On Tue, 29 Sep 2015 08:27:01 -0600
Tim Flink <tflink(a)redhat.com> wrote:
Long story short, when the batcave upgrade happened on Friday we
found
out that rbac_playbook doesn't work on el7 due to an issue with
nss-altfiles.
I figured out how to sidestep the issue by changing the approach that
rbac_playbook takes. It used to get all the groups for the user
running the script and check for an intersection between those groups
and the required groups for the playbook being run.
The new version looks at the groups required for the playbook being
run, gathers all the users in those groups and verifies that the user
running rbac_playbook is in that list before proceeding.
I've included the changes below for security review before updating
anything on batcave01
Thanks for the reviews. Code has been pushed to git, I've built a new
ansible_utils package and put that in the el7 infrastructure repo.
Tim