diff --git a/docs/source/modules/zhmc_adapter.rst b/docs/source/modules/zhmc_adapter.rst index a9f8fea7e..4a2c32d33 100644 --- a/docs/source/modules/zhmc_adapter.rst +++ b/docs/source/modules/zhmc_adapter.rst @@ -56,6 +56,21 @@ hmc_auth | **type**: str + ca_certs + Path name of certificate file or certificate directory to be used for verifying the HMC certificate. If null (default), the path name in the 'REQUESTS_CA_BUNDLE' environment variable or the path name in the 'CURL_CA_BUNDLE' environment variable is used, or if neither of these variables is set, the certificates in the Mozilla CA Certificate List provided by the 'certifi' Python package are used for verifying the HMC certificate. + + | **required**: False + | **type**: str + + + verify + If True (default), verify the HMC certificate as specified in the ``ca_certs`` parameter. If False, ignore what is specified in the ``ca_certs`` parameter and do not verify the HMC certificate. + + | **required**: False + | **type**: bool + | **default**: True + + name The name of the target adapter. In case of renaming an adapter, this is the new name of the adapter. diff --git a/docs/source/modules/zhmc_cpc.rst b/docs/source/modules/zhmc_cpc.rst index ca7ae8fd5..827ef0ef8 100644 --- a/docs/source/modules/zhmc_cpc.rst +++ b/docs/source/modules/zhmc_cpc.rst 
@@ -55,6 +55,21 @@ hmc_auth | **type**: str + ca_certs + Path name of certificate file or certificate directory to be used for verifying the HMC certificate. If null (default), the path name in the 'REQUESTS_CA_BUNDLE' environment variable or the path name in the 'CURL_CA_BUNDLE' environment variable is used, or if neither of these variables is set, the certificates in the Mozilla CA Certificate List provided by the 'certifi' Python package are used for verifying the HMC certificate. + + | **required**: False + | **type**: str + + + verify + If True (default), verify the HMC certificate as specified in the ``ca_certs`` parameter. If False, ignore what is specified in the ``ca_certs`` parameter and do not verify the HMC certificate. + + | **required**: False + | **type**: bool + | **default**: True + + name The name of the target CPC. diff --git a/docs/source/modules/zhmc_crypto_attachment.rst b/docs/source/modules/zhmc_crypto_attachment.rst index 3b5e0b370..4ef139218 100644 --- a/docs/source/modules/zhmc_crypto_attachment.rst +++ b/docs/source/modules/zhmc_crypto_attachment.rst @@ -56,6 +56,21 @@ hmc_auth | **type**: str + ca_certs + Path name of certificate file or certificate directory to be used for verifying the HMC certificate. If null (default), the path name in the 'REQUESTS_CA_BUNDLE' environment variable or the path name in the 'CURL_CA_BUNDLE' environment variable is used, or if neither of these variables is set, the certificates in the Mozilla CA Certificate List provided by the 'certifi' Python package are used for verifying the HMC certificate. + + | **required**: False + | **type**: str + + + verify + If True (default), verify the HMC certificate as specified in the ``ca_certs`` parameter. If False, ignore what is specified in the ``ca_certs`` parameter and do not verify the HMC certificate. + + | **required**: False + | **type**: bool + | **default**: True + + cpc_name The name of the CPC that has the partition and the crypto adapters. 
diff --git a/docs/source/modules/zhmc_hba.rst b/docs/source/modules/zhmc_hba.rst index c282b720c..f81acafbe 100644 --- a/docs/source/modules/zhmc_hba.rst +++ b/docs/source/modules/zhmc_hba.rst @@ -55,6 +55,21 @@ hmc_auth | **type**: str + ca_certs + Path name of certificate file or certificate directory to be used for verifying the HMC certificate. If null (default), the path name in the 'REQUESTS_CA_BUNDLE' environment variable or the path name in the 'CURL_CA_BUNDLE' environment variable is used, or if neither of these variables is set, the certificates in the Mozilla CA Certificate List provided by the 'certifi' Python package are used for verifying the HMC certificate. + + | **required**: False + | **type**: str + + + verify + If True (default), verify the HMC certificate as specified in the ``ca_certs`` parameter. If False, ignore what is specified in the ``ca_certs`` parameter and do not verify the HMC certificate. + + | **required**: False + | **type**: bool + | **default**: True + + cpc_name The name of the CPC with the partition containing the HBA. diff --git a/docs/source/modules/zhmc_nic.rst b/docs/source/modules/zhmc_nic.rst index 00a80baa5..a0abfb7a1 100644 --- a/docs/source/modules/zhmc_nic.rst +++ b/docs/source/modules/zhmc_nic.rst 
@@ -55,6 +55,21 @@ hmc_auth | **type**: str + ca_certs + Path name of certificate file or certificate directory to be used for verifying the HMC certificate. If null (default), the path name in the 'REQUESTS_CA_BUNDLE' environment variable or the path name in the 'CURL_CA_BUNDLE' environment variable is used, or if neither of these variables is set, the certificates in the Mozilla CA Certificate List provided by the 'certifi' Python package are used for verifying the HMC certificate. + + | **required**: False + | **type**: str + + + verify + If True (default), verify the HMC certificate as specified in the ``ca_certs`` parameter. If False, ignore what is specified in the ``ca_certs`` parameter and do not verify the HMC certificate. + + | **required**: False + | **type**: bool + | **default**: True + + cpc_name The name of the CPC with the partition containing the NIC. diff --git a/docs/source/modules/zhmc_partition.rst b/docs/source/modules/zhmc_partition.rst index 6b8a9338f..05008078d 100644 --- a/docs/source/modules/zhmc_partition.rst +++ b/docs/source/modules/zhmc_partition.rst @@ -56,6 +56,21 @@ hmc_auth | **type**: str + ca_certs + Path name of certificate file or certificate directory to be used for verifying the HMC certificate. If null (default), the path name in the 'REQUESTS_CA_BUNDLE' environment variable or the path name in the 'CURL_CA_BUNDLE' environment variable is used, or if neither of these variables is set, the certificates in the Mozilla CA Certificate List provided by the 'certifi' Python package are used for verifying the HMC certificate. + + | **required**: False + | **type**: str + + + verify + If True (default), verify the HMC certificate as specified in the ``ca_certs`` parameter. If False, ignore what is specified in the ``ca_certs`` parameter and do not verify the HMC certificate. + + | **required**: False + | **type**: bool + | **default**: True + + cpc_name The name of the CPC with the target partition. 
diff --git a/docs/source/modules/zhmc_storage_group.rst b/docs/source/modules/zhmc_storage_group.rst index 1dec550a7..9611f65da 100644 --- a/docs/source/modules/zhmc_storage_group.rst +++ b/docs/source/modules/zhmc_storage_group.rst @@ -55,6 +55,21 @@ hmc_auth | **type**: str + ca_certs + Path name of certificate file or certificate directory to be used for verifying the HMC certificate. If null (default), the path name in the 'REQUESTS_CA_BUNDLE' environment variable or the path name in the 'CURL_CA_BUNDLE' environment variable is used, or if neither of these variables is set, the certificates in the Mozilla CA Certificate List provided by the 'certifi' Python package are used for verifying the HMC certificate. + + | **required**: False + | **type**: str + + + verify + If True (default), verify the HMC certificate as specified in the ``ca_certs`` parameter. If False, ignore what is specified in the ``ca_certs`` parameter and do not verify the HMC certificate. + + | **required**: False + | **type**: bool + | **default**: True + + cpc_name The name of the CPC associated with the target storage group. diff --git a/docs/source/modules/zhmc_storage_group_attachment.rst b/docs/source/modules/zhmc_storage_group_attachment.rst index c9dfbd2b1..330183704 100644 --- a/docs/source/modules/zhmc_storage_group_attachment.rst +++ b/docs/source/modules/zhmc_storage_group_attachment.rst 
@@ -55,6 +55,21 @@ hmc_auth | **type**: str + ca_certs + Path name of certificate file or certificate directory to be used for verifying the HMC certificate. If null (default), the path name in the 'REQUESTS_CA_BUNDLE' environment variable or the path name in the 'CURL_CA_BUNDLE' environment variable is used, or if neither of these variables is set, the certificates in the Mozilla CA Certificate List provided by the 'certifi' Python package are used for verifying the HMC certificate. + + | **required**: False + | **type**: str + + + verify + If True (default), verify the HMC certificate as specified in the ``ca_certs`` parameter. If False, ignore what is specified in the ``ca_certs`` parameter and do not verify the HMC certificate. + + | **required**: False + | **type**: bool + | **default**: True + + cpc_name The name of the CPC that has the partition and is associated with the storage group. diff --git a/docs/source/modules/zhmc_storage_volume.rst b/docs/source/modules/zhmc_storage_volume.rst index fb8bce511..416114d71 100644 --- a/docs/source/modules/zhmc_storage_volume.rst +++ b/docs/source/modules/zhmc_storage_volume.rst 
@@ -55,6 +55,21 @@ hmc_auth | **type**: str + ca_certs + Path name of certificate file or certificate directory to be used for verifying the HMC certificate. If null (default), the path name in the 'REQUESTS_CA_BUNDLE' environment variable or the path name in the 'CURL_CA_BUNDLE' environment variable is used, or if neither of these variables is set, the certificates in the Mozilla CA Certificate List provided by the 'certifi' Python package are used for verifying the HMC certificate. + + | **required**: False + | **type**: str + + + verify + If True (default), verify the HMC certificate as specified in the ``ca_certs`` parameter. If False, ignore what is specified in the ``ca_certs`` parameter and do not verify the HMC certificate. + + | **required**: False + | **type**: bool + | **default**: True + + cpc_name The name of the CPC associated with the storage group containing the target storage volume. diff --git a/docs/source/modules/zhmc_user.rst b/docs/source/modules/zhmc_user.rst index 594d339d6..23433c9af 100644 --- a/docs/source/modules/zhmc_user.rst +++ b/docs/source/modules/zhmc_user.rst 
@@ -55,6 +55,21 @@ hmc_auth | **type**: str + ca_certs + Path name of certificate file or certificate directory to be used for verifying the HMC certificate. If null (default), the path name in the 'REQUESTS_CA_BUNDLE' environment variable or the path name in the 'CURL_CA_BUNDLE' environment variable is used, or if neither of these variables is set, the certificates in the Mozilla CA Certificate List provided by the 'certifi' Python package are used for verifying the HMC certificate. + + | **required**: False + | **type**: str + + + verify + If True (default), verify the HMC certificate as specified in the ``ca_certs`` parameter. If False, ignore what is specified in the ``ca_certs`` parameter and do not verify the HMC certificate. + + | **required**: False + | **type**: bool + | **default**: True + + name The userid of the target user (i.e. the 'name' property of the User object). diff --git a/docs/source/modules/zhmc_virtual_function.rst b/docs/source/modules/zhmc_virtual_function.rst index 4dbd2ed53..1ee403cf9 100644 --- a/docs/source/modules/zhmc_virtual_function.rst +++ b/docs/source/modules/zhmc_virtual_function.rst 
@@ -55,6 +55,21 @@ hmc_auth | **type**: str + ca_certs + Path name of certificate file or certificate directory to be used for verifying the HMC certificate. If null (default), the path name in the 'REQUESTS_CA_BUNDLE' environment variable or the path name in the 'CURL_CA_BUNDLE' environment variable is used, or if neither of these variables is set, the certificates in the Mozilla CA Certificate List provided by the 'certifi' Python package are used for verifying the HMC certificate. + + | **required**: False + | **type**: str + + + verify + If True (default), verify the HMC certificate as specified in the ``ca_certs`` parameter. If False, ignore what is specified in the ``ca_certs`` parameter and do not verify the HMC certificate. + + | **required**: False + | **type**: bool + | **default**: True + + cpc_name The name of the CPC with the partition containing the virtual function. diff --git a/docs/source/release_notes.rst b/docs/source/release_notes.rst index e51bc77b2..05e96209b 100644 --- a/docs/source/release_notes.rst +++ b/docs/source/release_notes.rst @@ -29,6 +29,13 @@ Released: not yet **Incompatible changes:** +* The new support for verifying HMC certificates will by default verify the + HMC certificate using the "Mozilla CA Certificate List" provided by the + 'certifi' Python package, causing self-signed HMC certificates to be + rejected. The verification behavior can be controlled with the new + 'ca_certs' and 'verify' sub-parameters of the 'hmc_auth' module parameter + of each module. + **Deprecations:** **Bug fixes:** @@ -67,6 +74,10 @@ Released: not yet * Increased minimum version of zhmcclient to 0.29.0 to pick up fixes. +* Added support for verifying HMC certificates by adding module sub-parameters + 'ca_certs' and 'verify' to the 'hmc_auth' module parameter of all modules. + (issue #401) + **Cleanup:** * Renamed "Bibliography" page to "Resources" and removed common Ansible links 
diff --git a/minimum-constraints.txt b/minimum-constraints.txt index 6fd01cb95..30a7df546 100644 --- a/minimum-constraints.txt +++ b/minimum-constraints.txt @@ -87,8 +87,8 @@ wheel==0.33.5; python_version >= '3.8' ansible==2.9.0.0 requests==2.20.1 -# git+https://github.com/zhmcclient/python-zhmcclient@master#egg=zhmcclient -zhmcclient==0.29.0 +# TODO: Enable zhmcclient 0.31.0 once released on Pypi +# zhmcclient==0.31.0 # Indirect dependencies for installation (must be consistent with requirements.txt) diff --git a/plugins/module_utils/common.py b/plugins/module_utils/common.py index eade4ecc1..ddfa22882 100644 --- a/plugins/module_utils/common.py +++ b/plugins/module_utils/common.py @@ -153,11 +153,14 @@ def get_hmc_auth(hmc_auth): Parameters: hmc_auth (dict): value of the 'hmc_auth' module input parameter, - which is a dictionary with items 'userid' and 'password'. + which is a dictionary with required items 'userid' and 'password' + and optional items 'ca_certs' and 'verify'. Returns: - tuple(userid, password): A tuple with the respective items - of the input dictionary. + tuple(userid, password, ca_certs, verify): A tuple with the respective + items of the input dictionary. Optional items are defaulted: + - ca_certs: Defaults to None. + - verify: Defaults to True. Raises: ParameterError: An item in the input dictionary was missing. @@ -172,7 +175,9 @@ def get_hmc_auth(hmc_auth): except KeyError: raise ParameterError("Required item 'password' is missing in " "dictionary module parameter 'hmc_auth'.") - return userid, password + ca_certs = hmc_auth.get('ca_certs', None) + verify = hmc_auth.get('verify', True) + return userid, password, ca_certs, verify def pull_partition_status(partition): @@ -364,7 +369,7 @@ def wait_for_transition_completion(partition): raise AssertionError() -def get_session(faked_session, host, userid, password): +def get_session(faked_session, host, userid, password, ca_certs, verify): """ Return a session object for the HMC. 
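Review bot: With both `zhmcclient` lines commented out in this hunk, the minimum-constraints file no longer pins zhmcclient at all, while `get_session()` in plugins/module_utils/common.py starts passing `verify_cert=` to `Session` in the same commit. If the minimum-version run resolves a zhmcclient release that predates that keyword (the TODO suggests it arrives with 0.31.0), session creation would presumably fail, and in any case the run tests against an untracked version. Until the release exists I would keep an explicit, immutable pin such as `git+https://github.com/zhmcclient/python-zhmcclient@<COMMIT_SHA>#egg=zhmcclient` rather than nothing or a moving branch. The declared minimum in requirements.txt, which is not part of this hunk, should be raised together with it.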
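Review bot: `hmc_auth.get('verify', True)` in get_hmc_auth applies the default only when the key is absent, so an explicit `verify: null` or an empty templated value comes back falsy, and `get_session()` then switches certificate verification off through `ca_certs if verify else False`. No type validation for the `hmc_auth` sub-items is visible in this diff, so this item should fail closed: `verify = hmc_auth.get('verify')` followed by `if verify is None: verify = True`, plus a `ParameterError` for any value that is not a bool. The Raises section of the docstring would then also name the invalid-type case. The body of get_hmc_auth starts outside this hunk.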
@@ -372,13 +377,13 @@ def get_session(faked_session, host, userid, password): faked_session (zhmcclient_mock.FakedSession or None): If this object is a `zhmcclient_mock.FakedSession` object, return that object. - Else, return a new `zhmcclient.Session` object from the `host`, - `userid`, and `password` arguments. + Else, return a new `zhmcclient.Session` object from the other arguments. """ if isinstance(faked_session, FakedSession): return faked_session else: - return Session(host, userid, password) + verify_cert = ca_certs if verify else False + return Session(host, userid, password, verify_cert=verify_cert) def to_unicode(value): diff --git a/plugins/modules/zhmc_adapter.py b/plugins/modules/zhmc_adapter.py index beabb3cc6..3cab5e7d9 100644 --- a/plugins/modules/zhmc_adapter.py +++ b/plugins/modules/zhmc_adapter.py @@ -67,6 +67,26 @@ - The password for authenticating with the HMC. type: str required: true + ca_certs: + description: + - Path name of certificate file or certificate directory to be used + for verifying the HMC certificate. If null (default), the path name + in the 'REQUESTS_CA_BUNDLE' environment variable or the path name + in the 'CURL_CA_BUNDLE' environment variable is used, or if neither + of these variables is set, the certificates in the Mozilla CA + Certificate List provided by the 'certifi' Python package are used + for verifying the HMC certificate. + type: str + required: false + default: null + verify: + description: + - If True (default), verify the HMC certificate as specified in the + C(ca_certs) parameter. If False, ignore what is specified in the + C(ca_certs) parameter and do not verify the HMC certificate. + type: bool + required: false + default: true name: description: - The name of the target adapter. In case of renaming an adapter, this is 
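Review bot: `verify_cert = ca_certs if verify else False` forwards `None`, and also an empty string, unchanged when `verify` is true, so whether the HMC certificate is actually checked depends on how `Session` treats a falsy `verify_cert`, which this diff does not show. If the value reaches the HTTP layer as-is, an empty `ca_certs` would presumably behave like verification off. Making the enabled case explicit avoids relying on that, assuming `Session` accepts a boolean as the `False` branch already implies: `verify_cert = (ca_certs or True) if verify else False`. The docstring in this hunk should also list `ca_certs` and `verify` under Parameters and state that `verify=False` disables HMC certificate verification. The signature line sits in the preceding hunk.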
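Review bot: The `verify` description in the zhmc_adapter.py DOCUMENTATION hunk says what False does but not what it costs: with verification off, `userid` and `password` are sent to whatever endpoint answers at `hmc_host`, so they can be intercepted. I would add one sentence to the description, e.g. `- Setting this to False leaves the HMC credentials open to interception and should be limited to test environments.` The `ca_certs` entry could also say that an HMC with a self-signed certificate is normally handled by supplying that certificate here rather than by turning `verify` off. The same text is repeated in the DOCUMENTATION hunks of zhmc_cpc.py, zhmc_crypto_attachment.py, zhmc_hba.py, zhmc_nic.py, zhmc_partition.py and zhmc_storage_group.py.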
@@ -524,7 +544,7 @@ def ensure_set(params, check_mode): # Note: Defaults specified in argument_spec will be set in params dict host = params['hmc_host'] - userid, password = get_hmc_auth(params['hmc_auth']) + userid, password, ca_certs, verify = get_hmc_auth(params['hmc_auth']) cpc_name = params['cpc_name'] adapter_name = params['name'] adapter_match = params['match'] @@ -533,7 +553,8 @@ def ensure_set(params, check_mode): changed = False try: - session = get_session(_faked_session, host, userid, password) + session = get_session(_faked_session, + host, userid, password, ca_certs, verify) client = zhmcclient.Client(session) cpc = client.cpcs.find(name=cpc_name) adapter = identify_adapter(cpc, adapter_name, adapter_match) @@ -601,7 +622,7 @@ def ensure_present(params, check_mode): # Note: Defaults specified in argument_spec will be set in params dict host = params['hmc_host'] - userid, password = get_hmc_auth(params['hmc_auth']) + userid, password, ca_certs, verify = get_hmc_auth(params['hmc_auth']) cpc_name = params['cpc_name'] adapter_name = params['name'] _faked_session = params.get('_faked_session', None) # No default specified @@ -609,7 +630,8 @@ def ensure_present(params, check_mode): changed = False try: - session = get_session(_faked_session, host, userid, password) + session = get_session(_faked_session, + host, userid, password, ca_certs, verify) client = zhmcclient.Client(session) cpc = client.cpcs.find(name=cpc_name) # The default exception handling is sufficient for the above. @@ -736,7 +758,7 @@ def ensure_absent(params, check_mode): # Note: Defaults specified in argument_spec will be set in params dict host = params['hmc_host'] - userid, password = get_hmc_auth(params['hmc_auth']) + userid, password, ca_certs, verify = get_hmc_auth(params['hmc_auth']) cpc_name = params['cpc_name'] adapter_name = params['name'] _faked_session = params.get('_faked_session', None) # No default specified 
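Review bot: The `get_session()` calls in these hunks now take six positional arguments, so swapping `ca_certs` and `verify` at a single call site raises no error. Given `ca_certs if verify else False` in common.py, a swapped pair with the default `ca_certs` of None would turn verification off silently. Passing the two by keyword removes that risk: `get_session(_faked_session, host, userid, password, ca_certs=ca_certs, verify=verify)`. Letting `get_session()` accept the `hmc_auth` dict would keep the TLS decision in one place. The same pattern recurs in the `ensure_*` and `facts` functions of the other modules in this commit, and the enclosing functions extend beyond the hunks shown.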
@@ -745,7 +767,8 @@ def ensure_absent(params, check_mode): result = {} try: - session = get_session(_faked_session, host, userid, password) + session = get_session(_faked_session, + host, userid, password, ca_certs, verify) client = zhmcclient.Client(session) cpc = client.cpcs.find(name=cpc_name) # The default exception handling is sufficient for the above. @@ -776,13 +799,14 @@ def facts(params, check_mode): """ host = params['hmc_host'] - userid, password = get_hmc_auth(params['hmc_auth']) + userid, password, ca_certs, verify = get_hmc_auth(params['hmc_auth']) cpc_name = params['cpc_name'] adapter_name = params['name'] _faked_session = params.get('_faked_session', None) # No default specified try: - session = get_session(_faked_session, host, userid, password) + session = get_session(_faked_session, + host, userid, password, ca_certs, verify) client = zhmcclient.Client(session) cpc = client.cpcs.find(name=cpc_name) adapter = cpc.adapters.find(name=adapter_name) diff --git a/plugins/modules/zhmc_cpc.py b/plugins/modules/zhmc_cpc.py index acde60880..9a4281e6c 100644 --- a/plugins/modules/zhmc_cpc.py +++ b/plugins/modules/zhmc_cpc.py 
@@ -67,6 +67,26 @@ - The password for authenticating with the HMC. type: str required: true + ca_certs: + description: + - Path name of certificate file or certificate directory to be used + for verifying the HMC certificate. If null (default), the path name + in the 'REQUESTS_CA_BUNDLE' environment variable or the path name + in the 'CURL_CA_BUNDLE' environment variable is used, or if neither + of these variables is set, the certificates in the Mozilla CA + Certificate List provided by the 'certifi' Python package are used + for verifying the HMC certificate. + type: str + required: false + default: null + verify: + description: + - If True (default), verify the HMC certificate as specified in the + C(ca_certs) parameter. If False, ignore what is specified in the + C(ca_certs) parameter and do not verify the HMC certificate. + type: bool + required: false + default: true name: description: - The name of the target CPC. @@ -444,14 +464,15 @@ def ensure_set(params, check_mode): # Note: Defaults specified in argument_spec will be set in params dict host = params['hmc_host'] - userid, password = get_hmc_auth(params['hmc_auth']) + userid, password, ca_certs, verify = get_hmc_auth(params['hmc_auth']) cpc_name = params['name'] _faked_session = params.get('_faked_session', None) # No default specified changed = False try: - session = get_session(_faked_session, host, userid, password) + session = get_session(_faked_session, + host, userid, password, ca_certs, verify) client = zhmcclient.Client(session) cpc = client.cpcs.find(name=cpc_name) # The default exception handling is sufficient for the above. 
@@ -489,12 +510,13 @@ def facts(params, check_mode): """ host = params['hmc_host'] - userid, password = get_hmc_auth(params['hmc_auth']) + userid, password, ca_certs, verify = get_hmc_auth(params['hmc_auth']) cpc_name = params['name'] _faked_session = params.get('_faked_session', None) # No default specified try: - session = get_session(_faked_session, host, userid, password) + session = get_session(_faked_session, + host, userid, password, ca_certs, verify) client = zhmcclient.Client(session) cpc = client.cpcs.find(name=cpc_name) # The default exception handling is sufficient for the above. diff --git a/plugins/modules/zhmc_crypto_attachment.py b/plugins/modules/zhmc_crypto_attachment.py index a2c2d0c66..6b922b902 100644 --- a/plugins/modules/zhmc_crypto_attachment.py +++ b/plugins/modules/zhmc_crypto_attachment.py @@ -69,6 +69,26 @@ - The password for authenticating with the HMC. type: str required: true + ca_certs: + description: + - Path name of certificate file or certificate directory to be used + for verifying the HMC certificate. If null (default), the path name + in the 'REQUESTS_CA_BUNDLE' environment variable or the path name + in the 'CURL_CA_BUNDLE' environment variable is used, or if neither + of these variables is set, the certificates in the Mozilla CA + Certificate List provided by the 'certifi' Python package are used + for verifying the HMC certificate. + type: str + required: false + default: null + verify: + description: + - If True (default), verify the HMC certificate as specified in the + C(ca_certs) parameter. If False, ignore what is specified in the + C(ca_certs) parameter and do not verify the HMC certificate. + type: bool + required: false + default: true cpc_name: description: - The name of the CPC that has the partition and the crypto adapters. 
@@ -466,7 +486,7 @@ def ensure_attached(params, check_mode): # Note: Defaults specified in argument_spec will be set in params dict host = params['hmc_host'] - userid, password = get_hmc_auth(params['hmc_auth']) + userid, password, ca_certs, verify = get_hmc_auth(params['hmc_auth']) cpc_name = params['cpc_name'] partition_name = params['partition_name'] adapter_count = params['adapter_count'] @@ -496,7 +516,8 @@ def ensure_attached(params, check_mode): result_changes = dict() try: - session = get_session(_faked_session, host, userid, password) + session = get_session(_faked_session, + host, userid, password, ca_certs, verify) client = zhmcclient.Client(session) cpc = client.cpcs.find(name=cpc_name) partition = cpc.partitions.find(name=partition_name) @@ -901,7 +922,7 @@ def ensure_detached(params, check_mode): # Note: Defaults specified in argument_spec will be set in params dict host = params['hmc_host'] - userid, password = get_hmc_auth(params['hmc_auth']) + userid, password, ca_certs, verify = get_hmc_auth(params['hmc_auth']) cpc_name = params['cpc_name'] partition_name = params['partition_name'] _faked_session = params.get('_faked_session', None) # No default specified @@ -911,7 +932,8 @@ def ensure_detached(params, check_mode): result_changes = dict() try: - session = get_session(_faked_session, host, userid, password) + session = get_session(_faked_session, + host, userid, password, ca_certs, verify) client = zhmcclient.Client(session) cpc = client.cpcs.find(name=cpc_name) partition = cpc.partitions.find(name=partition_name) 
@@ -990,13 +1012,14 @@ def facts(params, check_mode): """ host = params['hmc_host'] - userid, password = get_hmc_auth(params['hmc_auth']) + userid, password, ca_certs, verify = get_hmc_auth(params['hmc_auth']) cpc_name = params['cpc_name'] partition_name = params['partition_name'] _faked_session = params.get('_faked_session', None) # No default specified try: - session = get_session(_faked_session, host, userid, password) + session = get_session(_faked_session, + host, userid, password, ca_certs, verify) client = zhmcclient.Client(session) cpc = client.cpcs.find(name=cpc_name) partition = cpc.partitions.find(name=partition_name) diff --git a/plugins/modules/zhmc_hba.py b/plugins/modules/zhmc_hba.py index 53b336d79..d8a7cfd0f 100644 --- a/plugins/modules/zhmc_hba.py +++ b/plugins/modules/zhmc_hba.py @@ -72,6 +72,26 @@ - The password for authenticating with the HMC. type: str required: true + ca_certs: + description: + - Path name of certificate file or certificate directory to be used + for verifying the HMC certificate. If null (default), the path name + in the 'REQUESTS_CA_BUNDLE' environment variable or the path name + in the 'CURL_CA_BUNDLE' environment variable is used, or if neither + of these variables is set, the certificates in the Mozilla CA + Certificate List provided by the 'certifi' Python package are used + for verifying the HMC certificate. + type: str + required: false + default: null + verify: + description: + - If True (default), verify the HMC certificate as specified in the + C(ca_certs) parameter. If False, ignore what is specified in the + C(ca_certs) parameter and do not verify the HMC certificate. + type: bool + required: false + default: true cpc_name: description: - The name of the CPC with the partition containing the HBA. 
@@ -408,7 +428,7 @@ def ensure_present(params, check_mode): """ host = params['hmc_host'] - userid, password = get_hmc_auth(params['hmc_auth']) + userid, password, ca_certs, verify = get_hmc_auth(params['hmc_auth']) cpc_name = params['cpc_name'] partition_name = params['partition_name'] hba_name = params['name'] @@ -418,7 +438,8 @@ def ensure_present(params, check_mode): result = {} try: - session = get_session(_faked_session, host, userid, password) + session = get_session(_faked_session, + host, userid, password, ca_certs, verify) client = zhmcclient.Client(session) cpc = client.cpcs.find(name=cpc_name) # The default exception handling is sufficient for the above. @@ -504,7 +525,7 @@ def ensure_absent(params, check_mode): """ host = params['hmc_host'] - userid, password = get_hmc_auth(params['hmc_auth']) + userid, password, ca_certs, verify = get_hmc_auth(params['hmc_auth']) cpc_name = params['cpc_name'] partition_name = params['partition_name'] hba_name = params['name'] @@ -514,7 +535,8 @@ def ensure_absent(params, check_mode): result = {} try: - session = get_session(_faked_session, host, userid, password) + session = get_session(_faked_session, + host, userid, password, ca_certs, verify) client = zhmcclient.Client(session) cpc = client.cpcs.find(name=cpc_name) partition = cpc.partitions.find(name=partition_name) diff --git a/plugins/modules/zhmc_nic.py b/plugins/modules/zhmc_nic.py index 97e70f57a..c5bedb114 100644 --- a/plugins/modules/zhmc_nic.py +++ b/plugins/modules/zhmc_nic.py 
@@ -69,6 +69,26 @@ - The password for authenticating with the HMC. type: str required: true + ca_certs: + description: + - Path name of certificate file or certificate directory to be used + for verifying the HMC certificate. If null (default), the path name + in the 'REQUESTS_CA_BUNDLE' environment variable or the path name + in the 'CURL_CA_BUNDLE' environment variable is used, or if neither + of these variables is set, the certificates in the Mozilla CA + Certificate List provided by the 'certifi' Python package are used + for verifying the HMC certificate. + type: str + required: false + default: null + verify: + description: + - If True (default), verify the HMC certificate as specified in the + C(ca_certs) parameter. If False, ignore what is specified in the + C(ca_certs) parameter and do not verify the HMC certificate. + type: bool + required: false + default: true cpc_name: description: - The name of the CPC with the partition containing the NIC. @@ -487,7 +507,7 @@ def ensure_present(params, check_mode): """ host = params['hmc_host'] - userid, password = get_hmc_auth(params['hmc_auth']) + userid, password, ca_certs, verify = get_hmc_auth(params['hmc_auth']) cpc_name = params['cpc_name'] partition_name = params['partition_name'] nic_name = params['name'] @@ -497,7 +517,8 @@ def ensure_present(params, check_mode): result = {} try: - session = get_session(_faked_session, host, userid, password) + session = get_session(_faked_session, + host, userid, password, ca_certs, verify) client = zhmcclient.Client(session) cpc = client.cpcs.find(name=cpc_name) # The default exception handling is sufficient for the above. @@ -582,7 +603,7 @@ def ensure_absent(params, check_mode): """ host = params['hmc_host'] - userid, password = get_hmc_auth(params['hmc_auth']) + userid, password, ca_certs, verify = get_hmc_auth(params['hmc_auth']) cpc_name = params['cpc_name'] partition_name = params['partition_name'] nic_name = params['name'] 
@@ -592,7 +613,8 @@ def ensure_absent(params, check_mode): result = {} try: - session = get_session(_faked_session, host, userid, password) + session = get_session(_faked_session, + host, userid, password, ca_certs, verify) client = zhmcclient.Client(session) cpc = client.cpcs.find(name=cpc_name) partition = cpc.partitions.find(name=partition_name) diff --git a/plugins/modules/zhmc_partition.py b/plugins/modules/zhmc_partition.py index 85ecece19..93e306786 100644 --- a/plugins/modules/zhmc_partition.py +++ b/plugins/modules/zhmc_partition.py @@ -74,6 +74,26 @@ - The password for authenticating with the HMC. type: str required: true + ca_certs: + description: + - Path name of certificate file or certificate directory to be used + for verifying the HMC certificate. If null (default), the path name + in the 'REQUESTS_CA_BUNDLE' environment variable or the path name + in the 'CURL_CA_BUNDLE' environment variable is used, or if neither + of these variables is set, the certificates in the Mozilla CA + Certificate List provided by the 'certifi' Python package are used + for verifying the HMC certificate. + type: str + required: false + default: null + verify: + description: + - If True (default), verify the HMC certificate as specified in the + C(ca_certs) parameter. If False, ignore what is specified in the + C(ca_certs) parameter and do not verify the HMC certificate. + type: bool + required: false + default: true cpc_name: description: - The name of the CPC with the target partition. @@ -1099,7 +1119,7 @@ def ensure_active(params, check_mode): """ host = params['hmc_host'] - userid, password = get_hmc_auth(params['hmc_auth']) + userid, password, ca_certs, verify = get_hmc_auth(params['hmc_auth']) cpc_name = params['cpc_name'] partition_name = params['name'] expand_storage_groups = params['expand_storage_groups'] 
@@ -1110,7 +1130,8 @@ def ensure_active(params, check_mode): result = {} try: - session = get_session(_faked_session, host, userid, password) + session = get_session(_faked_session, + host, userid, password, ca_certs, verify) client = zhmcclient.Client(session) cpc = client.cpcs.find(name=cpc_name) # The default exception handling is sufficient for the above. @@ -1203,7 +1224,7 @@ def ensure_stopped(params, check_mode): """ host = params['hmc_host'] - userid, password = get_hmc_auth(params['hmc_auth']) + userid, password, ca_certs, verify = get_hmc_auth(params['hmc_auth']) cpc_name = params['cpc_name'] partition_name = params['name'] expand_storage_groups = params['expand_storage_groups'] @@ -1214,7 +1235,8 @@ def ensure_stopped(params, check_mode): result = {} try: - session = get_session(_faked_session, host, userid, password) + session = get_session(_faked_session, + host, userid, password, ca_certs, verify) client = zhmcclient.Client(session) cpc = client.cpcs.find(name=cpc_name) # The default exception handling is sufficient for the above. @@ -1284,7 +1306,7 @@ def ensure_absent(params, check_mode): """ host = params['hmc_host'] - userid, password = get_hmc_auth(params['hmc_auth']) + userid, password, ca_certs, verify = get_hmc_auth(params['hmc_auth']) cpc_name = params['cpc_name'] partition_name = params['name'] _faked_session = params.get('_faked_session', None) @@ -1293,7 +1315,8 @@ def ensure_absent(params, check_mode): result = {} try: - session = get_session(_faked_session, host, userid, password) + session = get_session(_faked_session, + host, userid, password, ca_certs, verify) client = zhmcclient.Client(session) cpc = client.cpcs.find(name=cpc_name) # The default exception handling is sufficient for the above. 
@@ -1324,7 +1347,7 @@ def facts(params, check_mode): """ host = params['hmc_host'] - userid, password = get_hmc_auth(params['hmc_auth']) + userid, password, ca_certs, verify = get_hmc_auth(params['hmc_auth']) cpc_name = params['cpc_name'] partition_name = params['name'] expand_storage_groups = params['expand_storage_groups'] @@ -1337,7 +1360,8 @@ def facts(params, check_mode): try: # The default exception handling is sufficient for this code - session = get_session(_faked_session, host, userid, password) + session = get_session(_faked_session, + host, userid, password, ca_certs, verify) client = zhmcclient.Client(session) cpc = client.cpcs.find(name=cpc_name) diff --git a/plugins/modules/zhmc_storage_group.py b/plugins/modules/zhmc_storage_group.py index 83620910a..b2a16d324 100644 --- a/plugins/modules/zhmc_storage_group.py +++ b/plugins/modules/zhmc_storage_group.py @@ -76,6 +76,26 @@ - The password for authenticating with the HMC. type: str required: true + ca_certs: + description: + - Path name of certificate file or certificate directory to be used + for verifying the HMC certificate. If null (default), the path name + in the 'REQUESTS_CA_BUNDLE' environment variable or the path name + in the 'CURL_CA_BUNDLE' environment variable is used, or if neither + of these variables is set, the certificates in the Mozilla CA + Certificate List provided by the 'certifi' Python package are used + for verifying the HMC certificate. + type: str + required: false + default: null + verify: + description: + - If True (default), verify the HMC certificate as specified in the + C(ca_certs) parameter. If False, ignore what is specified in the + C(ca_certs) parameter and do not verify the HMC certificate. + type: bool + required: false + default: true cpc_name: description: - The name of the CPC associated with the target storage group. 
@@ -780,7 +800,7 @@ def ensure_present(params, check_mode): """ host = params['hmc_host'] - userid, password = get_hmc_auth(params['hmc_auth']) + userid, password, ca_certs, verify = get_hmc_auth(params['hmc_auth']) cpc_name = params['cpc_name'] storage_group_name = params['name'] expand = params['expand'] @@ -790,7 +810,8 @@ def ensure_present(params, check_mode): result = {} try: - session = get_session(_faked_session, host, userid, password) + session = get_session(_faked_session, + host, userid, password, ca_certs, verify) client = zhmcclient.Client(session) console = client.consoles.console cpc = client.cpcs.find(name=cpc_name) @@ -864,7 +885,7 @@ def ensure_absent(params, check_mode): """ host = params['hmc_host'] - userid, password = get_hmc_auth(params['hmc_auth']) + userid, password, ca_certs, verify = get_hmc_auth(params['hmc_auth']) cpc_name = params['cpc_name'] storage_group_name = params['name'] _faked_session = params.get('_faked_session', None) @@ -873,7 +894,8 @@ def ensure_absent(params, check_mode): result = {} try: - session = get_session(_faked_session, host, userid, password) + session = get_session(_faked_session, + host, userid, password, ca_certs, verify) client = zhmcclient.Client(session) console = client.consoles.console cpc = client.cpcs.find(name=cpc_name) @@ -918,7 +940,7 @@ def facts(params, check_mode): """ host = params['hmc_host'] - userid, password = get_hmc_auth(params['hmc_auth']) + userid, password, ca_certs, verify = get_hmc_auth(params['hmc_auth']) cpc_name = params['cpc_name'] storage_group_name = params['name'] expand = params['expand'] @@ -930,7 +952,8 @@ def facts(params, check_mode): try: # The default exception handling is sufficient for this code - session = get_session(_faked_session, host, userid, password) + session = get_session(_faked_session, + host, userid, password, ca_certs, verify) client = zhmcclient.Client(session) console = client.consoles.console cpc = client.cpcs.find(name=cpc_name) 
diff --git a/plugins/modules/zhmc_storage_group_attachment.py b/plugins/modules/zhmc_storage_group_attachment.py index f86dfdc10..da8bb85b9 100644 --- a/plugins/modules/zhmc_storage_group_attachment.py +++ b/plugins/modules/zhmc_storage_group_attachment.py @@ -74,6 +74,26 @@ - The password for authenticating with the HMC. type: str required: true + ca_certs: + description: + - Path name of certificate file or certificate directory to be used + for verifying the HMC certificate. If null (default), the path name + in the 'REQUESTS_CA_BUNDLE' environment variable or the path name + in the 'CURL_CA_BUNDLE' environment variable is used, or if neither + of these variables is set, the certificates in the Mozilla CA + Certificate List provided by the 'certifi' Python package are used + for verifying the HMC certificate. + type: str + required: false + default: null + verify: + description: + - If True (default), verify the HMC certificate as specified in the + C(ca_certs) parameter. If False, ignore what is specified in the + C(ca_certs) parameter and do not verify the HMC certificate. + type: bool + required: false + default: true cpc_name: description: - The name of the CPC that has the partition and is associated with the @@ -219,7 +239,7 @@ def ensure_attached(params, check_mode): """ host = params['hmc_host'] - userid, password = get_hmc_auth(params['hmc_auth']) + userid, password, ca_certs, verify = get_hmc_auth(params['hmc_auth']) cpc_name = params['cpc_name'] storage_group_name = params['storage_group_name'] partition_name = params['partition_name'] @@ -229,7 +249,8 @@ def ensure_attached(params, check_mode): attached = None try: - session = get_session(_faked_session, host, userid, password) + session = get_session(_faked_session, + host, userid, password, ca_certs, verify) client = zhmcclient.Client(session) console = client.consoles.console cpc = client.cpcs.find(name=cpc_name) 
@@ -273,7 +294,7 @@ def ensure_detached(params, check_mode): """ host = params['hmc_host'] - userid, password = get_hmc_auth(params['hmc_auth']) + userid, password, ca_certs, verify = get_hmc_auth(params['hmc_auth']) cpc_name = params['cpc_name'] storage_group_name = params['storage_group_name'] partition_name = params['partition_name'] @@ -283,7 +304,8 @@ def ensure_detached(params, check_mode): attached = None try: - session = get_session(_faked_session, host, userid, password) + session = get_session(_faked_session, + host, userid, password, ca_certs, verify) client = zhmcclient.Client(session) console = client.consoles.console cpc = client.cpcs.find(name=cpc_name) @@ -327,7 +349,7 @@ def facts(params, check_mode): """ host = params['hmc_host'] - userid, password = get_hmc_auth(params['hmc_auth']) + userid, password, ca_certs, verify = get_hmc_auth(params['hmc_auth']) cpc_name = params['cpc_name'] storage_group_name = params['storage_group_name'] partition_name = params['partition_name'] @@ -337,7 +359,8 @@ def facts(params, check_mode): attached = None try: - session = get_session(_faked_session, host, userid, password) + session = get_session(_faked_session, + host, userid, password, ca_certs, verify) client = zhmcclient.Client(session) console = client.consoles.console cpc = client.cpcs.find(name=cpc_name) diff --git a/plugins/modules/zhmc_storage_volume.py b/plugins/modules/zhmc_storage_volume.py index 4e6c6bc31..f4a1af9e6 100644 --- a/plugins/modules/zhmc_storage_volume.py +++ b/plugins/modules/zhmc_storage_volume.py 
@@ -75,6 +75,26 @@ - The password for authenticating with the HMC. type: str required: true + ca_certs: + description: + - Path name of certificate file or certificate directory to be used + for verifying the HMC certificate. If null (default), the path name + in the 'REQUESTS_CA_BUNDLE' environment variable or the path name + in the 'CURL_CA_BUNDLE' environment variable is used, or if neither + of these variables is set, the certificates in the Mozilla CA + Certificate List provided by the 'certifi' Python package are used + for verifying the HMC certificate. + type: str + required: false + default: null + verify: + description: + - If True (default), verify the HMC certificate as specified in the + C(ca_certs) parameter. If False, ignore what is specified in the + C(ca_certs) parameter and do not verify the HMC certificate. + type: bool + required: false + default: true cpc_name: description: - The name of the CPC associated with the storage group containing the @@ -427,7 +447,7 @@ def ensure_present(params, check_mode): """ host = params['hmc_host'] - userid, password = get_hmc_auth(params['hmc_auth']) + userid, password, ca_certs, verify = get_hmc_auth(params['hmc_auth']) cpc_name = params['cpc_name'] storage_group_name = params['storage_group_name'] storage_volume_name = params['name'] @@ -437,7 +457,8 @@ def ensure_present(params, check_mode): result = {} try: - session = get_session(_faked_session, host, userid, password) + session = get_session(_faked_session, + host, userid, password, ca_certs, verify) client = zhmcclient.Client(session) console = client.consoles.console cpc = client.cpcs.find(name=cpc_name) @@ -526,7 +547,7 @@ def ensure_absent(params, check_mode): """ host = params['hmc_host'] - userid, password = get_hmc_auth(params['hmc_auth']) + userid, password, ca_certs, verify = get_hmc_auth(params['hmc_auth']) cpc_name = params['cpc_name'] storage_group_name = params['storage_group_name'] storage_volume_name = params['name'] 
@@ -536,7 +557,8 @@ def ensure_absent(params, check_mode): result = {} try: - session = get_session(_faked_session, host, userid, password) + session = get_session(_faked_session, + host, userid, password, ca_certs, verify) client = zhmcclient.Client(session) console = client.consoles.console cpc = client.cpcs.find(name=cpc_name) @@ -580,7 +602,7 @@ def facts(params, check_mode): """ host = params['hmc_host'] - userid, password = get_hmc_auth(params['hmc_auth']) + userid, password, ca_certs, verify = get_hmc_auth(params['hmc_auth']) cpc_name = params['cpc_name'] storage_group_name = params['storage_group_name'] storage_volume_name = params['name'] @@ -590,7 +612,8 @@ def facts(params, check_mode): result = {} try: - session = get_session(_faked_session, host, userid, password) + session = get_session(_faked_session, + host, userid, password, ca_certs, verify) client = zhmcclient.Client(session) console = client.consoles.console cpc = client.cpcs.find(name=cpc_name) diff --git a/plugins/modules/zhmc_user.py b/plugins/modules/zhmc_user.py index 8291153d4..33f871397 100644 --- a/plugins/modules/zhmc_user.py +++ b/plugins/modules/zhmc_user.py 
@@ -65,6 +65,26 @@ - The password for authenticating with the HMC. type: str required: true + ca_certs: + description: + - Path name of certificate file or certificate directory to be used + for verifying the HMC certificate. If null (default), the path name + in the 'REQUESTS_CA_BUNDLE' environment variable or the path name + in the 'CURL_CA_BUNDLE' environment variable is used, or if neither + of these variables is set, the certificates in the Mozilla CA + Certificate List provided by the 'certifi' Python package are used + for verifying the HMC certificate. + type: str + required: false + default: null + verify: + description: + - If True (default), verify the HMC certificate as specified in the + C(ca_certs) parameter. If False, ignore what is specified in the + C(ca_certs) parameter and do not verify the HMC certificate. + type: bool + required: false + default: true name: description: - The userid of the target user (i.e. the 'name' property of the User @@ -763,7 +783,7 @@ def ensure_present(params, check_mode): """ host = params['hmc_host'] - userid, password = get_hmc_auth(params['hmc_auth']) + userid, password, ca_certs, verify = get_hmc_auth(params['hmc_auth']) user_name = params['name'] expand = params['expand'] _faked_session = params.get('_faked_session', None) @@ -772,7 +792,8 @@ def ensure_present(params, check_mode): result = {} try: - session = get_session(_faked_session, host, userid, password) + session = get_session(_faked_session, + host, userid, password, ca_certs, verify) client = zhmcclient.Client(session) console = client.consoles.console # The default exception handling is sufficient for the above. @@ -846,7 +867,7 @@ def ensure_absent(params, check_mode): """ host = params['hmc_host'] - userid, password = get_hmc_auth(params['hmc_auth']) + userid, password, ca_certs, verify = get_hmc_auth(params['hmc_auth']) user_name = params['name'] _faked_session = params.get('_faked_session', None) 
@@ -854,7 +875,8 @@ def ensure_absent(params, check_mode): result = {} try: - session = get_session(_faked_session, host, userid, password) + session = get_session(_faked_session, + host, userid, password, ca_certs, verify) client = zhmcclient.Client(session) console = client.consoles.console # The default exception handling is sufficient for the above. @@ -884,7 +906,7 @@ def facts(params, check_mode): """ host = params['hmc_host'] - userid, password = get_hmc_auth(params['hmc_auth']) + userid, password, ca_certs, verify = get_hmc_auth(params['hmc_auth']) user_name = params['name'] expand = params['expand'] _faked_session = params.get('_faked_session', None) @@ -895,7 +917,8 @@ def facts(params, check_mode): try: # The default exception handling is sufficient for this code - session = get_session(_faked_session, host, userid, password) + session = get_session(_faked_session, + host, userid, password, ca_certs, verify) client = zhmcclient.Client(session) console = client.consoles.console diff --git a/plugins/modules/zhmc_virtual_function.py b/plugins/modules/zhmc_virtual_function.py index 4f5b90cda..9bbc9240e 100644 --- a/plugins/modules/zhmc_virtual_function.py +++ b/plugins/modules/zhmc_virtual_function.py 
@@ -69,6 +69,26 @@ - The password for authenticating with the HMC. type: str required: true + ca_certs: + description: + - Path name of certificate file or certificate directory to be used + for verifying the HMC certificate. If null (default), the path name + in the 'REQUESTS_CA_BUNDLE' environment variable or the path name + in the 'CURL_CA_BUNDLE' environment variable is used, or if neither + of these variables is set, the certificates in the Mozilla CA + Certificate List provided by the 'certifi' Python package are used + for verifying the HMC certificate. + type: str + required: false + default: null + verify: + description: + - If True (default), verify the HMC certificate as specified in the + C(ca_certs) parameter. If False, ignore what is specified in the + C(ca_certs) parameter and do not verify the HMC certificate. + type: bool + required: false + default: true cpc_name: description: - The name of the CPC with the partition containing the virtual function. @@ -385,7 +405,7 @@ def ensure_present(params, check_mode): """ host = params['hmc_host'] - userid, password = get_hmc_auth(params['hmc_auth']) + userid, password, ca_certs, verify = get_hmc_auth(params['hmc_auth']) cpc_name = params['cpc_name'] partition_name = params['partition_name'] vfunction_name = params['name'] @@ -395,7 +415,8 @@ def ensure_present(params, check_mode): result = {} try: - session = get_session(_faked_session, host, userid, password) + session = get_session(_faked_session, + host, userid, password, ca_certs, verify) client = zhmcclient.Client(session) cpc = client.cpcs.find(name=cpc_name) # The default exception handling is sufficient for the above. @@ -480,7 +501,7 @@ def ensure_absent(params, check_mode): """ host = params['hmc_host'] - userid, password = get_hmc_auth(params['hmc_auth']) + userid, password, ca_certs, verify = get_hmc_auth(params['hmc_auth']) cpc_name = params['cpc_name'] partition_name = params['partition_name'] vfunction_name = params['name'] 
@@ -490,7 +511,8 @@ def ensure_absent(params, check_mode): result = {} try: - session = get_session(_faked_session, host, userid, password) + session = get_session(_faked_session, + host, userid, password, ca_certs, verify) client = zhmcclient.Client(session) cpc = client.cpcs.find(name=cpc_name) partition = cpc.partitions.find(name=partition_name) diff --git a/requirements.txt b/requirements.txt index 805683a85..50154ec0c 100644 --- a/requirements.txt +++ b/requirements.txt @@ -11,8 +11,9 @@ ansible>=2.9.0.0 requests>=2.20.1 -# git+https://github.com/zhmcclient/python-zhmcclient@master#egg=zhmcclient -zhmcclient>=0.29.0 # Apache-2.0 +# TODO: Enable zhmcclient 0.31.0 once released on Pypi +git+https://github.com/zhmcclient/python-zhmcclient@master#egg=zhmcclient +# zhmcclient>=0.31.0 # Apache-2.0 # Indirect dependencies are not specified in this file, unless needed to solve versioning issues:
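Review bot: The added `git+https://github.com/zhmcclient/python-zhmcclient@master#egg=zhmcclient` line installs whatever the `master` branch holds at install time, so builds are not reproducible and every new install of a package that handles HMC credentials picks up unreviewed upstream commits. Until the release named in the TODO is on PyPI, pin the reference to a reviewed commit, e.g. `git+https://github.com/zhmcclient/python-zhmcclient@<COMMIT_SHA>#egg=zhmcclient` (placeholder; the commit id is not on this page). The change also drops the minimum-version constraint that `zhmcclient>=0.29.0` expressed, so the commented-out `zhmcclient>=0.31.0` line should be restored before this is published.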