Refactoring the role and variable files for managing user accounts on host groups
-
General situation
- There are N employees from different departments and M machines, which is not enough for everyone.
- There are many hosts. Some are used for testing, others are in production, and they can be grouped by task.
- We need to manage user access to the hosts while keeping the configuration in one place. It may be necessary to:
- Grant a user access to a host or group by creating a system user and registering an ssh key.
- Remove access, e.g. remove the ssh key.
- Enable or disable `sudo`.
- Restrict `sudo`.
- Enable or disable `NOPASSWD`.
Current solution
Right now, to set up the users I use a scheme like this (for now I'm only testing on two hosts and two users):
My own playbook and a role that uses the standard modules:
- http://docs.ansible.com/ansible/user_module.html (creates the user; can be passed the password hash from `passwd --method=SHA-512`)
- http://docs.ansible.com/ansible/authorized_key_module.html (adds the given public key to .ssh/authorized_hosts of the specified user)
Plus my own task, which creates `/etc/sudoers.d/username`:

```yaml
- copy:
    content: "{{ item.key }} ALL=(ALL) NOPASSWD:ALL"
    dest: "/etc/sudoers.d/{{ item.key }}"
    owner: root
    group: root
    mode: 0400
  with_dict: "{{ users_list }}"
  when: users_list is defined
  become: true
```
Shared inventory files (used by the other playbooks as well).
Files `group_vars/hostname.yaml`, where the public keys and hashes are stored. They are stored as a dictionary:

```yaml
users_list:
  username:
    ssh_key: "ssh-rsa ..."
    password: "$6$..."
    comment: "User Name"
```
This scheme forces me to keep a separate file for every host or group of hosts, repeating the user data in each. That makes maintenance very painful.
Desired result
I'd like to arrange it something like this:
One file `user_credentials.yaml`, shared by all:

```yaml
user_credentials:
  username:
    ssh_key: "ssh-rsa ..."
    password: "$6$..."
    comment: "User Name"
  username_2: ...
```

Each `group_vars/hostname.yaml`:

```yaml
users_list:
  username:
    sudoer: yes
    nopasswd: yes
  username_2:
    sudoer: yes
    nopasswd: no
  some_fired_employee:
    state: absent
```
Then, when rights change, you only need to change the configuration in one place and run the playbook for the right group of hosts.
Problem
I don't know how to write the tasks so that they take their values from the right files. Somehow I need to build a dictionary in which the data from `user_credentials.yaml`, filtered so that only users present in `users_list` are kept, is combined with the data from `users_list`.
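The layout asked for above can be implemented directly, without building an intermediate merged dictionary: loop over `users_list` and index `user_credentials` by the same key. The following is an added example and not code from the original question; the host group name `web` and the file layout are assumptions. Absent accounts are handled first so they need no credentials entry, a present account with no credentials fails the play loudly rather than silently creating a passwordless user, `authorized_key` is run with `exclusive: yes` so keys a user added by hand are removed, and every sudoers fragment is checked with `visudo -cf` before it is installed.

```yaml
# Added example, not from the original question. Assumes the two
# dictionaries shown above (user_credentials from user_credentials.yaml,
# users_list from group_vars/web.yaml); host group "web" is a placeholder.
- hosts: web
  become: true
  vars_files:
    - user_credentials.yaml            # shared: ssh_key, password (hash), comment
  tasks:
    - name: Remove accounts marked absent (no credentials entry needed)
      user:
        name: "{{ item.key }}"
        state: absent
        remove: yes                      # also delete the home directory
      with_dict: "{{ users_list | default({}) }}"
      when: item.value.state | default('present') == 'absent'

    - name: Drop the sudoers fragment of absent or non-sudo accounts
      file:
        path: "/etc/sudoers.d/{{ item.key }}"
        state: absent
      with_dict: "{{ users_list | default({}) }}"
      when: item.value.state | default('present') == 'absent'
            or not (item.value.sudoer | default(false))

    - name: Create present accounts (fails if credentials are missing)
      user:
        name: "{{ item.key }}"
        password: "{{ user_credentials[item.key].password }}"   # SHA-512 hash, never plaintext
        comment: "{{ user_credentials[item.key].comment | default(omit) }}"
        shell: /bin/bash
      with_dict: "{{ users_list | default({}) }}"
      when: item.value.state | default('present') == 'present'

    - name: Install exactly the managed public key for each present account
      authorized_key:
        user: "{{ item.key }}"
        key: "{{ user_credentials[item.key].ssh_key }}"
        exclusive: yes                   # removes any key the user added themselves
      with_dict: "{{ users_list | default({}) }}"
      when: item.value.state | default('present') == 'present'

    - name: Write a validated sudoers fragment for present sudoers
      copy:
        dest: "/etc/sudoers.d/{{ item.key }}"
        content: "{{ item.key }} ALL=(ALL) {{ 'NOPASSWD:' if item.value.nopasswd | default(false) else '' }}ALL\n"
        owner: root
        group: root
        mode: 0440
        validate: 'visudo -cf %s'        # a broken fragment would lock everyone out of sudo
      with_dict: "{{ users_list | default({}) }}"
      when: item.value.state | default('present') == 'present'
            and item.value.sudoer | default(false)
```

Run it as `ansible-playbook -i inventory users.yml`, with a different `hosts:` value (or `--limit`) per host group. Because the credentials file is loaded with `vars_files`, it is the same on every run and only the per-group `users_list` decides who gets created, removed or granted sudo.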
-
The solution you see as ideal can be implemented, but it will certainly be cumbersome because of the combination of lookups and checks on various conditions.
But if you adjust your vision of the ideal solution a little, you can get a simple and elegant solution. And it will be simpler than the current one.
Let me offer a few small building blocks, from which you can easily assemble the solution that suits you best.
Imagine you have a directory files/people/ containing the folders ivanov and petrov. In the ivanov folder there are two files: key.pub and pass.txt.
We'll have this kind of record in the host files:

```yaml
ans_users:
  - username: ivanov
    ssh_key_file: "files/people/ivanov/key.pub"
    password_file: "files/people/ivanov/pass.txt"
  - username: petrov
    ssh_key_file: "files/people/petrov/key.pub"
    password_file: "files/people/petrov/pass.txt"
```
And we'll have a simple script:
```yaml
- name: adding users
  user:
    name: "{{ item.username }}"
    # pass.txt holds the password hash, read from the file named in the config
    password: "{{ lookup('file', item.password_file) }}"
  with_items: "{{ ans_users }}"

- name: add ssh keys
  authorized_key:
    user: "{{ item.username }}"
    key: "{{ lookup('file', item.ssh_key_file) }}"
    state: present
  with_items: "{{ ans_users }}"
```
Agree that we have already improved the readability of the playbook, because a file name is more readable than a sha512 hash.
Now let's figure out how much you're willing to sacrifice centralization. You no longer have a centralized user list. In my view that's a small and acceptable loss: this file wasn't needed in the first place, and the best proof of that is that the host configurations have come out exactly the same as in your ideal solution. Such over-centralization is an unnecessarily complicated thing, and it's useless.
Let's move on. We have simplified user creation and the management of their keys, and now we need to figure out how to manage sudo.
A few words about best practice. Rather than using lineinfile to edit a permanent sudoers file, it is recommended to work with user groups. You only need two groups: sudo and passwordless sudo. Set it up once and forget it.
I suggest that, instead of the two parameters (sudoers, nopasswd), users in the configuration file just specify one parameter: the user group. The configuration becomes simpler and more readable. The task code gets much simpler too.
Next, let's consider modifying rights, and revoking them in particular.
- Adding a new user -- trivial.
- Changing passwords, keys, sudo -- trivial.
- Removing rights on one group of hosts -- keep two extra files in files/people: a key whose private half nobody has, and a hash of a password nobody knows; then it's enough to put in the configuration
`ssh_key_file: "files/people/null_key.pub"`
and it's clear that this user will not log in to this group of hosts.
- An employee leaving -- remove them from every group of hosts, one group at a time; access is cleaned up, but debris remains in the configuration until cleanup day. On cleanup day, run a separate play that takes the user's name, goes through all the hosts, removes the account, and once that's done, clean up the user configuration and the file directories.
That's about it. I think the general direction is clear and the details can be worked out further. If I misunderstood your question, add more detail to the task description and I'll see what else I can suggest.
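The group-based sudo layout recommended in the answer, written out as an added example that is not part of the answer or of any project: the two groups are created and granted sudo once, each user record carries a single `group` parameter, a user whose access is revoked on a host group points at a shared `null_key.pub`, and a separate cleanup play removes a departed employee everywhere. The group name `sudo_nopasswd`, the variable `remove_user`, the file names under `files/people/` and the host group `web` are all assumptions. `append: no` makes Ansible drop any sudo group a user no longer has in the config, so demotions take effect on the same run that adds them, and `exclusive: yes` ensures the null key really is the only authorized key.

```yaml
# Added example, not the answer's own code. Names under files/people/, the
# group "sudo_nopasswd", the variable remove_user and host group "web" are
# assumed. Three files are shown, separated by comment headers.

# ---- group_vars/web.yaml --------------------------------------------------
ans_users:
  - username: ivanov
    ssh_key_file: files/people/ivanov/key.pub
    password_file: files/people/ivanov/pass.txt   # contains a SHA-512 hash
    group: sudo_nopasswd
  - username: petrov
    ssh_key_file: files/people/null_key.pub       # access revoked on this group
    password_file: files/people/null_pass.txt     # hash of a password nobody knows
    group: sudo

# ---- roles/users/tasks/main.yml -------------------------------------------
- name: Create the two sudo groups (set up once, then forgotten)
  group:
    name: "{{ item }}"
    state: present
  with_items:
    - sudo
    - sudo_nopasswd

- name: Grant sudo to the groups, not to individual users
  copy:
    dest: "/etc/sudoers.d/{{ item.file }}"
    content: "{{ item.line }}\n"
    owner: root
    group: root
    mode: 0440
    validate: 'visudo -cf %s'                     # refuse to install a broken fragment
  with_items:
    - { file: 10-group-sudo,          line: "%sudo ALL=(ALL) ALL" }
    - { file: 20-group-sudo-nopasswd, line: "%sudo_nopasswd ALL=(ALL) NOPASSWD:ALL" }

- name: Create accounts and set exactly the sudo group named in the config
  user:
    name: "{{ item.username }}"
    password: "{{ lookup('file', item.password_file) }}"
    groups: "{{ item.group | default('') }}"    # '' = member of neither sudo group
    append: no                                  # remove stale sudo membership
    shell: /bin/bash
  with_items: "{{ ans_users }}"

- name: Install the managed key only (null_key.pub locks the account out)
  authorized_key:
    user: "{{ item.username }}"
    key: "{{ lookup('file', item.ssh_key_file) }}"
    exclusive: yes
  with_items: "{{ ans_users }}"

# ---- cleanup.yml : ansible-playbook cleanup.yml -e remove_user=ivanov -----
- hosts: all
  become: true
  tasks:
    - name: Remove the departed employee's account and home directory everywhere
      user:
        name: "{{ remove_user }}"
        state: absent
        remove: yes
```

On Debian-based systems the `sudo` group already has an equivalent entry in `/etc/sudoers`, so the first fragment is redundant there but makes the intent explicit and portable. After `cleanup.yml` has run, the remaining manual step is the one the answer describes: delete `files/people/<user>/` and the user's entries from the `group_vars` files.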