Does the following work?

   when: "inventory_hostname in item.*value*.access_to"

I have used dicts a little for users, and that is how I reference details 
for users.

Joanna

On Friday, November 13, 2015 at 12:02:25 PM UTC-6, Ralph Bolton wrote:
>
> Hi,
>
> I'm trying to manage a small number of Unix users on a smallish estate of 
> servers (~100 servers). My users are either devs, sysadmins or support, and 
> need different access to different boxes. I've got a nice way to give them 
> differing levels of sudo access, but now want to figure out how to grant 
> and revoke access to different boxes. Obviously, I've got a variety of 
> groups in my ansible hosts file, and I have a Yaml definition for my users 
> and groups.
>
> For example, the devs really only need access to the host groups 
> dev_servers and test_servers. However, let's say user Fred needs temporary 
> access to production, I'd like to add him to a group, run Ansible and then 
> let him do his work. When he's done, remove him from that group and then 
> run Ansible to revoke his access.
>
> So far, I have a vars/main.yml that looks something like:
>
> ---
> unix_groups:
>   - group: general
>     state: present
>     gid: 1500
>
> unix_users:
>   - user: fred
>     state: present
>     uid: 5000
>     group: general
>     root_access: restricted
>   - user: barney
>     state: present
>     uid: 5001
>     group: general
>     root_access: none
>   - user: wilma
>     state: present
>     uid: 5002
>     group: general
>     root_access: full
>
> ...and a tasks/main.yml that contains:
>
> - name: Pull in user/group variables from role_vars
>   include_vars: main.yml
>
> - name: Create Unix groups from the groups.yml file
>   action: group name={{ item.group }} state={{ item.state }} gid={{ item.gid }}
>   with_items: unix_groups
>
> - name: Create Unix users from the users.yml file
>   action: user name={{ item.user }} state={{ item.state }} group={{ item.group | default(None) }} uid={{ item.uid | default(None) }} shell=/bin/bash expires=0
>   with_items: unix_users
>
> - name: Create sudoers file if the user is allowed root access
>   template: src=../templates/sudoers-{{ item.root_access|default(None) }}.j2 dest=/etc/sudoers.d/{{ item.user }} owner=root group=root mode=0440
>   when: item.state == "present" and (item.root_access|default(None) == "full" or item.root_access|default(None) == "restricted")
>   with_items: unix_users
>
> - name: Revoke root access if user is not allowed it
>   file: dest=/etc/sudoers.d/{{ item.user }} state=absent
>   when: item.state != "present" or (item.root_access|default(None) != "full" and item.root_access|default(None) != 'restricted')
>   with_items: unix_users
>
> All of this works nicely - if I were to set Wilma's root_access to 
> 'restricted' or 'none', then her sudo config would either change or be 
> removed entirely. Likewise, if I set her 'state' to 'absent' her account is 
> removed from the systems. This works nicely for all the hosts I apply this 
> role to (which at the moment is all of them). So far so good...
>
> Now I'd like to be able to add users to certain hosts (I'm guessing host 
> groups makes most sense). I tried adding something like
>
>     access_to: test_hosts, dev_hosts
>
> ...and
>
>     access_to:
>     - test_hosts
>     - dev_hosts
>
> ...to vars/main.yml and then tried various permutations of "when" clause 
> in my user creation. For example:
>
>    when: "inventory_hostname in item.access_to"
>
> ...but nothing I've tried seems to work. I realise the normal pattern is 
> to apply a role to certain host groups, and so perhaps I need to apply 
> different roles to different groups and yet somehow supply them with my 
> single Yaml user definition. I'm not sure how I'd revoke access if I'm not 
> running against a group of hosts, but I'm sure I could figure something out 
> there.
>
> All this feels like I've made this a lot harder for myself than I should 
> have done. What's the "right" way to do this sort of thing? Any ideas if I 
> can make what I have work in some sensible way, or should I be reworking it 
> somehow else?
>
> Cheers,
>
> ...Ralph
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-project+unsubscr...@googlegroups.com.
To post to this group, send email to ansible-project@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/cc367cbf-7691-47e5-aaf3-f2266dfa5073%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
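An added example (not Ralph's or Joanna's code) of a tasks/main.yml that grants and revokes per-host-group access from the single unix_users list. It assumes each user entry carries an access_to list of inventory group names, as in Ralph's second variant, and tests that list against Ansible's built-in group_names (the groups the current host belongs to) rather than inventory_hostname, since access_to holds group names, not hostnames; the allowed_users fact name, the sudoers template names and the visudo validation step are assumptions.

```yaml
# tasks/main.yml (added example). Assumes each unix_users entry also has
#   access_to: [dev_hosts, test_hosts]   # inventory group names
# group_names is Ansible's built-in list of groups the current host is in.

- name: Build the list of users allowed on this host (assumed fact name)
  set_fact:
    allowed_users: "{{ allowed_users | default([]) + [item.user] }}"
  # Allowed only when the account is active AND at least one access_to
  # group is one this host belongs to; a user with no access_to gets nothing.
  when: >-
    item.state == "present" and
    (item.access_to | default([]) | intersect(group_names) | length > 0)
  with_items: "{{ unix_users }}"

- name: Ensure allowed users exist and everyone else is absent (revocation)
  user:
    name: "{{ item.user }}"
    uid: "{{ item.uid | default(omit) }}"
    group: "{{ item.group | default(omit) }}"
    shell: /bin/bash
    state: "{{ 'present' if item.user in allowed_users | default([]) else 'absent' }}"
  with_items: "{{ unix_users }}"

- name: Install a sudoers fragment only for allowed users with root access
  template:
    src: "sudoers-{{ item.root_access }}.j2"   # assumed template names
    dest: "/etc/sudoers.d/{{ item.user }}"
    owner: root
    group: root
    mode: "0440"
    validate: "visudo -cf %s"   # reject a broken fragment before it lands
  when: >-
    item.user in allowed_users | default([]) and
    item.root_access | default('none') in ['full', 'restricted']
  with_items: "{{ unix_users }}"

- name: Remove the sudoers fragment from anyone not entitled to it here
  file:
    path: "/etc/sudoers.d/{{ item.user }}"
    state: absent
  when: >-
    not (item.user in allowed_users | default([]) and
    item.root_access | default('none') in ['full', 'restricted'])
  with_items: "{{ unix_users }}"
```

Fred's temporary production access then becomes a two-step change: add the production group to his access_to and run the role, then remove it and run again, at which point both his account and his sudoers fragment disappear from those hosts.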