Can you please check this as well:
when: item.get('state', 'present') == 'present'
I am just sending this reply quickly without reading the whole question,
but I think that will solve your problem.
For Reference, please check this role:
https://github.com/edx/configuration/blob/master/playbooks/roles/user/tasks/main.yml#L118
On Monday, November 16, 2015 at 2:38:05 PM UTC+5, Ralph Bolton wrote:
>
> Thanks for the suggestion - Unfortunately it doesn't work for me :-( I get:
>
> TASK: [users | Create Unix users from the users.yml file]
> *********************
> fatal: [ralph] => error while evaluating conditional: inventory_hostname
> in item.value.access_to
>
> FATAL: all hosts have already failed -- aborting
>
>
> I tried this in the play:
>
> - name: debug output
> debug: msg="access to is {{item.access_to }}"
> with_items: unix_users
>
> ...and got this as output:
>
> "msg": "access to is ['dev_hosts', 'test_hosts', 'uat_hosts']"
>
>
> ...so it's getting it, and even knows its a list of names. If I put the
> hostname in the list it matches and we're all good - but I'd really rather
> use Ansible host groups. I guess I need a way to 'eval()' the list so that
> each of items in the list is looked up in groups[]. I tried to do this as a
> template, and successfully made up the right sort of 'code' as text, but
> then couldn't find a way to have it re-evaluated into actual data.
>
> I'm thinking I need to find a whole different way to do this, but can't
> find any good advice on how I should approach the problem.
>
> Cheers,
>
> ...Ralph
>
> On Friday, 13 November 2015 18:24:18 UTC, Joanna Delaporte wrote:
>>
>> Does the following work?
>>
>> when: "inventory_hostname in item.*value*.access_to"
>>
>> I have used dicts a little for users, and that is how I reference details
>> for users.
>>
>> Joanna
>>
>> On Friday, November 13, 2015 at 12:02:25 PM UTC-6, Ralph Bolton wrote:
>>>
>>> Hi,
>>>
>>> I'm trying to manage a small number of Unix users on a smallish estate
>>> of servers (~100 servers). My users are either devs, sysadmins or support,
>>> and need different access to different boxes. I've got a nice way to give
>>> them differing levels of sudo access, but now want to figure out how to
>>> grant and revoke access to different boxes. Obviously, I've got a variety
>>> of groups in my ansible hosts file, and I have a Yaml definition for my
>>> users and groups.
>>>
>>> For example, the devs really only need access to the host groups
>>> dev_servers and test_servers. However, let's say user Fred needs temporary
>>> access to production, I'd like to add him to a group, run Ansible and then
>>> let him do his work. When he's done, remove him from that group and then
>>> run Ansible to revoke his access.
>>>
>>> So far, I have a vars/main.yml that looks something like:
>>>
>>> ---
>>> unix_groups:
>>> - group: general
>>> state: present
>>> gid: 1500
>>>
>>> unix_users:
>>> - user: fred
>>> state: present
>>> uid: 5000
>>> group: general
>>> root_access: restricted
>>> - user: barney
>>> state: present
>>> uid: 5001
>>> group: general
>>> root_access: none
>>> - user: wilma
>>> state: present
>>> uid: 5002
>>> group: general
>>> root_access: full
>>>
>>>
>>>
>>> ...and a tasks/main.yml that contains:
>>>
>>> - name: Pull in user/group variables from role_vars
>>> include_vars: main.yml
>>>
>>> - name: Create Unix groups from the groups.yml file
>>> action: group name={{ item.group }} state={{ item.state }} gid={{ item
>>> .gid }}
>>> with_items: unix_groups
>>>
>>> - name: Create Unix users from the users.yml file
>>> action: user name={{ item.user }} state={{ item.state }} group={{ item
>>> .group | default(None) }} uid={{ item.uid | default(None) }}
>>> shell=/bin/bash
>>> expires=0
>>> with_items: unix_users
>>>
>>> - name: Create sudoers file if the user is allowed root access
>>> template: src=../templates/sudoers-{{ item.root_access|default(None)
>>> }}.j2 dest=/etc/sudoers.d/{{ item.user }} owner=root group=root mode=
>>> 0440
>>> when: item.state == "present" and (item.root_access|default(None) ==
>>> "full" or item.root_access|default(None) == "restricted")
>>> with_items: unix_users
>>>
>>> - name: Revoke root access if user is not allowed it
>>> file: dest=/etc/sudoers.d/{{ item.user }} state=absent
>>> when: item.state != "present" or (item.root_access|default(None) !=
>>> "full" and item.root_access|default(None) != 'restricted')
>>> with_items: unix_users
>>>
>>> All of this works nicely - if I were to set Wilma's root_access to
>>> 'restricted' or 'none', then her sudo config would either change or be
>>> removed entirely. Likewise, if I set her 'state' to 'absent' her account if
>>> removed from the systems. This works nicely for all the hosts I apply this
>>> role to (which at the moment is all of them). So far so good...
>>>
>>> Now I'd like to be able to add users to certain hosts (I'm guessing host
>>> groups makes most sense). I tried adding something like
>>>
>>> access_to: test_hosts, dev_hosts
>>>
>>> ...and
>>>
>>> access_to:
>>> - test_hosts
>>> - dev_hosts
>>>
>>> ...to vars/main.yml and then tried various permutations of "when" clause
>>> in my user creation. For example:
>>>
>>> when: "inventory_hostname in item.access_to"
>>>
>>> ...but nothing I've tried seems to work. I realise the normal pattern is
>>> to apply a role to certain host groups, and so perhaps I need to apply
>>> different roles to different groups and yet somehow supply them with my
>>> single Yaml user definition. I'm not sure how I'd revoke access if I'm not
>>> running against a group of hosts, but I'm sure I could figure something out
>>> there.
>>>
>>> All this feels like I've made this a lot harder for myself than I should
>>> have done. What's the "right" way to do this sort of thing? Any ideas if I
>>> can make what I have work in some sensible way, or should I be reworking it
>>> somehow else?
>>>
>>> Cheers,
>>>
>>> ...Ralph
>>>
>>>
--
You received this message because you are subscribed to the Google Groups
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/0082cfa6-c60d-409b-a2f3-2d694c9540e4%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
