User Management

Document Control

TODO:

  • Overall structure.
  • Initial draft complete
  • Add update_password on_create with vault stored password
  • Generate random password, use filters and retrieve it locally to file.
  • Testing
  • Ready


User Story: Linux User Management

As a: UNIX and Linux system administrator

I want to:

  • add users and groups to the system from a list
  • configure defined or random passwords, optionally store them in a vault
  • configure SSH key access

So that: I can automate my OS post-deployment and user management steps.

Group and User Creation

Creating the user and group devops for use with Ansible

The user is granted sudo through a drop-in file under /etc/sudoers.d (validated with visudo before it is installed) and is set up with an SSH public key for key-based login.

Creating the devops user, group and sudoers entry
- name: groups are created
  group:
    name: devops
    state: present
  become: true
- name: User, shell and secondary groups setup
  user:
    name: devops
    shell: /bin/bash
    comment: DevOps user used by ansible
    groups: devops
    append: true
  become: true
- name: Update user password
  user:
    name: devops
    # Illustration only: a literal password in a playbook ends up in version control;
    # keep the real value in Ansible Vault. The inner quotes must differ from the outer
    # ones, otherwise YAML ends the string at the second double quote.
    password: "{{ '$ecure_Passw0rd' | password_hash('sha512') }}"
    # password_hash() picks a fresh salt on every run, so with update_password: always
    # this task reports changed on every run; pass a fixed salt to make it idempotent.
    update_password: always
  no_log: true
  become: true
- name: Set authorized key taken from file
  authorized_key:
    user: devops
    key: "paste_your_key_here"   # the public key only, e.g. the content of ~/.ssh/id_ed25519.pub
    state: present
  become: true
- name: sudo package is installed
  package:
    name: sudo
    state: present
  become: true
- name: add the devops user to sudoers
  template:
    src: sudoers.j2   # not shown on this page; it must render the sudoers line for devops
    dest: "/etc/sudoers.d/devops"
    validate: 'visudo -cf %s'
    mode: "0440"
  become: true

Parametrization

Creating defined users and groups

Each user is added to sudoers (when its entry asks for it) and set up with an SSH key. The groups to create are listed in users_groups, and the users are a list of dictionaries in users_username, both defined in a variables file.

Using a list of dictionaries to create multiple users and groups

Variables file:

users_groups:
  - wheel
  - docker

users_username:
  - name: devops
    sudo: true
    shell: /usr/bin/bash
    groups: wheel
    ssh_key: "{{ lookup('file', lookup('env','HOME') + '/.ssh/id_rsa.pub') }}"
    comment: 'Ansible user'

  - name: docker
    sudo: true
    shell: /usr/bin/zsh
    groups: docker
    ssh_key: "{{ lookup('file', lookup('env','HOME') + '/.ssh/id_rsa.pub') }}"
    comment: 'Regular user for use with docker'
Tasks looping over the defined groups and users:
- name: groups are created
  group:
    name: "{{ item }}"
    state: present
  loop: "{{ users_groups }}"
  become: true
- name: User, shell and secondary groups setup
  user:
    name: "{{ item.name }}"
    shell: "{{ item.shell | default('/bin/bash') }}"
    comment: "{{ item.comment | default(omit) }}"
    groups: "{{ item.groups | default(omit) }}"
    append: true
  loop: "{{ users_username }}"
  become: true
- name: Set authorized key taken from file
  authorized_key:
    user: "{{ item.name }}"
    key: "{{ item.ssh_key }}"
    state: present
  loop: "{{ users_username }}"
  when: item.ssh_key is defined
  become: true
- name: add defined users to sudoers
  template:
    src: sudoers.j2
    dest: "/etc/sudoers.d/{{ item.name }}"
    validate: 'visudo -cf %s'
    mode: "0440"
  loop: "{{ users_username }}"
  when: item.sudo | default(false)
  become: true
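The sudoers.j2 template used by the sudoers task above, and by the single-user task in the previous section, is not shown on this page. The two tasks below are an added example, not the role's own template: they write the drop-in with copy and content so the whole file is visible in the playbook. They assume the users_username list from the variables file and a hypothetical per-user key sudo_nopasswd (not among the page's variables, defaults to false). The least-privilege form is the default: the user gets sudo but must enter their password; NOPASSWD is granted only where the entry sets sudo_nopasswd: true, which is what an unattended Ansible account such as devops needs. The drop-in is validated with visudo before it replaces the live file, installed root-owned with mode 0440, and removed again for users whose entry does not grant sudo, so taking sudo away in the variables also takes it away on the host.

```yaml
# Added example: sudoers drop-in rendered from the users_username entries.
# Keys assumed: name and sudo (as on this page) and the hypothetical
# sudo_nopasswd, which defaults to false.
- name: sudoers drop-in for users that are granted sudo
  copy:
    # sudo silently ignores drop-ins whose file name contains a '.' or ends in '~',
    # so user names with dots need a mapped file name before this is usable for them.
    dest: "/etc/sudoers.d/{{ item.name }}"
    # One line per user: full sudo with a password prompt, NOPASSWD only on request.
    content: |
      # Managed by Ansible. Manual edits will be overwritten.
      {{ item.name }} ALL=(ALL) {{ 'NOPASSWD: ' if item.sudo_nopasswd | default(false) else '' }}ALL
    owner: root
    group: root
    mode: "0440"
    # visudo rejects a syntactically broken file before it replaces the live one,
    # which is what keeps a typo in the variables from locking everyone out of sudo.
    validate: 'visudo -cf %s'
  loop: "{{ users_username }}"
  when: item.sudo | default(false)
  become: true

- name: sudoers drop-in removed for users without sudo
  file:
    path: "/etc/sudoers.d/{{ item.name }}"
    state: absent
  loop: "{{ users_username }}"
  when: not (item.sudo | default(false))
  become: true
```

With the page's variables, devops gets "devops ALL=(ALL) ALL"; adding sudo_nopasswd: true to that entry changes the line to "devops ALL=(ALL) NOPASSWD: ALL" for unattended runs.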

Generating a random password

Using lookup plugins and hashing filters to set a random password
- name: Set user password to random and store it in a file
  vars:
    # The password lookup generates the password on first use and writes it in clear
    # text to credentials/mypass on the control node; later runs read the same file back,
    # so keep that directory private and out of version control. hexdigits adds nothing
    # beyond ascii_letters and digits, and 9 characters is short for a stored password.
    password: "{{ lookup('password', 'credentials/mypass'
      + ' length=9 chars=ascii_letters,digits,hexdigits,punctuation') }}"
  user:
    name: devops
    password: "{{ password | password_hash('sha512') }}"
    update_password: always
  no_log: true   # keeps the generated password and its hash out of the run output
  become: true

The task-level vars entry keeps the lookup out of the module arguments: the password is generated (or read back) once and the same value is hashed for the user module. As written, password_hash() salts the hash anew on every run, so the task reports changed each time even though the password itself is unchanged.
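The two open items in the document control list at the top, a vault-stored password applied only on account creation and a random password kept locally in a file, can both be done with the same modules. The tasks below are an added example, not the role's code. The first assumes the users_username list from the parametrization section; the second assumes a vault-encrypted vars file created with "ansible-vault create group_vars/all/vault.yml" that defines vault_devops_password (both the file path and the variable name are assumptions). In both cases the salt is persisted on the control node with the password lookup, so password_hash() returns the same crypt string on every run and the task is idempotent; no_log keeps the password and the hash out of the output.

```yaml
# Added example, not part of the role. Requires the users_username variable from
# the parametrization section and, for the second task, a vault-encrypted vars file
# (assumed name group_vars/all/vault.yml) that defines vault_devops_password.
- name: Random password per user, generated once on the control node and stored locally
  vars:
    # Generated on first use and re-read from credentials/<name> afterwards. The file is
    # plain text: keep credentials/ at mode 0700 and out of version control.
    user_password: "{{ lookup('password', 'credentials/' ~ item.name ~ ' length=24 chars=ascii_letters,digits,punctuation') }}"
    # sha512-crypt salts are alphanumeric, at most 16 characters; persisting one per user
    # makes the hash stable so update_password: always no longer reports changed every run.
    user_salt: "{{ lookup('password', 'credentials/' ~ item.name ~ '.salt length=16 chars=ascii_letters,digits') }}"
  user:
    name: "{{ item.name }}"
    password: "{{ user_password | password_hash('sha512', user_salt) }}"
    update_password: always
  loop: "{{ users_username }}"
  no_log: true
  become: true

- name: Password for devops from Ansible Vault, applied only when the account is created
  vars:
    devops_salt: "{{ lookup('password', 'credentials/devops.salt length=16 chars=ascii_letters,digits') }}"
  user:
    name: devops
    password: "{{ vault_devops_password | password_hash('sha512', devops_salt) }}"
    # on_create leaves a password the user has changed since alone; use always to enforce it.
    update_password: on_create
  no_log: true
  become: true
```

Run the playbook with --ask-vault-pass or --vault-password-file so vault_devops_password can be decrypted. To retrieve a generated password later, read credentials/<name> on the control node; the vault-stored one is shown with "ansible-vault view group_vars/all/vault.yml". Rotating a random password means deleting credentials/<name> and running again; the salt file can stay.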

Creating and using a role

Use a role to set up the devops user

You can create a role under roles/users or download crivetimihai.users with ansible-galaxy. Create a playbook called users-playbook.yml that defines or overrides the default variables of the role.

Using the role in a playbook
---
- name: Install users on localhost
  hosts:
    - localhost
  connection: local

  tasks:
    - name: users is configured
      import_role:
        name: crivetimihai.users
      vars:
        users_groups:
          - wheel

        users_username:
          - name: devops
            sudo: true
            shell: /usr/bin/bash
            groups: wheel
            ssh_key: "{{ lookup('file', lookup('env','HOME') \
              + '/.ssh/id_rsa.pub') }}"
            comment: 'Created by ansible'
      tags: users

Installing the role and running the playbook
# Install the role
ansible-galaxy install crivetimihai.users

# Run the playbook
ansible-playbook users-playbook.yml

Last update: 2020-02-03