Additional lists of users and data directories. See https://support.d4science.org/issues/2447

This commit is contained in:
Andrea Dell'Amico 2019-04-09 15:56:36 +02:00
parent 6621c75cc2
commit bc000807bc
7 changed files with 124 additions and 28 deletions

View File

@ -7,8 +7,12 @@ common_users_group: service_g
# - { name: '/data/1', perms: 0755, create: True, owner: 'root', group: '{{ common_users_group }}', aclperms: 'rwX' } # - { name: '/data/1', perms: 0755, create: True, owner: 'root', group: '{{ common_users_group }}', aclperms: 'rwX' }
# - { name: '/data/2', create: False, perms: 0755, owner: 'root', group: '{{ common_users_group }}', aclperms: 'rwX' } # - { name: '/data/2', create: False, perms: 0755, owner: 'root', group: '{{ common_users_group }}', aclperms: 'rwX' }
# - { name: '/data/bah', create: False, perms: 0644, aclperms: 'rw' } # - { name: '/data/bah', create: False, perms: 0644, aclperms: 'rw' }
#
# Use additional_data_directories_adjunct to list more directories in addition to the ones specified into additional_data_directories
# Define the following array when you want to add commands to the sudoers file # Define the following array when you want to add commands to the sudoers file
#service_sudo_commands: #service_sudo_commands:
# - /etc/init.d/virtuoso-opensource-7 # - /etc/init.d/virtuoso-opensource-7
# - /sbin/reboot # - /sbin/reboot
#
# Use service_sudo_commands_adjunct to list more commands in addition to the ones specified into services_sudo_commands

View File

@ -4,14 +4,28 @@
group: name={{ common_users_group }} state=present system=yes group: name={{ common_users_group }} state=present system=yes
when: additional_data_directories is defined when: additional_data_directories is defined
tags: [ 'users', 'users_acl' ]
- block:
- name: Add selected users to the commong group - name: Add selected users to the commong group
user: name={{ item.login }} groups={{ common_users_group }} append=yes user: name={{ item.login }} groups={{ common_users_group }} append=yes
with_items: '{{ users_system_users | default([]) }}' with_items: '{{ users_system_users }}'
when: additional_data_directories is defined
when: users_system_users is defined
tags: [ 'users', 'users_acl' ]
- block:
- name: Add additional users to the commong group
user: name={{ item.login }} groups={{ common_users_group }} append=yes
with_items: '{{ users_system_users_adjunct }}'
when: users_system_users_adjunct is defined
tags: [ 'users', 'users_acl' ]
- block:
- name: Create the users additional data dirs - name: Create the users additional data dirs
file: name={{ item.name }} state=directory owner={{ item.owner }} group={{ item.group }} mode={{ item.perms }} file: name={{ item.name }} state=directory owner={{ item.owner }} group={{ item.group }} mode={{ item.perms }}
with_items: '{{ additional_data_directories | default([]) }}' with_items: '{{ additional_data_directories }}'
when: item.create and not item.file when: item.create and not item.file
- name: Set the read/write/access permissions on the users additional data dirs - name: Set the read/write/access permissions on the users additional data dirs
@ -22,4 +36,23 @@
acl: name={{ item.name }} entity={{ common_users_group }} etype=group permissions={{ item.aclperms | default('rwX') }} state=present default=yes recursive=yes acl: name={{ item.name }} entity={{ common_users_group }} etype=group permissions={{ item.aclperms | default('rwX') }} state=present default=yes recursive=yes
with_items: '{{ additional_data_directories | default([]) }}' with_items: '{{ additional_data_directories | default([]) }}'
when: additional_data_directories is defined
tags: [ 'users', 'users_acl' ] tags: [ 'users', 'users_acl' ]
- block:
- name: Create more additional data dirs
file: name={{ item.name }} state=directory owner={{ item.owner }} group={{ item.group }} mode={{ item.perms }}
with_items: '{{ additional_data_directories_adjunct }}'
when: item.create and not item.file
- name: Set the read/write/access permissions on the additional data dirs
acl: name={{ item.name }} entity={{ common_users_group }} etype=group permissions={{ item.aclperms | default('rwX') }} state=present recursive=yes
with_items: '{{ additional_data_directories_adjunct }}'
- name: Set the default read/write/access permissions on the additional data dirs
acl: name={{ item.name }} entity={{ common_users_group }} etype=group permissions={{ item.aclperms | default('rwX') }} state=present default=yes recursive=yes
with_items: '{{ additional_data_directories_adjunct }}'
when: additional_data_directories_adjunct is defined
tags: [ 'users', 'users_acl' ]

View File

@ -1,6 +1,5 @@
--- ---
- name: Install the sudoers config that allows users to execute some privileged commands - name: Install the sudoers config that allows users to execute some privileged commands
template: src=service-sudoers.j2 dest=/etc/sudoers.d/service-group owner=root group=root mode=0440 template: src=service-sudoers.j2 dest=/etc/sudoers.d/service-group owner=root group=root mode=0440
when: service_sudo_commands is defined
tags: [ 'service', 'sudo', 'users' ] tags: [ 'service', 'sudo', 'users' ]

View File

@ -2,8 +2,7 @@
- block: - block:
- name: Add the additional service groups - name: Add the additional service groups
group: name={{ item }} state=present group: name={{ item }} state=present
with_items: with_items: '{{ service_sudoers_group }}'
- '{{ service_sudoers_group }}'
- name: Add selected users to the limited sudoers group - name: Add selected users to the limited sudoers group
user: name={{ item.login }} groups={{ service_sudoers_group }} append=yes user: name={{ item.login }} groups={{ service_sudoers_group }} append=yes
@ -15,4 +14,19 @@
with_items: '{{ users_system_users | default([]) }}' with_items: '{{ users_system_users | default([]) }}'
when: not item.limited_sudoers_user when: not item.limited_sudoers_user
when: users_system_users is defined
tags: [ 'services', 'users' ]
- block:
- name: Add additional users to the limited sudoers group
user: name={{ item.login }} groups={{ service_sudoers_group }} append=yes
with_items: '{{ users_system_users_adjunct }}'
when: item.limited_sudoers_user
- name: Remove additional users to the limited sudoers group
user: name={{ item.login }} groups={{ service_sudoers_group }} append=yes
with_items: '{{ users_system_users_adjunct }}'
when: not item.limited_sudoers_user
when: users_system_users_adjunct is defined
tags: [ 'services', 'users' ] tags: [ 'services', 'users' ]

View File

@ -1,2 +1,3 @@
%{{ service_sudoers_group }} ALL=(ALL) NOPASSWD: {% for cmd in service_sudo_commands %}{{ cmd }}{% if not loop.last %}, {% endif %}{% endfor %} {% if service_sudo_commands is defined %}
%{{ service_sudoers_group }} ALL=(ALL) NOPASSWD: {% for cmd in service_sudo_commands %}{{ cmd }}{% if not loop.last %}, {% endif %}{% endfor %} {% if service_sudo_commands_adjunct is defined %}, {% for cmd in service_sudo_commands_adjunct %}{{ cmd }}{% if not loop.last %}, {% endif %}{% endfor %}{% endif %}
{% endif %}

View File

@ -15,5 +15,6 @@ users_default_password: '*'
users_update_password: 'on_create' users_update_password: 'on_create'
#users_system_users: #users_system_users:
# - { login: 'foo', name: "Foo Bar", home: '{{ users_home_dir }}', createhome: 'yes', ssh_key: '{{ foo_ssh_key }}', shell: '/bin/bash', admin: False, log_as_root: False } # - { login: 'foo', name: "Foo Bar", home: '{{ users_home_dir }}', createhome: 'yes', ssh_key: '{{ foo_ssh_key }}', shell: '/bin/bash', admin: False, log_as_root: False }
#users_system_users_adjunct: same as above, can be used to add more users to the original list
#users_additional_groups: #users_additional_groups:
# - { group: 'foo' } # - { group: 'foo' }

View File

@ -8,11 +8,17 @@
template: src=sudoers.j2 dest=/etc/sudoers.d/{{ users_sudoers_group }} template: src=sudoers.j2 dest=/etc/sudoers.d/{{ users_sudoers_group }}
when: users_sudoers_create_sudo_conf when: users_sudoers_create_sudo_conf
tags: users
- block:
- name: Manage additional groups - name: Manage additional groups
group: name={{ item.group }} state={{ item.state | default('present') }} group: name={{ item.group }} state={{ item.state | default('present') }}
with_items: '{{ users_additional_groups }}' with_items: '{{ users_additional_groups }}'
when: users_additional_groups is defined
when: users_additional_groups is defined
tags: users
- block:
- name: Create users - name: Create users
user: name={{ item.login }} group={{ item.group | default(omit) }} comment="{{ item.name }}" home={{ item.home }}/{{ item.login }} createhome={{ item.createhome }} shell={{ item.shell }} password={{ item.password | default('*') }} update_password={{ item.update_password | default('on_create') }} user: name={{ item.login }} group={{ item.group | default(omit) }} comment="{{ item.name }}" home={{ item.home }}/{{ item.login }} createhome={{ item.createhome }} shell={{ item.shell }} password={{ item.password | default('*') }} update_password={{ item.update_password | default('on_create') }}
with_items: '{{ users_system_users | default([]) }}' with_items: '{{ users_system_users | default([]) }}'
@ -29,7 +35,59 @@
- item.admin - item.admin
- ansible_distribution_file_variety == "Debian" - ansible_distribution_file_variety == "Debian"
- name: Permit sudo without password - name: Add the admin users to the sudoers group on rh/centos systems
user: name={{ item.login }} groups={{ rh_users_sudoers_group }} append=yes
with_items: '{{ users_system_users }}'
when:
- item.admin
- ansible_distribution_file_variety == "RedHat"
- name: ensure that the users can login with their ssh keys as root if we want ensure direct access
authorized_key: user=root key="{{ item.ssh_key }}" state=present
with_items: '{{ users_system_users }}'
when:
- item.ssh_key is defined
- ( item.log_as_root is defined ) and ( item.log_as_root )
when: users_system_users is defined
tags: users
- block:
- name: Create additional users
user: name={{ item.login }} group={{ item.group | default(omit) }} comment="{{ item.name }}" home={{ item.home }}/{{ item.login }} createhome={{ item.createhome }} shell={{ item.shell }} password={{ item.password | default('*') }} update_password={{ item.update_password | default('on_create') }}
with_items: '{{ users_system_users_adjunct }}'
- name: ensure that the additional users can login with their ssh keys
authorized_key: user="{{ item.login }}" key="{{ item.ssh_key }}" state=present
with_items: '{{ users_system_users_adjunct }}'
when: item.ssh_key is defined
- name: Add the additional admin users to the sudoers group on debian based systems
user: name={{ item.login }} groups={{ deb_users_sudoers_group }} append=yes
with_items: '{{ users_system_users_adjunct }}'
when:
- item.admin
- ansible_distribution_file_variety == "Debian"
- name: Add the additional admin users to the sudoers group on rh/centos systems
user: name={{ item.login }} groups={{ rh_users_sudoers_group }} append=yes
with_items: '{{ users_system_users_adjunct }}'
when:
- item.admin
- ansible_distribution_file_variety == "RedHat"
- name: ensure that the additional users can login with their ssh keys as root if we want ensure direct access
authorized_key: user=root key="{{ item.ssh_key }}" state=present
with_items: '{{ users_system_users_adjunct }}'
when:
- item.ssh_key is defined
- ( item.log_as_root is defined ) and ( item.log_as_root )
when: users_system_users_adjunct is defined
tags: users
- block:
- name: Permit sudo without password on Deb based systems
lineinfile: lineinfile:
path: /etc/sudoers path: /etc/sudoers
state: present state: present
@ -38,27 +96,13 @@
when: ansible_distribution_file_variety == "Debian" when: ansible_distribution_file_variety == "Debian"
tags: [ 'users', 'sudo_wheel' ] tags: [ 'users', 'sudo_wheel' ]
- name: Add the admin users to the sudoers group on rh/centos systems - name: Change the sudo configuration to permit sudo without password on RH/CentOS systems
user: name={{ item.login }} groups={{ rh_users_sudoers_group }} append=yes
with_items: '{{ users_system_users | default([]) }}'
when:
- item.admin
- ansible_distribution_file_variety == "RedHat"
- name: Permit sudo without password
lineinfile: lineinfile:
path: /etc/sudoers path: /etc/sudoers
state: present state: present
regexp: '^%{{ rh_users_sudoers_group }}\s' regexp: '^%{{ rh_users_sudoers_group }}\s'
line: '%{{ rh_users_sudoers_group }} ALL=(ALL) NOPASSWD: ALL' line: '%{{ rh_users_sudoers_group }} ALL=(ALL) NOPASSWD: ALL'
when: ansible_distribution_file_variety == "RedHat" when: ansible_distribution_file_variety == "RedHat"
tags: [ 'users', 'sudo_wheel' ]
- name: ensure that the users can login with their ssh keys as root if we want ensure direct access tags: [ 'users', 'sudo_wheel' ]
authorized_key: user=root key="{{ item.ssh_key }}" state=present
with_items: '{{ users_system_users | default([]) }}'
when:
- item.ssh_key is defined
- ( item.log_as_root is defined ) and ( item.log_as_root )
tags: users