Additional lists of users and data directories. See https://support.d4science.org/issues/2447

2019-04-09 15:56:36 +02:00 · 2019-04-09 15:56:36 +02:00 · bc000807bc
parent 6621c75cc2
commit bc000807bc
7 changed files with 124 additions and 28 deletions
--- a/user_services_perms/defaults/main.yml
+++ b/user_services_perms/defaults/main.yml
@ -7,8 +7,12 @@ common_users_group: service_g
 #  - { name: '/data/1', perms: 0755, create: True, owner: 'root', group: '{{ common_users_group }}', aclperms: 'rwX' }
 #  - { name: '/data/2', create: False, perms: 0755, owner: 'root', group: '{{ common_users_group }}', aclperms: 'rwX' }
 #  - { name: '/data/bah', create: False, perms: 0644, aclperms: 'rw' }
+#
+# Use additional_data_directories_adjunct to list more directories in addition to the ones specified into additional_data_directories

 # Define the following array when you want to add commands to the sudoers file
 #service_sudo_commands:
 #  - /etc/init.d/virtuoso-opensource-7
 #  - /sbin/reboot
+#
+# Use service_sudo_commands_adjunct to list more commands in addition to the ones specified into services_sudo_commands
--- a/user_services_perms/tasks/common-users-data-dirs.yml
+++ b/user_services_perms/tasks/common-users-data-dirs.yml
@ -4,14 +4,28 @@
    group: name={{ common_users_group }} state=present system=yes
    when: additional_data_directories is defined

+  tags: [ 'users', 'users_acl' ]
+
+- block:
  - name: Add selected users to the commong group
    user: name={{ item.login }} groups={{ common_users_group }} append=yes
-    with_items: '{{ users_system_users | default([]) }}'
-    when: additional_data_directories is defined
+    with_items: '{{ users_system_users }}'

+  when: users_system_users is defined
+  tags: [ 'users', 'users_acl' ]
+
+- block:
+  - name: Add additional users to the commong group
+    user: name={{ item.login }} groups={{ common_users_group }} append=yes
+    with_items: '{{ users_system_users_adjunct }}'
+
+  when: users_system_users_adjunct is defined
+  tags: [ 'users', 'users_acl' ]
+
+- block:
  - name: Create the users additional data dirs
    file: name={{ item.name }} state=directory owner={{ item.owner }} group={{ item.group }} mode={{ item.perms }}
-    with_items: '{{ additional_data_directories | default([]) }}'
+    with_items: '{{ additional_data_directories }}'
    when: item.create and not item.file

  - name: Set the read/write/access permissions on the users additional data dirs
@ -22,4 +36,23 @@
    acl: name={{ item.name }} entity={{ common_users_group }} etype=group permissions={{ item.aclperms | default('rwX') }} state=present default=yes recursive=yes
    with_items: '{{ additional_data_directories | default([])  }}'

+  when: additional_data_directories is defined
  tags: [ 'users', 'users_acl' ]
+
+- block:
+  - name: Create more additional data dirs
+    file: name={{ item.name }} state=directory owner={{ item.owner }} group={{ item.group }} mode={{ item.perms }}
+    with_items: '{{ additional_data_directories_adjunct }}'
+    when: item.create and not item.file
+
+  - name: Set the read/write/access permissions on the additional data dirs
+    acl: name={{ item.name }} entity={{ common_users_group }} etype=group permissions={{ item.aclperms | default('rwX') }} state=present recursive=yes
+    with_items: '{{ additional_data_directories_adjunct }}'
+
+  - name: Set the default read/write/access permissions on the additional data dirs
+    acl: name={{ item.name }} entity={{ common_users_group }} etype=group permissions={{ item.aclperms | default('rwX') }} state=present default=yes recursive=yes
+    with_items: '{{ additional_data_directories_adjunct }}'
+
+  when: additional_data_directories_adjunct is defined
+  tags: [ 'users', 'users_acl' ]
+
--- a/user_services_perms/tasks/sudo-config.yml
+++ b/user_services_perms/tasks/sudo-config.yml
@ -1,6 +1,5 @@
 ---
 - name: Install the sudoers config that allows users to execute some privileged commands
  template: src=service-sudoers.j2 dest=/etc/sudoers.d/service-group owner=root group=root mode=0440
-  when: service_sudo_commands is defined
  tags: [ 'service', 'sudo', 'users' ]

--- a/user_services_perms/tasks/sudoers-groups.yml
+++ b/user_services_perms/tasks/sudoers-groups.yml
@ -2,8 +2,7 @@
 - block:
  - name: Add the additional service groups
    group: name={{ item }} state=present
-    with_items:
-      - '{{ service_sudoers_group }}'
+    with_items: '{{ service_sudoers_group }}'
    
  - name: Add selected users to the limited sudoers group
    user: name={{ item.login }} groups={{ service_sudoers_group }} append=yes
@ -15,4 +14,19 @@
    with_items: '{{ users_system_users | default([]) }}'
    when: not item.limited_sudoers_user

+  when: users_system_users is defined
+  tags: [ 'services', 'users' ]
+
+- block:
+  - name: Add additional users to the limited sudoers group
+    user: name={{ item.login }} groups={{ service_sudoers_group }} append=yes
+    with_items: '{{ users_system_users_adjunct }}'
+    when: item.limited_sudoers_user
+
+  - name: Remove additional users to the limited sudoers group
+    user: name={{ item.login }} groups={{ service_sudoers_group }} append=yes
+    with_items: '{{ users_system_users_adjunct }}'
+    when: not item.limited_sudoers_user
+
+  when: users_system_users_adjunct is defined
  tags: [ 'services', 'users' ]
--- a/user_services_perms/templates/service-sudoers.j2
+++ b/user_services_perms/templates/service-sudoers.j2
@ -1,2 +1,3 @@
-%{{ service_sudoers_group }}  ALL=(ALL) NOPASSWD:   {% for cmd in service_sudo_commands %}{{ cmd }}{% if not loop.last %}, {% endif %}{% endfor %}
-
+{% if service_sudo_commands is defined %}
+%{{ service_sudoers_group }}  ALL=(ALL) NOPASSWD:   {% for cmd in service_sudo_commands %}{{ cmd }}{% if not loop.last %}, {% endif %}{% endfor %} {% if service_sudo_commands_adjunct is defined %}, {% for cmd in service_sudo_commands_adjunct %}{{ cmd }}{% if not loop.last %}, {% endif %}{% endfor %}{% endif %}
+{% endif %}
--- a/users/defaults/main.yml
+++ b/users/defaults/main.yml
@ -15,5 +15,6 @@ users_default_password: '*'
 users_update_password: 'on_create'
 #users_system_users:
 #  - { login: 'foo', name: "Foo Bar", home: '{{ users_home_dir }}', createhome: 'yes', ssh_key: '{{ foo_ssh_key }}', shell: '/bin/bash', admin: False, log_as_root: False }
+#users_system_users_adjunct: same as above, can be used to add more users to the original list
 #users_additional_groups:
 #  - { group: 'foo' }
--- a/users/tasks/main.yml
+++ b/users/tasks/main.yml
@ -8,11 +8,17 @@
      template: src=sudoers.j2 dest=/etc/sudoers.d/{{ users_sudoers_group }}
      when: users_sudoers_create_sudo_conf

+  tags: users
+
+- block:
    - name: Manage additional groups
      group: name={{ item.group }} state={{ item.state | default('present') }}
      with_items: '{{ users_additional_groups }}'
-      when: users_additional_groups is defined
-  
+
+  when: users_additional_groups is defined
+  tags: users
+
+- block:
    - name: Create users
      user: name={{ item.login }} group={{ item.group | default(omit) }} comment="{{ item.name }}" home={{ item.home }}/{{ item.login }} createhome={{ item.createhome }} shell={{ item.shell }} password={{ item.password | default('*') }} update_password={{ item.update_password | default('on_create') }}
      with_items: '{{ users_system_users | default([]) }}'
@ -29,7 +35,59 @@
        - item.admin
        - ansible_distribution_file_variety == "Debian" 

-    - name: Permit sudo without password
+    - name: Add the admin users to the sudoers group on rh/centos systems
+      user: name={{ item.login }} groups={{ rh_users_sudoers_group }} append=yes
+      with_items: '{{ users_system_users }}'
+      when:
+        - item.admin
+        - ansible_distribution_file_variety == "RedHat" 
+
+    - name: ensure that the users can login with their ssh keys as root if we want ensure direct access
+      authorized_key: user=root key="{{ item.ssh_key }}" state=present
+      with_items: '{{ users_system_users }}'
+      when:
+        - item.ssh_key is defined
+        - ( item.log_as_root is defined ) and ( item.log_as_root )
+
+  when: users_system_users is defined
+  tags: users
+
+- block:
+    - name: Create additional users
+      user: name={{ item.login }} group={{ item.group | default(omit) }} comment="{{ item.name }}" home={{ item.home }}/{{ item.login }} createhome={{ item.createhome }} shell={{ item.shell }} password={{ item.password | default('*') }} update_password={{ item.update_password | default('on_create') }}
+      with_items: '{{ users_system_users_adjunct }}'
+
+    - name: ensure that the additional users can login with their ssh keys
+      authorized_key: user="{{ item.login }}" key="{{ item.ssh_key }}" state=present
+      with_items: '{{ users_system_users_adjunct }}'
+      when: item.ssh_key is defined
+
+    - name: Add the additional admin users to the sudoers group on debian based systems
+      user: name={{ item.login }} groups={{ deb_users_sudoers_group }} append=yes
+      with_items: '{{ users_system_users_adjunct }}'
+      when:
+        - item.admin
+        - ansible_distribution_file_variety == "Debian" 
+
+    - name: Add the additional admin users to the sudoers group on rh/centos systems
+      user: name={{ item.login }} groups={{ rh_users_sudoers_group }} append=yes
+      with_items: '{{ users_system_users_adjunct }}'
+      when:
+        - item.admin
+        - ansible_distribution_file_variety == "RedHat" 
+
+    - name: ensure that the additional users can login with their ssh keys as root if we want ensure direct access
+      authorized_key: user=root key="{{ item.ssh_key }}" state=present
+      with_items: '{{ users_system_users_adjunct }}'
+      when:
+        - item.ssh_key is defined
+        - ( item.log_as_root is defined ) and ( item.log_as_root )
+
+  when: users_system_users_adjunct is defined
+  tags: users
+
+- block:
+    - name: Permit sudo without password on Deb based systems
      lineinfile:
        path: /etc/sudoers
        state: present
@ -38,27 +96,13 @@
      when: ansible_distribution_file_variety == "Debian"
      tags: [ 'users', 'sudo_wheel' ]

-    - name: Add the admin users to the sudoers group on rh/centos systems
-      user: name={{ item.login }} groups={{ rh_users_sudoers_group }} append=yes
-      with_items: '{{ users_system_users | default([]) }}'
-      when:
-        - item.admin
-        - ansible_distribution_file_variety == "RedHat" 
-
-    - name: Permit sudo without password
+    - name: Change the sudo configuration to permit sudo without password on RH/CentOS systems
      lineinfile:
        path: /etc/sudoers
        state: present
        regexp: '^%{{ rh_users_sudoers_group }}\s'
        line: '%{{ rh_users_sudoers_group }} ALL=(ALL) NOPASSWD: ALL'
-      when: ansible_distribution_file_variety == "RedHat" 
-      tags: [ 'users', 'sudo_wheel' ]
+        when: ansible_distribution_file_variety == "RedHat" 

-    - name: ensure that the users can login with their ssh keys as root if we want ensure direct access
-      authorized_key: user=root key="{{ item.ssh_key }}" state=present
-      with_items: '{{ users_system_users | default([]) }}'
-      when:
-        - item.ssh_key is defined
-        - ( item.log_as_root is defined ) and ( item.log_as_root )
+  tags: [ 'users', 'sudo_wheel' ]

-  tags: users