
ansible-users's Introduction

ansible-users

Role to manage users on a system.

Role configuration

  • users_create_per_user_group (default: true) - when creating users, also create a group with the same username and make that the user's primary group.
  • users_group (default: users) - if users_create_per_user_group is not set, then this is the primary group for all created users.
  • users_default_shell (default: /bin/bash) - the default shell if none is specified for the user.
  • users_create_homedirs (default: true) - create home directories for new users. Set this to false if you manage home directories separately.
  • authorized_keys_file (default: .ssh/authorized_keys) - set this if the SSH server is configured to use a non-standard authorized keys file.

Creating users

Add a users variable containing the list of users to add. A good place to put this is in group_vars/all or group_vars/groupname if you only want the users to be on certain machines.

The following attributes are required for each user:

  • username - The user's username.
  • name - The full name of the user (gecos field).
  • home - The home directory of the user to create (optional, defaults to /home/username).
  • uid - The numeric user id for the user (optional). This is required for uid consistency across systems.
  • gid - The numeric group id for the group (optional). Otherwise, the uid will be used.
  • password - If a hash is provided then that will be used, but otherwise the account will be locked.
  • update_password - This can be either 'always' or 'on_create'
    • 'always' will update passwords if they differ. (default)
    • 'on_create' will only set the password for newly created users.
  • group - Optional primary group override.
  • groups - A list of supplementary groups for the user.
  • append - If yes, the groups listed in groups are added to the user's existing groups instead of replacing them (optional).
  • profile - A string block for setting custom shell profiles.
  • ssh_key - This should be a list of SSH keys for the user (optional). Each SSH key should be included directly and should have no newlines.
  • generate_ssh_key - Whether to generate a SSH key for the user (optional, defaults to no).

In addition, the following items are optional for each user:

  • shell - The user's shell. This defaults to /bin/bash. Use the users_default_shell variable to change the default if you want to give all users the same shell and that shell is not /bin/bash.

Example:

---
users:
  - username: foo
    name: Foo Barrington
    groups: ['wheel','systemd-journal']
    uid: 1001
    home: /local/home/foo
    profile: |
      alias ll='ls -lah'
    ssh_key:
      - "ssh-rsa AAAAA.... foo@machine"
      - "ssh-rsa AAAAB.... foo2@machine"
groups_to_create:
  - name: developers
    gid: 10000
users_deleted:
  - username: bar
    name: Bar User
    uid: 1002

Deleting users

The users_deleted variable contains a list of users who should no longer be in the system, and these will be removed on the next ansible run. The format is the same as for users to add, but the only required field is username. However, it is recommended that you also keep the uid field for reference so that numeric user ids are not accidentally reused.

You can optionally choose to remove the user's home directory and mail spool with the remove parameter, and force removal of files with the force parameter.

users_deleted:
  - username: bar
    uid: 1002
    remove: yes
    force: yes
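
A pre-run lint for the variables described above, as an added example (not part of the role or its README). It takes the users and users_deleted lists as already-parsed dicts and flags a uid from users_deleted that an active user now holds (files left under that numeric id would become theirs), ssh_key entries containing newlines, and a password value that is not a crypt hash. The function name, the regexes and the sample data are assumptions made for this example.

```python
import re

# Heuristic: crypt hashes look like "$6$salt$digest"; "!" or "*" mark a locked account.
CRYPT_RE = re.compile(r"^(\$[0-9a-z]{1,2}\$\S+|[!*]\S*)$")
# A public key line starts with its key type followed by the base64 blob.
KEY_RE = re.compile(r"^(ssh-|ecdsa-|sk-)\S+ \S+")


def lint_user_vars(users, users_deleted):
    """Return a list of findings for the role's users / users_deleted vars."""
    findings = []
    seen = {}  # uid -> username of the first active user that claimed it
    for u in users:
        name = u["username"]
        uid = u.get("uid")
        if uid is not None:
            if uid in seen:
                findings.append(f"{name}: uid {uid} already used by {seen[uid]}")
            seen.setdefault(uid, name)
        pw = u.get("password")
        if pw and not CRYPT_RE.match(pw):
            findings.append(f"{name}: password is not a crypt hash (plaintext?)")
        keys = u.get("ssh_key") or []
        if isinstance(keys, str):
            findings.append(f"{name}: ssh_key must be a list")
            keys = [keys]
        for i, key in enumerate(keys):
            if "\n" in key:
                findings.append(f"{name}: ssh_key[{i}] contains a newline")
            elif not KEY_RE.match(key):
                findings.append(f"{name}: ssh_key[{i}] is not a public key line")
    for d in users_deleted:
        uid = d.get("uid")
        if uid in seen:  # a deleted account's uid handed to an active user
            findings.append(f"{seen[uid]}: reuses uid {uid} of deleted user {d['username']}")
    return findings


# Constructed sample, shaped like the README example (vars already parsed from YAML).
SAMPLE_USERS = [
    {"username": "foo", "uid": 1001, "ssh_key": ["ssh-rsa AAAAA.... foo@machine"]},
    {"username": "baz", "uid": 1002, "password": "hunter2",
     "ssh_key": ["ssh-ed25519 AAAAC3...\nssh-rsa AAAAB... baz@machine"]},
]
SAMPLE_DELETED = [{"username": "bar", "uid": 1002}]

if __name__ == "__main__":
    for finding in lint_user_vars(SAMPLE_USERS, SAMPLE_DELETED):
        print(finding)
```

Running it against group_vars in CI, before the playbook is applied, catches these mistakes without touching a host.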

ansible-users's Issues

Deprecation Warning

Hi mivok,

Just as an info: with the newest Ansible (2.0.1.0) version we get deprecation warnings.

Example:
[DEPRECATION WARNING]: Using bare variables is deprecated. Update your playbooks so that the environment value uses the full variable syntax ('{{users}}'). This feature will be removed in a future release. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.

repo migration

@mivok is no longer maintaining this repo.
There is a pile of PRs that never got merged, and he doesn't participate in the discussions.

I propose to move forward and use a fork mentioned here #26

Let's try to get together behind a single fork to get the benefits of the community :)

@bhardin, @choglundsp, @tony-caffe, @wzur, @akhon, @dphilpot, @trumant, @hahnicity, @lyletagawa, @gnarf, @olpia, @stucki, @rudibatt, @dphilpot

You guys submitted PRs that never got merged, please share your thoughts.

Support managing SSH private keys

When managing users with Ansible, it makes sense to manage the SSH private keys for a user.
Currently, it's only possible to manage the authorized_keys for a user.

It might be great to define a private key for the user.

E.g.

users:
  - username: foo
    ssh_key:
      - <ssh public key content 1>
      - <ssh public key content 2>
    ssh_private_key: <ssh private key string>

Git tags

Can you please add tags for new versions?

Managing shell complexity

Shell scripting is not for the faint of heart. For example, .profile tends to be ignored by many different shell contexts. A decent flowchart is available from Shreevatsa:

https://shreevatsa.wordpress.com/2008/03/30/zshbash-startup-files-loading-order-bashrc-zshrc-etc/

I am not of a solid default could exist for the bash configuration path. .bashrc is better, though people often get confused about .bash_profile, and then there is also /etc/profile. And that's just for bash, it gets even crazier for other shells.

Additionally, inlining script contents is inadvisable as it makes it far more difficult to lint and syntax check shell scripts, compared to separate files... you probably want to run some basic ShellCheck commands for any /root configurations, since these will be running at high privilege.

Cronjob

I want a cronjob which runs every week and checks whether the users already exist on all given hosts. If not, create them. If something changed, reconfigure. Is there something like that? If I run the task for user creation, does it check if the user already exists or does it just simply append to the file?

Removing ssh keys

If a user has several SSH keys, removing one of them does not remove it from the set on the target machine.

Optional uid?

Is there a way to have the uid as optional? I have an environment in which sadly the uids are not unified under a single list. I tried to change the code to skip this, but it didn't work for me:
uid: "{{item.uid if item.uid is defined else false| default(omit)}}"

I tried several times, no luck

update_password: always not idempotent?

According to the README, update_password set to "always" will "update passwords if they differ," and is the default behaviour. The "user creation" task is always causing a change, however. Is this the intended behaviour? Should the line in the README be rephrased?

Unable to compare role versions

I was trying to download this Role using Ansible Galaxy and I got an error because the latest version number (1.2.6) is not in the same format as the rest (v1.2.x). Are you able to update the version number?

Specifying a gid when creating a user does not work

The following did not set the gid correctly:

users:
  - username: james_
    name: James Beal
    gid: 4000
    uid: 5001

I will do a pull request so the following is accepted and works correctly.

users:
  - username: james_
    name: James Beal
    group: systems
    uid: 5001

Per-user group creation error

I am getting the following error after upgrading ansible to 2.2.0.0

fatal: [xcp05.xxx.xxx.net]: FAILED! => {"failed": true, "msg": "the field 'args' has an invalid value, which appears to include a variable that is undefined. The error was: 'dict object' has no attribute 'uid'\n\nThe error appears to have been in '/etc/ansible/roles/mivok0.users/tasks/main.yml': line 7, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n- name: Per-user group creation\n ^ here\n"}

I cannot for the life of me work out what's going on here... any ideas?

password field?

Hello,
Did you consider adding a password field, where you could put an encrypted string in, and have the module set it? Would be nice to have (after all it can be done with the ansible 'user' module).

Make Password optional

Hi,

Can we change password to be optional if blank, a different setting for locking the account and then of course the hash option? For some users I don't want to manage passwords and I don't want to lock them out.

Hiding sensitive data

When running with a list of users, the SSH keys are displayed in plaintext in the Ansible output per item. Is there any nice way to hide this data? We keep it in a vault file normally, so it is not so nice if it leaks out in some shell history/log somewhere.

root passwd failed

Hi!
I get
msg: |-
usermod: user root is currently used by process 1

My vars:

  - username: root
    name: root
    update_password: always
    password:
    ssh_key:

Can you solve this?

Allow addition of standard bashrc for users

I'd like to administer a different version of bashrc for users than the standard one provided by my OS. It might be nice to just have a single stub file that admins can then modify as necessary. You could set the default for bashrc creation to false.
