Additional lists of users and data directories. See https://support.d4science.org/issues/2447
This commit is contained in:
parent
6621c75cc2
commit
bc000807bc
@ -7,8 +7,12 @@ common_users_group: service_g
|
|||
# - { name: '/data/1', perms: 0755, create: True, owner: 'root', group: '{{ common_users_group }}', aclperms: 'rwX' }
|
||||
# - { name: '/data/2', create: False, perms: 0755, owner: 'root', group: '{{ common_users_group }}', aclperms: 'rwX' }
|
||||
# - { name: '/data/bah', create: False, perms: 0644, aclperms: 'rw' }
|
||||
#
|
||||
# Use additional_data_directories_adjunct to list more directories in addition to the ones specified into additional_data_directories
|
||||
|
||||
# Define the following array when you want to add commands to the sudoers file
|
||||
#service_sudo_commands:
|
||||
# - /etc/init.d/virtuoso-opensource-7
|
||||
# - /sbin/reboot
|
||||
#
|
||||
# Use service_sudo_commands_adjunct to list more commands in addition to the ones specified into services_sudo_commands
|
||||
|
|
|
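Review bot: The new comment `# Use service_sudo_commands_adjunct to list more commands in addition to the ones specified into services_sudo_commands` points at a variable `services_sudo_commands` that does not exist; the list documented just above is `service_sudo_commands`, so the name in the comment should be corrected. The block should also say what an entry means, because the template in this commit writes each one verbatim into a `NOPASSWD` rule with no argument restriction: `# Each entry becomes a NOPASSWD sudo rule for the whole group: use absolute paths and append the permitted arguments (or "" for none), e.g. /sbin/reboot ""`. Without that, an init script listed here can be invoked with arbitrary options by every member of the group.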
@ -4,14 +4,28 @@
|
|||
group: name={{ common_users_group }} state=present system=yes
|
||||
when: additional_data_directories is defined
|
||||
|
||||
tags: [ 'users', 'users_acl' ]
|
||||
|
||||
- block:
|
||||
- name: Add selected users to the commong group
|
||||
user: name={{ item.login }} groups={{ common_users_group }} append=yes
|
||||
with_items: '{{ users_system_users | default([]) }}'
|
||||
when: additional_data_directories is defined
|
||||
with_items: '{{ users_system_users }}'
|
||||
|
||||
when: users_system_users is defined
|
||||
tags: [ 'users', 'users_acl' ]
|
||||
|
||||
- block:
|
||||
- name: Add additional users to the commong group
|
||||
user: name={{ item.login }} groups={{ common_users_group }} append=yes
|
||||
with_items: '{{ users_system_users_adjunct }}'
|
||||
|
||||
when: users_system_users_adjunct is defined
|
||||
tags: [ 'users', 'users_acl' ]
|
||||
|
||||
- block:
|
||||
- name: Create the users additional data dirs
|
||||
file: name={{ item.name }} state=directory owner={{ item.owner }} group={{ item.group }} mode={{ item.perms }}
|
||||
with_items: '{{ additional_data_directories | default([]) }}'
|
||||
with_items: '{{ additional_data_directories }}'
|
||||
when: item.create and not item.file
|
||||
|
||||
- name: Set the read/write/access permissions on the users additional data dirs
|
||||
|
@ -22,4 +36,23 @@
|
|||
acl: name={{ item.name }} entity={{ common_users_group }} etype=group permissions={{ item.aclperms | default('rwX') }} state=present default=yes recursive=yes
|
||||
with_items: '{{ additional_data_directories | default([]) }}'
|
||||
|
||||
when: additional_data_directories is defined
|
||||
tags: [ 'users', 'users_acl' ]
|
||||
|
||||
- block:
|
||||
- name: Create more additional data dirs
|
||||
file: name={{ item.name }} state=directory owner={{ item.owner }} group={{ item.group }} mode={{ item.perms }}
|
||||
with_items: '{{ additional_data_directories_adjunct }}'
|
||||
when: item.create and not item.file
|
||||
|
||||
- name: Set the read/write/access permissions on the additional data dirs
|
||||
acl: name={{ item.name }} entity={{ common_users_group }} etype=group permissions={{ item.aclperms | default('rwX') }} state=present recursive=yes
|
||||
with_items: '{{ additional_data_directories_adjunct }}'
|
||||
|
||||
- name: Set the default read/write/access permissions on the additional data dirs
|
||||
acl: name={{ item.name }} entity={{ common_users_group }} etype=group permissions={{ item.aclperms | default('rwX') }} state=present default=yes recursive=yes
|
||||
with_items: '{{ additional_data_directories_adjunct }}'
|
||||
|
||||
when: additional_data_directories_adjunct is defined
|
||||
tags: [ 'users', 'users_acl' ]
|
||||
|
||||
|
|
|
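Review bot: The new `Create more additional data dirs` task copies `when: item.create and not item.file` and reads `item.file` bare, but none of the example entries in this commit's defaults hunk carry a `file` key, so an adjunct entry written from those examples aborts the play on an undefined attribute; write the condition as `when: item.create and not (item.file | default(False))`. The two `acl` tasks that follow deserve a warning comment: with `recursive=yes` the access ACL and the `default=yes` ACL are applied to every existing entry beneath a `create: False` directory, so listing a pre-existing tree here hands `common_users_group` rwX on everything already inside it, not only on new files — e.g. `# NOTE: recursive ACL grants the group rwX on every existing entry under this path, not just new ones`. The task names above still read `commong group`; worth fixing while the blocks are being rewritten. The enclosing task file continues outside these hunks.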
@ -1,6 +1,5 @@
|
|||
---
|
||||
- name: Install the sudoers config that allows users to execute some privileged commands
|
||||
template: src=service-sudoers.j2 dest=/etc/sudoers.d/service-group owner=root group=root mode=0440
|
||||
when: service_sudo_commands is defined
|
||||
tags: [ 'service', 'sudo', 'users' ]
|
||||
|
||||
|
|
|
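Review bot: The `template:` task that writes `/etc/sudoers.d/service-group` carries no `validate`, and this hunk appears to drop the `when: service_sudo_commands is defined` guard so the drop-in is rendered on every run; a malformed entry in `service_sudo_commands` or the new adjunct list would be installed unchecked and can break sudo for everyone on the host. Add `validate='/usr/sbin/visudo -cf %s'` to the template line so a bad render is rejected before it replaces the file. Since the template itself now decides whether to emit a rule, a short comment above the task would help the next reader: `# Always rendered; the template emits an empty file when no commands are configured`.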
@ -2,8 +2,7 @@
|
|||
- block:
|
||||
- name: Add the additional service groups
|
||||
group: name={{ item }} state=present
|
||||
with_items:
|
||||
- '{{ service_sudoers_group }}'
|
||||
with_items: '{{ service_sudoers_group }}'
|
||||
|
||||
- name: Add selected users to the limited sudoers group
|
||||
user: name={{ item.login }} groups={{ service_sudoers_group }} append=yes
|
||||
|
@ -15,4 +14,19 @@
|
|||
with_items: '{{ users_system_users | default([]) }}'
|
||||
when: not item.limited_sudoers_user
|
||||
|
||||
when: users_system_users is defined
|
||||
tags: [ 'services', 'users' ]
|
||||
|
||||
- block:
|
||||
- name: Add additional users to the limited sudoers group
|
||||
user: name={{ item.login }} groups={{ service_sudoers_group }} append=yes
|
||||
with_items: '{{ users_system_users_adjunct }}'
|
||||
when: item.limited_sudoers_user
|
||||
|
||||
- name: Remove additional users to the limited sudoers group
|
||||
user: name={{ item.login }} groups={{ service_sudoers_group }} append=yes
|
||||
with_items: '{{ users_system_users_adjunct }}'
|
||||
when: not item.limited_sudoers_user
|
||||
|
||||
when: users_system_users_adjunct is defined
|
||||
tags: [ 'services', 'users' ]
|
||||
|
|
|
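Review bot: The task named `Remove additional users to the limited sudoers group` does not remove anything — its `user:` line is identical to the add task above it, `groups={{ service_sudoers_group }} append=yes`, so every adjunct entry with `limited_sudoers_user: False` is added to the passwordless-sudo group, the opposite of the intent and a privilege grant to users explicitly marked as not entitled to it. The `user` module with `append=yes` can only add supplementary groups; removing one needs either the user's full target group list or an explicit `gpasswd -d`, guarded by a membership check so it stays idempotent, as sketched below. The same `user:` line sits directly under the `when: not item.limited_sudoers_user` context in the first hunk, so the pre-existing block for `users_system_users` most likely has the identical defect and should get the same fix. Both `when:` conditions also read `item.limited_sudoers_user` bare; use `| default(False)` so an entry without that key does not abort the play.
```yaml
- name: Read the current members of the limited sudoers group
  getent:
    database: group
    key: '{{ service_sudoers_group }}'

- name: Remove additional users from the limited sudoers group
  command: gpasswd -d {{ item.login }} {{ service_sudoers_group }}
  with_items: '{{ users_system_users_adjunct }}'
  when:
    - not (item.limited_sudoers_user | default(False))
    - item.login in (getent_group[service_sudoers_group][2] | default('')).split(',')
```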
@ -1,2 +1,3 @@
|
|||
%{{ service_sudoers_group }} ALL=(ALL) NOPASSWD: {% for cmd in service_sudo_commands %}{{ cmd }}{% if not loop.last %}, {% endif %}{% endfor %}
|
||||
|
||||
{% if service_sudo_commands is defined %}
|
||||
%{{ service_sudoers_group }} ALL=(ALL) NOPASSWD: {% for cmd in service_sudo_commands %}{{ cmd }}{% if not loop.last %}, {% endif %}{% endfor %} {% if service_sudo_commands_adjunct is defined %}, {% for cmd in service_sudo_commands_adjunct %}{{ cmd }}{% if not loop.last %}, {% endif %}{% endfor %}{% endif %}
|
||||
{% endif %}
|
||||
|
|
|
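Review bot: The new `{% if service_sudo_commands is defined %}` wraps the whole rule, so a host that defines only `service_sudo_commands_adjunct` renders an empty sudoers drop-in and the adjunct commands are silently never granted; the two lists should be merged before the guard rather than nested inside it. The current glue also emits `cmd1, cmd2 , cmd3` (a space before the comma) whenever the adjunct list is present, which sudoers tolerates but a `join` avoids entirely, as below. Independently of the template, every entry is written with no argument restriction, so callers should append the allowed arguments (or `""`) to anything that takes options.
```jinja
{% set all_sudo_cmds = (service_sudo_commands | default([])) + (service_sudo_commands_adjunct | default([])) %}
{% if all_sudo_cmds %}
%{{ service_sudoers_group }} ALL=(ALL) NOPASSWD: {{ all_sudo_cmds | join(', ') }}
{% endif %}
```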
@ -15,5 +15,6 @@ users_default_password: '*'
|
|||
users_update_password: 'on_create'
|
||||
#users_system_users:
|
||||
# - { login: 'foo', name: "Foo Bar", home: '{{ users_home_dir }}', createhome: 'yes', ssh_key: '{{ foo_ssh_key }}', shell: '/bin/bash', admin: False, log_as_root: False }
|
||||
#users_system_users_adjunct: same as above, can be used to add more users to the original list
|
||||
#users_additional_groups:
|
||||
# - { group: 'foo' }
|
||||
|
|
|
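Review bot: The new `#users_system_users_adjunct: same as above` line should spell out which keys the tasks in this commit read without a default — `admin` and, in the service sudoers tasks, `limited_sudoers_user` — since an entry that omits either aborts the play rather than being treated as false; e.g. `# users_system_users_adjunct: same schema as users_system_users (admin and limited_sudoers_user are required booleans); entries are appended to, not merged with, the original list`. It is also worth stating in the same comment that `admin: True` yields passwordless sudo and `log_as_root: True` installs the entry's key into root's authorized_keys, so the adjunct list must be held to the same review and vaulting as the primary one.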
@ -8,11 +8,17 @@
|
|||
template: src=sudoers.j2 dest=/etc/sudoers.d/{{ users_sudoers_group }}
|
||||
when: users_sudoers_create_sudo_conf
|
||||
|
||||
tags: users
|
||||
|
||||
- block:
|
||||
- name: Manage additional groups
|
||||
group: name={{ item.group }} state={{ item.state | default('present') }}
|
||||
with_items: '{{ users_additional_groups }}'
|
||||
when: users_additional_groups is defined
|
||||
|
||||
when: users_additional_groups is defined
|
||||
tags: users
|
||||
|
||||
- block:
|
||||
- name: Create users
|
||||
user: name={{ item.login }} group={{ item.group | default(omit) }} comment="{{ item.name }}" home={{ item.home }}/{{ item.login }} createhome={{ item.createhome }} shell={{ item.shell }} password={{ item.password | default('*') }} update_password={{ item.update_password | default('on_create') }}
|
||||
with_items: '{{ users_system_users | default([]) }}'
|
||||
|
@ -29,7 +35,59 @@
|
|||
- item.admin
|
||||
- ansible_distribution_file_variety == "Debian"
|
||||
|
||||
- name: Permit sudo without password
|
||||
- name: Add the admin users to the sudoers group on rh/centos systems
|
||||
user: name={{ item.login }} groups={{ rh_users_sudoers_group }} append=yes
|
||||
with_items: '{{ users_system_users }}'
|
||||
when:
|
||||
- item.admin
|
||||
- ansible_distribution_file_variety == "RedHat"
|
||||
|
||||
- name: ensure that the users can login with their ssh keys as root if we want ensure direct access
|
||||
authorized_key: user=root key="{{ item.ssh_key }}" state=present
|
||||
with_items: '{{ users_system_users }}'
|
||||
when:
|
||||
- item.ssh_key is defined
|
||||
- ( item.log_as_root is defined ) and ( item.log_as_root )
|
||||
|
||||
when: users_system_users is defined
|
||||
tags: users
|
||||
|
||||
- block:
|
||||
- name: Create additional users
|
||||
user: name={{ item.login }} group={{ item.group | default(omit) }} comment="{{ item.name }}" home={{ item.home }}/{{ item.login }} createhome={{ item.createhome }} shell={{ item.shell }} password={{ item.password | default('*') }} update_password={{ item.update_password | default('on_create') }}
|
||||
with_items: '{{ users_system_users_adjunct }}'
|
||||
|
||||
- name: ensure that the additional users can login with their ssh keys
|
||||
authorized_key: user="{{ item.login }}" key="{{ item.ssh_key }}" state=present
|
||||
with_items: '{{ users_system_users_adjunct }}'
|
||||
when: item.ssh_key is defined
|
||||
|
||||
- name: Add the additional admin users to the sudoers group on debian based systems
|
||||
user: name={{ item.login }} groups={{ deb_users_sudoers_group }} append=yes
|
||||
with_items: '{{ users_system_users_adjunct }}'
|
||||
when:
|
||||
- item.admin
|
||||
- ansible_distribution_file_variety == "Debian"
|
||||
|
||||
- name: Add the additional admin users to the sudoers group on rh/centos systems
|
||||
user: name={{ item.login }} groups={{ rh_users_sudoers_group }} append=yes
|
||||
with_items: '{{ users_system_users_adjunct }}'
|
||||
when:
|
||||
- item.admin
|
||||
- ansible_distribution_file_variety == "RedHat"
|
||||
|
||||
- name: ensure that the additional users can login with their ssh keys as root if we want ensure direct access
|
||||
authorized_key: user=root key="{{ item.ssh_key }}" state=present
|
||||
with_items: '{{ users_system_users_adjunct }}'
|
||||
when:
|
||||
- item.ssh_key is defined
|
||||
- ( item.log_as_root is defined ) and ( item.log_as_root )
|
||||
|
||||
when: users_system_users_adjunct is defined
|
||||
tags: users
|
||||
|
||||
- block:
|
||||
- name: Permit sudo without password on Deb based systems
|
||||
lineinfile:
|
||||
path: /etc/sudoers
|
||||
state: present
|
||||
|
@ -38,27 +96,13 @@
|
|||
when: ansible_distribution_file_variety == "Debian"
|
||||
tags: [ 'users', 'sudo_wheel' ]
|
||||
|
||||
- name: Add the admin users to the sudoers group on rh/centos systems
|
||||
user: name={{ item.login }} groups={{ rh_users_sudoers_group }} append=yes
|
||||
with_items: '{{ users_system_users | default([]) }}'
|
||||
when:
|
||||
- item.admin
|
||||
- ansible_distribution_file_variety == "RedHat"
|
||||
|
||||
- name: Permit sudo without password
|
||||
- name: Change the sudo configuration to permit sudo without password on RH/CentOS systems
|
||||
lineinfile:
|
||||
path: /etc/sudoers
|
||||
state: present
|
||||
regexp: '^%{{ rh_users_sudoers_group }}\s'
|
||||
line: '%{{ rh_users_sudoers_group }} ALL=(ALL) NOPASSWD: ALL'
|
||||
when: ansible_distribution_file_variety == "RedHat"
|
||||
|
||||
tags: [ 'users', 'sudo_wheel' ]
|
||||
|
||||
- name: ensure that the users can login with their ssh keys as root if we want ensure direct access
|
||||
authorized_key: user=root key="{{ item.ssh_key }}" state=present
|
||||
with_items: '{{ users_system_users | default([]) }}'
|
||||
when:
|
||||
- item.ssh_key is defined
|
||||
- ( item.log_as_root is defined ) and ( item.log_as_root )
|
||||
|
||||
tags: users
|
||||
|
|
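Review bot: The new `users_system_users_adjunct` block reproduces the five tasks of the `users_system_users` block line for line, so any later hardening (a `validate` on the sudoers edits, `exclusive` handling of root's authorized keys, a `| default(False)` on the conditions) has to be applied twice and will drift; iterating once over the concatenation and dropping the second block avoids that, e.g. `with_items: '{{ (users_system_users | default([])) + (users_system_users_adjunct | default([])) }}'` on each task. The per-item conditions read `item.admin` bare, so an adjunct entry without that key aborts the play; write it as `item.admin | default(False)`, as the `log_as_root` condition already guards itself. Note that this block grants root SSH login and passwordless-sudo group membership exactly as the primary list does, so the adjunct list carries the same trust and should live in the same vaulted, reviewed inventory source. The `Permit sudo without password` block that this hunk starts continues outside the hunk.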