Let’s assume we have any array of users that should be present on any host with some defined permissions. To do that with ansible, the modules ‘user’ and ‘authorized_key’ are perfect tools.
What I would like to achieve in addition is to make sure that no other user accounts are available on my hosts. My thinking is to go through the following steps:
-
Get a list of all user accounts on the host.
-
For all users in that list that are not in my list of allowed users, take some action:
-
Lock the user: usermod -L USERNAME
-
Clean the authorized_keys file in $HOMEDIR/.ssh
This should make sure that neither login through passwords nor with certificates should be possible for those accounts but we do not delete them, as there are many system accounts that you never really want to delete.
I’m sure this could be done with shell scripts but wouldn’t it be nicer if the Ansible modules could offer that as well?
Also, using the module authorized_key is always adding new public keys to a given user account. What’s missing seems to be a reset option, so that all previous public keys get removed and only the ones being added will be valid from then on. A rest isn’t that difficult and can be done by deleting the existing $HOMEDIR/.ssh/authorized_keys file, but that required the knowledge of the home dir which isn’t available through Ansible either.
Maybe extending the facts might help? If we knew all users, their state and their homedir, that would allow us to do much more already with existing modules.
Just looking for ideas and how others are approaching this.
Hi,
I'm new to ansible and I'd like to know if the software only deals with
repositories or is it able to download latest sources and install them ?
I didn't find any docs on that "maybe" feature.
Thank you
The yum and apt repositories mainly deal with configured repositories, however (with at least the yum module I know), you can specify a URL or local path for the package name and it will be installed just as it would with yum. You can use the apt_repository module to add source repos, or with yum you can deploy the .repo files with the template or copy module.
You could always add that information through a local fact.d script (http://www.ansibleworks.com/docs/playbooks_variables.html#local-facts-facts-d). Enumerating every installed user’s information in facts could be a ton of information, especially if your system is authenticating through a directory service, so that’s not something most users would want to be on by default.
Yep, it’s a big part of app deployment to push things that aren’t packages, so we have lots of ways to do that.
Take a look at the module index, and you’ll find a lot of useful modules.
get_url is ideal for fetching a tarball, but there are also modules for checking out source code from git, svn, hg, and bzr.
The “unarchive” module in 1.4 can also push a tarball and automatically extract it.
http://ansibleworks.com/docs/modules.html
http://ansibleworks.com/docs/modules.html#source-control
http://ansibleworks.com/docs/modules.html#files
http://ansibleworks.com/docs/modules.html#network
Hope this helps and let us know if you have other questions!
–Michael
Oops, missing '-a' in perl oneliner. That should be
perl -ane -F: 'print $F[0] if $F[1] > 499'
K
Arghhh! Not enough coffee. Got my index's wrong too. I should be
perl -ane -F: 'print $F[0],"\n" if $F[2] > 499'
There is an open pull request for a 'capture' jinja filter that would
make all that unnecessary, but that should be discussed on the devel
list 
K
Using
cat /etc/passwd | perl -ane -F: ‘print $F[0],“\n” if $F[2] > 499’
Generates the following error message:
Warning: Use of “-F” without parentheses is ambiguous at -e line 1.
syntax error at -e line 1, near “F:”
Execution of -e aborted due to compilation errors.
I have buried my Perl book and have it guarded by many layers of traps
That all being said, this would be a great thing to capture into a role, so it’s abstracted away and other people can use it, and then the complexity is reduced.
Our Galaxy site is launching next week so this might be a good one to think about including.
cat /etc/passwd | perl -aF: -ne 'print $F[0],"\n" if $F[2] > 499'
Arghh! -e must precede the expression -- yesterday was not a good day.
K
Kahlil (Kal) Hodgson GPG: C9A02289
Head of Technology (m) +61 (0) 4 2573 0382
DealMax Pty Ltd (w) +61 (0) 3 9008 5281
Suite 1415
401 Docklands Drive
Docklands VIC 3008 Australia
"All parts should go together without forcing. You must remember that
the parts you are reassembling were disassembled by you. Therefore,
if you can't get them together again, there must be a reason. By all
means, do not use a hammer." -- IBM maintenance manual, 1925
Great, that works. And with $F[5] we also get the home directory for each user. So I’ll see if I can turn that into a default playbook for general us as Michael DeHaan suggested.
Here is the Ansible role on github.com: https://github.com/jurgenhaas/ansible-user-management
It can be executed as a role, e.g. like this:
- name: “Manage Users”
hosts: “all”
connection: ssh
gather_facts: false
sudo: yes
roles:
- users
Enjoy!
My plan is to further enhance that role so that it is going to become the full user management role including the creation of user accounts and management of ssh keys plus many more ideas hopefully to come.
Another approach occurs that does not require the Perl Crazy Glue:
- name: grab passwd entries for this host
shell: cat /etc/passwd'
register: passwd
- name: lock unknown users
user: name={{ item.split(':').0 }} password='!!'
when: item.split(':').0 not in known_users
and item.split(':').2|int > 499
with_items: passwd.stdout_lines
- name: lock out unknown users
command: rm -rf {{ item.split(':').5 }}/.ssh
when: item.split(':').0 not in known_users
and item.split(':').2|int > 499
with_items: passwd.stdout_lines
Kahlil (Kal) Hodgson GPG: C9A02289
Head of Technology (m) +61 (0) 4 2573 0382
DealMax Pty Ltd (w) +61 (0) 3 9008 5281
Suite 1415
401 Docklands Drive
Docklands VIC 3008 Australia
"All parts should go together without forcing. You must remember that
the parts you are reassembling were disassembled by you. Therefore,
if you can't get them together again, there must be a reason. By all
means, do not use a hammer." -- IBM maintenance manual, 1925
Like that. Any objection if I included that in the github role?
No objection. Enjoy!
K
Kahlil (Kal) Hodgson GPG: C9A02289
Head of Technology (m) +61 (0) 4 2573 0382
DealMax Pty Ltd (w) +61 (0) 3 9008 5281
Suite 1415
401 Docklands Drive
Docklands VIC 3008 Australia
"All parts should go together without forcing. You must remember that
the parts you are reassembling were disassembled by you. Therefore,
if you can't get them together again, there must be a reason. By all
means, do not use a hammer." -- IBM maintenance manual, 1925