Oh my word... I've just cracked it:
- name: Create Unix users from the users.yml file
  user:
    name: "{{ item.0.user }}"
    state: "{{ item.0.state }}"
    # `omit` drops the parameter when the key is missing from users.yml;
    # default(None) would render the literal string "None" as the group/uid
    group: "{{ item.0.group | default(omit) }}"
    uid: "{{ item.0.uid | default(omit) }}"
    shell: /bin/bash
    expires: 0
  # item.0 is the user entry, item.1 one entry from its access_to list
  when: "item.1 == 'all' or inventory_hostname in groups[item.1]"
  with_subelements:
    - unix_users
    - access_to
I spent a lot of Friday looking for some patterns for this and found very
little. It seems it was in the doco all along:
http://docs.ansible.com/ansible/playbooks_loops.html#looping-over-subelements.
This approach effectively checks the user against each group of hosts
separately, which has lots more screen output but not a great deal more
execution time.
I'd love to use LDAP or some such for this - it would be way more
convenient and would mean I could do things like enforce password policies
and whatnot too. As it stands, I don't have scope to set up any sort of
'auth server', so unfortunately, Ansible is the best I've got. For the
scale of what I've got to solve for, it's actually not as bad as that
sounds - I'm sure that once we've got lots of people in multiple different
roles and needing different levels of access then an LDAP solution would be
forthcoming.
Thanks all for your help and suggestions - it gave me the 'shove' I needed
to get to the solution.
Cheers,
...Ralph
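As an added illustration (not from the original post or from Ansible itself), this Python sketch replays what `with_subelements` plus the `when` clause above decide for a small constructed users.yml structure and inventory, so you can see which (user, host) actions the task would run and where; the users, hosts and group names are made up.

```python
# Added example: mimics how Ansible's with_subelements loop and the task's
# `when` clause expand a users.yml structure into per-host user actions.
# Users, hosts and group names below are constructed, not from the post.

UNIX_USERS = [  # same shape as the poster's users.yml
    {"user": "alice", "state": "present", "uid": 1001, "group": "admins",
     "access_to": ["all"]},
    {"user": "bob", "state": "present", "uid": 1002,
     "access_to": ["webservers"]},            # no group key: omitted
    {"user": "carol", "state": "absent", "access_to": ["all"]},
]

GROUPS = {  # constructed inventory groups (Ansible's `groups` variable)
    "webservers": ["web1", "web2"],
    "dbservers": ["db1"],
}
ALL_HOSTS = sorted({h for hosts in GROUPS.values() for h in hosts})


def subelements(items, key):
    """with_subelements: yield one (item.0, item.1) pair per entry of item[key]."""
    for item in items:
        for sub in item[key]:
            yield item, sub


def host_matches(host, target, groups):
    """The task's `when`: item.1 == 'all' or inventory_hostname in groups[item.1].
    Like Ansible, an unknown group name raises (KeyError) instead of
    silently matching nothing."""
    return target == "all" or host in groups[target]


def plan_user_tasks(users, groups, hosts):
    """Return {host: [(user, state, group), ...]} in the order Ansible would
    iterate. `group` is None where the key is absent (the default(omit) case)."""
    plan = {h: [] for h in hosts}
    for item, target in subelements(users, "access_to"):
        for host in hosts:
            if host_matches(host, target, groups):
                plan[host].append((item["user"], item["state"], item.get("group")))
    return plan


if __name__ == "__main__":
    for host, actions in plan_user_tasks(UNIX_USERS, GROUPS, ALL_HOSTS).items():
        print(host, actions)
```

Each (user, access_to entry) pair is one loop iteration evaluated on every host, which is why the real task prints a line per pair per host even when most are skipped.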
--
You received this message because you are subscribed to the Google Groups
"Ansible Project" group.
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/5d562fde-ec9b-4737-b85d-b1ee2ff108bb%40googlegroups.com.