user_services_perms: remove more stuff, fix some tasks so that they do not overlap with the users role.
This commit is contained in:
parent
7220c2513f
commit
e6531ac42c
|
@ -1,21 +1,11 @@
|
|||
---
|
||||
service_custom_installation: False
|
||||
service_user: sys_admin
|
||||
service_group: '{{ sys_user }}'
|
||||
service_sudoers_group: adminsu
|
||||
|
||||
service_data_directory: /var/lib/foo
|
||||
#service_other_directories:
|
||||
# - /var/lib/bar
|
||||
|
||||
service_log_directories:
|
||||
- /var/log/foo
|
||||
- /var/log/foo/search
|
||||
|
||||
common_users_group: service_g
|
||||
# Define the following if you want some directories readable and writable by the common group but outside the default app data dirs
|
||||
#additional_data_directories:
|
||||
# - { name: '/data/1', perms: 0755, create: True, owner: 'root', group: '{{ sys_group }}', aclperms: 'rwX' }
|
||||
# - { name: '/data/2', create: False, perms: 0755, owner: 'root', group: '{{ sys_group }}', aclperms: 'rwX' }
|
||||
# - { name: '/data/1', perms: 0755, create: True, owner: 'root', group: '{{ common_users_group }}', aclperms: 'rwX' }
|
||||
# - { name: '/data/2', create: False, perms: 0755, owner: 'root', group: '{{ common_users_group }}', aclperms: 'rwX' }
|
||||
# - { name: '/data/bah', create: False, perms: 0644, aclperms: 'rw' }
|
||||
|
||||
# Define the following array when you want to add commands to the sudoers file
|
||||
|
|
|
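Review bot: `service_group: '{{ sys_user }}'` names the service's primary group after a variable that, going by its name, holds a user; the commented examples in the same file refer to `sys_group`, so this looks like a copy-paste slip — worth confirming, since every ACL in the role is granted to this group. The `/data/bah` example also documents `perms: 0644` and `aclperms: 'rw'` for an entry the ACL tasks still treat as a directory: without the execute bit the ACL group cannot traverse it, so `aclperms: 'rwX'` (and `perms: '0755'`) would match the other entries, or the example should be dropped. `service_custom_installation: False` and the unquoted `0755` modes rely on YAML 1.1 implicit typing; `false` and quoted modes such as `'0755'` are the safer spelling for Ansible defaults.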
@ -1,16 +1,25 @@
|
|||
---
|
||||
- block:
|
||||
- name: Create the common group used to setup acls
|
||||
group: name={{ common_users_group }} state=present system=yes
|
||||
when: additional_data_directories is defined
|
||||
|
||||
- name: Add selected users to the commong group
|
||||
user: name={{ item.login }} groups={{ common_users_group }} append=yes
|
||||
with_items: '{{ users_system_users | default([]) }}'
|
||||
when: additional_data_directories is defined
|
||||
|
||||
- name: Create the users additional data dirs
|
||||
file: name={{ item.name }} state=directory owner={{ item.owner }} group={{ item.group }} mode={{ item.perms }}
|
||||
with_items: '{{ additional_data_directories | default([]) }}'
|
||||
when: item.create and not item.file
|
||||
|
||||
- name: Set the read/write/access permissions on the users additional data dirs
|
||||
acl: name={{ item.name }} entity={{ service_group }} etype=group permissions={{ item.aclperms | default('rwX') }} state=present recursive=yes
|
||||
acl: name={{ item.name }} entity={{ common_users_group }} etype=group permissions={{ item.aclperms | default('rwX') }} state=present recursive=yes
|
||||
with_items: '{{ additional_data_directories | default([]) }}'
|
||||
|
||||
- name: Set the default read/write/access permissions on the users additional data dirs
|
||||
acl: name={{ item.name }} entity={{ service_group }} etype=group permissions={{ item.aclperms | default('rwX') }} state=present default=yes recursive=yes
|
||||
acl: name={{ item.name }} entity={{ common_users_group }} etype=group permissions={{ item.aclperms | default('rwX') }} state=present default=yes recursive=yes
|
||||
with_items: '{{ additional_data_directories | default([]) }}'
|
||||
|
||||
tags: [ 'users', 'users_acl' ]
|
||||
|
|
|
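Review bot: `when: item.create and not item.file` on the "Create the users additional data dirs" task reads `item.file`, but no example entry in the defaults and no default filter define a `file` key, so an entry with `create: True` makes Ansible fail on the undefined attribute instead of creating the directory; `when: item.create | default(false) and not (item.file | default(false))` avoids that, and `owner={{ item.owner | default('root') }}` / `group={{ item.group | default(common_users_group) }}` would cover entries such as the `/data/bah` example that omit them. From a least-privilege angle, "Add selected users to the commong group" appends every entry of `users_system_users` to `common_users_group` (and thereby to the `rwX` ACLs on all additional data dirs) with no per-user opt-in, unlike the sudoers task that gates on `item.limited_sudoers_user`; if only some users should get write access, gate this task on a per-user flag the same way — also fix the typo `commong`. Quoting the mode, `mode={{ item.perms }}` → `mode='{{ item.perms }}'`, keeps octal values from being reinterpreted.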
@ -1,7 +1,5 @@
|
|||
---
|
||||
- import_tasks: common-groups.yml
|
||||
- import_tasks: sudoers-groups.yml
|
||||
- import_tasks: sudo-config.yml
|
||||
- import_tasks: services-data-dirs.yml
|
||||
when: service_custom_installation
|
||||
- import_tasks: common-users-data-dirs.yml
|
||||
when: additional_data_directories is defined
|
||||
|
|
|
@ -1,23 +0,0 @@
|
|||
---
|
||||
- block:
|
||||
- name: Create the service data dirs
|
||||
file: name={{ item }} state=directory owner={{ service_user }} group={{ service_group }} mode=0750
|
||||
with_items: '{{ service_other_directories }}'
|
||||
|
||||
- name: Set the read/write permissions on the service data dirs
|
||||
acl: name={{ item }} entity={{ service_group }} etype=group permissions=rwX state=present recursive=yes
|
||||
with_items: '{{ service_other_directories | default([]) }}'
|
||||
|
||||
- name: Set the default read/write permissions on the service data dirs
|
||||
acl: name={{ item }} entity={{ service_group }} etype=group permissions=rwX state=present default=yes recursive=yes
|
||||
with_items: '{{ service_other_directories | default([]) }}'
|
||||
|
||||
- name: Set the read permissions on the service log dirs
|
||||
acl: name={{ item }} entity={{ service_group }} etype=group permissions=rX state=present recursive=yes
|
||||
with_items: '{{ service_log_directories }}'
|
||||
|
||||
- name: Set the default read permissions on the service log dirs
|
||||
acl: name={{ item }} entity={{ service_group }} etype=group permissions=rX state=present default=yes recursive=yes
|
||||
with_items: '{{ service_log_directories }}'
|
||||
|
||||
tags: [ 'service', 'users' ]
|
|
@ -1,12 +1,8 @@
|
|||
---
|
||||
- block:
|
||||
- name: Create the service user, if it is not used to run the tomcat instances
|
||||
user: name={{ service_user }} home={{ service_data_directory }} createhome=no shell=/usr/sbin/nologin
|
||||
|
||||
- name: Add the additional service groups
|
||||
group: name={{ item }} state=present
|
||||
with_items:
|
||||
- '{{ service_group }}'
|
||||
- '{{ service_sudoers_group }}'
|
||||
|
||||
- name: Add selected users to the limited sudoers group
|
||||
|
@ -15,9 +11,8 @@
|
|||
when: item.limited_sudoers_user
|
||||
|
||||
- name: Remove selected users to the limited sudoers group
|
||||
user: name={{ item.login }} groups={{ service_sudoers_group }}
|
||||
user: name={{ item.login }} groups={{ service_sudoers_group }} append=yes
|
||||
with_items: '{{ users_system_users | default([]) }}'
|
||||
when: not item.limited_sudoers_user
|
||||
|
||||
when: service_custom_installation
|
||||
tags: [ 'services', 'users' ]
|
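Review bot: The task named "Remove selected users to the limited sudoers group" still adds the user to `{{ service_sudoers_group }}` — `user: ... groups={{ service_sudoers_group }} append=yes` is the same call the preceding "Add" task makes, and Ansible's user module has no per-group removal — so every account with `limited_sudoers_user: false` ends up in the sudo-granting group, the opposite of the stated intent and a privilege-escalation bug. The old form without `append=yes` was no better (it set the user's supplementary groups to exactly the sudoers group), so the commit does not address this. Removal has to go through a membership check and `gpasswd -d`, as sketched below, and the `when` clauses on both tasks should tolerate entries that omit the flag, e.g. `when: not (item.limited_sudoers_user | default(false))`. The block spans both hunks of this file; the membership lookup belongs before the two sudoers tasks.
```yaml
    - name: Read the current members of the limited sudoers group
      getent: database=group key={{ service_sudoers_group }}

    # … unchanged: "Add selected users to the limited sudoers group" …

    - name: Remove selected users from the limited sudoers group
      command: gpasswd -d {{ item.login }} {{ service_sudoers_group }}
      with_items: '{{ users_system_users | default([]) }}'
      when:
        - not (item.limited_sudoers_user | default(false))
        - item.login in (getent_group[service_sudoers_group][2] | default('')).split(',')
```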