be translated into
a list suitable for the API.
extends_documentation_fragment: extends_documentation_fragment:
- community.general.attributes - community.general.attributes
- community.general.attributes.info_module - community.general.attributes.info_module

View File

@ -17,17 +17,19 @@ short_description: Allows administration of Keycloak realm keys using Keycloak A
version_added: 7.5.0 version_added: 7.5.0
description: description:
- This module allows the administration of Keycloak realm keys using the Keycloak REST API. It requires access to the REST API using OpenID Connect; - This module allows the administration of Keycloak realm keys using the Keycloak REST API. It requires access to the REST
the user connecting and the realm being used must have the requisite access rights. In a default Keycloak installation, admin-cli and an admin API using OpenID Connect; the user connecting and the realm being used must have the requisite access rights. In a default
user would work, as would a separate realm definition with the scope tailored to your needs and a user having the expected roles. Keycloak installation, admin-cli and an admin user would work, as would a separate realm definition with the scope tailored
- The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at to your needs and a user having the expected roles.
U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html). - The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation
Aliases are provided so camelCased versions can be used as well. at U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html). Aliases are provided so camelCased versions can be used
- This module is unable to detect changes to the actual cryptographic key after importing it. However, if some other property is changed alongside as well.
the cryptographic key, then the key will also get changed as a side-effect, as the JSON payload needs to include the private key. This can - This module is unable to detect changes to the actual cryptographic key after importing it. However, if some other property
be considered either a bug or a feature, as the alternative would be to always update the realm key whether it has changed or not. is changed alongside the cryptographic key, then the key will also get changed as a side-effect, as the JSON payload needs
- If certificate is not explicitly provided it will be dynamically created by Keycloak. Therefore comparing the current state of the certificate to include the private key. This can be considered either a bug or a feature, as the alternative would be to always update
to the desired state (which may be empty) is not possible. the realm key whether it has changed or not.
- If certificate is not explicitly provided it will be dynamically created by Keycloak. Therefore comparing the current
state of the certificate to the desired state (which may be empty) is not possible.
attributes: attributes:
check_mode: check_mode:
support: full support: full
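Review bot: the last description bullet, "If certificate is not explicitly provided it will be dynamically created by Keycloak. Therefore comparing the current state of the certificate to the desired state (which may be empty) is not possible.", is repeated word for word in the module's `notes:` section later in this file. Keeping the idempotency caveat in one place (the `notes:` block, next to the related private-key caveat) avoids the two copies drifting apart; if it stays here, at least "If the certificate" and a comma after "Therefore" would improve the wrapped text.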
@ -52,9 +54,9 @@ options:
required: true required: true
force: force:
description: description:
- Enforce the state of the private key and certificate. This is not automatically the case as this module is unable to determine the current - Enforce the state of the private key and certificate. This is not automatically the case as this module is unable
state of the private key and thus cannot trigger an update based on an actual divergence. That said, a private key update may happen even to determine the current state of the private key and thus cannot trigger an update based on an actual divergence.
if force is false as a side-effect of other changes. That said, a private key update may happen even if force is false as a side-effect of other changes.
default: false default: false
type: bool type: bool
parent_id: parent_id:
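Review bot: "a private key update may happen even if force is false as a side-effect of other changes" names the option and its value in prose without the markup the surrounding docs use; suggest "even if O(force=false)", matching the O(force=true) reference under `private_key` below. Also "side-effect" is written "side effect" as a noun elsewhere.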
@ -76,12 +78,14 @@ options:
suboptions: suboptions:
active: active:
description: description:
- Whether they key is active or inactive. Not to be confused with the state of the Ansible resource managed by the O(state) parameter. - Whether they key is active or inactive. Not to be confused with the state of the Ansible resource managed by the
O(state) parameter.
default: true default: true
type: bool type: bool
enabled: enabled:
description: description:
- Whether the key is enabled or disabled. Not to be confused with the state of the Ansible resource managed by the O(state) parameter. - Whether the key is enabled or disabled. Not to be confused with the state of the Ansible resource managed by the
O(state) parameter.
default: true default: true
type: bool type: bool
priority: priority:
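Review bot: typo in the `active` suboption description, carried through the reflow: "Whether they key is active or inactive" should read "Whether the key is active or inactive", matching the `enabled` description directly below it.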
@ -92,30 +96,33 @@ options:
algorithm: algorithm:
description: description:
- Key algorithm. - Key algorithm.
- The values V(RS384), V(RS512), V(PS256), V(PS384), V(PS512), V(RSA1_5), V(RSA-OAEP), V(RSA-OAEP-256) have been added in community.general - The values V(RS384), V(RS512), V(PS256), V(PS384), V(PS512), V(RSA1_5), V(RSA-OAEP), V(RSA-OAEP-256) have been
8.2.0. added in community.general 8.2.0.
default: RS256 default: RS256
choices: ['RS256', 'RS384', 'RS512', 'PS256', 'PS384', 'PS512', 'RSA1_5', 'RSA-OAEP', 'RSA-OAEP-256'] choices: ['RS256', 'RS384', 'RS512', 'PS256', 'PS384', 'PS512', 'RSA1_5', 'RSA-OAEP', 'RSA-OAEP-256']
type: str type: str
private_key: private_key:
description: description:
- The private key as an ASCII string. Contents of the key must match O(config.algorithm) and O(provider_id). - The private key as an ASCII string. Contents of the key must match O(config.algorithm) and O(provider_id).
- Please note that the module cannot detect whether the private key specified differs from the current state's private key. Use O(force=true) - Please note that the module cannot detect whether the private key specified differs from the current state's private
to force the module to update the private key if you expect it to be updated. key. Use O(force=true) to force the module to update the private key if you expect it to be updated.
required: true required: true
type: str type: str
certificate: certificate:
description: description:
- A certificate signed with the private key as an ASCII string. Contents of the key must match O(config.algorithm) and O(provider_id). - A certificate signed with the private key as an ASCII string. Contents of the key must match O(config.algorithm)
- If you want Keycloak to automatically generate a certificate using your private key then set this to an empty string. and O(provider_id).
- If you want Keycloak to automatically generate a certificate using your private key then set this to an empty
string.
required: true required: true
type: str type: str
notes: notes:
- Current value of the private key cannot be fetched from Keycloak. Therefore comparing its desired state to the current state is not possible. - Current value of the private key cannot be fetched from Keycloak. Therefore comparing its desired state to the current
- If certificate is not explicitly provided it will be dynamically created by Keycloak. Therefore comparing the current state of the certificate state is not possible.
to the desired state (which may be empty) is not possible. - If certificate is not explicitly provided it will be dynamically created by Keycloak. Therefore comparing the current
- Due to the private key and certificate options the module is B(not fully idempotent). You can use O(force=true) to force the module to always state of the certificate to the desired state (which may be empty) is not possible.
update if you know that the private key might have changed. - Due to the private key and certificate options the module is B(not fully idempotent). You can use O(force=true) to force
the module to always update if you know that the private key might have changed.
extends_documentation_fragment: extends_documentation_fragment:
- community.general.keycloak - community.general.keycloak
- community.general.keycloak.actiongroup_keycloak - community.general.keycloak.actiongroup_keycloak
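Review bot: the `certificate` description says "Contents of the key must match O(config.algorithm) and O(provider_id)", which is the `private_key` sentence copied verbatim; for this option it should say "Contents of the certificate must match". Separately, the `notes:` block reflowed here duplicates the "If certificate is not explicitly provided ..." bullet already present in the module description, and "Current value of the private key cannot be fetched" would read better as "The current value of the private key cannot be fetched from Keycloak".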

View File

@ -18,8 +18,8 @@ version_added: 9.3.0
description: description:
- This module allows you to get Keycloak realm keys metadata using the Keycloak REST API. - This module allows you to get Keycloak realm keys metadata using the Keycloak REST API.
- The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at - The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation
U(https://www.keycloak.org/docs-api/latest/rest-api/index.html). at U(https://www.keycloak.org/docs-api/latest/rest-api/index.html).
attributes: attributes:
action_group: action_group:
version_added: 10.2.0 version_added: 10.2.0

View File

@ -16,16 +16,17 @@ short_description: Allows administration of Keycloak realm role mappings into gr
version_added: 8.2.0 version_added: 8.2.0
description: description:
- This module allows you to add, remove or modify Keycloak realm role mappings into groups with the Keycloak REST API. It requires access to - This module allows you to add, remove or modify Keycloak realm role mappings into groups with the Keycloak REST API. It
the REST API using OpenID Connect; the user connecting and the client being used must have the requisite access rights. In a default Keycloak requires access to the REST API using OpenID Connect; the user connecting and the client being used must have the requisite
installation, admin-cli and an admin user would work, as would a separate client definition with the scope tailored to your needs and a user access rights. In a default Keycloak installation, admin-cli and an admin user would work, as would a separate client
having the expected roles. definition with the scope tailored to your needs and a user having the expected roles.
- The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at - The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation
U(https://www.keycloak.org/docs-api/18.0/rest-api/index.html). at U(https://www.keycloak.org/docs-api/18.0/rest-api/index.html).
- Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will be returned that way by this module. - Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will be returned that
You may pass single values for attributes when calling the module, and this will be translated into a list suitable for the API. way by this module. You may pass single values for attributes when calling the module, and this will be translated into
- When updating a group_rolemapping, where possible provide the role ID to the module. This removes a lookup to the API to translate the name a list suitable for the API.
into the role ID. - When updating a group_rolemapping, where possible provide the role ID to the module. This removes a lookup to the API
to translate the name into the role ID.
attributes: attributes:
check_mode: check_mode:
support: full support: full
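Review bot: the last description bullet reads "When updating a group_rolemapping, where possible provide the role ID to the module", but this is the realm role mapping module and the `state` option below refers to the object as "realm_rolemapping". Suggest "When updating a realm_rolemapping" so the description and the option text agree on the name.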
@ -38,7 +39,8 @@ options:
state: state:
description: description:
- State of the realm_rolemapping. - State of the realm_rolemapping.
- On C(present), the realm_rolemapping will be created if it does not yet exist, or updated with the parameters you provide. - On C(present), the realm_rolemapping will be created if it does not yet exist, or updated with the parameters you
provide.
- On C(absent), the realm_rolemapping will be removed if it exists. - On C(absent), the realm_rolemapping will be removed if it exists.
default: 'present' default: 'present'
type: str type: str
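Review bot: "On C(present)" and "On C(absent)" use code markup for option values, whereas the equivalent `state` descriptions in keycloak_group and keycloak_identity_provider in this same change use V(present) and V(absent). Suggest switching both to V() here for consistency.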
@ -70,21 +72,22 @@ options:
- Identify parent by ID. - Identify parent by ID.
- Needs less API calls than using O(parents[].name). - Needs less API calls than using O(parents[].name).
- A deep parent chain can be started at any point when first given parent is given as ID. - A deep parent chain can be started at any point when first given parent is given as ID.
- Note that in principle both ID and name can be specified at the same time but current implementation only always use just one of them, - Note that in principle both ID and name can be specified at the same time but current implementation only always
with ID being preferred. use just one of them, with ID being preferred.
name: name:
type: str type: str
description: description:
- Identify parent by name. - Identify parent by name.
- Needs more internal API calls than using O(parents[].id) to map names to ID's under the hood. - Needs more internal API calls than using O(parents[].id) to map names to ID's under the hood.
- When giving a parent chain with only names it must be complete up to the top. - When giving a parent chain with only names it must be complete up to the top.
- Note that in principle both ID and name can be specified at the same time but current implementation only always use just one of them, - Note that in principle both ID and name can be specified at the same time but current implementation only always
with ID being preferred. use just one of them, with ID being preferred.
gid: gid:
type: str type: str
description: description:
- ID of the group to be mapped. - ID of the group to be mapped.
- This parameter is not required for updating or deleting the rolemapping but providing it will reduce the number of API calls required. - This parameter is not required for updating or deleting the rolemapping but providing it will reduce the number of
API calls required.
roles: roles:
description: description:
- Roles to be mapped to the group. - Roles to be mapped to the group.
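Review bot: same wording issues as the `parents` suboptions in keycloak_group: "Needs less API calls" should be "fewer", "ID's" should be "IDs", and "current implementation only always use just one of them" should be "the current implementation always uses only one of them, with ID being preferred", in both the `id` and `name` descriptions.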
@ -100,8 +103,8 @@ options:
type: str type: str
description: description:
- The unique identifier for this role_representation. - The unique identifier for this role_representation.
- This parameter is not required for updating or deleting a role_representation but providing it will reduce the number of API calls - This parameter is not required for updating or deleting a role_representation but providing it will reduce the
required. number of API calls required.
extends_documentation_fragment: extends_documentation_fragment:
- community.general.keycloak - community.general.keycloak
- community.general.keycloak.actiongroup_keycloak - community.general.keycloak.actiongroup_keycloak

View File

@ -16,13 +16,15 @@ short_description: Allows administration of Keycloak roles using Keycloak API
version_added: 3.4.0 version_added: 3.4.0
description: description:
- This module allows you to add, remove or modify Keycloak roles using the Keycloak REST API. It requires access to the REST API using OpenID Connect; - This module allows you to add, remove or modify Keycloak roles using the Keycloak REST API. It requires access to the
the user connecting and the client being used must have the requisite access rights. In a default Keycloak installation, admin-cli and an REST API using OpenID Connect; the user connecting and the client being used must have the requisite access rights. In
admin user would work, as would a separate client definition with the scope tailored to your needs and a user having the expected roles. a default Keycloak installation, admin-cli and an admin user would work, as would a separate client definition with the
- The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at scope tailored to your needs and a user having the expected roles.
U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html). - The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation
- Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will be returned that way by this module. at U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html).
You may pass single values for attributes when calling the module, and this will be translated into a list suitable for the API. - Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will be returned that
way by this module. You may pass single values for attributes when calling the module, and this will be translated into
a list suitable for the API.
attributes: attributes:
check_mode: check_mode:
support: full support: full
@ -62,7 +64,7 @@ options:
client_id: client_id:
type: str type: str
description: description:
- If the role is a client role, the client id under which it resides. - If the role is a client role, the client ID under which it resides.
- If this parameter is absent, the role is considered a realm role. - If this parameter is absent, the role is considered a realm role.
attributes: attributes:
type: dict type: dict
@ -199,15 +201,15 @@ existing:
description: Representation of existing role. description: Representation of existing role.
returned: always returned: always
type: dict type: dict
sample: {"attributes": {}, "clientRole": true, "composite": false, "containerId": "9f03eb61-a826-4771-a9fd-930e06d2d36a", "description": "My sample: {"attributes": {}, "clientRole": true, "composite": false, "containerId": "9f03eb61-a826-4771-a9fd-930e06d2d36a",
client test role", "id": "561703dd-0f38-45ff-9a5a-0c978f794547", "name": "myrole"} "description": "My client test role", "id": "561703dd-0f38-45ff-9a5a-0c978f794547", "name": "myrole"}
end_state: end_state:
description: Representation of role after module execution (sample is truncated). description: Representation of role after module execution (sample is truncated).
returned: on success returned: on success
type: dict type: dict
sample: {"attributes": {}, "clientRole": true, "composite": false, "containerId": "9f03eb61-a826-4771-a9fd-930e06d2d36a", "description": "My sample: {"attributes": {}, "clientRole": true, "composite": false, "containerId": "9f03eb61-a826-4771-a9fd-930e06d2d36a",
updated client test role", "id": "561703dd-0f38-45ff-9a5a-0c978f794547", "name": "myrole"} "description": "My updated client test role", "id": "561703dd-0f38-45ff-9a5a-0c978f794547", "name": "myrole"}
""" """
from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \ from ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak import KeycloakAPI, camel, \

View File

@ -16,11 +16,12 @@ short_description: Allows administration of Keycloak user federations using Keyc
version_added: 3.7.0 version_added: 3.7.0
description: description:
- This module allows you to add, remove or modify Keycloak user federations using the Keycloak REST API. It requires access to the REST API using - This module allows you to add, remove or modify Keycloak user federations using the Keycloak REST API. It requires access
OpenID Connect; the user connecting and the client being used must have the requisite access rights. In a default Keycloak installation, admin-cli to the REST API using OpenID Connect; the user connecting and the client being used must have the requisite access rights.
and an admin user would work, as would a separate client definition with the scope tailored to your needs and a user having the expected roles. In a default Keycloak installation, admin-cli and an admin user would work, as would a separate client definition with
- The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at the scope tailored to your needs and a user having the expected roles.
U(https://www.keycloak.org/docs-api/20.0.2/rest-api/index.html). - The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation
at U(https://www.keycloak.org/docs-api/20.0.2/rest-api/index.html).
attributes: attributes:
check_mode: check_mode:
support: full support: full
@ -59,8 +60,8 @@ options:
provider_id: provider_id:
description: description:
- Provider for this user federation. Built-in providers are V(ldap), V(kerberos), and V(sssd). Custom user storage providers can also be - Provider for this user federation. Built-in providers are V(ldap), V(kerberos), and V(sssd). Custom user storage providers
used. can also be used.
aliases: aliases:
- providerId - providerId
type: str type: str
@ -90,12 +91,15 @@ options:
bind_credential_update_mode: bind_credential_update_mode:
description: description:
- The value of the config parameter O(config.bindCredential) is redacted in the Keycloak responses. Comparing the redacted value with the - The value of the config parameter O(config.bindCredential) is redacted in the Keycloak responses. Comparing the redacted
desired value always evaluates to not equal. This means the before and desired states are never equal if the parameter is set. value with the desired value always evaluates to not equal. This means the before and desired states are never equal
- Set to V(always) to include O(config.bindCredential) in the comparison of before and desired state. Because of the redacted value returned if the parameter is set.
by Keycloak the module will always detect a change and make an update if a O(config.bindCredential) value is set. - Set to V(always) to include O(config.bindCredential) in the comparison of before and desired state. Because of the
redacted value returned by Keycloak the module will always detect a change and make an update if a O(config.bindCredential)
value is set.
- Set to V(only_indirect) to exclude O(config.bindCredential) when comparing the before state with the desired state. - Set to V(only_indirect) to exclude O(config.bindCredential) when comparing the before state with the desired state.
The value of O(config.bindCredential) will only be updated if there are other changes to the user federation that require an update. The value of O(config.bindCredential) will only be updated if there are other changes to the user federation that
require an update.
type: str type: str
default: always default: always
choices: choices:
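Review bot: in the V(always) bullet, "if a O(config.bindCredential) value is set" should read "if an O(config.bindCredential) value is set". While this description is being rewrapped, it would also help to state the consequence directly: because V(always) is the default and Keycloak returns the credential redacted, every run that sets O(config.bindCredential) reports a change and rewrites the credential, which is exactly the behaviour V(only_indirect) exists to avoid. A sentence to that effect next to "default: always" would save users a surprise.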
@ -105,9 +109,9 @@ options:
config: config:
description: description:
- Dict specifying the configuration options for the provider; the contents differ depending on the value of O(provider_id). Examples are - Dict specifying the configuration options for the provider; the contents differ depending on the value of O(provider_id).
given below for V(ldap), V(kerberos) and V(sssd). It is easiest to obtain valid config values by dumping an already-existing user federation Examples are given below for V(ldap), V(kerberos) and V(sssd). It is easiest to obtain valid config values by dumping
configuration through check-mode in the RV(existing) field. an already-existing user federation configuration through check-mode in the RV(existing) field.
- The value V(sssd) has been supported since community.general 4.2.0. - The value V(sssd) has been supported since community.general 4.2.0.
type: dict type: dict
suboptions: suboptions:
@ -131,8 +135,8 @@ options:
editMode: editMode:
description: description:
- V(READ_ONLY) is a read-only LDAP store. V(WRITABLE) means data will be synced back to LDAP on demand. V(UNSYNCED) means user data - V(READ_ONLY) is a read-only LDAP store. V(WRITABLE) means data will be synced back to LDAP on demand. V(UNSYNCED)
will be imported, but not synced back to LDAP. means user data will be imported, but not synced back to LDAP.
type: str type: str
choices: choices:
- READ_ONLY - READ_ONLY
@ -141,7 +145,8 @@ options:
syncRegistrations: syncRegistrations:
description: description:
- Should newly created users be created within LDAP store? Priority effects which provider is chosen to sync the new user. - Should newly created users be created within LDAP store? Priority effects which provider is chosen to sync the
new user.
default: false default: false
type: bool type: bool
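Review bot: "Priority effects which provider is chosen to sync the new user" carries a typo through the rewrap; it should be "Priority affects which provider is chosen to sync the new user".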
@ -153,29 +158,31 @@ options:
usernameLDAPAttribute: usernameLDAPAttribute:
description: description:
- Name of LDAP attribute, which is mapped as Keycloak username. For many LDAP server vendors it can be V(uid). For Active directory - Name of LDAP attribute, which is mapped as Keycloak username. For many LDAP server vendors it can be V(uid). For
it can be V(sAMAccountName) or V(cn). The attribute should be filled for all LDAP user records you want to import from LDAP to Keycloak. Active directory it can be V(sAMAccountName) or V(cn). The attribute should be filled for all LDAP user records
you want to import from LDAP to Keycloak.
type: str type: str
rdnLDAPAttribute: rdnLDAPAttribute:
description: description:
- Name of LDAP attribute, which is used as RDN (top attribute) of typical user DN. Usually it is the same as Username LDAP attribute, - Name of LDAP attribute, which is used as RDN (top attribute) of typical user DN. Usually it is the same as Username
however it is not required. For example for Active directory, it is common to use V(cn) as RDN attribute when username attribute might LDAP attribute, however it is not required. For example for Active directory, it is common to use V(cn) as RDN
be V(sAMAccountName). attribute when username attribute might be V(sAMAccountName).
type: str type: str
uuidLDAPAttribute: uuidLDAPAttribute:
description: description:
- Name of LDAP attribute, which is used as unique object identifier (UUID) for objects in LDAP. For many LDAP server vendors, it is - Name of LDAP attribute, which is used as unique object identifier (UUID) for objects in LDAP. For many LDAP server
V(entryUUID); however some are different. For example for Active directory it should be V(objectGUID). If your LDAP server does not vendors, it is V(entryUUID); however some are different. For example for Active directory it should be V(objectGUID).
support the notion of UUID, you can use any other attribute that is supposed to be unique among LDAP users in tree. If your LDAP server does not support the notion of UUID, you can use any other attribute that is supposed to be
unique among LDAP users in tree.
type: str type: str
userObjectClasses: userObjectClasses:
description: description:
- All values of LDAP objectClass attribute for users in LDAP divided by comma. For example V(inetOrgPerson, organizationalPerson). Newly - All values of LDAP objectClass attribute for users in LDAP divided by comma. For example V(inetOrgPerson, organizationalPerson).
created Keycloak users will be written to LDAP with all those object classes and existing LDAP user records are found just if they Newly created Keycloak users will be written to LDAP with all those object classes and existing LDAP user records
contain all those object classes. are found just if they contain all those object classes.
type: str type: str
connectionUrl: connectionUrl:
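Review bot: the rewrapped usernameLDAPAttribute, rdnLDAPAttribute and uuidLDAPAttribute descriptions write "Active directory" with a lowercase "directory"; the product name is "Active Directory" and it should be capitalized consistently. In userObjectClasses, "existing LDAP user records are found just if they contain all those object classes" reads awkwardly; "are found only if they contain all those object classes" is clearer.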
@ -195,8 +202,8 @@ options:
searchScope: searchScope:
description: description:
- For one level, the search applies only for users in the DNs specified by User DNs. For subtree, the search applies to the whole subtree. - For one level, the search applies only for users in the DNs specified by User DNs. For subtree, the search applies
See LDAP documentation for more details. to the whole subtree. See LDAP documentation for more details.
default: '1' default: '1'
type: str type: str
choices: choices:
@ -205,7 +212,8 @@ options:
authType: authType:
description: description:
- Type of the Authentication method used during LDAP Bind operation. It is used in most of the requests sent to the LDAP server. - Type of the Authentication method used during LDAP Bind operation. It is used in most of the requests sent to
the LDAP server.
default: 'none' default: 'none'
type: str type: str
choices: choices:
@ -230,9 +238,9 @@ options:
usePasswordModifyExtendedOp: usePasswordModifyExtendedOp:
description: description:
- Use the LDAPv3 Password Modify Extended Operation (RFC-3062). The password modify extended operation usually requires that LDAP user - Use the LDAPv3 Password Modify Extended Operation (RFC-3062). The password modify extended operation usually requires
already has password in the LDAP server. So when this is used with 'Sync Registrations', it can be good to add also 'Hardcoded LDAP that LDAP user already has password in the LDAP server. So when this is used with 'Sync Registrations', it can
attribute mapper' with randomly generated initial password. be good to add also 'Hardcoded LDAP attribute mapper' with randomly generated initial password.
default: false default: false
type: bool type: bool
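Review bot: "RFC-3062" should be written "RFC 3062" (no hyphen), and "it can be good to add also 'Hardcoded LDAP attribute mapper' with randomly generated initial password" would read better as "it is advisable to also add a 'Hardcoded LDAP attribute mapper' with a randomly generated initial password".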
@ -250,11 +258,11 @@ options:
useTruststoreSpi: useTruststoreSpi:
description: description:
- Specifies whether LDAP connection will use the truststore SPI with the truststore configured in standalone.xml/domain.xml. V(always) - Specifies whether LDAP connection will use the truststore SPI with the truststore configured in standalone.xml/domain.xml.
means that it will always use it. V(never) means that it will not use it. V(ldapsOnly) means that it will use if your connection URL V(always) means that it will always use it. V(never) means that it will not use it. V(ldapsOnly) means that it
use ldaps. will use if your connection URL use ldaps.
- Note even if standalone.xml/domain.xml is not configured, the default Java cacerts or certificate specified by C(javax.net.ssl.trustStore) - Note even if standalone.xml/domain.xml is not configured, the default Java cacerts or certificate specified by
property will be used. C(javax.net.ssl.trustStore) property will be used.
default: ldapsOnly default: ldapsOnly
type: str type: str
choices: choices:
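Review bot: the V(ldapsOnly) sentence is ungrammatical after the rewrap: "V(ldapsOnly) means that it will use if your connection URL use ldaps" should be "V(ldapsOnly) means that it will use it if your connection URL uses ldaps". The following bullet should start "Note that even if standalone.xml/domain.xml is not configured".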
@ -295,8 +303,8 @@ options:
connectionPoolingDebug: connectionPoolingDebug:
description: description:
- A string that indicates the level of debug output to produce. Example valid values are V(fine) (trace connection creation and removal) - A string that indicates the level of debug output to produce. Example valid values are V(fine) (trace connection
and V(all) (all debugging information). creation and removal) and V(all) (all debugging information).
type: str type: str
connectionPoolingInitSize: connectionPoolingInitSize:
@ -321,13 +329,14 @@ options:
connectionPoolingTimeout: connectionPoolingTimeout:
description: description:
- The number of milliseconds that an idle connection may remain in the pool without being closed and removed from the pool. - The number of milliseconds that an idle connection may remain in the pool without being closed and removed from
the pool.
type: int type: int
allowKerberosAuthentication: allowKerberosAuthentication:
description: description:
- Enable/disable HTTP authentication of users with SPNEGO/Kerberos tokens. The data about authenticated users will be provisioned from - Enable/disable HTTP authentication of users with SPNEGO/Kerberos tokens. The data about authenticated users will
this LDAP server. be provisioned from this LDAP server.
default: false default: false
type: bool type: bool
@ -338,16 +347,17 @@ options:
krbPrincipalAttribute: krbPrincipalAttribute:
description: description:
- Name of the LDAP attribute, which refers to Kerberos principal. This is used to lookup appropriate LDAP user after successful Kerberos/SPNEGO - Name of the LDAP attribute, which refers to Kerberos principal. This is used to lookup appropriate LDAP user after
authentication in Keycloak. When this is empty, the LDAP user will be looked based on LDAP username corresponding to the first part successful Kerberos/SPNEGO authentication in Keycloak. When this is empty, the LDAP user will be looked based
of his Kerberos principal. For instance, for principal C(john@KEYCLOAK.ORG), it will assume that LDAP username is V(john). on LDAP username corresponding to the first part of his Kerberos principal. For instance, for principal C(john@KEYCLOAK.ORG),
it will assume that LDAP username is V(john).
type: str type: str
version_added: 8.1.0 version_added: 8.1.0
serverPrincipal: serverPrincipal:
description: description:
- Full name of server principal for HTTP service including server and domain name. For example V(HTTP/host.foo.org@FOO.ORG). Use V(*) - Full name of server principal for HTTP service including server and domain name. For example V(HTTP/host.foo.org@FOO.ORG).
to accept any service principal in the KeyTab file. Use V(*) to accept any service principal in the KeyTab file.
type: str type: str
keyTab: keyTab:
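Review bot: in krbPrincipalAttribute, "This is used to lookup appropriate LDAP user" should be "This is used to look up the appropriate LDAP user", and "the LDAP user will be looked based on LDAP username corresponding to the first part of his Kerberos principal" should be "the LDAP user will be looked up based on the LDAP username corresponding to the first part of the Kerberos principal". These defects predate the commit but are in lines it rewrites.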
@ -362,8 +372,8 @@ options:
useKerberosForPasswordAuthentication: useKerberosForPasswordAuthentication:
description: description:
- Use Kerberos login module for authenticate username/password against Kerberos server instead of authenticating against LDAP server - Use Kerberos login module for authenticate username/password against Kerberos server instead of authenticating
with Directory Service API. against LDAP server with Directory Service API.
default: false default: false
type: bool type: bool
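Review bot: "Use Kerberos login module for authenticate username/password against Kerberos server" should be "Use the Kerberos login module to authenticate username/password against the Kerberos server".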
@ -429,8 +439,9 @@ options:
referral: referral:
description: description:
- Specifies if LDAP referrals should be followed or ignored. Please note that enabling referrals can slow down authentication as it - Specifies if LDAP referrals should be followed or ignored. Please note that enabling referrals can slow down authentication
allows the LDAP server to decide which other LDAP servers to use. This could potentially include untrusted servers. as it allows the LDAP server to decide which other LDAP servers to use. This could potentially include untrusted
servers.
type: str type: str
choices: choices:
- ignore - ignore

View File

@ -15,15 +15,17 @@ short_description: Allows administration of Keycloak user_rolemapping with the K
version_added: 5.7.0 version_added: 5.7.0
description: description:
- This module allows you to add, remove or modify Keycloak user_rolemapping with the Keycloak REST API. It requires access to the REST API using - This module allows you to add, remove or modify Keycloak user_rolemapping with the Keycloak REST API. It requires access
OpenID Connect; the user connecting and the client being used must have the requisite access rights. In a default Keycloak installation, admin-cli to the REST API using OpenID Connect; the user connecting and the client being used must have the requisite access rights.
and an admin user would work, as would a separate client definition with the scope tailored to your needs and a user having the expected roles. In a default Keycloak installation, admin-cli and an admin user would work, as would a separate client definition with
- The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at the scope tailored to your needs and a user having the expected roles.
U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html). - The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation
- Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will be returned that way by this module. at U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html).
You may pass single values for attributes when calling the module, and this will be translated into a list suitable for the API. - Attributes are multi-valued in the Keycloak API. All attributes are lists of individual values and will be returned that
- When updating a user_rolemapping, where possible provide the role ID to the module. This removes a lookup to the API to translate the name way by this module. You may pass single values for attributes when calling the module, and this will be translated into
into the role ID. a list suitable for the API.
- When updating a user_rolemapping, where possible provide the role ID to the module. This removes a lookup to the API to
translate the name into the role ID.
attributes: attributes:
check_mode: check_mode:
support: full support: full
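Review bot: the rewrapped description still links U(https://www.keycloak.org/docs-api/8.0/rest-api/index.html), while the other Keycloak modules touched in this commit point at 20.0.2 and 24.0.5. Since the line is being edited anyway, consider updating the version in the URL so the option-name mapping refers to an API version that is still documented.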
@ -59,22 +61,26 @@ options:
type: str type: str
description: description:
- ID of the user to be mapped. - ID of the user to be mapped.
- This parameter is not required for updating or deleting the rolemapping but providing it will reduce the number of API calls required. - This parameter is not required for updating or deleting the rolemapping but providing it will reduce the number of
API calls required.
service_account_user_client_id: service_account_user_client_id:
type: str type: str
description: description:
- Client ID of the service-account-user to be mapped. - Client ID of the service-account-user to be mapped.
- This parameter is not required for updating or deleting the rolemapping but providing it will reduce the number of API calls required. - This parameter is not required for updating or deleting the rolemapping but providing it will reduce the number of
API calls required.
client_id: client_id:
type: str type: str
description: description:
- Name of the client to be mapped (different than O(cid)). - Name of the client to be mapped (different than O(cid)).
- This parameter is required if O(cid) is not provided (can be replaced by O(cid) to reduce the number of API calls that must be made). - This parameter is required if O(cid) is not provided (can be replaced by O(cid) to reduce the number of API calls
that must be made).
cid: cid:
type: str type: str
description: description:
- ID of the client to be mapped. - ID of the client to be mapped.
- This parameter is not required for updating or deleting the rolemapping but providing it will reduce the number of API calls required. - This parameter is not required for updating or deleting the rolemapping but providing it will reduce the number of
API calls required.
roles: roles:
description: description:
- Roles to be mapped to the user. - Roles to be mapped to the user.
@ -90,8 +96,8 @@ options:
type: str type: str
description: description:
- The unique identifier for this role_representation. - The unique identifier for this role_representation.
- This parameter is not required for updating or deleting a role_representation but providing it will reduce the number of API calls - This parameter is not required for updating or deleting a role_representation but providing it will reduce the
required. number of API calls required.
extends_documentation_fragment: extends_documentation_fragment:
- community.general.keycloak - community.general.keycloak
- community.general.keycloak.actiongroup_keycloak - community.general.keycloak.actiongroup_keycloak

View File

@ -14,11 +14,11 @@ module: keycloak_userprofile
short_description: Allows managing Keycloak User Profiles short_description: Allows managing Keycloak User Profiles
description: description:
- This module allows you to create, update, or delete Keycloak User Profiles using the Keycloak API. You can also customize the "Unmanaged Attributes" - This module allows you to create, update, or delete Keycloak User Profiles using the Keycloak API. You can also customize
with it. the "Unmanaged Attributes" with it.
- The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at - The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation
U(https://www.keycloak.org/docs-api/24.0.5/rest-api/index.html). at U(https://www.keycloak.org/docs-api/24.0.5/rest-api/index.html). For compatibility reasons, the module also accepts
For compatibility reasons, the module also accepts the camelCase versions of the options. the camelCase versions of the options.
version_added: "9.4.0" version_added: "9.4.0"
attributes: attributes:
@ -33,7 +33,8 @@ options:
state: state:
description: description:
- State of the User Profile provider. - State of the User Profile provider.
- On V(present), the User Profile provider will be created if it does not yet exist, or updated with the parameters you provide. - On V(present), the User Profile provider will be created if it does not yet exist, or updated with the parameters
you provide.
- On V(absent), the User Profile provider will be removed if it exists. - On V(absent), the User Profile provider will be removed if it exists.
default: 'present' default: 'present'
type: str type: str
@ -264,8 +265,8 @@ options:
- ADMIN_VIEW - ADMIN_VIEW
notes: notes:
- Currently, only a single V(declarative-user-profile) entry is supported for O(provider_id) (design of the Keyckoak API). However, there can - Currently, only a single V(declarative-user-profile) entry is supported for O(provider_id) (design of the Keyckoak API).
be multiple O(config.kc_user_profile_config[].attributes[]) entries. However, there can be multiple O(config.kc_user_profile_config[].attributes[]) entries.
extends_documentation_fragment: extends_documentation_fragment:
- community.general.keycloak - community.general.keycloak
- community.general.keycloak.actiongroup_keycloak - community.general.keycloak.actiongroup_keycloak
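Review bot: "design of the Keyckoak API" in the notes carries a typo into the rewrapped line; it should be "Keycloak".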

View File

@ -19,8 +19,8 @@ author:
- Alexander Hussey (@ahussey-redhat) - Alexander Hussey (@ahussey-redhat)
short_description: Set or delete a passphrase using the Operating System's native keyring short_description: Set or delete a passphrase using the Operating System's native keyring
description: >- description: >-
This module uses the L(keyring Python library, https://pypi.org/project/keyring/) to set or delete passphrases for a given service and username This module uses the L(keyring Python library, https://pypi.org/project/keyring/) to set or delete passphrases for a given
from the OS' native keyring. service and username from the OS' native keyring.
requirements: requirements:
- keyring (Python library) - keyring (Python library)
- gnome-keyring (application - required for headless Gnome keyring access) - gnome-keyring (application - required for headless Gnome keyring access)

View File

@ -19,8 +19,8 @@ author:
- Alexander Hussey (@ahussey-redhat) - Alexander Hussey (@ahussey-redhat)
short_description: Get a passphrase using the Operating System's native keyring short_description: Get a passphrase using the Operating System's native keyring
description: >- description: >-
This module uses the L(keyring Python library, https://pypi.org/project/keyring/) to retrieve passphrases for a given service and username from This module uses the L(keyring Python library, https://pypi.org/project/keyring/) to retrieve passphrases for a given service
the OS' native keyring. and username from the OS' native keyring.
requirements: requirements:
- keyring (Python library) - keyring (Python library)
- gnome-keyring (application - required for headless Linux keyring access) - gnome-keyring (application - required for headless Linux keyring access)

View File

@ -102,7 +102,7 @@ name:
returned: success returned: success
type: str type: str
url: url:
description: The url from where the plugin is installed from. description: The URL from where the plugin is installed from.
returned: success returned: success
type: str type: str
timeout: timeout:

View File

@ -50,21 +50,24 @@ options:
- Use O(cache_name) as the ticket cache name and location. - Use O(cache_name) as the ticket cache name and location.
- If this option is not used, the default cache name and location are used. - If this option is not used, the default cache name and location are used.
- The default credentials cache may vary between systems. - The default credentials cache may vary between systems.
- If not set the the value of E(KRB5CCNAME) environment variable will be used instead, its value is used to name the default ticket cache. - If not set the the value of E(KRB5CCNAME) environment variable will be used instead, its value is used to name the
default ticket cache.
type: str type: str
lifetime: lifetime:
description: description:
- Requests a ticket with the lifetime, if the O(lifetime) is not specified, the default ticket lifetime is used. - Requests a ticket with the lifetime, if the O(lifetime) is not specified, the default ticket lifetime is used.
- Specifying a ticket lifetime longer than the maximum ticket lifetime (configured by each site) will not override the configured maximum - Specifying a ticket lifetime longer than the maximum ticket lifetime (configured by each site) will not override the
ticket lifetime. configured maximum ticket lifetime.
- 'The value for O(lifetime) must be followed by one of the following suffixes: V(s) - seconds, V(m) - minutes, V(h) - hours, V(d) - days.' - 'The value for O(lifetime) must be followed by one of the following suffixes: V(s) - seconds, V(m) - minutes, V(h)
- hours, V(d) - days.'
- You cannot mix units; a value of V(3h30m) will result in an error. - You cannot mix units; a value of V(3h30m) will result in an error.
- See U(https://web.mit.edu/kerberos/krb5-1.12/doc/basic/date_format.html) for reference. - See U(https://web.mit.edu/kerberos/krb5-1.12/doc/basic/date_format.html) for reference.
type: str type: str
start_time: start_time:
description: description:
- Requests a postdated ticket. - Requests a postdated ticket.
- Postdated tickets are issued with the invalid flag set, and need to be resubmitted to the KDC for validation before use. - Postdated tickets are issued with the invalid flag set, and need to be resubmitted to the KDC for validation before
use.
- O(start_time) specifies the duration of the delay before the ticket can become valid. - O(start_time) specifies the duration of the delay before the ticket can become valid.
- You can use absolute time formats, for example V(July 27, 2012 at 20:30) you would neet to set O(start_time=20120727203000). - You can use absolute time formats, for example V(July 27, 2012 at 20:30) you would neet to set O(start_time=20120727203000).
- You can also use time duration format similar to O(lifetime) or O(renewable). - You can also use time duration format similar to O(lifetime) or O(renewable).
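Review bot: two typos survive the rewrap in this hunk: "If not set the the value of E(KRB5CCNAME)" has a doubled "the", and "you would neet to set O(start_time=20120727203000)" should be "need". The cache_name sentence is also a run-on; "If not set, the value of the E(KRB5CCNAME) environment variable is used instead; it names the default ticket cache" reads better. Separately, the rewrap of the quoted lifetime description puts "- hours, V(d) - days.'" at the start of a continuation line; it is still inside the single-quoted scalar and parses correctly, but it looks like a new list item. Breaking before "V(h) - hours" instead would avoid the ambiguity.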
@ -73,8 +76,8 @@ options:
renewable: renewable:
description: description:
- Requests renewable tickets, with a total lifetime equal to O(renewable). - Requests renewable tickets, with a total lifetime equal to O(renewable).
- 'The value for O(renewable) must be followed by one of the following delimiters: V(s) - seconds, V(m) - minutes, V(h) - hours, V(d) - - 'The value for O(renewable) must be followed by one of the following delimiters: V(s) - seconds, V(m) - minutes, V(h)
days.' - hours, V(d) - days.'
- You cannot mix units; a value of V(3h30m) will result in an error. - You cannot mix units; a value of V(3h30m) will result in an error.
- See U(https://web.mit.edu/kerberos/krb5-1.12/doc/basic/date_format.html) for reference. - See U(https://web.mit.edu/kerberos/krb5-1.12/doc/basic/date_format.html) for reference.
type: str type: str
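Review bot: the rewrapped renewable description starts a continuation line with "- hours, V(d) - days.'". Inside the single-quoted scalar this is valid YAML, but a reader scanning the file will take it for a new list item; wrapping before "V(h) - hours" keeps each unit with its suffix and removes the false list marker.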
@ -96,7 +99,8 @@ options:
type: bool type: bool
canonicalization: canonicalization:
description: description:
- Requests canonicalization of the principal name, and allows the KDC to reply with a different client principal from the one requested. - Requests canonicalization of the principal name, and allows the KDC to reply with a different client principal from
the one requested.
type: bool type: bool
enterprise: enterprise:
description: description: