user_services_perms: remove more stuff, fix some tasks so that they do not overlap with the users role.

This commit is contained in:
Andrea Dell'Amico 2019-02-14 15:18:05 +01:00
parent 7220c2513f
commit e6531ac42c
5 changed files with 16 additions and 47 deletions


@ -1,21 +1,11 @@
--- ---
service_custom_installation: False
service_user: sys_admin
service_group: '{{ sys_user }}'
service_sudoers_group: adminsu service_sudoers_group: adminsu
service_data_directory: /var/lib/foo common_users_group: service_g
#service_other_directories:
# - /var/lib/bar
service_log_directories:
- /var/log/foo
- /var/log/foo/search
# Define the following if you want some directories readable and writable by the common group but outside the default app data dirs # Define the following if you want some directories readable and writable by the common group but outside the default app data dirs
#additional_data_directories: #additional_data_directories:
# - { name: '/data/1', perms: 0755, create: True, owner: 'root', group: '{{ sys_group }}', aclperms: 'rwX' } # - { name: '/data/1', perms: 0755, create: True, owner: 'root', group: '{{ common_users_group }}', aclperms: 'rwX' }
# - { name: '/data/2', create: False, perms: 0755, owner: 'root', group: '{{ sys_group }}', aclperms: 'rwX' } # - { name: '/data/2', create: False, perms: 0755, owner: 'root', group: '{{ common_users_group }}', aclperms: 'rwX' }
# - { name: '/data/bah', create: False, perms: 0644, aclperms: 'rw' } # - { name: '/data/bah', create: False, perms: 0644, aclperms: 'rw' }
# Define the following array when you want to add commands to the sudoers file # Define the following array when you want to add commands to the sudoers file
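Review bot: The `additional_data_directories` examples kept on the new side (`perms: 0755`, `perms: 0644`) are unquoted octal literals; YAML 1.1 loaders such as Ansible's read them as the decimal integers 493 and 420, so `mode={{ item.perms }}` in common-users-data-dirs.yml receives the digit string "493", which fails as an octal mode, or "420", which is silently applied as mode 0420. Quoting the example values, `perms: '0755'` and `perms: '0644'`, preserves the intended octal string and is what the Ansible file module documents. The group examples were already updated to `common_users_group`, so this appears to be the only remaining trap in the commented defaults; the hunk header counts more new lines than are shown, so part of this file may lie beyond the excerpt.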


@ -1,16 +1,25 @@
--- ---
- block: - block:
- name: Create the common group used to setup acls
group: name={{ common_users_group }} state=present system=yes
when: additional_data_directories is defined
- name: Add selected users to the commong group
user: name={{ item.login }} groups={{ common_users_group }} append=yes
with_items: '{{ users_system_users | default([]) }}'
when: additional_data_directories is defined
- name: Create the users additional data dirs - name: Create the users additional data dirs
file: name={{ item.name }} state=directory owner={{ item.owner }} group={{ item.group }} mode={{ item.perms }} file: name={{ item.name }} state=directory owner={{ item.owner }} group={{ item.group }} mode={{ item.perms }}
with_items: '{{ additional_data_directories | default([]) }}' with_items: '{{ additional_data_directories | default([]) }}'
when: item.create and not item.file when: item.create and not item.file
- name: Set the read/write/access permissions on the users additional data dirs - name: Set the read/write/access permissions on the users additional data dirs
acl: name={{ item.name }} entity={{ service_group }} etype=group permissions={{ item.aclperms | default('rwX') }} state=present recursive=yes acl: name={{ item.name }} entity={{ common_users_group }} etype=group permissions={{ item.aclperms | default('rwX') }} state=present recursive=yes
with_items: '{{ additional_data_directories | default([]) }}' with_items: '{{ additional_data_directories | default([]) }}'
- name: Set the default read/write/access permissions on the users additional data dirs - name: Set the default read/write/access permissions on the users additional data dirs
acl: name={{ item.name }} entity={{ service_group }} etype=group permissions={{ item.aclperms | default('rwX') }} state=present default=yes recursive=yes acl: name={{ item.name }} entity={{ common_users_group }} etype=group permissions={{ item.aclperms | default('rwX') }} state=present default=yes recursive=yes
with_items: '{{ additional_data_directories | default([]) }}' with_items: '{{ additional_data_directories | default([]) }}'
tags: [ 'users', 'users_acl' ] tags: [ 'users', 'users_acl' ]
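Review bot: `when: item.create and not item.file` on the directory-creation task (unchanged by this commit) dereferences `item.file`, which none of the example entries in defaults define, so an entry with `create: True` written like the examples aborts with an undefined-attribute error instead of creating the directory; `when: item.create and not (item.file | default(False))` tolerates the missing key. In the newly added task the name reads `commong group`. Both new tasks repeat `when: additional_data_directories is defined` although main.yml imports this file under that same condition, so the per-task guards are redundant, if harmless.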


@ -1,7 +1,5 @@
--- ---
- import_tasks: common-groups.yml - import_tasks: sudoers-groups.yml
- import_tasks: sudo-config.yml - import_tasks: sudo-config.yml
- import_tasks: services-data-dirs.yml
when: service_custom_installation
- import_tasks: common-users-data-dirs.yml - import_tasks: common-users-data-dirs.yml
when: additional_data_directories is defined when: additional_data_directories is defined


@ -1,23 +0,0 @@
---
- block:
- name: Create the service data dirs
file: name={{ item }} state=directory owner={{ service_user }} group={{ service_group }} mode=0750
with_items: '{{ service_other_directories }}'
- name: Set the read/write permissions on the service data dirs
acl: name={{ item }} entity={{ service_group }} etype=group permissions=rwX state=present recursive=yes
with_items: '{{ service_other_directories | default([]) }}'
- name: Set the default read/write permissions on the service data dirs
acl: name={{ item }} entity={{ service_group }} etype=group permissions=rwX state=present default=yes recursive=yes
with_items: '{{ service_other_directories | default([]) }}'
- name: Set the read permissions on the service log dirs
acl: name={{ item }} entity={{ service_group }} etype=group permissions=rX state=present recursive=yes
with_items: '{{ service_log_directories }}'
- name: Set the default read permissions on the service log dirs
acl: name={{ item }} entity={{ service_group }} etype=group permissions=rX state=present default=yes recursive=yes
with_items: '{{ service_log_directories }}'
tags: [ 'service', 'users' ]


@ -1,12 +1,8 @@
--- ---
- block: - block:
- name: Create the service user, if it is not used to run the tomcat instances
user: name={{ service_user }} home={{ service_data_directory }} createhome=no shell=/usr/sbin/nologin
- name: Add the additional service groups - name: Add the additional service groups
group: name={{ item }} state=present group: name={{ item }} state=present
with_items: with_items:
- '{{ service_group }}'
- '{{ service_sudoers_group }}' - '{{ service_sudoers_group }}'
- name: Add selected users to the limited sudoers group - name: Add selected users to the limited sudoers group
@ -15,9 +11,8 @@
when: item.limited_sudoers_user when: item.limited_sudoers_user
- name: Remove selected users to the limited sudoers group - name: Remove selected users to the limited sudoers group
user: name={{ item.login }} groups={{ service_sudoers_group }} user: name={{ item.login }} groups={{ service_sudoers_group }} append=yes
with_items: '{{ users_system_users | default([]) }}' with_items: '{{ users_system_users | default([]) }}'
when: not item.limited_sudoers_user when: not item.limited_sudoers_user
when: service_custom_installation
tags: [ 'services', 'users' ] tags: [ 'services', 'users' ]
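Review bot: The `Remove selected users to the limited sudoers group` task adds users rather than removing them: the new `groups={{ service_sudoers_group }} append=yes` appends the sudoers group to every user whose `limited_sudoers_user` flag is false, granting the limited sudo rights to exactly the accounts the condition is meant to exclude (the pre-commit form without `append=yes` also added them, while additionally dropping their other supplementary groups). Ansible's `user` module has no option to drop a single supplementary group, so the removal needs either the user's full intended group list passed to `groups=` without `append`, or an explicit command such as `gpasswd -d`, as sketched below; the not-a-member message varies by distribution, so the `failed_when` text should be checked against the target OS. The task name should also read `from` rather than `to`. The enclosing block opens in the first hunk and its remaining tasks lie between the two hunks.

```yaml
    - name: Remove selected users from the limited sudoers group
      command: gpasswd -d {{ item.login }} {{ service_sudoers_group }}
      register: sudoers_group_removal
      changed_when: sudoers_group_removal.rc == 0
      failed_when: sudoers_group_removal.rc != 0 and 'not a member' not in sudoers_group_removal.stderr
      with_items: '{{ users_system_users | default([]) }}'
      when: not item.limited_sudoers_user
```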