purestorage.flashblade.purefb_policy module – Manage FlashBlade policies

Note

This module is part of the purestorage.flashblade collection (version 1.19.2).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install purestorage.flashblade. You need further requirements to be able to use this module, see Requirements for details.

To use it in a playbook, specify: purestorage.flashblade.purefb_policy.

New in purestorage.flashblade 1.0.0

Synopsis

  • Manage policies for filesystem, file replica links and object store access.

  • To update an existing snapshot policy rule, you must first delete the original rule and then add the new rule to replace it. Purity’s best-fit will try to ensure that any required snapshots deleted on the deletion of the first rule will be recovered, as long as the replacement rule is added before the snapshot eradication period is exceeded (usually 24 hours).

Requirements

The below requirements are needed on the host that executes this module.

  • python >= 3.9

  • py-pure-client

  • purity_fb >= 1.12.2

  • netaddr

  • datetime

  • pytz

  • distro

  • pycountry

  • urllib3

Parameters

Parameter

Comments

access

string

added in purestorage.flashblade 1.9.0

Specifies access control for the export policy rule

Choices:

  • "root-squash" ← (default)

  • "all-squash"

  • "no-squash"

account

string

added in purestorage.flashblade 1.9.0

Name of Object Store account policy applies to.

Special case: pure is the account used for the system-wide S3 policies.

actions

list / elements=string

added in purestorage.flashblade 1.9.0

List of permissions to grant.

System-wide policy rules cannot be deleted or modified

Choices:

  • "s3:*"

  • "s3:AbortMultipartUpload"

  • "s3:BypassGovernanceRetention"

  • "s3:CreateBucket"

  • "s3:DeleteBucket"

  • "s3:DeleteObject"

  • "s3:DeleteObjectVersion"

  • "s3:ExtendSafemodeRetentionPeriod"

  • "s3:GetBucketAcl"

  • "s3:GetBucketLocation"

  • "s3:GetBucketVersioning"

  • "s3:GetLifecycleConfiguration"

  • "s3:GetObject"

  • "s3:GetObjectAcl"

  • "s3:GetObjectLegalHold"

  • "s3:GetObjectLockConfiguration"

  • "s3:GetObjectRetention"

  • "s3:GetObjectTagging"

  • "s3:GetObjectVersion"

  • "s3:GetObjectVersionTagging"

  • "s3:ListAllMyBuckets"

  • "s3:ListBucket"

  • "s3:ListBucketMultipartUploads"

  • "s3:ListBucketVersions"

  • "s3:ListMultipartUploadParts"

  • "s3:PutBucketVersioning"

  • "s3:PutLifecycleConfiguration"

  • "s3:PutObject"

  • "s3:PutObjectLegalHold"

  • "s3:PutObjectLockConfiguration"

  • "s3:PutObjectRetention"

  • "s3:ResolveSafemodeConflicts"

anongid

string

added in purestorage.flashblade 1.9.0

Any user whose GID is affected by an access of `root_squash` or `all_squash` will have their GID mapped to anongid. The default anongid is null, which means 65534. Use “” to clear.

anonuid

string

added in purestorage.flashblade 1.9.0

Any user whose UID is affected by an access of `root_squash` or `all_squash` will have their UID mapped to anonuid. The default is null, which means 65534. Use “” to clear.

api_token

string

FlashBlade API token for admin privileged user.

at

string

Provide a time in 12-hour AM/PM format, e.g. 11AM

atime

boolean

added in purestorage.flashblade 1.9.0

After a read operation has occurred, the inode access time is updated only if any of the following conditions is true: the previous access time is less than the inode modify time, the previous access time is less than the inode change time, or the previous access time is more than 24 hours ago.

If set to false, disables the update of inode access times after read operations.

Choices:

  • false

  • true ← (default)

before_rule

integer

added in purestorage.flashblade 1.9.0

The index of the client rule to insert or move a client rule before.

change

string

added in purestorage.flashblade 1.12.0

The state of the SMB share principal’s Change access permission.

Setting to “” will clear the current setting

Choices:

  • "allow"

  • "deny"

  • ""

client

string

added in purestorage.flashblade 1.9.0

Specifies the clients that will be permitted to access the export.

Accepted notation is a single IP address, subnet in CIDR notation, netgroup, or anonymous (*).

default_retention

string

added in purestorage.flashblade 1.19.0

The retention period used for committing files to WORM status. Will be applied if no access time is provided, or the access time is less than the current server time. Between min_retention and max_retention periods.

Valid values are weeks (w), days(d), hours(h), minutes(m) and seconds(s).

desc

string

added in purestorage.flashblade 1.14.0

A description of an object store policy, optionally specified when the policy is created.

Cannot be modified for an existing policy.

Default: ""

destroy_snapshots

boolean

added in purestorage.flashblade 1.11.0

This parameter must be set to true in order to modify a policy such that local or remote snapshots would be destroyed.

Choices:

  • false ← (default)

  • true

disable_warnings

boolean

added in purestorage.flashblade 1.18.0

Disable insecure certificate warnings

Choices:

  • false ← (default)

  • true

effect

string

added in purestorage.flashblade 1.9.0

Allow S3 requests that match all of the actions item selected. Rules are additive.

Choices:

  • "allow" ← (default)

  • "deny"

enabled

boolean

State of policy

Choices:

  • false

  • true ← (default)

every

integer

Interval between snapshots in seconds

Range available 300 - 31536000 (equates to 5m to 365d)

fb_url

string

FlashBlade management IP address or Hostname.

fileid_32bit

boolean

added in purestorage.flashblade 1.9.0

Whether the file id is 32 bits or not.

Choices:

  • false ← (default)

  • true

filesystem

list / elements=string

List of filesystems to add to a policy on creation

To amend policy members use the purestorage.flashblade.purefb_fs module

force_delete

boolean

added in purestorage.flashblade 1.9.0

Force the deletion of an Object Store Access Policy if it has attached users.

WARNING This can have undesired side-effects.

System-wide policies cannot be deleted

Choices:

  • false ← (default)

  • true

full_control

string

added in purestorage.flashblade 1.12.0

The state of the SMB share principal’s Full Control access permission.

Setting to “” will clear the current setting

Choices:

  • "allow"

  • "deny"

  • ""

ignore_enforcement

boolean

added in purestorage.flashblade 1.9.0

Certain combinations of actions and other rule elements are inherently ignored if specified together in a rule.

If set to true, operations which attempt to set these combinations will fail.

If set to false, such operations will instead be allowed.

Choices:

  • false

  • true ← (default)

interfaces

list / elements=string

added in purestorage.flashblade 1.17.0

Specifies which product interfaces the network access policy rule applies to, whether it is permitting or denying access.

Choices:

  • "management-ssh"

  • "management-rest-api"

  • "management-web-ui"

  • "snmp"

  • "local-network-superuser-password-access"

keep_for

integer

How long to keep snapshots for

Range available 300 - 31536000 (equates to 5m to 365d)

Must not be set to less than every

max_retention

string

added in purestorage.flashblade 1.19.0

The maximum retention period of the WORM file system.

Between 1 second and 100 years.

Cannot be less than the min_retention.

Valid values are weeks (w), days(d), hours(h), minutes(m) and seconds(s).

min_retention

string

added in purestorage.flashblade 1.19.0

The minimum retention period of the WORM file system.

Between 1 second and 100 years.

Cannot be greater than the max_retention.

Valid values are weeks (w), days(d), hours(h), minutes(m) and seconds(s).

name

string

Name of the policy

object_resources

list / elements=string

added in purestorage.flashblade 1.9.0

List of bucket names and object paths, with a wildcard (*) to specify objects in a bucket; e.g., bucket1, bucket1/*, bucket2, bucket2/*.

System-wide policy rules cannot be deleted or modified

permission

string

added in purestorage.flashblade 1.9.0

Specifies which read-write client access permissions are allowed for the export.

Choices:

  • "rw"

  • "ro" ← (default)

policy_type

string

added in purestorage.flashblade 1.9.0

Type of policy

Choices:

  • "snapshot" ← (default)

  • "access"

  • "nfs"

  • "smb_share"

  • "smb_client"

  • "network"

  • "worm"

principal

string

added in purestorage.flashblade 1.12.0

The user or group who is the subject of this rule, and their domain

read

string

added in purestorage.flashblade 1.12.0

The state of the SMB share principal’s Read access permission.

Setting to “” will clear the current setting

Choices:

  • "allow"

  • "deny"

  • ""

rename

string

added in purestorage.flashblade 1.10.0

New name for policy

Only applies to NFS and SMB policies

replica_link

list / elements=string

List of filesystem replica links to add to a policy on creation

To amend policy members use the purestorage.flashblade.purefb_fs_replica module

retention_lock

string

added in purestorage.flashblade 1.19.0

State of policy attributes after creation.

If set to locked then values of the policy attributes are not allowed to change.

If set to unlocked then values of the policy attributes can be changed.

Changing from unlocked to locked is allowed, but to change from locked to unlocked will require support from Pure Storage Technical Services.

Choices:

  • "locked"

  • "unlocked"

rule

string

added in purestorage.flashblade 1.9.0

Name of the rule for the Object Store Access Policy

Rules in system-wide policies cannot be deleted or modified

s3_delimiters

list / elements=string

added in purestorage.flashblade 1.9.0

List of delimiter characters allowed in object list requests.

Grants permissions to list ‘folder names’ (prefixes ending in a delimiter) instead of object keys.

System-wide policy rules cannot be deleted or modified

s3_prefixes

list / elements=string

added in purestorage.flashblade 1.9.0

List of ‘folders’ (object key prefixes) for which object listings may be requested.

System-wide policy rules cannot be deleted or modified

secure

boolean

added in purestorage.flashblade 1.9.0

If true, this prevents NFS access to client connections coming from non-reserved ports.

If false, allows NFS access to client connections coming from non-reserved ports.

Applies to NFSv3, NFSv4.1, and auxiliary protocols MOUNT and NLM.

Choices:

  • false ← (default)

  • true

security

list / elements=string

added in purestorage.flashblade 1.9.0

The security flavors to use for accessing files on this mount point.

If the server does not support the requested flavor, the mount operation fails.

sys trusts the client to specify the user’s identity.

krb5 provides cryptographic proof of a user’s identity in each RPC request.

krb5i adds integrity checking to krb5, to ensure the data has not been tampered with.

krb5p adds integrity checking and encryption to krb5.

Choices:

  • "sys" ← (default)

  • "krb5"

  • "krb5i"

  • "krb5p"

Default: ["sys"]
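As an added example (not part of the module documentation), the following task combines the more restrictive NFS rule options described above in one client rule: a single client subnet, read-only access, root squashing to an explicit anonymous UID/GID, reserved source ports required, and krb5p as the only accepted security flavor (so sys is not offered on this export). The policy name, subnet and UID/GID values are assumptions; fb_url and api_token are omitted and taken from the PUREFB_URL and PUREFB_API environment variables as described in the Notes section.

```yaml
- name: Add a hardened client rule to an NFS export policy (added example; names and addresses are assumptions)
  purestorage.flashblade.purefb_policy:
    name: secure_nfs_export
    policy_type: nfs
    client: "10.0.5.0/24"        # only this subnet may mount the export
    permission: ro               # read-only; rw is granted per client rule only where needed
    access: root-squash          # remote root is mapped to the anonymous identity below
    anonuid: "65534"             # explicit anonymous UID (the documented default when unset)
    anongid: "65534"             # explicit anonymous GID
    secure: true                 # reject connections from non-reserved source ports
    security:
      - krb5p                    # Kerberos with integrity checking and encryption; no sys fallback
```

Because security replaces the default ["sys"] rather than adding to it, clients that cannot authenticate with Kerberos fail at mount time, which is the intended behaviour for an export carrying sensitive data.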

smb_encryption

string

added in purestorage.flashblade 1.12.0

The status of SMB encryption in a client policy rule

Choices:

  • "disabled"

  • "optional" ← (default)

  • "required"

source_ips

list / elements=string

added in purestorage.flashblade 1.9.0

List of IPs and subnets from which this rule should allow requests; e.g., 10.20.30.40, 10.20.30.0/24, 2001:DB8:1234:5678::/64.

System-wide policy rules cannot be deleted or modified

state

string

Create or delete policy.

Copy is applicable only to Object Store Access Policy rules

Choices:

  • "absent"

  • "present" ← (default)

  • "copy"

target

string

added in purestorage.flashblade 1.9.0

Name of policy to copy rule to

target_rule

string

added in purestorage.flashblade 1.9.0

Name of the rule to copy the existing rule to.

If not defined the existing rule name is used.

timezone

string

Time Zone used for the at parameter

If not provided, the module will attempt to get the current local timezone from the server

user

string

added in purestorage.flashblade 1.9.0

User in the account that the policy is granted to.

Notes

  • This module requires the purity_fb Python library

  • You must set PUREFB_URL and PUREFB_API environment variables if fb_url and api_token arguments are not passed to the module directly

Examples

- name: Create a simple snapshot policy with no rules
  purestorage.flashblade.purefb_policy:
    name: test_policy
    policy_type: snapshot
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6
- name: Create a snapshot policy and connect to existing filesystems and filesystem replica links
  purestorage.flashblade.purefb_policy:
    name: test_policy_with_members
    policy_type: snapshot
    filesystem:
    - fs1
    - fs2
    replica_link:
    - rl1
    - rl2
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6
- name: Create a snapshot policy with rules
  purestorage.flashblade.purefb_policy:
    name: test_policy2
    policy_type: snapshot
    at: 11AM
    keep_for: 86400
    every: 86400
    timezone: Asia/Shanghai
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6
- name: Delete a snapshot policy
  purestorage.flashblade.purefb_policy:
    name: test_policy
    policy_type: snapshot
    state: absent
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6
- name: Create an empty object store access policy
  purestorage.flashblade.purefb_policy:
    name: test_os_policy
    account: test
    policy_type: access
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6
- name: Create an empty object store access policy and assign user
  purestorage.flashblade.purefb_policy:
    name: test_os_policy
    account: test
    policy_type: access
    user: fred
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6
- name: Create an object store access policy with a simple rule
  purestorage.flashblade.purefb_policy:
    name: test_os_policy_rule
    policy_type: access
    account: test
    rule: rule1
    actions: "s3:*"
    object_resources: "*"
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6
- name: Create an empty SMB client policy
  purestorage.flashblade.purefb_policy:
    name: test_smb_client
    policy_type: smb_client
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6
- name: Create an SMB client policy with a client rule
  purestorage.flashblade.purefb_policy:
    name: test_smb_client
    policy_type: smb_client
    client: "10.0.1.0/24"
    permission: rw
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6
- name: Create an empty NFS export policy
  purestorage.flashblade.purefb_policy:
    name: test_nfs_export
    policy_type: nfs
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6
- name: Create an NFS export policy with a client rule
  purestorage.flashblade.purefb_policy:
    name: test_nfs_export
    policy_type: nfs
    atime: true
    client: "10.0.1.0/24"
    secure: true
    security: [sys, krb5]
    permission: rw
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6
- name: Create a new rule for an existing NFS export policy
  purestorage.flashblade.purefb_policy:
    name: test_nfs_export
    policy_type: nfs
    atime: true
    client: "10.0.2.0/24"
    security: sys
    permission: ro
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6
- name: Delete a client rule from an NFS export policy
  purestorage.flashblade.purefb_policy:
    name: test_nfs_export
    client: "10.0.1.0/24"
    policy_type: nfs
    state: absent
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6
- name: Delete an NFS export policy and all associated rules
  purestorage.flashblade.purefb_policy:
    name: test_nfs_export
    state: absent
    policy_type: nfs
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6
- name: Delete a rule from an object store access policy
  purestorage.flashblade.purefb_policy:
    name: test_os_policy_rule
    account: test
    policy_type: access
    rule: rule1
    state: absent
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6
- name: Delete a user from an object store access policy
  purestorage.flashblade.purefb_policy:
    name: test_os_policy_rule
    account: test
    user: fred
    policy_type: access
    state: absent
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6
- name: Delete an object store access policy with attached users (USE WITH CAUTION)
  purestorage.flashblade.purefb_policy:
    name: test_os_policy_rule
    account: test
    policy_type: access
    force_delete: true
    state: absent
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6
- name: Delete an object store access policy with no attached users
  purestorage.flashblade.purefb_policy:
    name: test_os_policy_rule
    account: test
    policy_type: access
    state: absent
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6
- name: Copy an object store access policy rule to another existing policy
  purestorage.flashblade.purefb_policy:
    name: test_os_policy_rule
    policy_type: access
    account: test
    target: "account2/anotherpolicy"
    target_rule: new_rule1
    state: copy
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6
- name: Rename an NFS Export Policy
  purestorage.flashblade.purefb_policy:
    name: old_name
    policy_type: nfs
    rename: new_name
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6
- name: Create a WORM Data Policy
  purestorage.flashblade.purefb_policy:
    name: worm1
    policy_type: worm
    default_retention: 5d
    min_retention: 20h
    max_retention: 1y
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6
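The object store access policy example above grants every S3 action ("s3:*") on every resource ("*"). As an added example that is not part of the module documentation, the two tasks below show the least-privilege shape of the same parameters: a rule that allows only read and list actions, on one named bucket and its objects, with listings limited to one key prefix, and only for requests from one subnet, followed by a task that grants the policy to a single user in the same account. The account, policy, rule, bucket, prefix, user and subnet names are assumptions; fb_url and api_token are omitted and taken from the PUREFB_URL and PUREFB_API environment variables as described in the Notes section.

```yaml
- name: Create a read-only access policy scoped to one bucket and one subnet (added example; names and addresses are assumptions)
  purestorage.flashblade.purefb_policy:
    name: audit_reader_policy
    policy_type: access
    account: audit
    rule: read_audit_logs
    effect: allow                # the default; stated explicitly for readability
    actions:
      - "s3:GetObject"           # read object contents
      - "s3:ListBucket"          # list keys, further limited by s3_prefixes below
      - "s3:GetBucketLocation"   # needed by most S3 clients before the first request
    object_resources:
      - "audit-logs"             # bucket-level actions such as ListBucket
      - "audit-logs/*"           # object-level actions on the objects in that bucket
    s3_prefixes:
      - "2024/"                  # listings may only be requested for this 'folder'
    s3_delimiters:
      - "/"                      # allow folder-style (prefix/delimiter) listings
    source_ips:
      - "10.0.7.0/24"            # requests from other addresses do not match this rule

- name: Grant the read-only policy to a single user in the same account
  purestorage.flashblade.purefb_policy:
    name: audit_reader_policy
    policy_type: access
    account: audit
    user: auditor
```

Rules are additive, so if broader access is later required it can be added as a separate, named rule and removed again with state: absent without touching this one; keeping each rule narrow also makes the policy easier to review.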

Authors

  • Pure Storage Ansible Team (@sdodsley)