I’m trying to manage a small number of Unix users on a smallish estate of servers (~100 servers). My users are either devs, sysadmins or support, and need different access to different boxes. I’ve got a nice way to give them differing levels of sudo access, but now want to figure out how to grant and revoke access to different boxes. Obviously, I’ve got a variety of groups in my Ansible hosts file, and I have a YAML definition for my users and groups.
For example, the devs really only need access to the host groups dev_servers and test_servers. However, let’s say user Fred needs temporary access to production: I’d like to add him to a group, run Ansible and then let him do his work. When he’s done, remove him from that group and then run Ansible to revoke his access.
So far, I have a vars/main.yml that looks something like:
Thanks for the suggestion. Unfortunately it doesn’t work for me; I get:
```
TASK: [users | Create Unix users from the users.yml file] *********************
fatal: [ralph] => error while evaluating conditional: inventory_hostname in item.value.access_to
FATAL: all hosts have already failed -- aborting
```
I tried this in the play:
```yaml
- name: debug output
  debug: msg="access to is {{ item.access_to }}"
  with_items: unix_users
```
…and got this as output:
```
"msg": "access to is ['dev_hosts', 'test_hosts', 'uat_hosts']"
```
…so it’s getting it, and even knows it’s a list of names. If I put the hostname in the list it matches and we’re all good, but I’d really rather use Ansible host groups. I guess I need a way to ‘eval()’ the list so that each of the items in the list is looked up in groups. I tried to do this as a template, and successfully made up the right sort of ‘code’ as text, but then couldn’t find a way to have it re-evaluated into actual data.
I’m thinking I need to find a whole different way to do this, but can’t find any good advice on how I should approach the problem.
Have you thought about managing those users with LDAP and sssd? The permissions could be managed with groups.
Maybe this approach is easier to maintain. In case of onboarding or offboarding, just create or disable the user. No need to run Ansible just because someone left your organization.
```yaml
- name: Create Unix users from the users.yml file
  action: user name={{ item.0.user }} state={{ item.0.state }} group={{ item.0.group | default(None) }} uid={{ item.0.uid | default(None) }} shell=/bin/bash expires=0
  when: "item.1 == 'all' or inventory_hostname in groups[item.1]"
  with_subelements:
    - unix_users
    - access_to
```
I spent a lot of Friday looking for some patterns for this and found very little. It seems it was in the doco all along: http://docs.ansible.com/ansible/playbooks_loops.html#looping-over-subelements. This approach effectively checks the user against each group of hosts separately, which has lots more screen output but not a great deal more execution time.
I’d love to use LDAP or some such for this - it would be way more convenient and would mean I could do things like enforce password policies and whatnot too. As it stands, I don’t have scope to set up any sort of ‘auth server’, so unfortunately, Ansible is the best I’ve got. For the scale of what I’ve got to solve for, it’s actually not as bad as that sounds - I’m sure that once we’ve got lots of people in multiple different roles and needing different levels of access then an LDAP solution would be forthcoming.
Thanks all for your help and suggestions - it gave me the ‘shove’ I needed to get to the solution.
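As an added illustration (not code from the thread or from Ansible itself), the following Python emulates what the with_subelements loop and the `inventory_hostname in groups[item.1]` condition above evaluate for one host, and goes one step further: it computes an explicit per-host state so that a host dropped from a user's access_to list gets `absent` on the next run rather than being skipped. INVENTORY_GROUPS and UNIX_USERS are constructed sample data; inventory group children are ignored for simplicity.

```python
# Constructed sample data standing in for the inventory and users.yml.
INVENTORY_GROUPS = {
    "dev_hosts": ["dev1", "dev2"],
    "test_hosts": ["test1"],
    "prod_hosts": ["prod1", "prod2"],
}
UNIX_USERS = [
    {"user": "alice", "state": "present", "access_to": ["dev_hosts", "test_hosts"]},
    {"user": "fred", "state": "present", "access_to": ["dev_hosts", "prod_hosts"]},
    {"user": "bob", "state": "absent", "access_to": ["all"]},
]

def with_subelements(users, key):
    """Flatten like Ansible's with_subelements: one (item.0, item.1) pair
    per entry of each user's `key` list."""
    return [(u, sub) for u in users for sub in u[key]]

def host_in_group(hostname, group, groups):
    """The thread's `when` clause: 'all' always matches, otherwise the host
    must be a member of the named inventory group. An unknown group name
    (e.g. a typo in access_to) raises instead of silently granting nothing."""
    if group == "all":
        return True
    if group not in groups:
        raise KeyError("unknown host group %r" % group)
    return hostname in groups[group]

def matched_pairs(hostname, users, groups):
    """(user, group) pairs for which the user task would actually run on this
    host; a user listed under two matching groups appears twice, which is the
    extra screen output the poster mentions."""
    return [(u["user"], g) for u, g in with_subelements(users, "access_to")
            if host_in_group(hostname, g, groups)]

def desired_users(hostname, users, groups):
    """Per-host {user: state}. A user keeps their configured state only where
    some access_to group matches; everywhere else the state is 'absent', so
    removing a group from access_to revokes the account on the next run."""
    result = {}
    for u in users:
        granted = any(host_in_group(hostname, g, groups) for g in u["access_to"])
        result[u["user"]] = u["state"] if granted else "absent"
    return result
```

The skip-when-false behaviour of the original task means a user already created on a host stays there after their group is removed from access_to; feeding the output of desired_users into the user module's state parameter closes that gap.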