Hi, I'm trying to manage a small number of Unix users on a smallish estate of servers (~100 servers). My users are either devs, sysadmins or support, and need different access to different boxes. I've got a nice way to give them differing levels of sudo access, but now want to figure out how to grant and revoke access to different boxes. Obviously, I've got a variety of groups in my ansible hosts file, and I have a Yaml definition for my users and groups.
For example, the devs really only need access to the host groups dev_servers and test_servers. However, let's say user Fred needs temporary access to production: I'd like to add him to a group, run Ansible and then let him do his work. When he's done, remove him from that group and then run Ansible to revoke his access.

So far, I have a vars/main.yml that looks something like:

---
unix_groups:
  - group: general
    state: present
    gid: 1500

unix_users:
  - user: fred
    state: present
    uid: 5000
    group: general
    root_access: restricted
  - user: barney
    state: present
    uid: 5001
    group: general
    root_access: none
  - user: wilma
    state: present
    uid: 5002
    group: general
    root_access: full

...and a tasks/main.yml that contains:

- name: Pull in user/group variables from role_vars
  include_vars: main.yml

- name: Create Unix groups from the groups.yml file
  group:
    name: "{{ item.group }}"
    state: "{{ item.state }}"
    gid: "{{ item.gid }}"
  with_items: "{{ unix_groups }}"

- name: Create Unix users from the users.yml file
  user:
    name: "{{ item.user }}"
    state: "{{ item.state }}"
    group: "{{ item.group | default(omit) }}"   # omit the argument when not set, rather than passing "None"
    uid: "{{ item.uid | default(omit) }}"
    shell: /bin/bash
    expires: 0
  with_items: "{{ unix_users }}"

- name: Create sudoers file if the user is allowed root access
  template:
    src: "../templates/sudoers-{{ item.root_access | default('none') }}.j2"
    dest: "/etc/sudoers.d/{{ item.user }}"
    owner: root
    group: root
    mode: "0440"
  when: item.state == "present" and item.root_access | default('none') in ["full", "restricted"]
  with_items: "{{ unix_users }}"

- name: Revoke root access if user is not allowed it
  file:
    path: "/etc/sudoers.d/{{ item.user }}"
    state: absent
  when: item.state != "present" or item.root_access | default('none') not in ["full", "restricted"]
  with_items: "{{ unix_users }}"

All of this works nicely: if I were to set Wilma's root_access to 'restricted' or 'none', then her sudo config would either change or be removed entirely.
Likewise, if I set her 'state' to 'absent' her account is removed from the systems. This works nicely for all the hosts I apply this role to (which at the moment is all of them). So far so good...

Now I'd like to be able to add users to certain hosts (I'm guessing host groups make most sense). I tried adding something like:

access_to: test_hosts, dev_hosts

...and:

access_to:
  - test_hosts
  - dev_hosts

...to vars/main.yml and then tried various permutations of "when" clause in my user creation. For example:

when: "inventory_hostname in item.access_to"

...but nothing I've tried seems to work. I realise the normal pattern is to apply a role to certain host groups, and so perhaps I need to apply different roles to different groups and yet somehow supply them with my single Yaml user definition. I'm not sure how I'd revoke access if I'm not running against a group of hosts, but I'm sure I could figure something out there.

All this feels like I've made this a lot harder for myself than I should have done. What's the "right" way to do this sort of thing? Any ideas if I can make what I have work in some sensible way, or should I be reworking it somehow else?

Cheers,
...Ralph
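As an added example (this is not part of Ralph's post and not Ansible project code), here is one way to make the per-host-group idea work while keeping revocation automatic. It assumes the same unix_users/unix_groups layout as above plus an optional access_to list of inventory group names on each user; it relies on the standard Ansible magic variable group_names and the built-in intersect, combine and omit facilities. The effective_users fact, the literal all keyword and the visudo validation are this example's own conventions, not anything from the question.

```yaml
---
# Added example, not from the original post. Replaces the tasks/main.yml above.
#
# Idea: never decide presence with a "when" on the user task, because a skipped
# task cannot revoke anything. Instead compute an *effective* state per user for
# the host the task is running on, then always run the user/sudoers tasks with
# that state. A user with no access_to (or none of whose groups match this host)
# is therefore actively removed, not merely skipped (fail closed).
#
# Assumptions: the role is still applied to every host (so revocation reaches
# every host); access_to is a YAML list of inventory group names; the literal
# entry "all" means every host, special-cased because group_names never
# contains "all".

- name: Pull in user/group variables from role vars
  include_vars: main.yml

- name: Work out which defined users belong on this host
  set_fact:
    effective_users: >-
      {{ effective_users | default([])
         + [ item | combine({'state':
               'present' if (item.state == 'present'
                             and ('all' in item.access_to | default([])
                                  or group_names | intersect(item.access_to | default([])) | length > 0))
               else 'absent'}) ] }}
  with_items: "{{ unix_users }}"

- name: Create or remove Unix users according to their effective state on this host
  user:
    name: "{{ item.user }}"
    state: "{{ item.state }}"         # effective state computed above, not the global one
    uid: "{{ item.uid | default(omit) }}"
    group: "{{ item.group | default(omit) }}"
    shell: /bin/bash
  with_items: "{{ effective_users }}"

- name: Install a sudoers drop-in only for users present here with root access
  template:
    src: "sudoers-{{ item.root_access }}.j2"
    dest: "/etc/sudoers.d/{{ item.user }}"
    owner: root
    group: root
    mode: "0440"
    validate: "visudo -cf %s"         # refuse to install a syntactically broken sudoers file
  when: item.state == 'present' and item.root_access | default('none') in ['full', 'restricted']
  with_items: "{{ effective_users }}"

- name: Revoke sudo for everyone else (absent on this host, or no root_access)
  file:
    path: "/etc/sudoers.d/{{ item.user }}"
    state: absent
  when: item.state != 'present' or item.root_access | default('none') not in ['full', 'restricted']
  with_items: "{{ effective_users }}"
```

With this in place, giving Fred temporary production access is a change to his access_to list (for example adding prod_servers), and taking it away is removing that entry and re-running the play against all hosts; on hosts he no longer matches the user task runs with state absent and the sudoers drop-in is deleted in the same run. Two caveats worth knowing: the user module leaves the home directory behind unless remove is set, which is often what you want for an audit trail but means files owned by a reusable UID stay on disk; and the validate step matters because a bad file in /etc/sudoers.d breaks sudo for everyone on that host, not just the user concerned.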