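---
# Configure JBoss management security: the LDAP security realm and its
# connection, the RBAC role mappings, the ManagementRealmHTTPS realm with its
# SSL server identity, the http-interface bindings and the AD CLI batch run.
#
# Variables read by this file (supplied by the role/play):
#   service_startup_file, jboss_cli_auth, jboss_dir, jboss_bin_dir,
#   jboss_cli_script, jboss_service_user, jboss_encrypted_keystore, ansible_fqdn
#
# Pattern used throughout: a "Check"/"Get" task reads state and registers the
# result; the paired "Add"/"Create" task runs only when the registered stdout
# lacks the expected marker.  Reads accept rc 1 as "resource not found"
# (failed_when: x.rc != 0 and x.rc != 1), as the original author noted for sr2.
#
# NOTE(review): shell tasks below put {{ jboss_cli_auth }} on the jboss-cli
# command line; if it carries a password, it is visible to `ps` on the host
# and in verbose Ansible output while the command runs. Prefer a CLI
# credential that does not travel on argv if the custom module allows it.

# Custom handler module fails with
# "module_stdout": "Traceback (most recent call last):\r\n File \"/var/tmp/ansible-tmp-1571092868.423615-27323659292827/AnsiballZ_jboss_cli.py\", line 114, in \r\n _ansiballz_main()\r\n File \"/var/tmp/ansible-tmp-1571092868.423615-27323659292827/AnsiballZ_jboss_cli.py\", line 106, in _ansiballz_main\r\n invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\r\n File \"/var/tmp/ansible-tmp-1571092868.423615-27323659292827/AnsiballZ_jboss_cli.py\", line 49, in invoke_module\r\n imp.load_module('__main__', mod, module, MOD_DESC)\r\n File \"/tmp/ansible_jboss_cli_payload_hTw5aK/__main__.py\", line 135, in \r\n File \"/tmp/ansible_jboss_cli_payload_hTw5aK/__main__.py\", line 132, in main\r\n File \"/tmp/ansible_jboss_cli_payload_hTw5aK/__main__.py\", line 129, in run_module\r\n File \"/tmp/ansible_jboss_cli_payload_hTw5aK/ansible_jboss_cli_payload.zip/ansible/module_utils/basic.py\", line 2053, in fail_json\r\nAssertionError: implementation error -- msg to explain the error is required\r\n",
#
# The legacy (core-service) read is kept below for reference:
#  shell: "source {{ service_startup_file }} ; ./jboss-cli.sh {{ jboss_cli_auth }} --connect --command='/core-service=management/security-realm=ldap_security_realm/:read-resource(recursive=true,proxies=false,include-runtime=false,include-defaults=true)'"
#
# The read below was fully commented out, but every task in this section still
# conditions on `sr2` (sr2.rc, sr2.stdout); with it disabled the play stops at
# the first `when: sr2.rc == 1` with an undefined-variable error.  It is
# restored as a raw shell call, like the ldap_connection read further down,
# and points at the resource the Add task creates.
# TODO(review): confirm the elytron resource address; the earlier draft read
# /subsystem=elytron/security-realm=elytron_security_realm instead.
- name: Get the (ldap_security_realm) security-realm info
  shell: "source {{ service_startup_file }} ; ./jboss-cli.sh {{ jboss_cli_auth }} --connect --command='/subsystem=elytron/ldap-realm=ldap_security_realm:read-resource(recursive=true,proxies=false,include-runtime=false,include-defaults=true)'"
  args:
    chdir: "{{ jboss_dir }}/bin"
  become: True
  register: sr2
  become_user: "{{ jboss_service_user }}"
  changed_when: False
  # rc 1 = realm not present yet; the Add task below handles that case
  failed_when: sr2.rc != 0 and sr2.rc != 1

- name: Add the (ldap_security_realm) security-realm
  jboss_cli:
    jboss_cli_script: "{{ jboss_cli_script }}"
    #jboss_cli_command: "/core-service=management/security-realm=ldap_security_realm/:add"
    # Was a second `jboss_cli_script:` key (duplicate key, so the module got no
    # command -- consistent with the fail_json-without-msg traceback above) and
    # its value mixed unescaped " inside a "..." scalar, which is not valid YAML.
    # NOTE(review): this references dir-context=ldap-connection, but the task
    # "Add the authentication" below creates dir-context=ldap, and it runs
    # after this one; the names and order need to agree.
    jboss_cli_command: "/subsystem=elytron/ldap-realm=ldap_security_realm:add(dir-context=ldap-connection,identity-mapping={search-base-dn=\"ou=SFG Users,dc=corp,dc=standard,dc=com\",rdn-identifier=\"uid\",user-password-mapper={from=\"userPassword\"}})"
  become: True
  register: sr2add
  become_user: "{{ jboss_service_user }}"
  changed_when: False
  # we need to add this security-realm since it was not found
  when: sr2.rc == 1

# A `debug` task that printed jboss_encrypted_keystore in clear text was removed
# here: it wrote the keystore password into every play log and CI transcript.

- name: Add the truststore to the (ldap_security_realm) security-realm
  jboss_cli:
    jboss_cli_script: "{{ jboss_cli_script }}"
    #jboss_cli_command: "/core-service=management/security-realm=ldap_security_realm/authentication=truststore:add(keystore-path={{ jboss_bin_dir }}/keystore.jks,keystore-password={{ jboss_encrypted_keystore }})"
    # NOTE(review): this issues a second `:add` on the same ldap-realm resource
    # the previous task created, with truststore attributes the legacy
    # authentication=truststore child took; confirm the intended elytron
    # equivalent before relying on it.
    jboss_cli_command: "/subsystem=elytron/ldap-realm=ldap_security_realm:add(keystore-path={{ jboss_bin_dir }}/keystore.jks, keystore-password={{ jboss_encrypted_keystore }})"
  become: True
  register: sr2trust
  become_user: "{{ jboss_service_user }}"
  changed_when: False
  # the command embeds the keystore password; keep it out of the play output
  no_log: True
  # `when` is already a Jinja expression, so the path is built with ~ rather
  # than nested {{ }} delimiters (which Ansible warns about)
  when: sr2.stdout is not search(jboss_bin_dir ~ '/keystore.jks')
  failed_when: sr2trust.rc != 0

- name: Add the authentication to the (ldap_security_realm) security-realm
  jboss_cli:
    jboss_cli_script: "{{ jboss_cli_script }}"
    #jboss_cli_command: "/core-service=management/security-realm=ldap_security_realm/authentication=ldap:add(connection=ldap_connection,base-dn=\"ou=SFG Users,dc=corp,dc=standard,dc=com\",recursive=\"true\",username-attribute=saMAccountName)"
    # NOTE(review): the attribute list was carried over verbatim from the legacy
    # authentication=ldap child; confirm it matches what elytron dir-context accepts.
    jboss_cli_command: "/subsystem=elytron/dir-context=ldap:add(connection=ldap_connection,base-dn=\"ou=SFG Users,dc=corp,dc=standard,dc=com\",recursive=\"true\",username-attribute=saMAccountName)"
  become: True
  register: sr2auth
  become_user: "{{ jboss_service_user }}"
  changed_when: False
  when: sr2.stdout is not search('saMAccountName')
  failed_when: sr2auth.rc != 0

#- name: Get the (ldap_security_realm_native) security-realm info
#  jboss_cli:
#    jboss_cli_script: "{{ jboss_cli_script }}"
#    jboss_cli_command: "/core-service=management/security-realm=ldap_security_realm_native/:read-resource(recursive=true,proxies=false,include-runtime=false,include-defaults=true)"
#  become: True
#  register: sr2native
#  become_user: "{{ jboss_service_user }}"
#  changed_when: False
#  failed_when: sr2native.rc != 0 and sr2native.rc != 1

#- name: Add the (ldap_security_realm_native) security-realm
#  jboss_cli:
#    jboss_cli_script: "{{ jboss_cli_script }}"
#    jboss_cli_command: "/core-service=management/security-realm=ldap_security_realm_native/:add"
#  become: True
#  register: sr2nativeadd
#  become_user: "{{ jboss_service_user }}"
#  changed_when: False
#  # we need to add this security-realm since it was not found
#  when: sr2native.rc == 1

#- name: Add the authentication to the (ldap_security_realm_native) security-realm
#  jboss_cli:
#    jboss_cli_script: "{{ jboss_cli_script }}"
#    jboss_cli_command: "/core-service=management/security-realm=ldap_security_realm_native/authentication=ldap:add(connection=ldap_connection,base-dn=\"ou=SFG Users,dc=corp,dc=standard,dc=com\",recursive=\"true\",username-attribute=saMAccountName)"
#  become: True
#  register: sr2nativeauth
#  become_user: "{{ jboss_service_user }}"
#  changed_when: False
#  when: sr2.stdout is not search('saMAccountName')
#  failed_when: sr2nativeauth.rc != 0

# When THIS task is migrated to jboss_cli, NEXT task ("Add the (ldap_connection)") fails with error:
# "module_stdout": "Traceback (most recent call last):\r\n File \"/var/tmp/ansible-tmp-1571266407.025619-139418031831131/AnsiballZ_jboss_cli.py\", line 114, in \r\n _ansiballz_main()\r\n File \"/var/tmp/ansible-tmp-1571266407.025619-139418031831131/AnsiballZ_jboss_cli.py\", line 106, in _ansiballz_main\r\n invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\r\n File \"/var/tmp/ansible-tmp-1571266407.025619-139418031831131/AnsiballZ_jboss_cli.py\", line 49, in invoke_module\r\n imp.load_module('__main__', mod, module, MOD_DESC)\r\n File \"/tmp/ansible_jboss_cli_payload_oc4PpZ/__main__.py\", line 135, in \r\n File \"/tmp/ansible_jboss_cli_payload_oc4PpZ/__main__.py\", line 132, in main\r\n File \"/tmp/ansible_jboss_cli_payload_oc4PpZ/__main__.py\", line 129, in run_module\r\n File \"/tmp/ansible_jboss_cli_payload_oc4PpZ/ansible_jboss_cli_payload.zip/ansible/module_utils/basic.py\", line 2053, in fail_json\r\nAssertionError: implementation error -- msg to explain the error is required\r\n"
- name: Get the ldap_connection info
  shell: "source {{ service_startup_file }} ; ./jboss-cli.sh {{ jboss_cli_auth }} --connect --command='/core-service=management/ldap-connection=ldap_connection/:read-resource(recursive=true,proxies=false,include-runtime=false,include-defaults=true)'"
  args:
    chdir: "{{ jboss_dir }}/bin"
  become: True
  register: lc
  become_user: "{{ jboss_service_user }}"
  changed_when: False
  failed_when: lc.rc != 0 and lc.rc != 1

- name: Add the (ldap_connection)
  jboss_cli:
    jboss_cli_script: "{{ jboss_cli_script }}"
    # SECURITY(review): search-credential is the LDAP bind password in clear
    # text inside this task file; move it to an Ansible Vault variable and
    # rotate the value that has been committed here.
    jboss_cli_command: "/core-service=management/ldap-connection=ldap_connection/:add(search-credential=\"Df7*G+$r\",search-dn=\"cn=LDAP-was,ou=Special Accounts,ou=SFG Users,dc=corp,dc=standard,dc=com\",url=\"ldaps://ldap.standard.com:636\")"
  become: True
  register: lcadd
  become_user: "{{ jboss_service_user }}"
  changed_when: False
  # the command embeds the bind credential; keep it out of the play output
  no_log: True
  when: lc.stdout is not search('ldaps://ldap.standard.com:636')
  failed_when: lcadd.rc != 0

# --- RBAC role mappings -------------------------------------------------------
# One `ls` of role-mapping feeds all four Add tasks below.
- name: Check SuperUser role mapping
  jboss_cli:
    jboss_cli_script: "{{ jboss_cli_script }}"
    jboss_cli_command: "ls /core-service=management/access=authorization/role-mapping"
  become: True
  register: role_mapping
  become_user: "{{ jboss_service_user }}"
  changed_when: False
  failed_when: role_mapping.rc != 0 and role_mapping.rc != 1

# The four failed_when expressions below previously referenced
# `_add_*_role_mapping` (single underscore) in their second operand, an
# undefined variable that raised whenever rc was non-zero.
- name: Add SuperUser role mapping
  jboss_cli:
    jboss_cli_script: "{{ jboss_cli_script }}"
    jboss_cli_command: "/core-service=management/access=authorization/role-mapping=SuperUser:add()"
  become: True
  register: __add_superuser_role_mapping
  become_user: "{{ jboss_service_user }}"
  when: role_mapping.stdout is not search('SuperUser')
  changed_when: False
  failed_when: __add_superuser_role_mapping.rc != 0 and __add_superuser_role_mapping.rc != 1

- name: Add Administrator role mapping
  jboss_cli:
    jboss_cli_script: "{{ jboss_cli_script }}"
    jboss_cli_command: "/core-service=management/access=authorization/role-mapping=Administrator:add()"
  become: True
  register: __add_admin_role_mapping
  become_user: "{{ jboss_service_user }}"
  when: role_mapping.stdout is not search('Administrator')
  changed_when: False
  failed_when: __add_admin_role_mapping.rc != 0 and __add_admin_role_mapping.rc != 1

- name: Add Deployer role mapping
  jboss_cli:
    jboss_cli_script: "{{ jboss_cli_script }}"
    jboss_cli_command: "/core-service=management/access=authorization/role-mapping=Deployer:add()"
  become: True
  register: __add_deployer_role_mapping
  become_user: "{{ jboss_service_user }}"
  when: role_mapping.stdout is not search('Deployer')
  changed_when: False
  failed_when: __add_deployer_role_mapping.rc != 0 and __add_deployer_role_mapping.rc != 1

- name: Add Monitor role mapping
  jboss_cli:
    jboss_cli_script: "{{ jboss_cli_script }}"
    jboss_cli_command: "/core-service=management/access=authorization/role-mapping=Monitor:add()"
  become: True
  register: __add_monitor_role_mapping
  become_user: "{{ jboss_service_user }}"
  when: role_mapping.stdout is not search('Monitor')
  changed_when: False
  failed_when: __add_monitor_role_mapping.rc != 0 and __add_monitor_role_mapping.rc != 1

# --- Group -> role includes ---------------------------------------------------
- name: Check for jboss_admin group
  jboss_cli:
    jboss_cli_script: "{{ jboss_cli_script }}"
    jboss_cli_command: "ls /core-service=management/access=authorization/role-mapping=Administrator/include="
  become: True
  register: ja
  become_user: "{{ jboss_service_user }}"
  # the role-mapping may not be visible immediately after the add above
  retries: 5
  delay: 1
  until: ja.rc == 0
  changed_when: False
  failed_when: ja.rc != 0

- name: Map jboss_admin group to Administrator
  jboss_cli:
    jboss_cli_script: "{{ jboss_cli_script }}"
    jboss_cli_command: "/core-service=management/access=authorization/role-mapping=Administrator/include=Administrator:add(name=jboss_admin, type=GROUP)"
  become: True
  register: ja_add
  become_user: "{{ jboss_service_user }}"
  retries: 5
  delay: 1
  until: ja_add.rc == 0
  changed_when: False
  failed_when: ja_add.rc != 0
  when: ja.stdout is not search('Administrator')

- name: Check for jboss_superuser group
  jboss_cli:
    jboss_cli_script: "{{ jboss_cli_script }}"
    jboss_cli_command: "ls /core-service=management/access=authorization/role-mapping=SuperUser/include="
  become: True
  register: js
  become_user: "{{ jboss_service_user }}"
  retries: 5
  delay: 1
  until: js.rc == 0
  changed_when: False
  failed_when: js.rc != 0

- name: Map jboss_superuser group to SuperUser
  jboss_cli:
    jboss_cli_script: "{{ jboss_cli_script }}"
    # NOTE(review): the group is spelled jboss_SuperUser here while the task
    # name and the other mappings use lower case (jboss_admin, jboss_deploy,
    # jboss_monitor); confirm against the directory, left unchanged in case
    # the group name really is mixed case.
    jboss_cli_command: "/core-service=management/access=authorization/role-mapping=SuperUser/include=SuperUser:add(name=jboss_SuperUser, type=GROUP)"
  become: True
  register: js_add
  become_user: "{{ jboss_service_user }}"
  changed_when: False
  failed_when: js_add.rc != 0 and js_add.rc != 1
  when: js.stdout is not search('SuperUser')

- name: Check for jboss_deploy group
  jboss_cli:
    jboss_cli_script: "{{ jboss_cli_script }}"
    jboss_cli_command: "ls /core-service=management/access=authorization/role-mapping=Deployer/include="
  become: True
  register: jd
  become_user: "{{ jboss_service_user }}"
  changed_when: False
  failed_when: jd.rc != 0 and jd.rc != 1

- name: Map jboss_deploy group to Deployer
  jboss_cli:
    jboss_cli_script: "{{ jboss_cli_script }}"
    jboss_cli_command: "/core-service=management/access=authorization/role-mapping=Deployer/include=Deployer:add(name=jboss_deploy, type=GROUP)"
  become: True
  register: jd_add
  become_user: "{{ jboss_service_user }}"
  changed_when: False
  failed_when: jd_add.rc != 0 and jd_add.rc != 1
  when: jd.stdout is not search('Deployer')

- name: Check for jboss_monitor group
  jboss_cli:
    jboss_cli_script: "{{ jboss_cli_script }}"
    jboss_cli_command: "ls /core-service=management/access=authorization/role-mapping=Monitor/include="
  become: True
  register: jm
  become_user: "{{ jboss_service_user }}"
  changed_when: False
  failed_when: jm.rc != 0 and jm.rc != 1

- name: Map jboss_monitor group to Monitor
  jboss_cli:
    jboss_cli_script: "{{ jboss_cli_script }}"
    jboss_cli_command: "/core-service=management/access=authorization/role-mapping=Monitor/include=Monitor:add(name=jboss_monitor, type=GROUP)"
  become: True
  register: jm_add
  become_user: "{{ jboss_service_user }}"
  changed_when: False
  failed_when: jm_add.rc != 0 and jm_add.rc != 1
  when: jm.stdout is not search('Monitor')

# --- ManagementRealmHTTPS ------------------------------------------------------
# Each Create task now registers under its own name instead of overwriting the
# Check task's variable, so later reads of e.g. `mrhttps` still see the check.
- name: Check for ManagementRealmHTTPS
  jboss_cli:
    jboss_cli_script: "{{ jboss_cli_script }}"
    jboss_cli_command: "ls /core-service=management/security-realm"
  become: True
  register: mrhttps
  become_user: "{{ jboss_service_user }}"
  changed_when: False
  failed_when: mrhttps.rc != 0 and mrhttps.rc != 1

- name: Create ManagementRealmHTTPS
  jboss_cli:
    jboss_cli_script: "{{ jboss_cli_script }}"
    jboss_cli_command: "/core-service=management/security-realm=ManagementRealmHTTPS:add()"
  become: True
  register: mrhttps_add
  become_user: "{{ jboss_service_user }}"
  changed_when: False
  failed_when: mrhttps_add.rc != 0 and mrhttps_add.rc != 1
  when: mrhttps.stdout is not search('ManagementRealmHTTPS')

- name: Check if SSL configuration exists for management realm
  jboss_cli:
    jboss_cli_script: "{{ jboss_cli_script }}"
    jboss_cli_command: "ls /core-service=management/security-realm=ManagementRealmHTTPS/server-identity="
  become: True
  register: ssl_conf
  become_user: "{{ jboss_service_user }}"
  changed_when: False
  failed_when: ssl_conf.rc != 0 and ssl_conf.rc != 1

- name: Create SSL configuration for management realm
  jboss_cli:
    jboss_cli_script: "{{ jboss_cli_script }}"
    jboss_cli_command: "/core-service=management/security-realm=ManagementRealmHTTPS/server-identity=ssl:add(alias={{ ansible_fqdn }}, keystore-path={{ jboss_bin_dir }}/keystore.jks,keystore-password={{ jboss_encrypted_keystore }})"
  become: True
  become_user: "{{ jboss_service_user }}"
  changed_when: False
  # the command embeds the keystore password; keep it out of the play output
  no_log: True
  when: ssl_conf.stdout is not search('ssl')
  register: ssl_conf_add
  failed_when: ssl_conf_add.rc != 0

- name: Check for local user
  jboss_cli:
    jboss_cli_script: "{{ jboss_cli_script }}"
    jboss_cli_command: "ls /core-service=management/security-realm=ManagementRealmHTTPS/authentication"
  become: True
  register: mgt_realm_auth
  become_user: "{{ jboss_service_user }}"
  changed_when: False

- name: Add for local user
  jboss_cli:
    jboss_cli_script: "{{ jboss_cli_script }}"
    jboss_cli_command: "/core-service=management/security-realm=ManagementRealmHTTPS/authentication=local:add(default-user=local)"
  become: True
  register: local_user
  become_user: "{{ jboss_service_user }}"
  changed_when: False
  when: mgt_realm_auth.stdout is not search('local')

- name: Check for management user prop file path
  jboss_cli:
    jboss_cli_script: "{{ jboss_cli_script }}"
    jboss_cli_command: "ls /core-service=management/security-realm=ManagementRealmHTTPS/authentication"
  become: True
  register: mgt_prop_path
  become_user: "{{ jboss_service_user }}"
  changed_when: False

- name: Add management user prop file path
  jboss_cli:
    jboss_cli_script: "{{ jboss_cli_script }}"
    jboss_cli_command: "/core-service=management/security-realm=ManagementRealmHTTPS/authentication=properties:add(relative-to=jboss.server.config.dir, path=mgmt-users.properties)"
  become: True
  register: mgt_prop_add
  become_user: "{{ jboss_service_user }}"
  changed_when: False
  when: mgt_prop_path.stdout is not search('properties')

# Keep this a raw jboss-cli call per Russ
- name: Reload (if needed)
  shell: "source {{ service_startup_file }} ; ./jboss-cli.sh {{ jboss_cli_auth }} --connect --command=':reload' ; sleep 10"
  args:
    chdir: "{{ jboss_dir }}/bin"
  become: True
  register: reload
  become_user: "{{ jboss_service_user }}"
  changed_when: False
  failed_when: reload.rc != 0

# --- http management interface -------------------------------------------------
- name: Get the (management-interface) info
  jboss_cli:
    jboss_cli_script: "{{ jboss_cli_script }}"
    jboss_cli_command: "/core-service=management/management-interface=http-interface/:read-resource(recursive=true,proxies=false,include-runtime=false,include-defaults=true)"
  become: True
  register: mi
  become_user: "{{ jboss_service_user }}"
  changed_when: False
  failed_when: mi.rc != 0 and mi.rc != 1

- name: Add the (ldap_security_realm) to the (management-interface)
  jboss_cli:
    jboss_cli_script: "{{ jboss_cli_script }}"
    jboss_cli_command: "/core-service=management/management-interface=http-interface/:write-attribute(name=security-realm,value=ldap_security_realm)"
  become: True
  register: miattr
  become_user: "{{ jboss_service_user }}"
  changed_when: False
  when: mi.stdout is not search('ldap_security_realm')
  failed_when: miattr.rc != 0

- name: Check if http-upgrade enabled
  jboss_cli:
    jboss_cli_script: "{{ jboss_cli_script }}"
    jboss_cli_command: "ls /core-service=management/management-interface=http-interface"
  become: True
  register: http_upgrade
  become_user: "{{ jboss_service_user }}"
  retries: 5
  delay: 1
  until: http_upgrade.rc == 0
  changed_when: False
  failed_when: http_upgrade.rc != 0

- name: Add http-upgrade enabled
  jboss_cli:
    jboss_cli_script: "{{ jboss_cli_script }}"
    jboss_cli_command: "if (outcome != success) of /core-service=management/management-interface=http-interface:read-attribute(name=http-upgrade) /core-service=management/management-interface=http-interface:write-attribute(name=http-upgrade,value={enabled=true}) end-if"
  become: True
  register: http_upgrade_add
  become_user: "{{ jboss_service_user }}"
  changed_when: False
  when: http_upgrade.stdout is not search("http-upgrade={\"enabled\" => true}")
  failed_when: http_upgrade_add.rc != 0

# --- AD authorization batch ----------------------------------------------------
- name: Check for management service ldap authorization
  jboss_cli:
    jboss_cli_script: "{{ jboss_cli_script }}"
    jboss_cli_command: "ls /core-service=management/security-realm=ldap_security_realm/authorization"
  become: True
  register: msldapauth
  become_user: "{{ jboss_service_user }}"
  changed_when: False

# The batch used to be rendered to a fixed, predictable path (/tmp/jboss_ad_cli.batch)
# as root with mode 0644, skipped if the file already existed, and then fed to
# jboss-cli as {{ jboss_service_user }}.  Any local user could pre-create that
# path and have its contents executed against the management interface, and
# the rendered batch was world-readable.  A private temp file owned by the
# executing user closes both.
- name: Create private temp file for CLI AD batch
  tempfile:
    state: file
    suffix: .jboss_ad_cli.batch
  register: __cli_batch_file
  become: True
  become_user: "{{ jboss_service_user }}"
  changed_when: False
  when: msldapauth.stdout is not search('ldap')

- name: Copy CLI AD batch file
  template:
    src: jboss_ad_cli.batch.j2
    dest: "{{ __cli_batch_file.path }}"
    owner: "{{ jboss_service_user }}"
    mode: '0600'
  become: True
  changed_when: False
  when: msldapauth.stdout is not search('ldap')

# Custom handler module cannot execute files per Russ
- name: Execute CLI AD batch file
  shell: "source {{ service_startup_file }} ; ./jboss-cli.sh {{ jboss_cli_auth }} --connect --file={{ __cli_batch_file.path }}"
  args:
    chdir: "{{ jboss_dir }}/bin"
  become: True
  become_user: "{{ jboss_service_user }}"
  register: __jboss_ad_cli_batch
  failed_when: __jboss_ad_cli_batch.stdout is not search('success')
  changed_when: False
  when: msldapauth.stdout is not search('ldap')

- name: Delete CLI AD batch file
  file:
    path: "{{ __cli_batch_file.path }}"
    state: absent
  become: True
  changed_when: False
  # tempfile is skipped when no batch is needed, so `path` may be undefined
  when: __cli_batch_file.path is defined

- name: Configure the jboss auth variable
  include_tasks: golden_set_cli_auth.yml

- name: Restart jboss using shell
  include_tasks: golden_shell_restart.yml
  when: mi.stdout is not search('ldap_security_realm')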