skylab/omni-ansible
Archived
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Overhaul local user management

Browse Source 
Fix user deletion on removal/reassignment
Improve efficiency and cross platform support
This commit is contained in:
Ethan Paul 2019-09-27 02:59:11 -04:00
parent 9e646c3308
commit dca25832c4
4 changed files with 110 additions and 74 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
groups/all.yml
View File

@ -2,3 +2,7 @@
ansible_user: ansible ansible_user: ansible
disable_gnome_user_list: True disable_gnome_user_list: True
protected_users:
- root
- ansible

1
playbooks/deploy-sshkeys.yml
View File

@ -13,6 +13,7 @@
state: directory state: directory
path: /home/{{ item.name }}/.ssh path: /home/{{ item.name }}/.ssh
loop: "{{ local_users | difference([None]) }}" loop: "{{ local_users | difference([None]) }}"
- name: Put keys on remote - name: Put keys on remote
when: item.keys != [] when: item.keys != []
authorized_key: authorized_key:

127
playbooks/update-users-local.yml
View File

@ -1,7 +1,7 @@
--- ---
- import_playbook: dependencies.yml - import_playbook: dependencies.yml
- hosts: all - hosts: all:!network
name: Update local user accounts and access controls name: Update local user accounts and access controls
tasks: tasks:
- import_tasks: tasks/users-preprocessing.yml - import_tasks: tasks/users-preprocessing.yml
@ -21,78 +21,58 @@
name: "{{ item.name }}" name: "{{ item.name }}"
comment: "{{ item.fullname | default('') }}" comment: "{{ item.fullname | default('') }}"
shell: /bin/bash shell: /bin/bash
groups: "{{ item.targets | intersect(targets) }} + {{ [ 'omni' ] if item.name != 'root' else [] }}" groups: "{{ item.targets | intersect(targets) + ['omni'] }}"
system: "{{ item.svc | default('no') }}" system: "{{ item.svc | default(False) }}"
state: present state: present
generate_ssh_key: "{{ 'yes' if generate_keys|bool == true else 'no' }}" generate_ssh_key: "{{ True if generate_keys | bool == true else False }}"
ssh_key_comment: "{{ item.name }}@{{ inventory_hostname }}" ssh_key_comment: "{{ item.name }}@{{ inventory_hostname }}"
ssh_key_bits: 4096 ssh_key_bits: 4096
ssh_key_type: ed25519 ssh_key_type: ed25519
password: "{{ item.password }}" password: "{{ item.password }}"
loop: "{{ local_users | difference([None]) }}" loop: "{{ local_users }}"
- name: Delete users that have been removed - name: Delete removed user accounts
tags: users_delete become: true
block: user:
- name: Determine existing users name: "{{ item }}"
shell: 'grep omni /etc/group | cut -d: -f4 | tr "," "\n"' state: absent
changed_when: false loop: "{{ local_removed_users | difference(protected_users) }}"
register: existing_users
- name: Coallate user names - name: Grant sudo permissions to admin user accounts
set_fact: become: true
user_names: "{{ user_names | default([]) + [item.name] }}" user:
loop: "{{ users }}" name: "{{ item.name }}"
groups: "{{ 'wheel' if ansible_os_family | lower == 'redhat' else 'sudo' }}"
state: present
loop: "{{ local_admin_users }}"
- name: Determine removed users - name: Disable sudo password for ansible
set_fact: become: true
removed_users: "{{ existing_users.stdout_lines | difference(local_users) | difference([None]) }}" lineinfile:
create: true
path: /etc/sudoers.d/30-ansible
line: "ansible ALL=(ALL) NOPASSWD:ALL"
mode: 0644
- name: Delete removed user accounts - name: Disable sudo password for admin users
become: true become: true
user: lineinfile:
name: "{{ item }}" create: true
state: absent path: /etc/sudoers.d/40-admin
loop: "{{ removed_users }}" line: "{{ item.name }} ALL=(ALL) NOPASSWD:ALL"
mode: 0644
- name: Grant sudo permissions state: "{{ 'absent' if disable_sudo_password | bool == false else 'present' }}"
tags: users_sudo loop: "{{ local_admin_users }}"
block:
- name: Add users to sudo group on Fedora/CentOS/RHEL
when: ansible_distribution == "Fedora" or ansible_distribution == "Red Hat Enterprise Linux" or ansible_distribution == "CentOS"
become: true
user:
name: "{{ item }}"
groups: wheel
state: present
loop: "{{ local_admin_users | difference([None]) }}"
- name: Disable sudo password for ansible
become: true
lineinfile:
create: yes
path: /etc/sudoers.d/30-ansible
line: "ansible ALL=(ALL) NOPASSWD:ALL"
mode: 0644
- name: Disable sudo password for admin users
become: true
lineinfile:
create: yes
path: /etc/sudoers.d/40-admin
line: "{{ item }} ALL=(ALL) NOPASSWD:ALL"
mode: 0644
state: "{{ 'absent' if disable_sudo_password|bool == false else 'present' }}"
loop: "{{ local_admin_users | difference([None] )}}"
- name: Configure GNOME - name: Configure GNOME
tags: users_gnome tags: users_gnome
when: ansible_distribution == "Fedora" and disable_gnome_user_list|bool == true when: ansible_distribution == "Fedora" and disable_gnome_user_list | bool == true
become: true become: true
block: block:
- name: Configure GDM profile - name: Configure GDM profile
blockinfile: blockinfile:
path: /etc/ssh/sshd_config create: true
path: /etc/dconf/profile/gdm
block: | block: |
user-db:user user-db:user
system-db:gdm system-db:gdm
@ -118,8 +98,35 @@
group: "{{ item.name }}" group: "{{ item.name }}"
owner: "{{ item.name }}" owner: "{{ item.name }}"
path: /home/{{ item.name }} path: /home/{{ item.name }}
recurse: yes recurse: true
state: directory state: directory
loop: "{{ local_users | difference([None]) }}" loop: "{{ local_users }}"
- import_playbook: deploy-sshkeys.yml # - hosts: router.net.enp.one
# name: Configure users on router
# connection: network_cli
# vars:
# ansible_network_os: edgeos
# tasks:
# - import_tasks: tasks/users-preprocessing.yml
#
# - name: Create users
# edgeos_config:
# lines:
# - set system login user {{ item.name }} authentication encrypted-password "{{ item.password }}"
# - set system login user {{ item.name }} full-name "{{ item.fullname if item.fullname is defined else "" }}"
# - set system login user {{ item.name }} level {{ 'operator' if item.name != 'ansible' else 'admin' }}
# loop: "{{ local_users | difference([None]) }}"
#
# - name: Grant administrative access to admin users
# edgeos_config:
# lines:
# - set system login user {{ item.name }} level admin
# loop: "{{ local_admin_users | difference([None]) }}"
#
# - name: Assemble key files for loadkey usage
# edgeos_command:
# commands: sudo tee /tmp/{{ item.name }}.keys<<<"{{ item.sshkeys | join('\n') }}"
# loop: "{{ local_admin_users | difference([None]) }}"
#
# - import_playbook: deploy-sshkeys.yml

52
tasks/users-preprocessing.yml
View File

@ -1,15 +1,39 @@
--- ---
- name: Pre-processing - name: Load users variables
tags: always include_vars:
block: file: users.yml
- name: Load users
include_vars: - name: Reconcile user targets with host targets to get host users
file: users.yml set_fact:
- name: Reconcile user targets with host targets to get host users local_users: >-
set_fact: {{
local_users: "{{ local_users | default([]) + [item if item.targets | intersect(targets) else None] }}" local_users | default([]) + ([item] if item.targets | intersect(targets) else [])
with_items: "{{ users }}" }}
- name: Get administrative users loop: "{{ users }}"
set_fact:
local_admin_users: "{{ local_admin_users | default([]) + [item.name if item.admin else None] }}" - name: Determine local user names
with_items: "{{ local_users | difference([None]) }}" set_fact:
local_user_names: "{{ local_user_names | default([]) + [item.name] }}"
loop: "{{ local_users }}"
- name: Determine administrative users
set_fact:
local_admin_users: >-
{{
local_admin_users | default([]) + ([item] if item.admin | default(False) else [])
}}
loop: "{{ local_users }}"
- name: Determine existing users
shell: 'grep omni /etc/group | cut -d: -f4 | tr "," "\n"'
changed_when: false
register: local_existing_users
- name: Determine removed users
set_fact:
local_removed_users: >-
{{
local_removed_users | default([]) +
([item] if item not in local_user_names else [])
}}
loop: "{{ local_existing_users.stdout_lines }}"