Additional lists of users and data directories. See https://support.d4science.org/issues/2447
This commit is contained in:
parent
6621c75cc2
commit
bc000807bc
|
@ -7,8 +7,12 @@ common_users_group: service_g
|
||||||
# - { name: '/data/1', perms: 0755, create: True, owner: 'root', group: '{{ common_users_group }}', aclperms: 'rwX' }
|
# - { name: '/data/1', perms: 0755, create: True, owner: 'root', group: '{{ common_users_group }}', aclperms: 'rwX' }
|
||||||
# - { name: '/data/2', create: False, perms: 0755, owner: 'root', group: '{{ common_users_group }}', aclperms: 'rwX' }
|
# - { name: '/data/2', create: False, perms: 0755, owner: 'root', group: '{{ common_users_group }}', aclperms: 'rwX' }
|
||||||
# - { name: '/data/bah', create: False, perms: 0644, aclperms: 'rw' }
|
# - { name: '/data/bah', create: False, perms: 0644, aclperms: 'rw' }
|
||||||
|
#
|
||||||
|
# Use additional_data_directories_adjunct to list more directories in addition to the ones specified into additional_data_directories
|
||||||
|
|
||||||
# Define the following array when you want to add commands to the sudoers file
|
# Define the following array when you want to add commands to the sudoers file
|
||||||
#service_sudo_commands:
|
#service_sudo_commands:
|
||||||
# - /etc/init.d/virtuoso-opensource-7
|
# - /etc/init.d/virtuoso-opensource-7
|
||||||
# - /sbin/reboot
|
# - /sbin/reboot
|
||||||
|
#
|
||||||
|
# Use service_sudo_commands_adjunct to list more commands in addition to the ones specified into services_sudo_commands
|
||||||
|
|
|
@ -4,14 +4,28 @@
|
||||||
group: name={{ common_users_group }} state=present system=yes
|
group: name={{ common_users_group }} state=present system=yes
|
||||||
when: additional_data_directories is defined
|
when: additional_data_directories is defined
|
||||||
|
|
||||||
|
tags: [ 'users', 'users_acl' ]
|
||||||
|
|
||||||
|
- block:
|
||||||
- name: Add selected users to the commong group
|
- name: Add selected users to the commong group
|
||||||
user: name={{ item.login }} groups={{ common_users_group }} append=yes
|
user: name={{ item.login }} groups={{ common_users_group }} append=yes
|
||||||
with_items: '{{ users_system_users | default([]) }}'
|
with_items: '{{ users_system_users }}'
|
||||||
when: additional_data_directories is defined
|
|
||||||
|
|
||||||
|
when: users_system_users is defined
|
||||||
|
tags: [ 'users', 'users_acl' ]
|
||||||
|
|
||||||
|
- block:
|
||||||
|
- name: Add additional users to the commong group
|
||||||
|
user: name={{ item.login }} groups={{ common_users_group }} append=yes
|
||||||
|
with_items: '{{ users_system_users_adjunct }}'
|
||||||
|
|
||||||
|
when: users_system_users_adjunct is defined
|
||||||
|
tags: [ 'users', 'users_acl' ]
|
||||||
|
|
||||||
|
- block:
|
||||||
- name: Create the users additional data dirs
|
- name: Create the users additional data dirs
|
||||||
file: name={{ item.name }} state=directory owner={{ item.owner }} group={{ item.group }} mode={{ item.perms }}
|
file: name={{ item.name }} state=directory owner={{ item.owner }} group={{ item.group }} mode={{ item.perms }}
|
||||||
with_items: '{{ additional_data_directories | default([]) }}'
|
with_items: '{{ additional_data_directories }}'
|
||||||
when: item.create and not item.file
|
when: item.create and not item.file
|
||||||
|
|
||||||
- name: Set the read/write/access permissions on the users additional data dirs
|
- name: Set the read/write/access permissions on the users additional data dirs
|
||||||
|
@ -22,4 +36,23 @@
|
||||||
acl: name={{ item.name }} entity={{ common_users_group }} etype=group permissions={{ item.aclperms | default('rwX') }} state=present default=yes recursive=yes
|
acl: name={{ item.name }} entity={{ common_users_group }} etype=group permissions={{ item.aclperms | default('rwX') }} state=present default=yes recursive=yes
|
||||||
with_items: '{{ additional_data_directories | default([]) }}'
|
with_items: '{{ additional_data_directories | default([]) }}'
|
||||||
|
|
||||||
|
when: additional_data_directories is defined
|
||||||
tags: [ 'users', 'users_acl' ]
|
tags: [ 'users', 'users_acl' ]
|
||||||
|
|
||||||
|
- block:
|
||||||
|
- name: Create more additional data dirs
|
||||||
|
file: name={{ item.name }} state=directory owner={{ item.owner }} group={{ item.group }} mode={{ item.perms }}
|
||||||
|
with_items: '{{ additional_data_directories_adjunct }}'
|
||||||
|
when: item.create and not item.file
|
||||||
|
|
||||||
|
- name: Set the read/write/access permissions on the additional data dirs
|
||||||
|
acl: name={{ item.name }} entity={{ common_users_group }} etype=group permissions={{ item.aclperms | default('rwX') }} state=present recursive=yes
|
||||||
|
with_items: '{{ additional_data_directories_adjunct }}'
|
||||||
|
|
||||||
|
- name: Set the default read/write/access permissions on the additional data dirs
|
||||||
|
acl: name={{ item.name }} entity={{ common_users_group }} etype=group permissions={{ item.aclperms | default('rwX') }} state=present default=yes recursive=yes
|
||||||
|
with_items: '{{ additional_data_directories_adjunct }}'
|
||||||
|
|
||||||
|
when: additional_data_directories_adjunct is defined
|
||||||
|
tags: [ 'users', 'users_acl' ]
|
||||||
|
|
||||||
|
|
|
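Review bot: The new `Create more additional data dirs` task (like the `Create the users additional data dirs` task moved into the first block) errors out on any entry that omits a key it references: `when: item.create and not item.file` is an undefined-variable failure unless every entry defines `file`, and `owner={{ item.owner }} group={{ item.group }}` fails the same way for entries shaped like the `/data/bah` example in the defaults, which carries neither key. Defaulting both makes the documented examples usable as written: `when: item.create | default(False) and not (item.file | default(False))` and `file: name={{ item.name }} state=directory owner={{ item.owner | default(omit) }} group={{ item.group | default(omit) }} mode={{ item.perms }}`. Relatedly, the defaults examples write `perms: 0755` unquoted, which YAML 1.1 loads as the integer 493, so `mode={{ item.perms }}` renders `493` and the file module is likely to reject it as a mode; quoting the examples (`perms: '0755'`) avoids that. The second hunk of this section opens in the middle of a task, so the block it belongs to starts outside the hunk.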
@ -1,6 +1,5 @@
|
||||||
---
|
---
|
||||||
- name: Install the sudoers config that allows users to execute some privileged commands
|
- name: Install the sudoers config that allows users to execute some privileged commands
|
||||||
template: src=service-sudoers.j2 dest=/etc/sudoers.d/service-group owner=root group=root mode=0440
|
template: src=service-sudoers.j2 dest=/etc/sudoers.d/service-group owner=root group=root mode=0440
|
||||||
when: service_sudo_commands is defined
|
|
||||||
tags: [ 'service', 'sudo', 'users' ]
|
tags: [ 'service', 'sudo', 'users' ]
|
||||||
|
|
||||||
|
|
|
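Review bot: With `when: service_sudo_commands is defined` removed, the `template:` task now writes `/etc/sudoers.d/service-group` on every host, including those where the template renders to a blank line, so an empty fragment is left in `sudoers.d`; if that is intended the task name should say so, otherwise gate it on either list with `when: service_sudo_commands is defined or service_sudo_commands_adjunct is defined`. More importantly the fragment is still installed without a syntax check, and a `sudoers.d` file that fails to parse breaks sudo for every user on the host; adding `validate='/usr/sbin/visudo -cf %s'` to the `template:` line rejects a bad rendering before the file is moved into place.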
@ -2,8 +2,7 @@
|
||||||
- block:
|
- block:
|
||||||
- name: Add the additional service groups
|
- name: Add the additional service groups
|
||||||
group: name={{ item }} state=present
|
group: name={{ item }} state=present
|
||||||
with_items:
|
with_items: '{{ service_sudoers_group }}'
|
||||||
- '{{ service_sudoers_group }}'
|
|
||||||
|
|
||||||
- name: Add selected users to the limited sudoers group
|
- name: Add selected users to the limited sudoers group
|
||||||
user: name={{ item.login }} groups={{ service_sudoers_group }} append=yes
|
user: name={{ item.login }} groups={{ service_sudoers_group }} append=yes
|
||||||
|
@ -15,4 +14,19 @@
|
||||||
with_items: '{{ users_system_users | default([]) }}'
|
with_items: '{{ users_system_users | default([]) }}'
|
||||||
when: not item.limited_sudoers_user
|
when: not item.limited_sudoers_user
|
||||||
|
|
||||||
|
when: users_system_users is defined
|
||||||
|
tags: [ 'services', 'users' ]
|
||||||
|
|
||||||
|
- block:
|
||||||
|
- name: Add additional users to the limited sudoers group
|
||||||
|
user: name={{ item.login }} groups={{ service_sudoers_group }} append=yes
|
||||||
|
with_items: '{{ users_system_users_adjunct }}'
|
||||||
|
when: item.limited_sudoers_user
|
||||||
|
|
||||||
|
- name: Remove additional users to the limited sudoers group
|
||||||
|
user: name={{ item.login }} groups={{ service_sudoers_group }} append=yes
|
||||||
|
with_items: '{{ users_system_users_adjunct }}'
|
||||||
|
when: not item.limited_sudoers_user
|
||||||
|
|
||||||
|
when: users_system_users_adjunct is defined
|
||||||
tags: [ 'services', 'users' ]
|
tags: [ 'services', 'users' ]
|
||||||
|
|
|
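Review bot: The new `Remove additional users to the limited sudoers group` task has exactly the same module arguments as the `Add` task above it (`user: name={{ item.login }} groups={{ service_sudoers_group }} append=yes`), so entries flagged `limited_sudoers_user: False` are appended to the sudoers group rather than removed from it; the `user` module with `append=yes` can only add membership. Either drop the task or implement the removal explicitly (set the account's secondary groups without `{{ service_sudoers_group }}` and use `append=no`), and retitle it to what it does in the meantime. Both `when: item.limited_sudoers_user` and `when: not item.limited_sudoers_user` also fail on entries that do not define the key, which the `users_system_users` example in the defaults does not; `item.limited_sudoers_user | default(False)` keeps such entries out of the group by default. The pre-existing `when: not item.limited_sudoers_user` task for `users_system_users` in the first hunk appears to share the pattern, but its task header lies between the two hunks and is not visible here.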
@ -1,2 +1,3 @@
|
||||||
%{{ service_sudoers_group }} ALL=(ALL) NOPASSWD: {% for cmd in service_sudo_commands %}{{ cmd }}{% if not loop.last %}, {% endif %}{% endfor %}
|
{% if service_sudo_commands is defined %}
|
||||||
|
%{{ service_sudoers_group }} ALL=(ALL) NOPASSWD: {% for cmd in service_sudo_commands %}{{ cmd }}{% if not loop.last %}, {% endif %}{% endfor %} {% if service_sudo_commands_adjunct is defined %}, {% for cmd in service_sudo_commands_adjunct %}{{ cmd }}{% if not loop.last %}, {% endif %}{% endfor %}{% endif %}
|
||||||
|
{% endif %}
|
||||||
|
|
|
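Review bot: The new `{% if service_sudo_commands is defined %}` guard keys only on the base list, so a host that sets just `service_sudo_commands_adjunct` renders an empty fragment and the adjunct commands are silently never granted, with nothing in the play reporting it. If the adjunct list is meant to be valid only alongside the base list, the defaults comment should say so; otherwise concatenate the two lists and emit the rule once when the result is non-empty, which also drops the stray space the current line puts before the separating comma (`cmd2 , cmd3`, which `visudo` should accept but reads oddly). The rewrite below replaces the whole template body.
```jinja
{% set sudo_cmds = (service_sudo_commands | default([])) + (service_sudo_commands_adjunct | default([])) %}
{% if sudo_cmds %}
%{{ service_sudoers_group }} ALL=(ALL) NOPASSWD: {{ sudo_cmds | join(', ') }}
{% endif %}
```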
@ -15,5 +15,6 @@ users_default_password: '*'
|
||||||
users_update_password: 'on_create'
|
users_update_password: 'on_create'
|
||||||
#users_system_users:
|
#users_system_users:
|
||||||
# - { login: 'foo', name: "Foo Bar", home: '{{ users_home_dir }}', createhome: 'yes', ssh_key: '{{ foo_ssh_key }}', shell: '/bin/bash', admin: False, log_as_root: False }
|
# - { login: 'foo', name: "Foo Bar", home: '{{ users_home_dir }}', createhome: 'yes', ssh_key: '{{ foo_ssh_key }}', shell: '/bin/bash', admin: False, log_as_root: False }
|
||||||
|
#users_system_users_adjunct: same as above, can be used to add more users to the original list
|
||||||
#users_additional_groups:
|
#users_additional_groups:
|
||||||
# - { group: 'foo' }
|
# - { group: 'foo' }
|
||||||
|
|
|
@ -8,11 +8,17 @@
|
||||||
template: src=sudoers.j2 dest=/etc/sudoers.d/{{ users_sudoers_group }}
|
template: src=sudoers.j2 dest=/etc/sudoers.d/{{ users_sudoers_group }}
|
||||||
when: users_sudoers_create_sudo_conf
|
when: users_sudoers_create_sudo_conf
|
||||||
|
|
||||||
|
tags: users
|
||||||
|
|
||||||
|
- block:
|
||||||
- name: Manage additional groups
|
- name: Manage additional groups
|
||||||
group: name={{ item.group }} state={{ item.state | default('present') }}
|
group: name={{ item.group }} state={{ item.state | default('present') }}
|
||||||
with_items: '{{ users_additional_groups }}'
|
with_items: '{{ users_additional_groups }}'
|
||||||
when: users_additional_groups is defined
|
|
||||||
|
|
||||||
|
when: users_additional_groups is defined
|
||||||
|
tags: users
|
||||||
|
|
||||||
|
- block:
|
||||||
- name: Create users
|
- name: Create users
|
||||||
user: name={{ item.login }} group={{ item.group | default(omit) }} comment="{{ item.name }}" home={{ item.home }}/{{ item.login }} createhome={{ item.createhome }} shell={{ item.shell }} password={{ item.password | default('*') }} update_password={{ item.update_password | default('on_create') }}
|
user: name={{ item.login }} group={{ item.group | default(omit) }} comment="{{ item.name }}" home={{ item.home }}/{{ item.login }} createhome={{ item.createhome }} shell={{ item.shell }} password={{ item.password | default('*') }} update_password={{ item.update_password | default('on_create') }}
|
||||||
with_items: '{{ users_system_users | default([]) }}'
|
with_items: '{{ users_system_users | default([]) }}'
|
||||||
|
@ -29,7 +35,59 @@
|
||||||
- item.admin
|
- item.admin
|
||||||
- ansible_distribution_file_variety == "Debian"
|
- ansible_distribution_file_variety == "Debian"
|
||||||
|
|
||||||
- name: Permit sudo without password
|
- name: Add the admin users to the sudoers group on rh/centos systems
|
||||||
|
user: name={{ item.login }} groups={{ rh_users_sudoers_group }} append=yes
|
||||||
|
with_items: '{{ users_system_users }}'
|
||||||
|
when:
|
||||||
|
- item.admin
|
||||||
|
- ansible_distribution_file_variety == "RedHat"
|
||||||
|
|
||||||
|
- name: ensure that the users can login with their ssh keys as root if we want ensure direct access
|
||||||
|
authorized_key: user=root key="{{ item.ssh_key }}" state=present
|
||||||
|
with_items: '{{ users_system_users }}'
|
||||||
|
when:
|
||||||
|
- item.ssh_key is defined
|
||||||
|
- ( item.log_as_root is defined ) and ( item.log_as_root )
|
||||||
|
|
||||||
|
when: users_system_users is defined
|
||||||
|
tags: users
|
||||||
|
|
||||||
|
- block:
|
||||||
|
- name: Create additional users
|
||||||
|
user: name={{ item.login }} group={{ item.group | default(omit) }} comment="{{ item.name }}" home={{ item.home }}/{{ item.login }} createhome={{ item.createhome }} shell={{ item.shell }} password={{ item.password | default('*') }} update_password={{ item.update_password | default('on_create') }}
|
||||||
|
with_items: '{{ users_system_users_adjunct }}'
|
||||||
|
|
||||||
|
- name: ensure that the additional users can login with their ssh keys
|
||||||
|
authorized_key: user="{{ item.login }}" key="{{ item.ssh_key }}" state=present
|
||||||
|
with_items: '{{ users_system_users_adjunct }}'
|
||||||
|
when: item.ssh_key is defined
|
||||||
|
|
||||||
|
- name: Add the additional admin users to the sudoers group on debian based systems
|
||||||
|
user: name={{ item.login }} groups={{ deb_users_sudoers_group }} append=yes
|
||||||
|
with_items: '{{ users_system_users_adjunct }}'
|
||||||
|
when:
|
||||||
|
- item.admin
|
||||||
|
- ansible_distribution_file_variety == "Debian"
|
||||||
|
|
||||||
|
- name: Add the additional admin users to the sudoers group on rh/centos systems
|
||||||
|
user: name={{ item.login }} groups={{ rh_users_sudoers_group }} append=yes
|
||||||
|
with_items: '{{ users_system_users_adjunct }}'
|
||||||
|
when:
|
||||||
|
- item.admin
|
||||||
|
- ansible_distribution_file_variety == "RedHat"
|
||||||
|
|
||||||
|
- name: ensure that the additional users can login with their ssh keys as root if we want ensure direct access
|
||||||
|
authorized_key: user=root key="{{ item.ssh_key }}" state=present
|
||||||
|
with_items: '{{ users_system_users_adjunct }}'
|
||||||
|
when:
|
||||||
|
- item.ssh_key is defined
|
||||||
|
- ( item.log_as_root is defined ) and ( item.log_as_root )
|
||||||
|
|
||||||
|
when: users_system_users_adjunct is defined
|
||||||
|
tags: users
|
||||||
|
|
||||||
|
- block:
|
||||||
|
- name: Permit sudo without password on Deb based systems
|
||||||
lineinfile:
|
lineinfile:
|
||||||
path: /etc/sudoers
|
path: /etc/sudoers
|
||||||
state: present
|
state: present
|
||||||
|
@ -38,27 +96,13 @@
|
||||||
when: ansible_distribution_file_variety == "Debian"
|
when: ansible_distribution_file_variety == "Debian"
|
||||||
tags: [ 'users', 'sudo_wheel' ]
|
tags: [ 'users', 'sudo_wheel' ]
|
||||||
|
|
||||||
- name: Add the admin users to the sudoers group on rh/centos systems
|
- name: Change the sudo configuration to permit sudo without password on RH/CentOS systems
|
||||||
user: name={{ item.login }} groups={{ rh_users_sudoers_group }} append=yes
|
|
||||||
with_items: '{{ users_system_users | default([]) }}'
|
|
||||||
when:
|
|
||||||
- item.admin
|
|
||||||
- ansible_distribution_file_variety == "RedHat"
|
|
||||||
|
|
||||||
- name: Permit sudo without password
|
|
||||||
lineinfile:
|
lineinfile:
|
||||||
path: /etc/sudoers
|
path: /etc/sudoers
|
||||||
state: present
|
state: present
|
||||||
regexp: '^%{{ rh_users_sudoers_group }}\s'
|
regexp: '^%{{ rh_users_sudoers_group }}\s'
|
||||||
line: '%{{ rh_users_sudoers_group }} ALL=(ALL) NOPASSWD: ALL'
|
line: '%{{ rh_users_sudoers_group }} ALL=(ALL) NOPASSWD: ALL'
|
||||||
when: ansible_distribution_file_variety == "RedHat"
|
when: ansible_distribution_file_variety == "RedHat"
|
||||||
tags: [ 'users', 'sudo_wheel' ]
|
|
||||||
|
|
||||||
- name: ensure that the users can login with their ssh keys as root if we want ensure direct access
|
tags: [ 'users', 'sudo_wheel' ]
|
||||||
authorized_key: user=root key="{{ item.ssh_key }}" state=present
|
|
||||||
with_items: '{{ users_system_users | default([]) }}'
|
|
||||||
when:
|
|
||||||
- item.ssh_key is defined
|
|
||||||
- ( item.log_as_root is defined ) and ( item.log_as_root )
|
|
||||||
|
|
||||||
tags: users
|
|
||||||
|
|
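Review bot: The root-key task added for the adjunct list (`authorized_key: user=root key="{{ item.ssh_key }}" state=present`, guarded by `log_as_root`) only ever adds keys: once an entry has had `log_as_root: True` its key stays in root's `authorized_keys` after the flag is set back to False, because nothing in the role issues `state=absent` (entries deleted from the list altogether still need manual cleanup). Deriving the state from the flag makes a flip revoke the access: `authorized_key: user=root key="{{ item.ssh_key }}" state={{ 'present' if item.log_as_root | default(False) else 'absent' }}` with the `when:` reduced to `item.ssh_key is defined`; the same applies to the copy of this task moved into the `users_system_users` block earlier in the hunk. On style, every task in the second hunk is a duplicate of a `users_system_users` task with `users_system_users_adjunct` substituted; iterating once over `'{{ users_system_users | default([]) + users_system_users_adjunct | default([]) }}'` would remove the second block and keep the two lists from drifting apart. The second hunk opens in the middle of a `when:` list, so the task and block it belongs to start outside it.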