Revert "modified the user role"

35827321 · Edward Zarecor · 20292b68 · 35827321 · 35827321 · 35827321
Commit 35827321 authored Jan 04, 2016 by Edward Zarecor
Hide whitespace changes
Inline Side-by-side

Showing with 90 additions and 61 deletions

playbooks/roles/user/defaults/main.yml
+3 -0

playbooks/roles/user/tasks/main.yml
+73 -61

playbooks/roles/user/templates/authorized_keys.j2
+14 -0

No files found.
--- a/playbooks/roles/user/defaults/main.yml
+++ b/playbooks/roles/user/defaults/main.yml
@@ -35,3 +35,6 @@ user_rbash_links:
 # will take precedence over the paramter
 user_info: []
+user_debian_pkgs:
+  # Need this to get keys.
+  - curl
--- a/playbooks/roles/user/tasks/main.yml
+++ b/playbooks/roles/user/tasks/main.yml
@@ -45,7 +45,6 @@
 #       # run manage.py commands
 #       - name: automator
 #         type: restricted
-#         state: present
 #         # The sudoers file is optional.
 #         sudoers_template: '99-edxapp-manage-cmds.j2'
 #         authorized_keys:
@@ -57,7 +56,6 @@
 #       - name: frank
 #         github: true
 #         type: admin
-#         state: present
 #
 #       # This user is a normal login user without sudo, with
 #       # a couple keys passed in as parameters
@@ -71,69 +69,90 @@
 # which can be passed in as a parameter to the role.
 #
- debug: 
+- debug: var=user_info
-    var: user_info
 - name: create the edxadmin group
-  group: 
+  group: name=edxadmin state=present
-    name: edxadmin 
+- name: Install role-independent useful system packages
+  # do this before log dir setup; rsyslog package guarantees syslog user present
+  apt:
+    pkg: "{{ item }}"
+    install_recommends: yes
    state: present
+    update_cache: yes
+  with_items: user_debian_pkgs
 # some AMIs (such as EMR master nodes) don't read the config files out of /etc/sudoers.d by default
 - name: ensure sudoers.d is read
-  lineinfile:
+  lineinfile: >
-    dest: /etc/sudoers 
+    dest=/etc/sudoers state=present
-    state: present
+    regexp='^#includedir /etc/sudoers.d' line='#includedir /etc/sudoers.d'
-    regexp: '^#includedir /etc/sudoers.d' 
+    validate='visudo -cf %s'
-    line: '#includedir /etc/sudoers.d'
-    validate: 'visudo -cf %s'
 # give full sudo admin access to the edxadmin group
 - name: grant full sudo access to the edxadmin group
-  copy: 
+  copy: >
-    content: "%edxadmin ALL=(ALL) NOPASSWD:ALL"
+    content="%edxadmin ALL=(ALL) NOPASSWD:ALL"
-    dest: /etc/sudoers.d/edxadmin 
+    dest=/etc/sudoers.d/edxadmin owner=root group=root
-    owner: root 
+    mode=0440 validate='visudo -cf %s'
-    group: root
-    mode: 0440 
-    validate: 'visudo -cf %s'
 - name: create the users
-  user:
+  user: >
-    name: "{{ item.name }}"
+    name={{ item.name }}
-    shell: /bin/bash
+    shell=/bin/bash
-    state: "{{ item.state | default('present') }}"
+    state={{ item.state | default('present') }}
+  with_items: user_info
+- name: create .ssh directory
+  file: >
+    path=/home/{{ item.name }}/.ssh state=directory mode=0750
+    owner={{ item.name }}
+  when: item.get('state', 'present') == 'present'
  with_items: user_info
 - name: assign admin role to admin users
-  user:
+  user: >
-    name: "{{ item.name }}"
+    name={{ item.name }}
-    groups: edxadmin
+    groups=edxadmin
  when: item.type is defined and item.type == 'admin' and item.get('state', 'present') == 'present'
  with_items: user_info
- name: get github key(s) and update the authorized_keys file
+# authorized_keys2 used here so that personal
-  authorized_key:
+# keys can be copied to authorized_keys
-    user: "{{ item.name }}"
+# 2014/10/14 - using curl instead of get_url because
-    key: "https://github.com/{{ item.name }}.keys"
+# get_url was failing due to certificate verification errors
+- name: get github key[s]
+  shell: >
+    curl https://github.com/{{ item.name }}.keys
+  sudo_user: "{{ item.name }}"
  when: item.github is defined and item.get('state', 'present') == 'present'
  with_items: user_info
+  register: github_keys
+- name: update the authorized_keys file
+  template:
+    src="authorized_keys.j2"
+    dest="/home/{{ item.name }}/.ssh/authorized_keys"
+    owner="{{ item.name }}"
+    mode="600"
+  when: item.get('state', 'present') == 'present'
+  with_items: user_info
 - name: create bashrc file for normal users
-  template: 
+  template: >
-    src: default.bashrc.j2
+    src=default.bashrc.j2
-    dest: "/home/{{ item.name }}/.bashrc" 
+    dest=/home/{{ item.name }}/.bashrc mode=0640
-    mode: 0640
+    owner={{ item.name }}
-    owner: "{{ item.name }}"
  when: not (item.type is defined and item.type == 'restricted') and item.get('state', 'present') == 'present'
  with_items: user_info
 - name: create .profile for all users
-  template:
+  template: >
-    src: default.profile.j2
+    src=default.profile.j2
-    dest: "/home/{{ item.name }}/.profile" 
+    dest=/home/{{ item.name }}/.profile mode=0640
-    mode: 0640
+    owner={{ item.name }}
-    owner: "{{ item.name }}"
  when: item.get('state', 'present') == 'present'
  with_items: user_info
@@ -141,29 +160,25 @@
 # All tasks below this line are for restricted users
 - name: modify shell for restricted users
-  user:
+  user: >
-    name: "{{ item.name }}"
+    name={{ item.name }}
-    shell: /bin/rbash
+    shell=/bin/rbash
  when: item.type is defined and item.type == 'restricted' and item.get('state', 'present') == 'present'
  with_items: user_info
 - name: create bashrc file for restricted users
-  template:
+  template: >
-    src: restricted.bashrc.j2
+    src=restricted.bashrc.j2
-    dest: "/home/{{ item.name }}/.bashrc" 
+    dest=/home/{{ item.name }}/.bashrc mode=0640
-    mode: 0640
+    owner={{ item.name }}
-    owner: "{{ item.name }}"
  when: item.type is defined and item.type == 'restricted' and item.get('state', 'present') == 'present'
  with_items: user_info
 - name: create sudoers file from template
-  template:
+  template: >
-    dest: /etc/sudoers.d/99-restricted
+    dest=/etc/sudoers.d/99-restricted
-    src: restricted.sudoers.conf.j2 
+    src=restricted.sudoers.conf.j2 owner="root"
-    owner: root
+    group="root" mode=0440 validate='visudo -cf %s'
-    group: root 
-    mode: 0440 
-    validate: 'visudo -cf %s'
  # Prevent restricted user from updating their PATH and
  # environment by ensuring root ownership
@@ -174,12 +189,9 @@
  with_items: user_info
 - name: create ~/bin directory
-  file:
+  file: >
-    path: "/home/{{ item.name }}/bin" 
+    path=/home/{{ item.name }}/bin state=directory mode=0750
-    state: directory 
+    owner="root" group={{ item.name }}
-    mode: 0750
-    owner: root 
-    group: "{{ item.name }}"
  when: item.type is defined and item.type == 'restricted' and item.get('state', 'present') == 'present'
  with_items: user_info

--- a/playbooks/roles/user/templates/authorized_keys.j2
+++ b/playbooks/roles/user/templates/authorized_keys.j2
+# Keys from github
+{% for github_key in github_keys.results -%}
+  {# None is lowercase in jinja... #}
+  {%- if github_key.changed -%}
+    {%- if github_key.item.name == item.name -%}
+      {{ github_key.stdout }}
+    {%- endif -%}
+  {%- endif -%}
+{% endfor %}
+{% if item.get('authorized_keys') %}
+# Explicitly specified keys
+{{ '\n'.join(item.authorized_keys) }}
+{% endif %}