Thanks for the suggestion - Unfortunately it doesn't work for me :-( I get:

TASK: [users | Create Unix users from the users.yml file] 
********************* 
fatal: [ralph] => error while evaluating conditional: inventory_hostname in 
item.value.access_to

FATAL: all hosts have already failed -- aborting


I tried this in the play:

  - name: debug output
    debug: msg="access to is {{item.access_to }}"
    with_items: unix_users

...and got this as output:

    "msg": "access to is ['dev_hosts', 'test_hosts', 'uat_hosts']"


...so it's getting it, and even knows its a list of names. If I put the 
hostname in the list it matches and we're all good - but I'd really rather 
use Ansible host groups. I guess I need a way to 'eval()' the list so that 
each of items in the list is looked up in groups[]. I tried to do this as a 
template, and successfully made up the right sort of 'code' as text, but 
then couldn't find a way to have it re-evaluated into actual data.

I'm thinking I need to find a whole different way to do this, but can't 
find any good advice on how I should approach the problem.

Cheers,

...Ralph

On Friday, 13 November 2015 18:24:18 UTC, Joanna Delaporte wrote:
>
> Does the following work?
>
>    when: "inventory_hostname in item.*value*.access_to"
>
> I have used dicts a little for users, and that is how I reference details 
> for users.
>
> Joanna
>
> On Friday, November 13, 2015 at 12:02:25 PM UTC-6, Ralph Bolton wrote:
>>
>> Hi,
>>
>> I'm trying to manage a small number of Unix users on a smallish estate of 
>> servers (~100 servers). My users are either devs, sysadmins or support, and 
>> need different access to different boxes. I've got a nice way to give them 
>> differing levels of sudo access, but now want to figure out how to grant 
>> and revoke access to different boxes. Obviously, I've got a variety of 
>> groups in my ansible hosts file, and I have a Yaml definition for my users 
>> and groups.
>>
>> For example, the devs really only need access to the host groups 
>> dev_servers and test_servers. However, let's say user Fred needs temporary 
>> access to production, I'd like to add him to a group, run Ansible and then 
>> let him do his work. When he's done, remove him from that group and then 
>> run Ansible to revoke his access.
>>
>> So far, I have a vars/main.yml that looks something like:
>>
>> ---
>> unix_groups:
>>   - group: general
>>     state: present
>>     gid: 1500
>>
>> unix_users:
>>    - user: fred
>>      state: present
>>      uid: 5000
>>      group: general
>>      root_access: restricted
>>   - user: barney
>>     state: present
>>     uid: 5001
>>     group: general
>>     root_access: none
>>   - user: wilma
>>     state: present
>>     uid: 5002
>>     group: general
>>     root_access: full
>>
>>
>>
>> ...and a tasks/main.yml that contains:
>>
>> - name: Pull in user/group variables from role_vars
>>   include_vars: main.yml
>>
>> - name: Create Unix groups from the groups.yml file
>>   action: group name={{ item.group }} state={{ item.state }} gid={{ item.gid 
>> }}
>>   with_items: unix_groups
>>
>> - name: Create Unix users from the users.yml file
>>   action: user name={{ item.user }} state={{ item.state }} group={{ item.
>> group | default(None) }} uid={{ item.uid | default(None) }} shell=/bin/bash 
>> expires=0
>>   with_items: unix_users
>>
>> - name: Create sudoers file if the user is allowed root access
>>   template: src=../templates/sudoers-{{ item.root_access|default(None) 
>> }}.j2 dest=/etc/sudoers.d/{{ item.user }} owner=root group=root mode=0440
>>   when: item.state == "present" and (item.root_access|default(None) == 
>> "full" or item.root_access|default(None) == "restricted")
>>   with_items: unix_users
>>
>> - name: Revoke root access if user is not allowed it
>>   file: dest=/etc/sudoers.d/{{ item.user }} state=absent
>>   when: item.state != "present" or (item.root_access|default(None) != 
>> "full" and item.root_access|default(None) != 'restricted')
>>   with_items: unix_users
>>
>> All of this works nicely - if I were to set Wilma's root_access to 
>> 'restricted' or 'none', then her sudo config would either change or be 
>> removed entirely. Likewise, if I set her 'state' to 'absent' her account if 
>> removed from the systems. This works nicely for all the hosts I apply this 
>> role to (which at the moment is all of them). So far so good...
>>
>> Now I'd like to be able to add users to certain hosts (I'm guessing host 
>> groups makes most sense). I tried adding something like
>>
>>     access_to: test_hosts, dev_hosts
>>
>> ...and
>>
>>     access_to:
>>     - test_hosts
>>     - dev_hosts
>>
>> ...to vars/main.yml and then tried various permutations of "when" clause 
>> in my user creation. For example:
>>
>>    when: "inventory_hostname in item.access_to"
>>
>> ...but nothing I've tried seems to work. I realise the normal pattern is 
>> to apply a role to certain host groups, and so perhaps I need to apply 
>> different roles to different groups and yet somehow supply them with my 
>> single Yaml user definition. I'm not sure how I'd revoke access if I'm not 
>> running against a group of hosts, but I'm sure I could figure something out 
>> there.
>>
>> All this feels like I've made this a lot harder for myself than I should 
>> have done. What's the "right" way to do this sort of thing? Any ideas if I 
>> can make what I have work in some sensible way, or should I be reworking it 
>> somehow else?
>>
>> Cheers,
>>
>> ...Ralph
>>
>>

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-project+unsubscr...@googlegroups.com.
To post to this group, send email to ansible-project@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/b71648a5-1251-427c-9832-eb1c90d107ce%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to