directories and ACLs.

2020-05-28 16:46:43 +02:00 · 2020-05-28 16:46:43 +02:00 · 61dd0e231f
parent e412c2906c
commit 61dd0e231f
8 changed files with 166 additions and 69 deletions
--- a/README.md
+++ b/README.md
@ -1,31 +1,29 @@
 Role Name
 =========

-A brief description of the role goes here.
-
-Requirements
------------
-
-Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+A role that creates users.

 Role Variables
 --------------

-A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+The list of directories and files with their ACLs.
+The list of commands that the users can run using sudo.
+
+``` yaml
+additional_data_directories: []
+  - { name: '/data/1', perms: 0755, create: True, owner: 'root', group: '{{ common_users_group }}', aclperms: 'rwX' }
+  - { name: '/data/2', create: False, perms: 0755, owner: 'root', group: '{{ common_users_group }}', aclperms: 'rwX' }
+  - { name: '/data/bah', create: False, perms: 0644, aclperms: 'rw' }
+
+service_sudo_commands:
+  - /etc/init.d/virtuoso-opensource-7
+  - /sbin/reboot
+```

 Dependencies
 ------------

-A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
-
-Example Playbook
----------------
-
-Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
-
-    - hosts: servers
-      roles:
-         - { role: username.rolename, x: 42 }
+None

 License
 -------
@ -35,4 +33,4 @@ EUPL-1.2
 Author Information
 ------------------

-An optional section for the role authors to include contact information, or a website (HTML is not allowed).
+Andrea Dell'Amico, <andrea.dellamico@isti.cnr.it>
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -1,2 +1,19 @@
 ---
-# defaults file for ansible-role-template
+service_sudoers_group: adminsu
+
+common_users_group: service_g
+# Define the following if you want some directories readable and writable by the common group but outside the default app data dirs
+additional_data_directories: []
+#  - { name: '/data/1', perms: 0755, create: True, owner: 'root', group: '{{ common_users_group }}', aclperms: 'rwX' }
+#  - { name: '/data/2', create: False, perms: 0755, owner: 'root', group: '{{ common_users_group }}', aclperms: 'rwX' }
+#  - { name: '/data/bah', create: False, perms: 0644, aclperms: 'rw' }
+#
+# Use additional_data_directories_adjunct to list more directories in addition to the ones specified into additional_data_directories
+additional_data_directories_adjunct: []
+
+# Define the following array when you want to add commands to the sudoers file
+#service_sudo_commands:
+#  - /etc/init.d/virtuoso-opensource-7
+#  - /sbin/reboot
+#
+# Use service_sudo_commands_adjunct to list more commands in addition to the ones specified into services_sudo_commands
--- a/meta/main.yml
+++ b/meta/main.yml
@ -1,61 +1,29 @@
+---
 galaxy_info:
-  author: your name
-  description: your description
+  author: Andrea Dell'Amico
+  description: Systems Architect
  company: ISTI-CNR

-  # If the issue tracker for your role is not on github, uncomment the
-  # next line and provide a value
  issue_tracker_url: https://redmine-s2i2s.isti.cnr.it/projects/provisioning

-  # Some suggested licenses:
-  # - BSD (default)
-  # - MIT
-  # - GPLv2
-  # - GPLv3
-  # - Apache
-  # - CC-BY
-  license: EUPL-1.2
+  license: EUPL 1.2+

  min_ansible_version: 2.8

-  # If this a Container Enabled role, provide the minimum Ansible Container version.
-  # min_ansible_container_version:
-
-  # Optionally specify the branch Galaxy will use when accessing the GitHub
-  # repo for this role. During role install, if no tags are available,
-  # Galaxy will use this branch. During import Galaxy will access files on
-  # this branch. If Travis integration is configured, only notifications for this
-  # branch will be accepted. Otherwise, in all cases, the repo's default branch
-  # (usually master) will be used.
-  #github_branch:
-
-  #
-  # Provide a list of supported platforms, and for each platform a list of versions.
-  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
  # To view available platforms and versions (or releases), visit:
  # https://galaxy.ansible.com/api/v1/platforms/
  #
-  # platforms:
-  # - name: Fedora
-  #   versions:
-  #   - all
-  #   - 25
-  # - name: SomePlatform
-  #   versions:
-  #   - all
-  #   - 1.0
-  #   - 7
-  #   - 99.99
-
-  galaxy_tags: []
-    # List tags for your role here, one per line. A tag is a keyword that describes
-    # and categorizes the role. Users find roles by searching for tags. Be sure to
-    # remove the '[]' above, if you add tags to this list.
-    #
-    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
-    #       Maximum 20 tags per role.
-
-dependencies: []
-  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
-  # if you add dependencies to this list.
+  platforms:
+    - name: Ubuntu
+      versions:
+        - bionic
+    - name: EL
+      versions:
+        - 7
+        - 8

+  galaxy_tags:
+    - users
+    
+dependencies:
+  - 'users' 
--- a/tasks/common-users-data-dirs.yml
+++ b/tasks/common-users-data-dirs.yml
@ -0,0 +1,63 @@
+---
+- block:
+  - name: Create the common group used to setup acls
+    group: name={{ common_users_group }} state=present system=yes
+    when: additional_data_directories is defined
+
+  tags: [ 'users', 'users_acl' ]
+
+- block:
+  - name: Add selected users to the commong group
+    user: name={{ item.login }} groups={{ common_users_group }} append=yes
+    with_items: '{{ users_system_users }}'
+
+  when: users_system_users is defined
+  tags: [ 'users', 'users_acl' ]
+
+- block:
+  - name: Add additional users to the commong group
+    user: name={{ item.login }} groups={{ common_users_group }} append=yes
+    with_items: '{{ users_system_users_adjunct }}'
+
+  when: users_system_users_adjunct is defined
+  tags: [ 'users', 'users_acl' ]
+
+- block:
+  - name: Create the users additional data dirs
+    file: name={{ item.name }} state=directory owner={{ item.owner }} group={{ item.group }} mode={{ item.perms }}
+    with_items: '{{ additional_data_directories }}'
+    when: item.create and not item.file
+
+  tags: [ 'users', 'users_acl' ]
+
+- block:
+  - name: Create more additional data dirs
+    file: name={{ item.name }} state=directory owner={{ item.owner }} group={{ item.group }} mode={{ item.perms }}
+    with_items: '{{ additional_data_directories_adjunct }}'
+    when: item.create and not item.file
+
+  tags: [ 'users', 'users_acl' ]
+
+
+- block:
+  - name: Set the read/write/access permissions on the users additional data dirs
+    acl: name={{ item.name }} entity={{ common_users_group }} etype=group permissions={{ item.aclperms | default('rwX') }} state=present recursive=yes
+    with_items: '{{ additional_data_directories }}'
+
+  - name: Set the default read/write/access permissions on the users additional data dirs
+    acl: name={{ item.name }} entity={{ common_users_group }} etype=group permissions={{ item.aclperms | default('rwX') }} state=present default=yes recursive=yes
+    with_items: '{{ additional_data_directories }}'
+
+  tags: [ 'users_acl' ]
+
+- block:
+  - name: Set the read/write/access permissions on the additional data dirs
+    acl: name={{ item.name }} entity={{ common_users_group }} etype=group permissions={{ item.aclperms | default('rwX') }} state=present recursive=yes
+    with_items: '{{ additional_data_directories_adjunct }}'
+
+  - name: Set the default read/write/access permissions on the additional data dirs
+    acl: name={{ item.name }} entity={{ common_users_group }} etype=group permissions={{ item.aclperms | default('rwX') }} state=present default=yes recursive=yes
+    with_items: '{{ additional_data_directories_adjunct }}'
+
+  tags: [ 'users_acl' ]
+
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -1,2 +1,5 @@
 ---
-# tasks file for ansible-role-template
+- import_tasks: sudoers-groups.yml
+- import_tasks: sudo-config.yml
+- import_tasks: common-users-data-dirs.yml
+  when: additional_data_directories is defined
--- a/tasks/sudo-config.yml
+++ b/tasks/sudo-config.yml
@ -0,0 +1,5 @@
+---
+- name: Install the sudoers config that allows users to execute some privileged commands
+  template: src=service-sudoers.j2 dest=/etc/sudoers.d/service-group owner=root group=root mode=0440
+  tags: [ 'service', 'sudo', 'users' ]
+
--- a/tasks/sudoers-groups.yml
+++ b/tasks/sudoers-groups.yml
@ -0,0 +1,40 @@
+---
+- block:
+  - name: Add the additional service groups
+    group: name={{ item }} state=present
+    with_items: '{{ service_sudoers_group }}'
+
+  when: users_system_users is defined
+  tags: [ 'services', 'users' ]
+
+- block:
+  - name: Add selected users to the limited sudoers group
+    user: name={{ item.login }} groups={{ service_sudoers_group }} append=yes
+    with_items: '{{ users_system_users | default([]) }}'
+    when: item.limited_sudoers_user
+
+  - name: Remove selected users to the limited sudoers group
+    user: name={{ item.login }} groups={{ service_sudoers_group }} append=yes
+    with_items: '{{ users_system_users | default([]) }}'
+    when: not item.limited_sudoers_user
+
+  when:
+    - users_system_users is defined
+    - item.limited_sudoers_user is defined
+  tags: [ 'services', 'users' ]
+
+- block:
+  - name: Add additional users to the limited sudoers group
+    user: name={{ item.login }} groups={{ service_sudoers_group }} append=yes
+    with_items: '{{ users_system_users_adjunct }}'
+    when: item.limited_sudoers_user
+
+  - name: Remove additional users to the limited sudoers group
+    user: name={{ item.login }} groups={{ service_sudoers_group }} append=yes
+    with_items: '{{ users_system_users_adjunct }}'
+    when: not item.limited_sudoers_user
+
+  when:
+    - users_system_users_adjunct is defined
+    - item.limited_sudoers_user is defined
+  tags: [ 'services', 'users' ]
--- a/templates/service-sudoers.j2
+++ b/templates/service-sudoers.j2
@ -0,0 +1,3 @@
+{% if service_sudo_commands is defined %}
+%{{ service_sudoers_group }}  ALL=(ALL) NOPASSWD:   {% for cmd in service_sudo_commands %}{{ cmd }}{% if not loop.last %}, {% endif %}{% endfor %} {% if service_sudo_commands_adjunct is defined %}, {% for cmd in service_sudo_commands_adjunct %}{{ cmd }}{% if not loop.last %}, {% endif %}{% endfor %}{% endif %}
+{% endif %}