Hey all,
I am trying to write an idempotent user role, where basically on every run it is checked whether the non-system present_users are right.
Now I want to compare my list of users in vars with the present_users.
Here are my user vars:
```yaml
users:
  - username: ajaeger
    groups: ['…']
  - username: vagrant
    groups: ['…']
```
Here is my task:
```yaml
- name: Get list of all users
  shell: "awk -F: '$3 >= 1000 && $3 < 29999 {print $1}' /etc/passwd"
  register: existing_users
```
Now I want to:
```yaml
- user:
    name: "{{ item }}"
    state: absent
    remove: yes
  # existing_users is a registered command result; the usernames are in .stdout_lines.
  # Remove accounts found on the host that are not in the users var.
  with_items: "{{ existing_users.stdout_lines | difference(users | map(attribute='username') | list) }}"
```
Any suggestions, would be greatly appreciated!
Cheers,
Alex
I’m not entirely sure what you are trying to achieve here.
The user module is idempotent and can be used to make sure that users are present or not… Are you trying to remove all users with UIDs between 1,000 and 29,999 that aren’t in your list?
How is this working for you? Have you tried this and had problems or are you just seeking advice?
I’m sure that this is possible, and your solution might work, but I honestly don’t know…
Adam
So you’re probably going to have problems above because one thing wants to return a basic list and the other list you’re trying to use is structured.
I’ve seen this pattern held by others in the past where they keep a list of users to remove, such as people who have left a company, and this may be a better approach – this way you wouldn’t remove some user account set down by an application or something (though I think that’s what your UID range is going for).
I think a much better option would be to manage those user accounts that you know about and use another tool to warn you about changes… AIDE (http://aide.sourceforge.net/) could easily be set up and automated to run on a periodic basis; this would let you know whether certain files had changed and you could decide whether those were acceptable changes. If you are just concerned about the addition of accounts then you can monitor the password file. On some of our systems we have Zabbix monitoring the password file and it tells us whenever there is a change (including when someone changes their password). That means that if we are concerned we can go in and check the password file for changes immediately and decide what action to take.
I think my biggest concern about using Ansible to manage unknown accounts (rather than known ones) is that you could remove an account that was deliberately added, for a very good reason, but not added to your list… If you are dealing with a uniform system build (same version, same users) then you might want to push the password file from Ansible instead… But that seems pretty dangerous to me for the reasons that I gave above. Do remember that the passwords themselves will not usually be stored in /etc/passwd so you’re not going to be changing people’s passwords this way.
If you HAVE to do this programmatically I would consider writing a shell script to create a local facts file consisting of a list of users NOT in your “should exist” list. Then gather facts again and remove the ones in the “removelist” if any are in there… To ensure that you have the right “should exist” list, push that out from Ansible.
In other words you would have something like this pseudocode:-
Initial Play -
Next Play (so we can gather facts again)
The hardest part will be writing the shell script, but even that shouldn’t be too hard (look at the comm command)
Adam
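The shell script Adam calls the hardest part, written here as an added example (not code from the thread): it uses comm to list non-system accounts that are missing from the should-exist list and writes them as a JSON local facts file for the next play to act on. The function names, the argument-based file paths and the sample passwd data are assumptions; the UID range is the one from the original task.

```sh
#!/bin/sh
# Added example, not code from the thread. Implements the "removelist" step Adam
# describes: non-system accounts in a passwd file that are missing from the
# should-exist list, computed with comm, then written as a local facts file.
# File paths are arguments so the script can run against constructed data.

# Print (sorted, one per line) every account with a UID in the poster's range
# 1000..29999 in PASSWD_FILE ($1) whose name is not in SHOULD_EXIST_FILE ($2).
extra_users() {
    present=$(mktemp) || return 1
    allowed=$(mktemp) || { rm -f "$present"; return 1; }
    # comm requires both inputs sorted under the same collation.
    awk -F: '$3 >= 1000 && $3 < 29999 {print $1}' "$1" | LC_ALL=C sort -u > "$present"
    LC_ALL=C sort -u "$2" > "$allowed"
    # -23 keeps lines only in the first file: present on the host, not expected.
    LC_ALL=C comm -23 "$present" "$allowed"
    rm -f "$present" "$allowed"
}

# Write the result as a JSON local facts file ($3) so the next play can read it
# via ansible_local; on a host this would be /etc/ansible/facts.d/<name>.fact.
write_removelist_fact() {
    list=""
    for u in $(extra_users "$1" "$2"); do
        list="${list:+$list, }\"$u\""
    done
    printf '{"removelist": [%s]}\n' "$list" > "$3"
}

# Constructed sample data (assumed, not from any real host) for a demo run.
make_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
ajaeger:x:1000:1000::/home/ajaeger:/bin/bash
vagrant:x:1001:1001::/home/vagrant:/bin/bash
tempuser:x:1002:1002::/home/tempuser:/bin/bash
appsvc:x:30000:30000::/var/lib/appsvc:/usr/sbin/nologin
EOF
    printf 'ajaeger\nvagrant\n' > "$1/should_exist"
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
write_removelist_fact "$demo_dir/passwd" "$demo_dir/should_exist" "$demo_dir/removelist.fact"
cat "$demo_dir/removelist.fact"   # prints {"removelist": ["tempuser"]}
rm -rf "$demo_dir"
```

The 30000 UID account is deliberately outside the range, so it is never proposed for removal, which matches Adam's point about not touching application accounts.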
As I rightly pointed out a second later this does NOT tell us when someone changes their password…
Adam
"I think my biggest concern about using Ansible to manage unknown accounts (rather than known ones) is that you could remove an account that was deliberately added, for a very good reason, but not added to your list… "
Generally if you are automating through Ansible (or another automation system) the best possible place to be in is applying infrastructure change exclusively through the automation system.
This is why I suggested removing explicit user accounts (blacklist), not just all users not matching a whitelist.
But yes, you can also run scanner-gizmos if you so desire.