purestorage.flashblade.purefb_policy module – Manage FlashBlade policies
Note
This module is part of the purestorage.flashblade collection (version 1.9.0).
You might already have this collection installed if you are using the ansible package. It is not included in ansible-core.
To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install purestorage.flashblade.
To use it in a playbook, specify: purestorage.flashblade.purefb_policy.
New in version 1.0.0 of purestorage.flashblade
Requirements
The below requirements are needed on the host that executes this module.
python >= 2.7
purity_fb >= 1.9
netaddr
pytz
Parameters
Parameter |
Comments |
---|---|
Specifies access control for the export policy rule Choices:
|
|
Name of Object Store account policy applies to. Special Case pure:policy is used for the system-wide S3 policies |
|
List of permissions to grant. System-wide policy rules cannot be deleted or modified Choices:
|
|
Any user whose GID is affected by an access of root_squash or all_squash will have their GID mapped to anongid. The default anongid is null, which means 65534. Use “” to clear. |
|
Any user whose UID is affected by an access of root_squash or all_squash will have their UID mapped to anonuid. The default is null, which means 65534. Use “” to clear. |
|
FlashBlade API token for admin privileged user. |
|
Provide a time in 12-hour AM/PM format, e.g. 11AM |
|
After a read operation has occurred, the inode access time is updated only if any of the following conditions is true; the previous access time is less than the inode modify time, the previous access time is less than the inode change time, or the previous access time is more than 24 hours ago. If set to false, disables the update of inode access times after read operations. Choices:
|
|
The index of the client rule to insert or move a client rule before. |
|
Specifies the clients that will be permitted to access the export. Accepted notation is a single IP address, subnet in CIDR notation, netgroup, or anonymous (*). Default: “*” |
|
Allow S3 requests that match all of the actions item selected. Rules are additive. Choices:
|
|
State of policy Choices:
|
|
Interval between snapshots in seconds. Range available 300 - 31536000 (equates to 5m to 365d) |
|
FlashBlade management IP address or Hostname. |
|
Whether the file id is 32 bits or not. Choices:
|
|
List of filesystems to add to a policy on creation. To amend policy members use the purefb_fs module |
|
Force the deletion of an Object Store Access Policy if this has attached users. WARNING: This can have undesired side-effects. System-wide policies cannot be deleted. Choices:
|
|
Certain combinations of actions and other rule elements are inherently ignored if specified together in a rule. If set to true, operations which attempt to set these combinations will fail. If set to false, such operations will instead be allowed. Choices:
|
|
How long to keep snapshots for. Range available 300 - 31536000 (equates to 5m to 365d). Must not be set less than every |
|
Name of the policy |
|
List of bucket names and object paths, with a wildcard (*) to specify objects in a bucket; e.g., bucket1, bucket1/, bucket2, bucket2/. System-wide policy rules cannot be deleted or modified |
|
Specifies which read-write client access permissions are allowed for the export. Choices:
|
|
Type of policy Choices:
|
|
List of filesystem replica links to add to a policy on creation. To amend policy members use the purefb_fs_replica module |
|
Name of the rule for the Object Store Access Policy. Rules in system-wide policies cannot be deleted or modified |
|
List of delimiter characters allowed in object list requests. Grants permissions to list ‘folder names’ (prefixes ending in a delimiter) instead of object keys. System-wide policy rules cannot be deleted or modified |
|
List of ‘folders’ (object key prefixes) for which object listings may be requested. System-wide policy rules cannot be deleted or modified |
|
If true, this prevents NFS access to client connections coming from non-reserved ports. If false, allows NFS access to client connections coming from non-reserved ports. Applies to NFSv3, NFSv4.1, and auxiliary protocols MOUNT and NLM. Choices:
|
|
The security flavors to use for accessing files on this mount point. If the server does not support the requested flavor, the mount operation fails. sys trusts the client to specify the user's identity. krb5 provides cryptographic proof of a user's identity in each RPC request. krb5i adds integrity checking to krb5, to ensure the data has not been tampered with. krb5p adds integrity checking and encryption to krb5. Choices:
|
|
List of IPs and subnets from which this rule should allow requests; e.g., 10.20.30.40, 10.20.30.0/24, 2001:DB8:1234:5678::/64. System-wide policy rules cannot be deleted or modified |
|
Create or delete policy. Copy is applicable only to Object Store Access Policy Rules. Choices:
|
|
Name of policy to copy rule to |
|
Name of the rule to copy the existing rule to. If not defined the existing rule name is used. |
|
Time Zone used for the at parameter. If not provided, the module will attempt to get the current local timezone from the server |
|
User in the account that the policy is granted to. |
Notes
Note
This module requires the purity_fb Python library.
You must set PUREFB_URL and PUREFB_API environment variables if fb_url and api_token arguments are not passed to the module directly.
Examples
```yaml
- name: Create a simple snapshot policy with no rules
  purefb_policy:
    name: test_policy
    policy_type: snapshot
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6

- name: Create a snapshot policy and connect to existing filesystems and filesystem replica links
  purefb_policy:
    name: test_policy_with_members
    policy_type: snapshot
    filesystem:
      - fs1
      - fs2
    replica_link:
      - rl1
      - rl2
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6

- name: Create a snapshot policy with rules
  purefb_policy:
    name: test_policy2
    policy_type: snapshot
    at: 11AM
    keep_for: 86400
    every: 86400
    timezone: Asia/Shanghai
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6

- name: Delete a snapshot policy
  purefb_policy:
    name: test_policy
    policy_type: snapshot
    state: absent
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6

- name: Create an empty object store access policy
  purefb_policy:
    name: test_os_policy
    account: test
    policy_type: access
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6

- name: Create an empty object store access policy and assign user
  purefb_policy:
    name: test_os_policy
    account: test
    policy_type: access
    user: fred
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6

- name: Create an object store access policy with simple rule
  purefb_policy:
    name: test_os_policy_rule
    policy_type: access
    account: test
    rule: rule1
    actions: "s3:*"
    object_resources: "*"
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6

- name: Create an empty NFS export policy
  purefb_policy:
    name: test_nfs_export
    policy_type: nfs
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6

- name: Create an NFS export policy with a client rule
  purefb_policy:
    name: test_nfs_export
    policy_type: nfs
    atime: true
    client: "10.0.1.0/24"
    secure: true
    security: [sys, krb5]
    permission: rw
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6

- name: Create a new rule for an existing NFS export policy
  purefb_policy:
    name: test_nfs_export
    policy_type: nfs
    atime: true
    client: "10.0.2.0/24"
    security: sys
    permission: ro
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6

- name: Delete a client rule from an NFS export policy
  purefb_policy:
    name: test_nfs_export
    client: "10.0.1.0/24"
    policy_type: nfs
    state: absent
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6

- name: Delete an NFS export policy and all associated rules
  purefb_policy:
    name: test_nfs_export
    state: absent
    policy_type: nfs
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6

- name: Delete a rule from an object store access policy
  purefb_policy:
    name: test_os_policy_rule
    account: test
    policy_type: access
    rule: rule1
    state: absent
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6

- name: Delete a user from an object store access policy
  purefb_policy:
    name: test_os_policy_rule
    account: test
    user: fred
    policy_type: access
    state: absent
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6

- name: Delete an object store access policy with attached users (USE WITH CAUTION)
  purefb_policy:
    name: test_os_policy_rule
    account: test
    policy_type: access
    force_delete: true
    state: absent
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6

- name: Delete an object store access policy with no attached users
  purefb_policy:
    name: test_os_policy_rule
    account: test
    policy_type: access
    state: absent
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6

- name: Copy an object store access policy rule to another existing policy
  purefb_policy:
    name: test_os_policy_rule
    policy_type: access
    account: test
    target: "account2/anotherpolicy"
    target_rule: new_rule1
    state: copy
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6
```
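A narrower variant of the NFS export and object store access rules above, added here as an illustration and not taken from the collection's documentation. It relies on the PUREFB_URL and PUREFB_API environment variables described in the Notes, so no token is stored in the playbook. The policy and rule names, subnet, bucket path, the `s3:GetObject` action value and the `source_ips` parameter name are assumptions.

```yaml
# Added example, not part of the module documentation.
# Assumes PUREFB_URL and PUREFB_API are exported in the shell that runs
# ansible-playbook, so fb_url and api_token are omitted from every task.
- name: Narrowly scoped FlashBlade policies (illustrative)
  hosts: localhost
  connection: local
  gather_facts: false
  tasks:
    - name: NFS export rule for one subnet, read-only, Kerberos with encryption
      purestorage.flashblade.purefb_policy:
        name: app_nfs_export            # hypothetical policy name
        policy_type: nfs
        client: "10.0.1.0/24"           # one subnet instead of the "*" default
        permission: ro
        secure: true                    # refuse clients on non-reserved ports
        security: [krb5p]               # integrity checking and encryption; sys trusts the client

    - name: Object store rule limited to one action, one bucket path, one source subnet
      purestorage.flashblade.purefb_policy:
        name: app_read_only             # hypothetical policy name
        account: test
        policy_type: access
        rule: get_only                  # hypothetical rule name
        actions: ["s3:GetObject"]       # assumed action value; the example above grants "s3:*"
        object_resources: ["bucket1/*"] # assumed bucket path; the example above uses "*"
        source_ips: ["10.0.1.0/24"]     # parameter name assumed from the "List of IPs and subnets" description
```

Check the parameter names and choices with `ansible-doc purestorage.flashblade.purefb_policy` for the installed collection version before running it.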
Authors
Pure Storage Ansible Team (@sdodsley)