Does the following work?

   when: "inventory_hostname in item.*value*.access_to"

I have used dicts a little for users, and that is how I reference details 
for users.

Joanna

On Friday, November 13, 2015 at 12:02:25 PM UTC-6, Ralph Bolton wrote:
>
> Hi,
>
> I'm trying to manage a small number of Unix users on a smallish estate of 
> servers (~100 servers). My users are either devs, sysadmins or support, and 
> need different access to different boxes. I've got a nice way to give them 
> differing levels of sudo access, but now want to figure out how to grant 
> and revoke access to different boxes. Obviously, I've got a variety of 
> groups in my ansible hosts file, and I have a Yaml definition for my users 
> and groups.
>
> For example, the devs really only need access to the host groups 
> dev_servers and test_servers. However, let's say user Fred needs temporary 
> access to production, I'd like to add him to a group, run Ansible and then 
> let him do his work. When he's done, remove him from that group and then 
> run Ansible to revoke his access.
>
> So far, I have a vars/main.yml that looks something like:
>
> ---
> unix_groups:
>   - group: general
>     state: present
>     gid: 1500
>
> unix_users:
>   - user: fred
>     state: present
>     uid: 5000
>     group: general
>     root_access: restricted
>   - user: barney
>     state: present
>     uid: 5001
>     group: general
>     root_access: none
>   - user: wilma
>     state: present
>     uid: 5002
>     group: general
>     root_access: full
>
>
>
> ...and a tasks/main.yml that contains:
>
> - name: Pull in user/group variables from role_vars
>   include_vars: main.yml
>
> - name: Create Unix groups from the groups.yml file
>   action: group name={{ item.group }} state={{ item.state }} gid={{ item.gid }}
>   with_items: unix_groups
>
> - name: Create Unix users from the users.yml file
>   action: user name={{ item.user }} state={{ item.state }} group={{ item.group | default(None) }} uid={{ item.uid | default(None) }} shell=/bin/bash expires=0
>   with_items: unix_users
>
> - name: Create sudoers file if the user is allowed root access
>   template: src=../templates/sudoers-{{ item.root_access|default(None) }}.j2 dest=/etc/sudoers.d/{{ item.user }} owner=root group=root mode=0440
>   when: item.state == "present" and (item.root_access|default(None) == "full" or item.root_access|default(None) == "restricted")
>   with_items: unix_users
>
> - name: Revoke root access if user is not allowed it
>   file: dest=/etc/sudoers.d/{{ item.user }} state=absent
>   when: item.state != "present" or (item.root_access|default(None) != "full" and item.root_access|default(None) != 'restricted')
>   with_items: unix_users
>
> All of this works nicely - if I were to set Wilma's root_access to 
> 'restricted' or 'none', then her sudo config would either change or be 
> removed entirely. Likewise, if I set her 'state' to 'absent' her account is 
> removed from the systems. This works nicely for all the hosts I apply this 
> role to (which at the moment is all of them). So far so good...
>
> Now I'd like to be able to add users to certain hosts (I'm guessing host 
> groups make most sense). I tried adding something like
>
>     access_to: test_hosts, dev_hosts
>
> ...and
>
>     access_to:
>     - test_hosts
>     - dev_hosts
>
> ...to vars/main.yml and then tried various permutations of "when" clause 
> in my user creation. For example:
>
>    when: "inventory_hostname in item.access_to"
>
> ...but nothing I've tried seems to work. I realise the normal pattern is 
> to apply a role to certain host groups, and so perhaps I need to apply 
> different roles to different groups and yet somehow supply them with my 
> single Yaml user definition. I'm not sure how I'd revoke access if I'm not 
> running against a group of hosts, but I'm sure I could figure something out 
> there.
>
> All this feels like I've made this a lot harder for myself than I should 
> have done. What's the "right" way to do this sort of thing? Any ideas if I 
> can make what I have work in some sensible way, or should I be reworking it 
> somehow else?
>
> Cheers,
>
> ...Ralph
>
>

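One way to make the per-host-group grant and revoke work, as an added example that is not code from either poster: each user carries an `access_to` list of inventory group names (an assumed field, not in the thread's vars as posted), and the tasks test it against Ansible's built-in `group_names` list rather than against `inventory_hostname`, so a host is matched by the groups it belongs to and an account is removed again on any host whose groups drop out of the list.

```yaml
# vars/main.yml (added example, not the thread's file): each user lists the
# inventory groups whose hosts they may log in to.
---
unix_users:
  - user: fred
    state: present
    uid: 5000
    group: general
    root_access: restricted
    access_to:
      - dev_servers
      - test_servers
      - prod_servers   # remove this line and re-run to revoke Fred's prod access

# tasks/main.yml: group_names is Ansible's built-in list of the inventory
# groups the current host belongs to, so membership is tested per host group
# rather than per hostname.  A user is allowed here when their access_to
# list shares at least one group with group_names.
---
- name: Create accounts for users allowed on this host
  user:
    name: "{{ item.user }}"
    uid: "{{ item.uid | default(omit) }}"
    group: "{{ item.group | default(omit) }}"
    shell: /bin/bash
    state: present
  when:
    - item.state == "present"
    - item.access_to | default([]) | intersect(group_names) | length > 0
  with_items: "{{ unix_users }}"

- name: Remove accounts for users no longer allowed on this host
  user:
    name: "{{ item.user }}"
    state: absent
  when: >
    item.state != "present" or
    item.access_to | default([]) | intersect(group_names) | length == 0
  with_items: "{{ unix_users }}"

- name: Drop the sudoers file of any user that is not present on this host
  file:
    path: "/etc/sudoers.d/{{ item.user }}"
    state: absent
  when: >
    item.state != "present" or
    item.access_to | default([]) | intersect(group_names) | length == 0
  with_items: "{{ unix_users }}"
```

`default(omit)` leaves the parameter unset when a user has no uid or group, whereas `default(None)` in the posted tasks renders the literal string "None"; the revoke tasks deliberately run before any "who is allowed" decision is cached, so a host moved out of a group loses the account on the next run.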