From e6531ac42cda1bffed107545349e7e86c77aa5e5 Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Thu, 14 Feb 2019 15:18:05 +0100
Subject: [PATCH] user_services_perms: remove more stuff, fix some tasks so that they do not overlap with the users role.

---
 user_services_perms/defaults/main.yml | 16 +++----------
 .../tasks/common-users-data-dirs.yml | 13 +++++++++--
 user_services_perms/tasks/main.yml | 4 +---
 .../tasks/services-data-dirs.yml | 23 -------------------
 .../{common-groups.yml => sudoers-groups.yml} | 7 +----
 5 files changed, 16 insertions(+), 47 deletions(-)
 delete mode 100644 user_services_perms/tasks/services-data-dirs.yml
 rename user_services_perms/tasks/{common-groups.yml => sudoers-groups.yml} (71%)

diff --git a/user_services_perms/defaults/main.yml b/user_services_perms/defaults/main.yml
index 46373b9..8926572 100644
--- a/user_services_perms/defaults/main.yml
+++ b/user_services_perms/defaults/main.yml
@@ -1,21 +1,11 @@
 ---
-service_custom_installation: False
-service_user: sys_admin
-service_group: '{{ sys_user }}'
 service_sudoers_group: adminsu
-service_data_directory: /var/lib/foo
-#service_other_directories:
-# - /var/lib/bar
-
-service_log_directories:
-  - /var/log/foo
-  - /var/log/foo/search
-
+common_users_group: service_g
 # Define the following if you want some directories readable and writable by the common group but outside the default app data dirs
 #additional_data_directories:
-# - { name: '/data/1', perms: 0755, create: True, owner: 'root', group: '{{ sys_group }}', aclperms: 'rwX' }
-# - { name: '/data/2', create: False, perms: 0755, owner: 'root', group: '{{ sys_group }}', aclperms: 'rwX' }
+# - { name: '/data/1', perms: 0755, create: True, owner: 'root', group: '{{ common_users_group }}', aclperms: 'rwX' }
+# - { name: '/data/2', create: False, perms: 0755, owner: 'root', group: '{{ common_users_group }}', aclperms: 'rwX' }
 # - { name: '/data/bah', create: False, perms: 0644, aclperms: 'rw' }
 # Define the following array when you want to add commands to the sudoers file
diff --git a/user_services_perms/tasks/common-users-data-dirs.yml b/user_services_perms/tasks/common-users-data-dirs.yml
index 8ae7b1b..3a40bcd 100644
--- a/user_services_perms/tasks/common-users-data-dirs.yml
+++ b/user_services_perms/tasks/common-users-data-dirs.yml
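Review bot: The example items keep `perms: 0755` and `perms: 0644` as plain scalars; Ansible's YAML loader reads a leading-zero number as an octal integer before it ever reaches `mode={{ item.perms }}`, so whether the file module still sees the intended mode depends on how the templated value is re-typed — quoting them (`perms: '0755'`) removes that dependency and is what the Ansible documentation recommends for modes. The comment above the examples could also say what the tasks in common-users-data-dirs.yml actually do with these fields: `aclperms` is granted to `common_users_group` regardless of the item's `group`, which only sets the directory's owning group, e.g. `# aclperms is always applied to common_users_group; owner/group only set directory ownership`. The defaults no longer declare `users_system_users`, which the new tasks iterate over; presumably it comes from the users role, so a one-line comment naming that dependency would help whoever reads this file on its own.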
@@ -1,16 +1,25 @@
 ---
 - block:
+  - name: Create the common group used to setup acls
+    group: name={{ common_users_group }} state=present system=yes
+    when: additional_data_directories is defined
+
+  - name: Add selected users to the commong group
+    user: name={{ item.login }} groups={{ common_users_group }} append=yes
+    with_items: '{{ users_system_users | default([]) }}'
+    when: additional_data_directories is defined
+
   - name: Create the users additional data dirs
     file: name={{ item.name }} state=directory owner={{ item.owner }} group={{ item.group }} mode={{ item.perms }}
     with_items: '{{ additional_data_directories | default([]) }}'
     when: item.create and not item.file
   - name: Set the read/write/access permissions on the users additional data dirs
-    acl: name={{ item.name }} entity={{ service_group }} etype=group permissions={{ item.aclperms | default('rwX') }} state=present recursive=yes
+    acl: name={{ item.name }} entity={{ common_users_group }} etype=group permissions={{ item.aclperms | default('rwX') }} state=present recursive=yes
     with_items: '{{ additional_data_directories | default([]) }}'
   - name: Set the default read/write/access permissions on the users additional data dirs
-    acl: name={{ item.name }} entity={{ service_group }} etype=group permissions={{ item.aclperms | default('rwX') }} state=present default=yes recursive=yes
+    acl: name={{ item.name }} entity={{ common_users_group }} etype=group permissions={{ item.aclperms | default('rwX') }} state=present default=yes recursive=yes
     with_items: '{{ additional_data_directories | default([]) }}'
   tags: [ 'users', 'users_acl' ]
diff --git a/user_services_perms/tasks/main.yml b/user_services_perms/tasks/main.yml
index 2487c89..be1cc6f 100644
--- a/user_services_perms/tasks/main.yml
+++ b/user_services_perms/tasks/main.yml
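Review bot: The new task `Add selected users to the commong group` puts every entry of `users_system_users` into `common_users_group` with no per-user opt-in, so all managed users receive the recursive rwX ACLs granted further down on every `additional_data_directories` entry; the sibling sudoers-groups.yml gates membership per item with `item.limited_sudoers_user`, and a similar per-item flag here (for example `when: additional_data_directories is defined and item.common_group_member | default(False)`, name to be agreed with the users role) would keep the grant to the users that need it. The task name also has a typo (`commong` → `common`), and both added `when: additional_data_directories is defined` lines repeat the condition main.yml already attaches to the `import_tasks` of this file, so they can be dropped. Minor, on the context line `when: item.create and not item.file`: items that omit `file` (as every example in defaults/main.yml does) will fail with an undefined attribute when `create` is True, so `item.file | default(False)` would make the documented examples usable as written.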
@@ -1,7 +1,5 @@
 ---
-- import_tasks: common-groups.yml
+- import_tasks: sudoers-groups.yml
 - import_tasks: sudo-config.yml
-- import_tasks: services-data-dirs.yml
-  when: service_custom_installation
 - import_tasks: common-users-data-dirs.yml
   when: additional_data_directories is defined
diff --git a/user_services_perms/tasks/services-data-dirs.yml b/user_services_perms/tasks/services-data-dirs.yml
deleted file mode 100644
index 443e0fb..0000000
--- a/user_services_perms/tasks/services-data-dirs.yml
+++ /dev/null
@@ -1,23 +0,0 @@
----
-- block:
-  - name: Create the service data dirs
-    file: name={{ item }} state=directory owner={{ service_user }} group={{ service_group }} mode=0750
-    with_items: '{{ service_other_directories }}'
-
-  - name: Set the read/write permissions on the service data dirs
-    acl: name={{ item }} entity={{ service_group }} etype=group permissions=rwX state=present recursive=yes
-    with_items: '{{ service_other_directories | default([]) }}'
-
-  - name: Set the default read/write permissions on the service data dirs
-    acl: name={{ item }} entity={{ service_group }} etype=group permissions=rwX state=present default=yes recursive=yes
-    with_items: '{{ service_other_directories | default([]) }}'
-
-  - name: Set the read permissions on the service log dirs
-    acl: name={{ item }} entity={{ service_group }} etype=group permissions=rX state=present recursive=yes
-    with_items: '{{ service_log_directories }}'
-
-  - name: Set the default read permissions on the service log dirs
-    acl: name={{ item }} entity={{ service_group }} etype=group permissions=rX state=present default=yes recursive=yes
-    with_items: '{{ service_log_directories }}'
-
-  tags: [ 'service', 'users' ]
diff --git a/user_services_perms/tasks/common-groups.yml b/user_services_perms/tasks/sudoers-groups.yml
similarity index 71%
rename from user_services_perms/tasks/common-groups.yml
rename to user_services_perms/tasks/sudoers-groups.yml
index 54ae849..bcacc8a 100644
--- a/user_services_perms/tasks/common-groups.yml
+++ b/user_services_perms/tasks/sudoers-groups.yml
@@ -1,12 +1,8 @@
 ---
 - block:
-  - name: Create the service user, if it is not used to run the tomcat instances
-    user: name={{ service_user }} home={{ service_data_directory }} createhome=no shell=/usr/sbin/nologin
-
   - name: Add the additional service groups
     group: name={{ item }} state=present
     with_items:
-      - '{{ service_group }}'
       - '{{ service_sudoers_group }}'
   - name: Add selected users to the limited sudoers group
@@ -15,9 +11,8 @@
     when: item.limited_sudoers_user
   - name: Remove selected users to the limited sudoers group
-    user: name={{ item.login }} groups={{ service_sudoers_group }}
+    user: name={{ item.login }} groups={{ service_sudoers_group }} append=yes
     with_items: '{{ users_system_users | default([]) }}'
     when: not item.limited_sudoers_user
-  when: service_custom_installation
   tags: [ 'services', 'users' ]
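Review bot: The task `Remove selected users to the limited sudoers group` still adds users: the user module's `groups=` only ever sets or, with `append=yes`, extends secondary group membership, so every `users_system_users` entry with `limited_sudoers_user` false is now added to `{{ service_sudoers_group }}` (adminsu by default) rather than taken out of it — the old line without `append` replaced all of their secondary groups with that one, so both versions put users marked as not entitled into the sudoers group. Removing one group needs either `groups` set to the user's full intended list without `append`, or a membership check followed by an explicit `gpasswd --delete`; a sketch of the latter is below, using only the fields visible in this file (the `getent_group` lookup assumes the group exists, which the `Add the additional service groups` task above ensures). Dropping `when: service_custom_installation` from the block also means the adminsu group and this membership management now run on every host the role is applied to, where the role previously defaulted that flag to False in defaults/main.yml; worth confirming that is intended. The block begins before the second hunk, and the `Add selected users to the limited sudoers group` task between the two hunks is not visible here.
```yaml
  - name: Look up the current members of the limited sudoers group
    getent:
      database: group
      key: "{{ service_sudoers_group }}"

  - name: Remove selected users from the limited sudoers group
    command: gpasswd --delete {{ item.login }} {{ service_sudoers_group }}
    with_items: '{{ users_system_users | default([]) }}'
    when: not item.limited_sudoers_user and item.login in (getent_group[service_sudoers_group][2] | default('')).split(',')
  # … unchanged: tags …
```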