purestorage.flashblade.purefb_policy – Manage FlashBlade policies

Note

This plugin is part of the purestorage.flashblade collection (version 1.9.0).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install purestorage.flashblade.

To use it in a playbook, specify: purestorage.flashblade.purefb_policy.

New in version 1.0.0 of purestorage.flashblade

Synopsis

  • Manage policies for filesystem, file replica links and object store access

Requirements

The below requirements are needed on the host that executes this module.

  • python >= 2.7

  • purity_fb >= 1.9

  • netaddr

  • pytz

Parameters

Parameter Choices/Defaults Comments
access
string
added in 1.9.0 of purestorage.flashblade
    Choices:
  • root-squash ←
  • all-squash
  • no-squash
Specifies access control for the export policy rule
account
string
added in 1.9.0 of purestorage.flashblade
Name of Object Store account policy applies to.
Special Case pure:policy is used for the system-wide S3 policies
actions
list / elements=string
added in 1.9.0 of purestorage.flashblade
    Choices:
  • s3:*
  • s3:AbortMultipartUpload
  • s3:CreateBucket
  • s3:DeleteBucket
  • s3:DeleteObject
  • s3:DeleteObjectVersion
  • s3:ExtendSafemodeRetentionPeriod
  • s3:GetBucketAcl
  • s3:GetBucketLocation
  • s3:GetBucketVersioning
  • s3:GetLifecycleConfiguration
  • s3:GetObject
  • s3:GetObjectAcl
  • s3:GetObjectVersion
  • s3:ListAllMyBuckets
  • s3:ListBucket
  • s3:ListBucketMultipartUploads
  • s3:ListBucketVersions
  • s3:ListMultipartUploadParts
  • s3:PutBucketVersioning
  • s3:PutLifecycleConfiguration
  • s3:PutObject
List of permissions to grant.
System-wide policy rules cannot be deleted or modified
anongid
string
added in 1.9.0 of purestorage.flashblade
Any user whose GID is affected by an access of `root-squash` or `all-squash` will have their GID mapped to anongid. The default anongid is null, which means 65534. Use "" to clear.
anonuid
string
added in 1.9.0 of purestorage.flashblade
Any user whose UID is affected by an access of `root-squash` or `all-squash` will have their UID mapped to anonuid. The default anonuid is null, which means 65534. Use "" to clear.
api_token
string
FlashBlade API token for admin privileged user.
at
string
Provide a time in 12-hour AM/PM format, eg. 11AM
atime
boolean
added in 1.9.0 of purestorage.flashblade
    Choices:
  • no
  • yes ←
After a read operation has occurred, the inode access time is updated only if any of the following conditions is true: the previous access time is less than the inode modify time, the previous access time is less than the inode change time, or the previous access time is more than 24 hours ago.
If set to false, disables the update of inode access times after read operations.
before_rule
integer
added in 1.9.0 of purestorage.flashblade
The index of the client rule to insert or move a client rule before.
client
string
added in 1.9.0 of purestorage.flashblade
Default:
"*"
Specifies the clients that will be permitted to access the export.
Accepted notation is a single IP address, subnet in CIDR notation, netgroup, or anonymous (*).
effect
string
added in 1.9.0 of purestorage.flashblade
    Choices:
  • allow ←
Allow S3 requests that match the selected actions. Rules are additive; allow is the only effect available, so access is restricted by granting fewer actions and resources, not by deny rules.
enabled
boolean
    Choices:
  • no
  • yes ←
State of policy
every
integer
Interval between snapshots in seconds
Range available 300 - 31536000 (equates to 5m to 365d)
fb_url
string
FlashBlade management IP address or Hostname.
fileid_32bit
boolean
added in 1.9.0 of purestorage.flashblade
    Choices:
  • no ←
  • yes
Whether the file id is 32 bits or not.
filesystem
list / elements=string
List of filesystems to add to a policy on creation
To amend policy members use the purefb_fs module
force_delete
boolean
added in 1.9.0 of purestorage.flashblade
    Choices:
  • no ←
  • yes
Force the deletion of an Object Store Access Policy even if it has attached users.
WARNING This can have undesired side-effects: users attached to the policy lose the access it granted.
System-wide policies cannot be deleted
ignore_enforcement
boolean
added in 1.9.0 of purestorage.flashblade
    Choices:
  • no
  • yes ←
Certain combinations of actions and other rule elements are inherently ignored if specified together in a rule.
If set to true, operations which attempt to set these combinations will fail.
If set to false, such operations will instead be allowed.
keep_for
integer
How long to keep snapshots for
Range available 300 - 31536000 (equates to 5m to 365d)
Must not be set less than every
name
string
Name of the policy
object_resources
list / elements=string
added in 1.9.0 of purestorage.flashblade
List of bucket names and object paths, with a wildcard (*) to specify objects in a bucket; e.g., bucket1, bucket1/*, bucket2, bucket2/*.
System-wide policy rules cannot be deleted or modified
permission
string
added in 1.9.0 of purestorage.flashblade
    Choices:
  • rw
  • ro ←
Specifies which read-write client access permissions are allowed for the export.
policy_type
string
added in 1.9.0 of purestorage.flashblade
    Choices:
  • snapshot ←
  • access
  • nfs
Type of policy
replica_link
list / elements=string
List of filesystem replica links to add to a policy on creation
To amend policy members use the purefb_fs_replica module
rule
string
added in 1.9.0 of purestorage.flashblade
Name of the rule for the Object Store Access Policy
Rules in system-wide policies cannot be deleted or modified
s3_delimiters
list / elements=string
added in 1.9.0 of purestorage.flashblade
List of delimiter characters allowed in object list requests.
Grants permissions to list 'folder names' (prefixes ending in a delimiter) instead of object keys.
System-wide policy rules cannot be deleted or modified
s3_prefixes
list / elements=string
added in 1.9.0 of purestorage.flashblade
List of 'folders' (object key prefixes) for which object listings may be requested.
System-wide policy rules cannot be deleted or modified
secure
boolean
added in 1.9.0 of purestorage.flashblade
    Choices:
  • no ←
  • yes
If true, this prevents NFS access to client connections coming from non-reserved ports.
If false, allows NFS access to client connections coming from non-reserved ports.
Applies to NFSv3, NFSv4.1, and auxiliary protocols MOUNT and NLM.
security
list / elements=string
added in 1.9.0 of purestorage.flashblade
    Choices:
  • sys ←
  • krb5
  • krb5i
  • krb5p
The security flavors to use for accessing files on this mount point.
If the server does not support the requested flavor, the mount operation fails.
sys trusts the client to specify the user's identity.
krb5 provides cryptographic proof of a user's identity in each RPC request.
krb5i adds integrity checking to krb5, to ensure the data has not been tampered with.
krb5p adds integrity checking and encryption to krb5.
source_ips
list / elements=string
added in 1.9.0 of purestorage.flashblade
List of IPs and subnets from which this rule should allow requests; e.g., 10.20.30.40, 10.20.30.0/24, 2001:DB8:1234:5678::/64.
System-wide policy rules cannot be deleted or modified
state
string
    Choices:
  • absent
  • present ←
  • copy
Create or delete policy.
copy applies only to Object Store Access Policy rules.
target
string
added in 1.9.0 of purestorage.flashblade
Name of policy to copy rule to
target_rule
string
added in 1.9.0 of purestorage.flashblade
Name of the rule to copy the existing rule to.
If not defined the existing rule name is used.
timezone
string
Time Zone used for the at parameter
If not provided, the module will attempt to get the current local timezone from the server
user
string
added in 1.9.0 of purestorage.flashblade
User in the account that the policy is granted to.

Notes

Note

  • This module requires the purity_fb Python library

  • You must set PUREFB_URL and PUREFB_API environment variables if fb_url and api_token arguments are not passed to the module directly

Examples

- name: Create a simple snapshot policy with no rules
  purefb_policy:
    name: test_policy
    policy_type: snapshot
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6
- name: Create a snapshot policy and connect to existing filesystems and filesystem replica links
  purefb_policy:
    name: test_policy_with_members
    policy_type: snapshot
    filesystem:
    - fs1
    - fs2
    replica_link:
    - rl1
    - rl2
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6
- name: Create a snapshot policy with rules
  purefb_policy:
    name: test_policy2
    policy_type: snapshot
    at: 11AM
    keep_for: 86400
    every: 86400
    timezone: Asia/Shanghai
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6
- name: Delete a snapshot policy
  purefb_policy:
    name: test_policy
    policy_type: snapshot
    state: absent
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6
- name: Create an empty object store access policy
  purefb_policy:
    name: test_os_policy
    account: test
    policy_type: access
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6
- name: Create an empty object store access policy and assign user
  purefb_policy:
    name: test_os_policy
    account: test
    policy_type: access
    user: fred
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6
- name: Create a object store access policy with simple rule
  purefb_policy:
    name: test_os_policy_rule
    policy_type: access
    account: test
    rule: rule1
    actions: "s3:*"
    object_resources: "*"
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6
- name: Create an empty NFS export policy
  purefb_policy:
    name: test_nfs_export
    policy_type: nfs
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6
- name: Create an NFS export policy with a client rule
  purefb_policy:
    name: test_nfs_export
    policy_type: nfs
    atime: true
    client: "10.0.1.0/24"
    secure: true
    security: [sys, krb5]
    permission: rw
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6
- name: Create a new rule for an existing NFS export policy
  purefb_policy:
    name: test_nfs_export
    policy_type: nfs
    atime: true
    client: "10.0.2.0/24"
    security: sys
    permission: ro
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6
- name: Delete a client rule from an NFS export policy
  purefb_policy:
    name: test_nfs_export
    client: "10.0.1.0/24"
    policy_type: nfs
    state: absent
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6
- name: Delete an NFS export policy and all associated rules
  purefb_policy:
    name: test_nfs_export
    state: absent
    policy_type: nfs
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6
- name: Delete a rule from an object store access policy
  purefb_policy:
    name: test_os_policy_rule
    account: test
    policy_type: access
    rule: rule1
    state: absent
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6
- name: Delete a user from an object store access policy
  purefb_policy:
    name: test_os_policy_rule
    account: test
    user: fred
    policy_type: access
    state: absent
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6
- name: Delete an object store access policy with attached users (USE WITH CAUTION)
  purefb_policy:
    name: test_os_policy_rule
    account: test
    policy_type: access
    force_delete: true
    state: absent
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6
- name: Delete an object store access policy with no attached users
  purefb_policy:
    name: test_os_policy_rule
    account: test
    policy_type: access
    state: absent
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6
- name: Copy an object store access policy rule to another existing policy
  purefb_policy:
    name: test_os_policy_rule
    policy_type: access
    account: test
    target: "account2/anotherpolicy"
    target_rule: new_rule1
    state: copy
    fb_url: 10.10.10.2
    api_token: T-9f276a18-50ab-446e-8a0c-666a3529a1b6
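The playbook below is an added example and is not part of the collection's documentation or the module's own examples. It shows how the parameters above combine into least-privilege policies: an object store access rule that grants only the read actions a consumer needs on one bucket from one source range, and an NFS export policy that requires Kerberos with privacy, rejects non-reserved source ports and squashes root. The account, bucket, user, policy names, addresses and the before_rule index are placeholders, and the tasks rely on PUREFB_URL and PUREFB_API being exported in the environment (as the Notes describe) rather than writing the API token into the playbook.

```yaml
# Added example (not from the purestorage.flashblade collection docs).
# Assumed placeholders: account "analytics", bucket "telemetry", user "ingest",
# policy names, subnets and the before_rule index. The FlashBlade address and
# API token are taken from the PUREFB_URL / PUREFB_API environment variables.
- name: Least-privilege object store and NFS export policies on FlashBlade
  hosts: localhost
  gather_facts: false
  tasks:
    # --- Object store: read-only access to one bucket from one subnet ---
    - name: Create the access policy for telemetry readers
      purestorage.flashblade.purefb_policy:
        name: telemetry_readonly
        account: analytics
        policy_type: access

    - name: Add a rule granting only the read actions needed (no s3:* here)
      purestorage.flashblade.purefb_policy:
        name: telemetry_readonly
        account: analytics
        policy_type: access
        rule: read_telemetry
        effect: allow                 # the only effect available; restrict by granting less
        actions:
          - s3:GetObject
          - s3:ListBucket
          - s3:GetBucketLocation
        object_resources:             # bucket and its objects, not "*"
          - telemetry
          - telemetry/*
        s3_prefixes:                  # listings limited to this key prefix
          - "2024/"
        s3_delimiters:                # allow folder-style listing on "/"
          - "/"
        source_ips:                   # requests accepted only from this range
          - 10.20.30.0/24

    - name: Attach the ingest user to the policy
      purestorage.flashblade.purefb_policy:
        name: telemetry_readonly
        account: analytics
        policy_type: access
        user: ingest

    # --- NFS export: Kerberos with privacy only, reserved ports, root squashed ---
    - name: Create the export policy
      purestorage.flashblade.purefb_policy:
        name: homedirs_export
        policy_type: nfs

    - name: Broad read-only rule for the client network
      purestorage.flashblade.purefb_policy:
        name: homedirs_export
        policy_type: nfs
        client: 10.0.0.0/16
        permission: ro
        security:
          - krb5p                     # sys is not listed, so clients cannot assert UIDs
        secure: true                  # reject mounts from non-reserved source ports
        access: root-squash
        anonuid: "65534"
        anongid: "65534"

    - name: Narrow read-write rule for the backup host, placed ahead of the broad rule
      purestorage.flashblade.purefb_policy:
        name: homedirs_export
        policy_type: nfs
        client: 10.0.5.10
        permission: rw
        security:
          - krb5p
        secure: true
        access: root-squash
        before_rule: 1                # assumed index of the broad rule; check your array's rule order
```

Run it with `PUREFB_URL=<array> PUREFB_API=<token> ansible-playbook policies.yml`. Compared with the simple-rule example above (`actions: "s3:*"` on `object_resources: "*"`), this rule names the bucket, the actions, the listable prefix and the permitted source range, so a leaked key for the ingest user cannot write, delete or reach other buckets. On the NFS side, omitting sys from security is what prevents a client from presenting an arbitrary UID, and root-squash with an explicit anonuid/anongid keeps root on a client from acting as root on the export.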

Authors