From bc000807bce1ac26fb4d961087f731bfd8e7a46c Mon Sep 17 00:00:00 2001 From: Andrea Dell'Amico Date: Tue, 9 Apr 2019 15:56:36 +0200 Subject: [PATCH] Additional lists of users and data directories. See https://support.d4science.org/issues/2447 --- user_services_perms/defaults/main.yml | 4 + .../tasks/common-users-data-dirs.yml | 39 ++++++++- user_services_perms/tasks/sudo-config.yml | 1 - user_services_perms/tasks/sudoers-groups.yml | 18 +++- .../templates/service-sudoers.j2 | 5 +- users/defaults/main.yml | 1 + users/tasks/main.yml | 84 ++++++++++++++----- 7 files changed, 124 insertions(+), 28 deletions(-) diff --git a/user_services_perms/defaults/main.yml b/user_services_perms/defaults/main.yml index 8926572e..7a69660e 100644 --- a/user_services_perms/defaults/main.yml +++ b/user_services_perms/defaults/main.yml @@ -7,8 +7,12 @@ common_users_group: service_g # - { name: '/data/1', perms: 0755, create: True, owner: 'root', group: '{{ common_users_group }}', aclperms: 'rwX' } # - { name: '/data/2', create: False, perms: 0755, owner: 'root', group: '{{ common_users_group }}', aclperms: 'rwX' } # - { name: '/data/bah', create: False, perms: 0644, aclperms: 'rw' } +# +# Use additional_data_directories_adjunct to list more directories in addition to the ones specified into additional_data_directories # Define the following array when you want to add commands to the sudoers file #service_sudo_commands: # - /etc/init.d/virtuoso-opensource-7 # - /sbin/reboot +# +# Use service_sudo_commands_adjunct to list more commands in addition to the ones specified into services_sudo_commands diff --git a/user_services_perms/tasks/common-users-data-dirs.yml b/user_services_perms/tasks/common-users-data-dirs.yml index 3a40bcdb..2fc69b4f 100644 --- a/user_services_perms/tasks/common-users-data-dirs.yml +++ b/user_services_perms/tasks/common-users-data-dirs.yml 
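Review bot: The new comment at the end of the hunk points readers at `services_sudo_commands`, but the variable used by the template and by the comment two lines above is `service_sudo_commands`; suggest `# Use service_sudo_commands_adjunct to list more commands in addition to the ones specified in service_sudo_commands`. These comments are the only documentation of the adjunct variables, so the names have to match exactly. It would also help to state here that the adjunct commands are only rendered when `service_sudo_commands` is itself defined, since the template change in this commit wraps the whole rule in that condition.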
@@ -4,14 +4,28 @@ group: name={{ common_users_group }} state=present system=yes when: additional_data_directories is defined + tags: [ 'users', 'users_acl' ] + +- block: - name: Add selected users to the commong group user: name={{ item.login }} groups={{ common_users_group }} append=yes - with_items: '{{ users_system_users | default([]) }}' - when: additional_data_directories is defined + with_items: '{{ users_system_users }}' + when: users_system_users is defined + tags: [ 'users', 'users_acl' ] + +- block: + - name: Add additional users to the commong group + user: name={{ item.login }} groups={{ common_users_group }} append=yes + with_items: '{{ users_system_users_adjunct }}' + + when: users_system_users_adjunct is defined + tags: [ 'users', 'users_acl' ] + +- block: - name: Create the users additional data dirs file: name={{ item.name }} state=directory owner={{ item.owner }} group={{ item.group }} mode={{ item.perms }} - with_items: '{{ additional_data_directories | default([]) }}' + with_items: '{{ additional_data_directories }}' when: item.create and not item.file - name: Set the read/write/access permissions on the users additional data dirs 
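Review bot: Moving `Add selected users to the commong group` under the block guard `when: users_system_users is defined` drops the previous `additional_data_directories is defined` condition, so every listed user is now added to `{{ common_users_group }}` even on hosts that define no shared data directories; membership in that group is what the ACL tasks below grant access through, so this widens membership beyond where it is needed. If that is intended, record it in a comment on the block; otherwise keep both conditions, e.g. `when: users_system_users is defined and additional_data_directories is defined`, and mirror it on the adjunct block. The task-name typo `commong` is also copied into the new adjunct task.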
@@ -22,4 +36,23 @@ acl: name={{ item.name }} entity={{ common_users_group }} etype=group permissions={{ item.aclperms | default('rwX') }} state=present default=yes recursive=yes with_items: '{{ additional_data_directories | default([]) }}' + when: additional_data_directories is defined tags: [ 'users', 'users_acl' ] + +- block: + - name: Create more additional data dirs + file: name={{ item.name }} state=directory owner={{ item.owner }} group={{ item.group }} mode={{ item.perms }} + with_items: '{{ additional_data_directories_adjunct }}' + when: item.create and not item.file + + - name: Set the read/write/access permissions on the additional data dirs + acl: name={{ item.name }} entity={{ common_users_group }} etype=group permissions={{ item.aclperms | default('rwX') }} state=present recursive=yes + with_items: '{{ additional_data_directories_adjunct }}' + + - name: Set the default read/write/access permissions on the additional data dirs + acl: name={{ item.name }} entity={{ common_users_group }} etype=group permissions={{ item.aclperms | default('rwX') }} state=present default=yes recursive=yes + with_items: '{{ additional_data_directories_adjunct }}' + + when: additional_data_directories_adjunct is defined + tags: [ 'users', 'users_acl' ] + diff --git a/user_services_perms/tasks/sudo-config.yml b/user_services_perms/tasks/sudo-config.yml index 77c20c58..852a4d67 100644 --- a/user_services_perms/tasks/sudo-config.yml +++ b/user_services_perms/tasks/sudo-config.yml @@ -1,6 +1,5 @@ --- - name: Install the sudoers config that allows users to execute some privileged commands template: src=service-sudoers.j2 dest=/etc/sudoers.d/service-group owner=root group=root mode=0440 - when: service_sudo_commands is defined tags: [ 'service', 'sudo', 'users' ] diff --git a/user_services_perms/tasks/sudoers-groups.yml b/user_services_perms/tasks/sudoers-groups.yml index bcacc8ae..60d71111 100644 --- a/user_services_perms/tasks/sudoers-groups.yml 
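Review bot: `Create more additional data dirs` evaluates `when: item.create and not item.file` with no defaults, so an entry that omits `file` (or `create`) aborts the play with an undefined-attribute error instead of being skipped; none of the example entries in defaults/main.yml set `file`, so that is the likely shape of real data. Suggest `when: item.create | default(False) and not (item.file | default(False))`, and the same guard on the original create task at the top of this file, which is outside this hunk. The `file` task also requires `item.owner` and `item.group` while the `/data/bah` example omits both; either give them a `default(...)` or document them as mandatory.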
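Review bot: With `when: service_sudo_commands is defined` removed, the template task now always writes `/etc/sudoers.d/service-group`, yet neither it nor the two `lineinfile` edits of `/etc/sudoers` in users/tasks/main.yml (last hunk of this commit) validate the result before installing it, so a render that visudo rejects leaves the host without working sudo. Add `validate: '/usr/sbin/visudo -cf %s'` to this template task and to both `lineinfile` tasks so a bad render fails the play rather than the host. The task is still in key=value form while the sudoers tasks in users/tasks/main.yml use native YAML args; converting it (`src:`, `dest:`, `owner:`, `group:`, `mode: '0440'`) lets the `validate:` key slot in cleanly.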
+++ b/user_services_perms/tasks/sudoers-groups.yml @@ -2,8 +2,7 @@ - block: - name: Add the additional service groups group: name={{ item }} state=present - with_items: - - '{{ service_sudoers_group }}' + with_items: '{{ service_sudoers_group }}' - name: Add selected users to the limited sudoers group user: name={{ item.login }} groups={{ service_sudoers_group }} append=yes @@ -15,4 +14,19 @@ with_items: '{{ users_system_users | default([]) }}' when: not item.limited_sudoers_user + when: users_system_users is defined + tags: [ 'services', 'users' ] + +- block: + - name: Add additional users to the limited sudoers group + user: name={{ item.login }} groups={{ service_sudoers_group }} append=yes + with_items: '{{ users_system_users_adjunct }}' + when: item.limited_sudoers_user + + - name: Remove additional users to the limited sudoers group + user: name={{ item.login }} groups={{ service_sudoers_group }} append=yes + with_items: '{{ users_system_users_adjunct }}' + when: not item.limited_sudoers_user + + when: users_system_users_adjunct is defined tags: [ 'services', 'users' ] diff --git a/user_services_perms/templates/service-sudoers.j2 b/user_services_perms/templates/service-sudoers.j2 index b550ff8d..7226749a 100644 --- a/user_services_perms/templates/service-sudoers.j2 +++ b/user_services_perms/templates/service-sudoers.j2 @@ -1,2 +1,3 @@ -%{{ service_sudoers_group }} ALL=(ALL) NOPASSWD: {% for cmd in service_sudo_commands %}{{ cmd }}{% if not loop.last %}, {% endif %}{% endfor %} - +{% if service_sudo_commands is defined %} +%{{ service_sudoers_group }} ALL=(ALL) NOPASSWD: {% for cmd in service_sudo_commands %}{{ cmd }}{% if not loop.last %}, {% endif %}{% endfor %} {% if service_sudo_commands_adjunct is defined %}, {% for cmd in service_sudo_commands_adjunct %}{{ cmd }}{% if not loop.last %}, {% endif %}{% endfor %}{% endif %} +{% endif %} diff --git a/users/defaults/main.yml b/users/defaults/main.yml index 1ca43f58..f7cc9b46 100644 
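Review bot: `Remove additional users to the limited sudoers group` does not remove anything: its module line is `user: name={{ item.login }} groups={{ service_sudoers_group }} append=yes`, identical to the add task above it, so users with `limited_sudoers_user: False` are added to `{{ service_sudoers_group }}` and inherit the NOPASSWD commands rendered by service-sudoers.j2. The `user` module with `append=yes` can only add supplementary groups; to revoke membership either set `groups` to the explicit desired list without `append`, or run a removal step such as `command: gpasswd -d {{ item.login }} {{ service_sudoers_group }}` behind a membership check so it stays idempotent. The module line of the original `Remove selected users` task is outside this hunk, so it is worth confirming it does not carry the same copy-and-paste body. Both `when: item.limited_sudoers_user` conditions also fail on entries that omit the key; `item.limited_sudoers_user | default(False)` is the safer form.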
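Review bot: The rendered rule is wrapped in `{% if service_sudo_commands is defined %}`, so a host that defines only `service_sudo_commands_adjunct` silently gets no sudoers entry, and a host that defines `service_sudo_commands` as an empty list renders `NOPASSWD:` followed by no command, which visudo rejects. Building one combined list and emitting the line only when it is non-empty handles both cases and removes the duplicated loop.
```jinja
{% set service_sudo_all_commands = (service_sudo_commands | default([])) + (service_sudo_commands_adjunct | default([])) %}
{% if service_sudo_all_commands | length > 0 %}
%{{ service_sudoers_group }} ALL=(ALL) NOPASSWD: {{ service_sudo_all_commands | join(', ') }}
{% endif %}
```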
--- a/users/defaults/main.yml +++ b/users/defaults/main.yml @@ -15,5 +15,6 @@ users_default_password: '*' users_update_password: 'on_create' #users_system_users: # - { login: 'foo', name: "Foo Bar", home: '{{ users_home_dir }}', createhome: 'yes', ssh_key: '{{ foo_ssh_key }}', shell: '/bin/bash', admin: False, log_as_root: False } +#users_system_users_adjunct: same as above, can be used to add more users to the original list #users_additional_groups: # - { group: 'foo' } diff --git a/users/tasks/main.yml b/users/tasks/main.yml index 6622e6e8..0d80a56a 100644 --- a/users/tasks/main.yml +++ b/users/tasks/main.yml @@ -8,11 +8,17 @@ template: src=sudoers.j2 dest=/etc/sudoers.d/{{ users_sudoers_group }} when: users_sudoers_create_sudo_conf + tags: users + +- block: - name: Manage additional groups group: name={{ item.group }} state={{ item.state | default('present') }} with_items: '{{ users_additional_groups }}' - when: users_additional_groups is defined - + + when: users_additional_groups is defined + tags: users + +- block: - name: Create users user: name={{ item.login }} group={{ item.group | default(omit) }} comment="{{ item.name }}" home={{ item.home }}/{{ item.login }} createhome={{ item.createhome }} shell={{ item.shell }} password={{ item.password | default('*') }} update_password={{ item.update_password | default('on_create') }} with_items: '{{ users_system_users | default([]) }}' 
@@ -29,7 +35,59 @@ - item.admin - ansible_distribution_file_variety == "Debian" - - name: Permit sudo without password + - name: Add the admin users to the sudoers group on rh/centos systems + user: name={{ item.login }} groups={{ rh_users_sudoers_group }} append=yes + with_items: '{{ users_system_users }}' + when: + - item.admin + - ansible_distribution_file_variety == "RedHat" + + - name: ensure that the users can login with their ssh keys as root if we want ensure direct access + authorized_key: user=root key="{{ item.ssh_key }}" state=present + with_items: '{{ users_system_users }}' + when: + - item.ssh_key is defined + - ( item.log_as_root is defined ) and ( item.log_as_root ) + + when: users_system_users is defined + tags: users + +- block: + - name: Create additional users + user: name={{ item.login }} group={{ item.group | default(omit) }} comment="{{ item.name }}" home={{ item.home }}/{{ item.login }} createhome={{ item.createhome }} shell={{ item.shell }} password={{ item.password | default('*') }} update_password={{ item.update_password | default('on_create') }} + with_items: '{{ users_system_users_adjunct }}' + + - name: ensure that the additional users can login with their ssh keys + authorized_key: user="{{ item.login }}" key="{{ item.ssh_key }}" state=present + with_items: '{{ users_system_users_adjunct }}' + when: item.ssh_key is defined + + - name: Add the additional admin users to the sudoers group on debian based systems + user: name={{ item.login }} groups={{ deb_users_sudoers_group }} append=yes + with_items: '{{ users_system_users_adjunct }}' + when: + - item.admin + - ansible_distribution_file_variety == "Debian" + + - name: Add the additional admin users to the sudoers group on rh/centos systems + user: name={{ item.login }} groups={{ rh_users_sudoers_group }} append=yes + with_items: '{{ users_system_users_adjunct }}' + when: + - item.admin + - ansible_distribution_file_variety == "RedHat" + + - name: ensure that the additional users can 
login with their ssh keys as root if we want ensure direct access + authorized_key: user=root key="{{ item.ssh_key }}" state=present + with_items: '{{ users_system_users_adjunct }}' + when: + - item.ssh_key is defined + - ( item.log_as_root is defined ) and ( item.log_as_root ) + + when: users_system_users_adjunct is defined + tags: users + +- block: + - name: Permit sudo without password on Deb based systems lineinfile: path: /etc/sudoers state: present @@ -38,27 +96,13 @@ when: ansible_distribution_file_variety == "Debian" tags: [ 'users', 'sudo_wheel' ] - - name: Add the admin users to the sudoers group on rh/centos systems - user: name={{ item.login }} groups={{ rh_users_sudoers_group }} append=yes - with_items: '{{ users_system_users | default([]) }}' - when: - - item.admin - - ansible_distribution_file_variety == "RedHat" - - - name: Permit sudo without password + - name: Change the sudo configuration to permit sudo without password on RH/CentOS systems lineinfile: path: /etc/sudoers state: present regexp: '^%{{ rh_users_sudoers_group }}\s' line: '%{{ rh_users_sudoers_group }} ALL=(ALL) NOPASSWD: ALL' - when: ansible_distribution_file_variety == "RedHat" - tags: [ 'users', 'sudo_wheel' ] + when: ansible_distribution_file_variety == "RedHat" - - name: ensure that the users can login with their ssh keys as root if we want ensure direct access - authorized_key: user=root key="{{ item.ssh_key }}" state=present - with_items: '{{ users_system_users | default([]) }}' - when: - - item.ssh_key is defined - - ( item.log_as_root is defined ) and ( item.log_as_root ) + tags: [ 'users', 'sudo_wheel' ] - tags: users
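Review bot: The new `users_system_users_adjunct` block is a line-for-line copy of the `users_system_users` block above it (create user, authorized_key, the two sudoers-group tasks, root authorized_key), which is exactly how the two will drift apart over time. A single block looping over the concatenated list, `with_items: "{{ (users_system_users | default([])) + (users_system_users_adjunct | default([])) }}"`, keeps one copy of each task and also removes the need for the `is defined` block guards. Both blocks only ever add: a user dropped from either list keeps the account, the sudoers-group membership and the root `authorized_key`, so if removal is expected the entries need a `state` field or a separate revocation task. The enclosing block's first tasks are in the preceding hunk, and the `Permit sudo without password on Deb based systems` block opened at the end of this hunk continues into the next one.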