Here's how I solved this problem for myself: https://gist.github.com/awheeler/a3e4c500f1bb70bd31dd

You can define groups that users should be members of with a host specification that is a regex, so:

    users: devdomain.net$

would say that the user should be in the users group on all hosts with ansible_fqdn that end with devdomain.net. You can get just as complex as you want:

    wheel: ((host1|differenthost2|cluster_nodes[0123])-[0-9]+.proddomain.com|devdomain.net|another.devhost.dev)$

The thing that makes this possible is the fact that you can embed complex jinja2 in the middle of an Ansible task, a fact which is not immediately apparent.

On Tuesday, August 12, 2014 5:25:06 AM UTC-4, P wrote:
>
> I would like to use ansible for our user management (I know there is
> software for it like LDAP but not for now ...).
> This is a typical definition of users and their groups:
>
> Groups and users:
>
> - group1
>   - user1
>   - user2
> - group2
>   - user1
>   - user2
>   - user3
> - group3
>   - user1
>   - user2
>   - user3
>   - user4
>
> The problem I have is that every server is going to have a subset of all
> groups, i.e.:
>
> - server1
>   - group1
>   - group3
> - server2
>   - group3
> - server3
>   - group1
>
> Then there is a request from business/developers/managers/whatever that a
> particular group of users should have access to particular servers so we
> need to modify the ansible config and add e.g. group3 to server3.
>
> Is it possible to create a role with a sort of "map" file where I could
> specify which server will have particular user groups
> so we could modify this one (!) file, run site.yml and done (the role and
> its file know where to create each group)?
>
> I would like to avoid redundancy in terms of user definitions (error
> prone) and have just one file with all users defined in it.
>
> That way I could include this role in every playbook and it would
> automatically create (or not) a particular group of users
> on every host.
> Is it possible to do that?
>
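Added example, not part of the original post or the linked gist: a Python check of which groups the two host patterns quoted above grant to a given ansible_fqdn, and which hostnames they match only because the dots are unescaped and nothing anchors the start of the name. It assumes the patterns are applied with `re.search` semantics (they carry only a trailing `$`); the `harden` helper and all inventory hostnames are constructed for illustration.

```python
import re

# Group -> host regex, copied verbatim from the post above.
GROUP_HOSTS = {
    "users": r"devdomain.net$",
    "wheel": r"((host1|differenthost2|cluster_nodes[0123])-[0-9]+.proddomain.com"
             r"|devdomain.net|another.devhost.dev)$",
}

# Constructed sample inventory (not from the post).
INVENTORY = [
    "web01.devdomain.net",
    "host1-12.proddomain.com",
    "cluster_nodes2-7.proddomain.com",
    "cluster_nodes4-7.proddomain.com",
    "notdevdomain.net",           # different domain, same suffix
    "host1-12xproddomain.com",    # 'x' where the pattern has an unescaped '.'
]


def groups_for_host(fqdn, group_hosts=GROUP_HOSTS):
    """Groups whose pattern matches fqdn (assumed re.search semantics)."""
    return sorted(g for g, pat in group_hosts.items() if re.search(pat, fqdn))


def harden(pattern):
    """Hypothetical helper: treat every '.' as a literal dot and require the
    match to begin at the start of the name or right after a label boundary."""
    body = pattern[:-1] if pattern.endswith("$") else pattern
    escaped = re.sub(r"(?<!\\)\.", r"\\.", body)
    return r"(^|\.)(" + escaped + r")$"


def over_matches(group, fqdns, group_hosts=GROUP_HOSTS):
    """Hosts granted `group` by the posted pattern but not by its hardened form."""
    loose = group_hosts[group]
    strict = harden(loose)
    return [h for h in fqdns
            if re.search(loose, h) and not re.search(strict, h)]


if __name__ == "__main__":
    for host in INVENTORY:
        print(f"{host:34} -> {groups_for_host(host)}")
    for group in GROUP_HOSTS:
        print(f"{group}: over-matched hosts = {over_matches(group, INVENTORY)}")
```

Running an audit like this against the real inventory before applying the role shows whether a pattern for a privileged group such as wheel reaches any host it was not meant to.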
