From 4e6297c8d99b0ef38bdc3375b14107cf21754348 Mon Sep 17 00:00:00 2001
From: Brenton Leanhardt
Date: Tue, 16 Feb 2016 10:14:34 -0500
Subject: Refactoring the add-scc-to-user logic
---
 .../tasks/legacy_add_scc_to_user.yml | 34 +++++++++++++++++++
 roles/openshift_serviceaccounts/tasks/main.yml | 39 +---------------------
 2 files changed, 35 insertions(+), 38 deletions(-)
 create mode 100644 roles/openshift_serviceaccounts/tasks/legacy_add_scc_to_user.yml
(limited to 'roles')
diff --git a/roles/openshift_serviceaccounts/tasks/legacy_add_scc_to_user.yml b/roles/openshift_serviceaccounts/tasks/legacy_add_scc_to_user.yml
new file mode 100644
index 000000000..628df4540
--- /dev/null
+++ b/roles/openshift_serviceaccounts/tasks/legacy_add_scc_to_user.yml
@@ -0,0 +1,34 @@
+####
+#
+# OSE 3.0.z did not have 'oadm policy add-scc-to-user'.
+#
+####
+
+- name: tmp dir for openshift
+ file:
+ path: /tmp/openshift
+ state: directory
+ owner: root
+ mode: 700
+
+- name: Create service account configs
+ template:
+ src: serviceaccount.j2
+ dest: "/tmp/openshift/{{ item }}-serviceaccount.yaml"
+ with_items: openshift_serviceaccounts_names
+
+- name: Get current security context constraints
+ shell: >
+ {{ openshift.common.client_binary }} get scc privileged -o yaml
+ --output-version=v1 > /tmp/openshift/scc.yaml
+ changed_when: false
+
+- name: Add security context constraint for {{ item }}
+ lineinfile:
+ dest: /tmp/openshift/scc.yaml
+ line: "- system:serviceaccount:{{ openshift_serviceaccounts_namespace }}:{{ item }}"
+ insertafter: "^users:$"
+ with_items: openshift_serviceaccounts_names
+
+- name: Apply new scc rules for service accounts
+ command: "{{ openshift.common.client_binary }} update -f /tmp/openshift/scc.yaml --api-version=v1"
diff --git a/roles/openshift_serviceaccounts/tasks/main.yml b/roles/openshift_serviceaccounts/tasks/main.yml
index 89d9e3aa7..f34fa7b74 100644
--- a/roles/openshift_serviceaccounts/tasks/main.yml
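Review bot: `mode: 700` on the `tmp dir for openshift` task in legacy_add_scc_to_user.yml is an unquoted YAML integer, so Ansible receives decimal 700 rather than octal 0700 and the directory that holds the rendered service-account configs and the privileged SCC definition ends up with unintended permission bits; write it as `mode: "0700"`. The task is carried over unchanged from main.yml, so the defect predates this commit. The directory is also a fixed path under /tmp that root writes to and then feeds to `update -f`; a per-run unique directory would remove the dependence on a predictable path, though that is a larger change than this refactor.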
+++ b/roles/openshift_serviceaccounts/tasks/main.yml
@@ -32,42 +32,5 @@
 - openshift_serviceaccounts_names
 - scc_test.results
-####
-#
-# Support for 3.0.z
-#
-####
-
-- name: tmp dir for openshift
- file:
- path: /tmp/openshift
- state: directory
- owner: root
- mode: 700
- when: not openshift.common.version_gte_3_1_or_1_1
-
-- name: Create service account configs
- template:
- src: serviceaccount.j2
- dest: "/tmp/openshift/{{ item }}-serviceaccount.yaml"
- with_items: openshift_serviceaccounts_names
- when: not openshift.common.version_gte_3_1_or_1_1
-
-- name: Get current security context constraints
- shell: >
- {{ openshift.common.client_binary }} get scc privileged -o yaml
- --output-version=v1 > /tmp/openshift/scc.yaml
- changed_when: false
- when: not openshift.common.version_gte_3_1_or_1_1
-
-- name: Add security context constraint for {{ item }}
- lineinfile:
- dest: /tmp/openshift/scc.yaml
- line: "- system:serviceaccount:{{ openshift_serviceaccounts_namespace }}:{{ item }}"
- insertafter: "^users:$"
- with_items: openshift_serviceaccounts_names
- when: not openshift.common.version_gte_3_1_or_1_1
-
-- name: Apply new scc rules for service accounts
- command: "{{ openshift.common.client_binary }} update -f /tmp/openshift/scc.yaml --api-version=v1"
+- include: legacy_add_scc_to_user.yml
 when: not openshift.common.version_gte_3_1_or_1_1
-- cgit v1.2.3
From 40ca512e39add508ee20c913efa71648fd5e2275 Mon Sep 17 00:00:00 2001
From: Brenton Leanhardt
Date: Tue, 16 Feb 2016 10:14:10 -0500
Subject: Handle case where the user already had access to the scc
---
 roles/openshift_serviceaccounts/tasks/legacy_add_scc_to_user.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
(limited to 'roles')
diff --git a/roles/openshift_serviceaccounts/tasks/legacy_add_scc_to_user.yml b/roles/openshift_serviceaccounts/tasks/legacy_add_scc_to_user.yml
index 628df4540..1efab9466 100644
--- a/roles/openshift_serviceaccounts/tasks/legacy_add_scc_to_user.yml
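Review bot: The `- include: legacy_add_scc_to_user.yml` line loses the `Support for 3.0.z` banner that the removed tasks carried, so main.yml no longer says why this include is gated; a comment above it, `# OSE 3.0.z has no 'oadm policy add-scc-to-user'; the included tasks edit the privileged scc directly instead`, keeps that next to the `when`. The `when: not openshift.common.version_gte_3_1_or_1_1` context line that follows was the old Apply task's condition and now gates the whole include, which matches the removed per-task conditions but is worth a word in that comment.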
+++ b/roles/openshift_serviceaccounts/tasks/legacy_add_scc_to_user.yml
@@ -26,9 +26,12 @@
 - name: Add security context constraint for {{ item }}
 lineinfile:
 dest: /tmp/openshift/scc.yaml
- line: "- system:serviceaccount:{{ openshift_serviceaccounts_namespace }}:{{ item }}"
+ line: "- system:serviceaccount:{{ openshift_serviceaccounts_namespace }}:{{ item.0 }}"
 insertafter: "^users:$"
- with_items: openshift_serviceaccounts_names
+ when: "item.1.rc == 0 and 'system:serviceaccount:{{ openshift_serviceaccounts_namespace }}:{{ item.0 }}' not in {{ (item.1.stdout | from_yaml).users }}"
+ with_nested:
+ - openshift_serviceaccounts_names
+ - scc_test.results
 - name: Apply new scc rules for service accounts
 command: "{{ openshift.common.client_binary }} update -f /tmp/openshift/scc.yaml --api-version=v1"
-- cgit v1.2.3
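Review bot: The new `when` splices cluster-returned data into the expression it then evaluates — `{{ (item.1.stdout | from_yaml).users }}` renders the SCC's user list into the conditional text before Jinja evaluates it, so a user entry containing a quote could break the expression, and Ansible warns about `{{ }}` inside `when` in any case; compare values instead: `when: "item.1.rc == 0 and ('system:serviceaccount:' ~ openshift_serviceaccounts_namespace ~ ':' ~ item.0) not in (item.1.stdout | from_yaml).users"`. `scc_test` is not registered anywhere in this file (the first commit shows all 34 lines of it), so the include now depends on the caller having registered it; state that in the header comment at the top of the file, e.g. `# Expects scc_test (registered by main.yml) to be in scope.` `with_nested` pairs every service-account name with every `scc_test` result, which looks like an N×N loop; if each result is the same `get scc privileged` output this is only redundant, since lineinfile will not add a line that is already present, but confirm that is the intent.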