Here's an easier way that avoids the messy Jinja2 in the playbook, which we
as a community like to discourage (it's the reason Ansible templates don't
evaluate into YAML, but are YAML... Jinja2 is intended to be just a quick
way to get variables, unless you are in a template).

In Ansible, a host specification that is a regex starts with "~".

# hosts ending in devdomain or qadomain:

hosts: "~(devdomain.net|qadomain.net)$"

Thus you can have multiple plays in the playbook:

- hosts: all
  roles:
    - foo

- hosts: "~(devdomain.net|qadomain.net)$"
  roles:
    - setup_my_users

- hosts: all
  tasks:
    - # more steps here

Etc





On Wed, Aug 13, 2014 at 10:51 AM, Alex Wheeler <[email protected]> wrote:

> Here's how I solved this problem for myself:
> https://gist.github.com/awheeler/a3e4c500f1bb70bd31dd
> You can define groups that users should be members of with a host
> specification that is a regex, so:
>
> users: devdomain.net$
>
> would say that the user should be in the users group on all hosts with
> ansible_fqdn that end with devdomain.net.
> You can get just as complex as you want:
>
> wheel: ((host1|differenthost2|cluster_nodes[0123])-[0-9]+.proddomain.com|
> devdomain.net|another.devhost.dev)$
>
> The thing that makes this possible is the fact that you can embed complex
> jinja2 in the middle of an Ansible task, a fact which is not immediately
> apparent.
>
> On Tuesday, August 12, 2014 5:25:06 AM UTC-4, P wrote:
>>
>> I would like to use ansible for our user management (I know there are
>> software for it like LDAP but not for now ...).
>> This is typical definition of users and their groups:
>>
>> Groups and users:
>>
>>    - group1
>>       - user1
>>       - user2
>>    - group2
>>       - user1
>>       - user2
>>       - user3
>>    - group3
>>       - user1
>>       - user2
>>       - user3
>>       - user4
>>
>> The problem I have is that every server is going to have subset of all
>> groups, i.e:
>>
>>
>>    - server1
>>       - group1
>>       - group3
>>    - server2
>>       - group3
>>    - server3
>>       - group1
>>
>> Then there is a request from business/developers/managers/whatever that
>> particular group of users should have access to particular servers so we
>> need to modify ansible config and add e.g. group3 to server3.
>>
>> Is it possible to create a role with a sort of "map" file where I could
>> specify which server will have particular user groups
>> so we could modify this one (!) file, run site.yml and done (the role and
>> its file knows where to create each group).
>>
>> I would like to avoid redundancy in terms of user definitions (error
>> prone) and have just one file with all users defined in it.
>>
>> That way I could include this role in every playbook and it would
>> automatically create (or not) particular group of users
>> on every host.
>> Is it possible to do that ?
>>
>  --
> You received this message because you are subscribed to the Google Groups
> "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/ansible-project/46c0f594-3f1f-4265-9de7-83c99ce10377%40googlegroups.com
> <https://groups.google.com/d/msgid/ansible-project/46c0f594-3f1f-4265-9de7-83c99ce10377%40googlegroups.com?utm_medium=email&utm_source=footer>
> .
>
> For more options, visit https://groups.google.com/d/optout.
>

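Added example, not part of the thread or of Ansible's own code: a Python pre-flight check of which inventory names a "~" regex pattern selects before it decides where users get created. It assumes unanchored regex search, as the "hosts ending in" comment in the thread implies; the inventory names and the helpers select, domain_pattern and unexpected are constructed for illustration.

```python
import re

# Constructed inventory names for illustration; none come from the thread.
INVENTORY = [
    "web1.devdomain.net",
    "db1.qadomain.net",
    "web1.proddomain.com",
    "build.notdevdomain.net",   # other domain sharing the suffix
    "db1-qadomain-net",         # alias where "." in the regex matches "-"
]
DOMAINS = ["devdomain.net", "qadomain.net"]
POSTED = "~(devdomain.net|qadomain.net)$"   # pattern as written in the thread


def select(pattern, hosts):
    """Hosts chosen by a '~' regex pattern (assumed: unanchored search)."""
    if not pattern.startswith("~"):
        raise ValueError("not a regex host pattern: %r" % pattern)
    rx = re.compile(pattern[1:])
    return [h for h in hosts if rx.search(h)]


def domain_pattern(domains):
    """Pattern with dots escaped and a label boundary before the domain."""
    alternatives = "|".join(re.escape(d) for d in domains)
    return r"~(^|\.)(" + alternatives + ")$"


def unexpected(pattern, hosts, domains):
    """Selected hosts that are not inside any intended domain."""
    return [h for h in select(pattern, hosts)
            if not any(h == d or h.endswith("." + d) for d in domains)]


if __name__ == "__main__":
    for pat in (POSTED, domain_pattern(DOMAINS)):
        print(pat)
        print("  selects:   ", select(pat, INVENTORY))
        print("  unexpected:", unexpected(pat, INVENTORY, DOMAINS))
```

Against a real inventory, the --list-hosts option of ansible and ansible-playbook shows what a pattern resolves to without running any tasks.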