purestorage.flashblade.purefb_policy module – Manage FlashBlade policies
Note
This module is part of the purestorage.flashblade collection (version 1.19.1). You might already have this collection installed if you are using the ansible package. It is not included in ansible-core.
To check whether it is installed, run: ansible-galaxy collection list
To install it, use: ansible-galaxy collection install purestorage.flashblade
You need further requirements to be able to use this module; see Requirements for details.
To use it in a playbook, specify: purestorage.flashblade.purefb_policy
New in purestorage.flashblade 1.0.0
Synopsis
Manage policies for filesystem, file replica links and object store access.
To update an existing snapshot policy rule, you must first delete the original rule and then add the new rule to replace it. Purity's best-fit will try to ensure that any required snapshots deleted on the deletion of the first rule are recovered, as long as the replacement rule is added before the snapshot eradication period is exceeded (usually 24 hours).
Requirements
The below requirements are needed on the host that executes this module.
python >= 3.9
py-pure-client
purity_fb >= 1.12.2
netaddr
datetime
pytz
distro
pycountry
urllib3
Parameters
| Parameter | Comments |
|---|---|
| | Specifies access control for the export policy rule. Choices: |
| account | Name of the Object Store account the policy applies to. The special-case account pure is used for the system-wide S3 policies. |
| actions | List of permissions to grant. System-wide policy rules cannot be deleted or modified. Choices: |
| anongid | Any user whose GID is affected by an access of `root_squash` or `all_squash` will have their GID mapped to anongid. The default anongid is null, which means 65534. Use "" to clear. |
| anonuid | Any user whose UID is affected by an access of `root_squash` or `all_squash` will have their UID mapped to anonuid. The default is null, which means 65534. Use "" to clear. |
| api_token | FlashBlade API token for an admin-privileged user. |
| at | Provide a time in 12-hour AM/PM format, e.g. 11AM. |
| atime | After a read operation has occurred, the inode access time is updated only if any of the following conditions is true: the previous access time is less than the inode modify time, the previous access time is less than the inode change time, or the previous access time is more than 24 hours ago. If set to false, disables the update of inode access times after read operations. Choices: |
| | The index of the client rule to insert or move a client rule before. |
| | The state of the SMB share principal's Change access permission. Setting to "" will clear the current setting. Choices: |
| client | Specifies the clients that will be permitted to access the export. Accepted notation is a single IP address, a subnet in CIDR notation, a netgroup, or anonymous (*). |
| default_retention | The retention period used for committing files to WORM status. Applied if no access time is provided, or the access time is less than the current server time. Must lie between the min_retention and max_retention periods. Valid values are weeks (w), days (d), hours (h), minutes (m) and seconds (s). |
| | A description of an object store policy, optionally specified when the policy is created. Cannot be modified for an existing policy. Default: |
| | This parameter must be set to true in order to modify a policy such that local or remote snapshots would be destroyed. Choices: |
| | Disable insecure certificate warnings. Choices: |
| | Allow S3 requests that match all of the selected actions. Rules are additive. Choices: |
| | State of the policy. Choices: |
| every | Interval between snapshots in seconds. Range 300 - 31536000 (equates to 5m to 365d). |
| fb_url | FlashBlade management IP address or hostname. |
| | Whether the file id is 32 bits or not. Choices: |
| filesystem | List of filesystems to add to a policy on creation. To amend policy members use the purestorage.flashblade.purefb_fs module. |
| force_delete | Force the deletion of an Object Store Access Policy if it has attached users. WARNING: this can have undesired side-effects. System-wide policies cannot be deleted. Choices: |
| | The state of the SMB share principal's Full Control access permission. Setting to "" will clear the current setting. Choices: |
| | Certain combinations of actions and other rule elements are inherently ignored if specified together in a rule. If set to true, operations which attempt to set these combinations will fail. If set to false, such operations will instead be allowed. Choices: |
| | Specifies which product interfaces the network access policy rule applies to, whether it is permitting or denying access. Choices: |
| keep_for | How long to keep snapshots for. Range 300 - 31536000 (equates to 5m to 365d). Must not be set less than every. |
| max_retention | The maximum retention period of the WORM file system. Between 1 second and 100 years. Cannot be less than the min_retention. Valid values are weeks (w), days (d), hours (h), minutes (m) and seconds (s). |
| min_retention | The minimum retention period of the WORM file system. Between 1 second and 100 years. Cannot be greater than the max_retention. Valid values are weeks (w), days (d), hours (h), minutes (m) and seconds (s). |
| name | Name of the policy. |
| object_resources | List of bucket names and object paths, with a wildcard (*) to specify objects in a bucket; e.g., bucket1, bucket1/*, bucket2, bucket2/*. System-wide policy rules cannot be deleted or modified. |
| permission | Specifies which read-write client access permissions are allowed for the export. Choices: |
| policy_type | Type of policy. Choices: |
| | The user or group who is the subject of this rule, and their domain. |
| | The state of the SMB share principal's Read access permission. Setting to "" will clear the current setting. Choices: |
| rename | New name for the policy. Only applies to NFS and SMB policies. |
| replica_link | List of filesystem replica links to add to a policy on creation. To amend policy members use the purestorage.flashblade.purefb_fs_replica module. |
| | State of policy attributes after creation. If set to locked, the values of the policy attributes are not allowed to change. If set to unlocked, the values of the policy attributes can be changed. Changing from unlocked to locked is allowed, but changing from locked to unlocked requires support from Pure Storage Technical Services. Choices: |
| rule | Name of the rule for the Object Store Access Policy. Rules in system-wide policies cannot be deleted or modified. |
| | List of delimiter characters allowed in object list requests. Grants permissions to list 'folder names' (prefixes ending in a delimiter) instead of object keys. System-wide policy rules cannot be deleted or modified. |
| | List of 'folders' (object key prefixes) for which object listings may be requested. System-wide policy rules cannot be deleted or modified. |
| secure | If true, this prevents NFS access from client connections coming from non-reserved ports. If false, allows NFS access from client connections coming from non-reserved ports. Applies to NFSv3, NFSv4.1, and the auxiliary protocols MOUNT and NLM. Choices: |
| security | The security flavors to use for accessing files on this mount point. If the server does not support the requested flavor, the mount operation fails. sys trusts the client to specify the user's identity. krb5 provides cryptographic proof of a user's identity in each RPC request. krb5i adds integrity checking to krb5, to ensure the data has not been tampered with. krb5p adds integrity checking and encryption to krb5. Choices: Default: |
| | The status of SMB encryption in a client policy rule. Choices: |
| | List of IPs and subnets from which this rule should allow requests; e.g., 10.20.30.40, 10.20.30.0/24, 2001:DB8:1234:5678::/64. System-wide policy rules cannot be deleted or modified. |
| state | Create or delete the policy. Copy is applicable only to Object Store Access Policy Rules. Choices: |
| target | Name of the policy to copy the rule to. |
| target_rule | Name of the rule to copy the existing rule to. If not defined, the existing rule name is used. |
| timezone | Time zone used for the at parameter. If not provided, the module will attempt to get the current local timezone from the server. |
| user | User in the account that the policy is granted to. |
Notes
Note
This module requires the purity_fb Python library. You must set the PUREFB_URL and PUREFB_API environment variables if the fb_url and api_token arguments are not passed to the module directly.
Examples
```yaml
- name: Create a simple snapshot policy with no rules
  purestorage.flashblade.purefb_policy:
    name: test_policy
    policy_type: snapshot
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6

- name: Create a snapshot policy and connect to existing filesystems and filesystem replica links
  purestorage.flashblade.purefb_policy:
    name: test_policy_with_members
    policy_type: snapshot
    filesystem:
      - fs1
      - fs2
    replica_link:
      - rl1
      - rl2
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6

- name: Create a snapshot policy with rules
  purestorage.flashblade.purefb_policy:
    name: test_policy2
    policy_type: snapshot
    at: 11AM
    keep_for: 86400
    every: 86400
    timezone: Asia/Shanghai
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6

- name: Delete a snapshot policy
  purestorage.flashblade.purefb_policy:
    name: test_policy
    policy_type: snapshot
    state: absent
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6

- name: Create an empty object store access policy
  purestorage.flashblade.purefb_policy:
    name: test_os_policy
    account: test
    policy_type: access
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6

- name: Create an empty object store access policy and assign user
  purestorage.flashblade.purefb_policy:
    name: test_os_policy
    account: test
    policy_type: access
    user: fred
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6

- name: Create an object store access policy with a simple rule
  purestorage.flashblade.purefb_policy:
    name: test_os_policy_rule
    policy_type: access
    account: test
    rule: rule1
    actions: "s3:*"
    object_resources: "*"
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6

- name: Create an empty SMB client policy
  purestorage.flashblade.purefb_policy:
    name: test_smb_client
    policy_type: smb_client
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6

- name: Create an SMB client policy with a client rule
  purestorage.flashblade.purefb_policy:
    name: test_smb_client
    policy_type: smb_client
    client: "10.0.1.0/24"
    permission: rw
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6

- name: Create an empty NFS export policy
  purestorage.flashblade.purefb_policy:
    name: test_nfs_export
    policy_type: nfs
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6

- name: Create an NFS export policy with a client rule
  purestorage.flashblade.purefb_policy:
    name: test_nfs_export
    policy_type: nfs
    atime: true
    client: "10.0.1.0/24"
    secure: true
    security: [sys, krb5]
    permission: rw
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6

- name: Create a new rule for an existing NFS export policy
  purestorage.flashblade.purefb_policy:
    name: test_nfs_export
    policy_type: nfs
    atime: true
    client: "10.0.2.0/24"
    security: sys
    permission: ro
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6

- name: Delete a client rule from an NFS export policy
  purestorage.flashblade.purefb_policy:
    name: test_nfs_export
    client: "10.0.1.0/24"
    policy_type: nfs
    state: absent
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6

- name: Delete an NFS export policy and all associated rules
  purestorage.flashblade.purefb_policy:
    name: test_nfs_export
    state: absent
    policy_type: nfs
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6

- name: Delete a rule from an object store access policy
  purestorage.flashblade.purefb_policy:
    name: test_os_policy_rule
    account: test
    policy_type: access
    rule: rule1
    state: absent
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6

- name: Delete a user from an object store access policy
  purestorage.flashblade.purefb_policy:
    name: test_os_policy_rule
    account: test
    user: fred
    policy_type: access
    state: absent
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6

- name: Delete an object store access policy with attached users (USE WITH CAUTION)
  purestorage.flashblade.purefb_policy:
    name: test_os_policy_rule
    account: test
    policy_type: access
    force_delete: true
    state: absent
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6

- name: Delete an object store access policy with no attached users
  purestorage.flashblade.purefb_policy:
    name: test_os_policy_rule
    account: test
    policy_type: access
    state: absent
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6

- name: Copy an object store access policy rule to another existing policy
  purestorage.flashblade.purefb_policy:
    name: test_os_policy_rule
    policy_type: access
    account: test
    target: "account2/anotherpolicy"
    target_rule: new_rule1
    state: copy
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6

- name: Rename an NFS Export Policy
  purestorage.flashblade.purefb_policy:
    name: old_name
    policy_type: nfs
    rename: new_name
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6

- name: Create a WORM Data Policy
  purestorage.flashblade.purefb_policy:
    name: worm1
    policy_type: worm
    default_retention: 5d
    min_retention: 20h   # parameter name is min_retention (was misspelled min_rentetion)
    max_retention: 1y
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6
```
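The following playbook is an added example, not part of the collection's documentation: it combines the parameters described above into least-privilege versions of the NFS export, object store access and WORM policies shown in the examples (Kerberos privacy instead of sys, reserved ports only, a read-only S3 rule scoped to one bucket instead of "s3:*" on "*", and a bounded retention window). Policy, account, bucket and rule names are constructed placeholders, and fb_url/api_token are deliberately omitted so that the module reads them from the PUREFB_URL and PUREFB_API environment variables named in the Notes rather than from the playbook file.

```yaml
# Added example (constructed; not from the purestorage.flashblade docs).
# Credentials come from PUREFB_URL / PUREFB_API in the environment, so no
# API token is committed with this playbook.
- name: Restrictive FlashBlade policies
  hosts: localhost
  gather_facts: false
  tasks:
    - name: NFS export limited to one subnet, Kerberos privacy only, reserved ports only
      purestorage.flashblade.purefb_policy:
        name: nfs_krb5p_export          # constructed policy name
        policy_type: nfs
        client: "10.0.1.0/24"           # only this subnet may mount
        secure: true                    # reject MOUNT/NLM/NFS from non-reserved ports
        security: [krb5p]               # authenticated and encrypted RPCs; sys is not offered
        permission: ro

    - name: Object store rule that grants read-only access to a single bucket
      purestorage.flashblade.purefb_policy:
        name: reports_readonly          # constructed policy name
        policy_type: access
        account: test                   # account from the examples above
        rule: read_reports              # constructed rule name
        actions:                        # instead of the catch-all "s3:*"
          - "s3:GetObject"
          - "s3:ListBucket"
        object_resources:               # bucket and its objects, instead of "*"
          - "reports"
          - "reports/*"

    - name: WORM policy with a bounded retention window
      purestorage.flashblade.purefb_policy:
        name: worm_audit_logs           # constructed policy name
        policy_type: worm
        default_retention: 30d          # applied when no access time is given
        min_retention: 7d               # retention cannot be shortened below this
        max_retention: 52w              # nor extended beyond this
```

Run with `ansible-playbook` after exporting PUREFB_URL and PUREFB_API; re-running the play is idempotent because each task describes the desired policy state rather than an action.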