Skip to content

C
configuration
Commit 60ca75f7 by John Jarvis
Options

Merge pull request #820 from edx/jarv/user-refactor 

Jarv/user refactor
parents 3b733295 bc52e74f
Showing with 341 additions and 327 deletions
playbooks/edx-east/create_all_user_types.yml 0 → 100644
# This is a test play that creates all supported user
# types using the user role. Example only, not meant
# to be run on a real system
- name: Create all user types (test play)
hosts: all
sudo: True
gather_facts: False
vars_files:
- 'roles/edxapp/defaults/main.yml'
- 'roles/common/defaults/main.yml'
- 'roles/analytics-server/defaults/main.yml'
- 'roles/analytics/defaults/main.yml'
pre_tasks:
- fail: msg="You must pass a user into this play"
when: user is not defined
- name: give access with no sudo
set_fact:
user_info:
- name: "{{ user }}"
github: true
- name: test-admin-user
type: admin
- name: test-normal-user
- name: test-restricted-user-edxapp
type: restricted
sudoers_template: 99-edxapp-manage-cmds.j2
- name: test-restricted-user-anayltics
type: restricted
sudoers_template: 99-analytics-manage-cmds.j2
roles:
- user
playbooks/edx-east/create_user.yml
# Creates a single user on a server
# By default no super-user privileges
# By default no super-user privileges
# Example: ansible-playbook -i "jarv.m.sandbox.edx.org," ./create_user.yml -e "user=jarv"
# Create a user with sudo privileges
# Create a user with sudo privileges
# Example: ansible-playbook -i "jarv.m.sandbox.edx.org," ./create_user.yml -e "user=jarv" -e "give_sudo=true"
- name: Create a single user
hosts: all
sudo: True
gather_facts: False
vars:
give_sudo: False
pre_tasks:
- fail: msg="You must pass a user into this play"
when: not user
when: user is not defined
- name: give access with no sudo
set_fact:
gh_users_no_sudo:
- "{{ user }}"
when: not give_sudo or give_sudo == "false"
user_info:
- name: "{{ user }}"
github: true
when: give_sudo is not defined
- name: give access with sudo
set_fact:
gh_users:
- "{{ user }}"
when: give_sudo
user_info:
- name: "{{ user }}"
type: admin
github: true
when: give_sudo is defined
roles:
- gh_users
- user
playbooks/edx-east/deployer.yml
......@@ -6,7 +6,7 @@
sudo: True
gather_facts: False
roles:
- gh_users
- user
# Configure an admin instance with jenkins and asgard.
- name: Configure instance(s)
hosts: tag_role_admin
......@@ -14,6 +14,5 @@
gather_facts: True
roles:
- common
- gh_users
- jenkins_master
- hotg
playbooks/edx-east/edx_provision.yml
......@@ -67,9 +67,6 @@
- forum
nginx_default_sites:
- lms
# gh_users hash must be passed
# in as a -e variable
- gh_users
post_tasks:
- name: get instance id for elb registration
local_action:
......
playbooks/edx-east/edx_vpc.yml
......@@ -5,7 +5,7 @@
- "{{ secure_dir }}/vars/{{ENVIRONMENT}}/{{CLOUDFORMATION_STACK_NAME}}.yml"
- "{{ secure_dir }}/vars/common/common.yml"
roles:
- gh_users
- user
- role: 'mongo'
mongo_create_users: yes
#- hosts: tag_role_mongo:!first_in_tag_role_mongo
......@@ -14,7 +14,7 @@
# - "{{ secure_dir }}/vars/{{ENVIRONMENT}}/{{CLOUDFORMATION_STACK_NAME}}.yml"
# - "{{ secure_dir }}/vars/common/common.yml"
# roles:
# - gh_users
# - user
# - mongo
- hosts: first_in_tag_role_edxapp
sudo: True
......@@ -23,7 +23,7 @@
- "{{ secure_dir }}/vars/{{ENVIRONMENT}}/{{CLOUDFORMATION_STACK_NAME}}.yml"
- "{{ secure_dir }}/vars/common/common.yml"
roles:
- gh_users
- user
- datadog
- role: nginx
nginx_sites:
......@@ -44,7 +44,7 @@
- "{{ secure_dir }}/vars/{{ENVIRONMENT}}/{{CLOUDFORMATION_STACK_NAME}}.yml"
- "{{ secure_dir }}/vars/common/common.yml"
roles:
- gh_users
- user
- datadog
- role: nginx
nginx_sites:
......@@ -62,7 +62,7 @@
- "{{ secure_dir }}/vars/{{ENVIRONMENT}}/{{CLOUDFORMATION_STACK_NAME}}.yml"
- "{{ secure_dir }}/vars/common/common.yml"
roles:
- gh_users
- user
- datadog
- role: nginx
nginx_sites:
......@@ -81,7 +81,7 @@
- "{{ secure_dir }}/vars/{{ENVIRONMENT}}/{{CLOUDFORMATION_STACK_NAME}}.yml"
- "{{ secure_dir }}/vars/common/common.yml"
roles:
- gh_users
- user
- role: nginx
nginx_sites:
- xserver
......@@ -94,7 +94,7 @@
- "{{ secure_dir }}/vars/{{ENVIRONMENT}}/{{CLOUDFORMATION_STACK_NAME}}.yml"
- "{{ secure_dir }}/vars/common/common.yml"
roles:
- gh_users
- user
- rabbitmq
- splunkforwarder
- hosts: first_in_tag_role_xqueue
......@@ -103,7 +103,7 @@
- "{{ secure_dir }}/vars/{{ENVIRONMENT}}/{{CLOUDFORMATION_STACK_NAME}}.yml"
- "{{ secure_dir }}/vars/common/common.yml"
roles:
- gh_users
- user
- role: nginx
nginx_sites:
- xqueue
......@@ -116,7 +116,7 @@
- "{{ secure_dir }}/vars/{{ENVIRONMENT}}/{{CLOUDFORMATION_STACK_NAME}}.yml"
- "{{ secure_dir }}/vars/common/common.yml"
roles:
- gh_users
- user
- role: nginx
nginx_sites:
- xqueue
......@@ -128,7 +128,7 @@
- "{{ secure_dir }}/vars/{{ENVIRONMENT}}/{{CLOUDFORMATION_STACK_NAME}}.yml"
- "{{ secure_dir }}/vars/common/common.yml"
roles:
- gh_users
- user
- oraclejdk
- elasticsearch
- forum
playbooks/edx-east/elasticsearch.yml
......@@ -5,6 +5,5 @@
- "{{ secure_dir }}/vars/stage/stage-edx.yml"
roles:
- common
- gh_users
- oraclejdk
- elasticsearch
playbooks/edx-east/jenkins_master.yml
......@@ -10,5 +10,4 @@
COMMON_DATA_DIR: "/mnt"
roles:
- common
- gh_users
- jenkins_master
playbooks/edx-west/prod-jumpbox.yml
......@@ -8,18 +8,35 @@
roles:
- common
- supervisor
- role: gh_users
gh_users:
- sefk
- jbau
- jrbl
- ali123
- caesar2164
- dcadams
- nparlante
gh_users_no_sudo:
- jinpa
- gbruhns
- paepcke
- akshayak
- role: user
user_data:
- name: sefk
github: true
type: admin
- name: jbau
github: true
type: admin
- name: jrbl
github: true
type: admin
- name: ali123
github: true
type: admin
- name: caesar2164
github: true
type: admin
- name: dcadams
github: true
type: admin
- name: nparlante
github: true
type: admin
- name: jinpa
github: true
- name: gbruhns
github: true
- name: paepcke
github: true
- name: akshayak
github: true
tags: users
playbooks/roles/analytics-server/defaults/main.yml
......@@ -19,6 +19,9 @@ AS_SERVER_PORT: '9000'
AS_ENV_LANG: 'en_US.UTF-8'
AS_LOG_LEVEL: 'INFO'
AS_WORKERS: '4'
# add public keys to enable the automator user
# for running manage.py commands
AS_AUTOMATOR_AUTHORIZED_KEYS: []
DATABASES:
default: &databases_default
......@@ -43,7 +46,7 @@ analytics_auth_config:
MONGO_STORED_QUERIES_COLLECTION: $AS_DB_RESULTS_COLLECTION
as_role_name: "analytics-server"
as_user: "analytics-server"
as_user: "analytics-server"
as_home: "/opt/wwc/analytics-server"
as_venv_dir: "{{ as_home }}/virtualenvs/analytics-server"
as_source_repo: "git@github.com:edx/analytics-server.git"
......@@ -63,14 +66,6 @@ as_env_vars:
ANALYTICS_SERVER_LOG_LEVEL: "{{ AS_LOG_LEVEL }}"
#
# Used by the included role, automated.
# See meta/main.yml
#
as_automated_rbash_links:
- /usr/bin/sudo
- /usr/bin/scp
#
# OS packages
#
......
playbooks/roles/analytics-server/files/etc/sudoers.d/99-automator-analytics-server deleted 100644 → 0
automator ALL=(www-data) NOPASSWD:SETENV:/opt/wwc/analytics-server/virtualenvs/analytics-server/bin/django-admin.py run_all_queries *
playbooks/roles/analytics-server/meta/main.yml
---
dependencies:
- {
role: automated,
automated_rbash_links: $as_automated_rbash_links,
autmoated_sudoers_dest: '99-automator-analytics-server',
automated_sudoers_template: 'roles/analytics-server/templates/etc/sudoers.d/99-automator-analytics-server.j2'
}
- role: user
user_info:
- name: automator
type: restricted
sudoers_template: '99-automator-analytics.j2'
user_authorized_keys: "{{ AS_AUTOMATOR_AUTHORIZED_KEYS }}"
user_rbash_links:
- /usr/bin/sudo
- /usr/bin/scp
when: AS_AUTOMATOR_AUTHORIZED_KEYS|length != 0
playbooks/roles/analytics-server/tasks/main.yml
......@@ -21,7 +21,7 @@
#
# common role
#
# Depends upon the automated role
# Depends upon the user role
#
# Example play:
#
......
playbooks/roles/analytics/defaults/main.yml
......@@ -43,7 +43,7 @@ analytics_auth_config:
MONGO_STORED_QUERIES_COLLECTION: $ANALYTICS_DB_RESULTS_COLLECTION
analytics_role_name: "analytics"
analytics_user: "analytics"
analytics_user: "analytics"
analytics_home: "/opt/wwc/analytics"
analytics_venv_dir: "{{ analytics_home }}/virtualenvs/analytics"
analytics_source_repo: "git@github.com:edx/analytics-server.git"
......@@ -63,7 +63,7 @@ analytics_env_vars:
ANALYTICS_LOG_LEVEL: "{{ ANALYTICS_LOG_LEVEL }}"
#
# Used by the included role, automated.
# Used by the included role, user.
# See meta/main.yml
#
analytics_automated_rbash_links:
......
playbooks/roles/analytics/tasks/main.yml
......@@ -21,7 +21,7 @@
#
# common role
#
# Depends upon the automated role
# user role to set up a restricted user
#
# Example play:
#
......
playbooks/roles/analytics/templates/etc/sudoers.d/99-automator-analytics.j2 deleted 100644 → 0
automator ALL=({{ analytics_web_user }}) NOPASSWD:SETENV:{{ analytics_venv_dir }}/bin/django-admin.py run_all_queries *
playbooks/roles/automated/tasks/main.yml deleted 100644 → 0
---
#
# edX Configuration
#
# github: https://github.com/edx/configuration
# wiki: https://github.com/edx/configuration/wiki
# code style: https://github.com/edx/configuration/wiki/Ansible-Coding-Conventions
# license: https://github.com/edx/configuration/blob/master/LICENSE.TXT
#
# Tasks for role automated
#
# Overview:
#
# This role is included as a dependency by other roles which provide
# automated jobs. Automation occurs over ssh. The automator user
# is assigned to a managed rbash shell and is, potentially, allowed to run
# explicitly listed commands via sudo. Both the commands that are
# allowed via rbash and the sudoers file are provided by the
# including role.
#
# Dependencies:
#
# This role depends upon variables provided by an including role
# via the my_role/meta/main.yml file. Includes take the following forms:
#
# dependencies:
# - {
# role: automated,
# automated_rbash_links: $as_automated_rbash_links,
# automated_sudoers_dest: '99-my_role'
# automated_sudoers_file: 'roles/my_role/files/etc/sudoers.d/99-my_role'
# }
#
# or
#
# dependencies:
# - {
# role: automated,
# automated_rbash_links: $as_automated_rbash_links,
# automated_sudoers_dest: '99-my_role'
# automated_sudoers_template: 'roles/my_role/templates/etc/sudoers.d/99-my_role.j2'
# }
#
# The sudoers file is optional. Note that for sudo to work it must be
# included in the rbash links list.
#
# That list should be provided via my_role's defaults
#
# role_automated_rbash_links:
# - /usr/bin/sudo
# - /usr/bin/scp
#
- fail: automated_rbash_links required for role
when: automated_rbash_links is not defined
- fail: automated_sudoers_dest required for role
when: automated_sudoers_dest is not defined
- name: create automated user
user:
name={{ automated_user }} state=present shell=/bin/rbash
home={{ automated_home }} createhome=yes
- name: create sudoers file from file
copy:
dest=/etc/sudoers.d/{{ automated_sudoers_dest }}
src={{ automated_sudoers_file }} owner="root"
group="root" mode=0440 validate='visudo -cf %s'
when: automated_sudoers_file
- name: create sudoers file from template
template:
dest=/etc/sudoers.d/{{ automated_sudoers_dest }}
src={{ automated_sudoers_template }} owner="root"
group="root" mode=0440 validate='visudo -cf %s'
when: automated_sudoers_template
#
# Prevent user from updating their PATH and
# environment.
#
- name: update shell file mode
file:
path={{ automated_home }}/{{ item }} mode=0640
state=file owner="root" group={{ automated_user }}
with_items:
- .bashrc
- .profile
- .bash_logout
- name: change ~automated ownership
file:
path={{ automated_home }} mode=0750 state=directory
owner="root" group={{ automated_user }}
#
# This ensures that the links are updated with each run
# and that links that were remove from the role are
# removed.
#
- name: remove ~automated/bin directory
file:
path={{ automated_home }}/bin state=absent
ignore_errors: yes
- name: create ~automated/bin directory
file:
path={{ automated_home }}/bin state=directory mode=0750
owner="root" group={{ automated_user }}
- name: re-write .profile
copy:
src=home/automator/.profile
dest={{ automated_home }}/.profile
owner="root"
group={{ automated_user }}
mode="0744"
- name: re-write .bashrc
copy:
src=home/automator/.bashrc
dest={{ automated_home }}/.bashrc
owner="root"
group={{ automated_user }}
mode="0744"
- name: create .ssh directory
file:
path={{ automated_home }}/.ssh state=directory mode=0700
owner={{ automated_user }} group={{ automated_user }}
- name: build authorized_keys file
template:
src=home/automator/.ssh/authorized_keys.j2
dest={{ automated_home }}/.ssh/authorized_keys mode=0600
owner={{ automated_user }} group={{ automated_user }}
- name: create allowed command links
file:
src={{ item }} dest={{ automated_home }}/bin/{{ item.split('/').pop() }}
state=link
with_items: automated_rbash_links
\ No newline at end of file
playbooks/roles/automated/templates/home/automator/.ssh/authorized_keys.j2 deleted 100644 → 0
# {{ ansible_managed }}
{% for line in automated_authorized_keys -%}
{{ line }}
{%- endfor %}
\ No newline at end of file
playbooks/roles/edxapp/defaults/main.yml
......@@ -123,12 +123,8 @@ EDXAPP_PYTHON_SANDBOX: false
# it puts the sandbox in 'complain' mode, for reporting but not enforcement
EDXAPP_SANDBOX_ENFORCE: true
# Supply authorized keys used for remote management via the automated
# role, see meta/main.yml. Ensure you know what this does before
# enabling. The boolean flag determines whether the role is included.
# This is done to make it possible to disable remote access easily by
# setting the flag to true and providing an empty array.
EDXAPP_INCLUDE_AUTOMATOR_ROLE: false
# Supply authorized keys used for remote management via the user
# role.
EDXAPP_AUTOMATOR_AUTHORIZED_KEYS: []
EDXAPP_USE_GIT_IDENTITY: false
......@@ -516,10 +512,3 @@ edxapp_cms_variant: cms
# Worker Settings
worker_django_settings_module: 'aws'
# This array is used by the automator role to provide
# access to a limited set of commands via rbash. The
# commands listed here will be symlinked to ~/bin/ for
# the automator user.
edxapp_automated_rbash_links:
- /usr/bin/sudo
playbooks/roles/edxapp/meta/main.yml
......@@ -6,9 +6,10 @@ dependencies:
rbenv_dir: "{{ edxapp_app_dir }}"
rbenv_ruby_version: "{{ edxapp_ruby_version }}"
- devpi
- role: automated
automated_rbash_links: "{{ edxapp_automated_rbash_links }}"
automated_sudoers_dest: '99-automator-edxapp-server'
automated_sudoers_template: 'roles/edxapp/templates/etc/sudoers.d/99-automator-edxapp-server.j2'
automated_authorized_keys: "{{ EDXAPP_AUTOMATOR_AUTHORIZED_KEYS }}"
when: EDXAPP_INCLUDE_AUTOMATOR_ROLE
- role: user
user_info:
name: automator
type: restricted
sudoers_template: '99-edxapp-manage-cmds.j2'
user_authorized_keys: "{{ EDXAPP_AUTOMATOR_AUTHORIZED_KEYS }}"
when: EDXAPP_AUTOMATOR_AUTHORIZED_KEYS|length != 0
playbooks/roles/edxapp/templates/etc/sudoers.d/99-automator-edxapp-server.j2 deleted 100644 → 0
automator ALL=({{ common_web_user }}) NOPASSWD:SETENV:{{ edxapp_venv_dir }}/bin/django-admin.py migrate *
automator ALL=({{ common_web_user }}) NOPASSWD:SETENV:{{ edxapp_venv_dir }}/bin/django-admin.py seed_permissions_roles *
automator ALL=({{ common_web_user }}) NOPASSWD:SETENV:{{ edxapp_venv_dir }}/bin/django-admin.py set_staff *
automator ALL=({{ common_web_user }}) NOPASSWD:SETENV:{{ edxapp_venv_dir }}/bin/django-admin.py transfer_students *
playbooks/roles/gh_users/defaults/main.yml deleted 100644 → 0
# override this var to add a prefix to the prompt
# also need to set commont_update_bashrc for to
# update the system bashrc default
GH_USERS_PROMPT: ""
gh_users: []
gh_users_no_sudo: []
playbooks/roles/gh_users/tasks/main.yml deleted 100644 → 0
---
# gh_users
#
# Creates OS accounts for users based on their github credential.
# Takes a list gh_users as a parameter which is a list of users
#
# roles:
# - role: gh_users
# gh_users:
# - joe
# - mark
# gh_users_no_sudo:
# - tourist_dave
- name: creating default .bashrc
template: >
src=default.bashrc.j2 dest=/etc/skel/.bashrc
mode=0644 owner=root group=root
- name: create gh group
group: name=gh state=present
# TODO: give limited sudo access to this group
- name: grant full sudo access to gh group
copy: >
content="%gh ALL=(ALL) NOPASSWD:ALL"
dest=/etc/sudoers.d/gh owner=root group=root
mode=0440 validate='visudo -cf %s'
- name: create sudo github users
user:
name={{ item }} groups=gh
shell=/bin/bash
with_items: gh_users
- name: create non-sudo github users
user:
name={{ item }}
shell=/bin/bash
with_items: gh_users_no_sudo
- name: create .ssh directory
file:
path=/home/{{ item }}/.ssh state=directory mode=0700
owner={{ item }}
with_items: gh_users + gh_users_no_sudo
- name: copy github key[s] to .ssh/authorized_keys
get_url:
url=https://github.com/{{ item }}.keys
dest=/home/{{ item }}/.ssh/authorized_keys mode=0600
owner={{ item }}
with_items: gh_users + gh_users_no_sudo
playbooks/roles/automated/defaults/main.yml playbooks/roles/user/defaults/main.yml
......@@ -8,23 +8,26 @@
# license: https://github.com/edx/configuration/blob/master/LICENSE.TXT
#
##
# Vars for role automated
#
# Vars for role user
#
#
# vars are namespace with the module name.
#
automated_role_name: automated
automated_user: "automator"
automated_home: "/home/automator"
automated_rbash_links: !!null
automated_sudoers_template: !!null
automated_sudoers_file: !!null
#
# OS packages
#
user_role_name: user
# Role parameters
# Override this list
user_info: []
automated_debian_pkgs: []
# override this var to add a prefix to the prompt
# also need to set commont_update_bashrc for to
# update the system bashrc default
USER_CMD_PROMPT: ""
automated_redhat_pkgs: []
# these are the default links to create in the
# restricted user's ~/bin directory
# defaults to sudo, more can be added by overriding
# this var
user_rbash_links:
- /usr/bin/sudo
playbooks/roles/user/tasks/main.yml 0 → 100644
---
# edX Configuration
#
# github: https://github.com/edx/configuration
# wiki: https://github.com/edx/configuration/wiki
# code style: https://github.com/edx/configuration/wiki/Ansible-Coding-Conventions
# license: https://github.com/edx/configuration/blob/master/LICENSE.TXT
#
# Tasks for role user
#
# Overview:
#
# This role is included as a dependency by other roles or as a standalone
# paramaterized role to create users.
#
# There are generally three classes of users:
# (1) normal login users without any special permissions
# (2) admin users with full sudo permissions
# (3) restricted users that use rbash and are locked down to specific sudo commands
#
# The parameter "type" sets the user in one of these three categories:
# (1) type not set
# (2) type=admin
# (3) type=restricted
#
# Dependencies:
#
# This role has no dependencies but requires parameters
#
# Example:
#
# # Create a few users, one restricted
# # one admin with a github key and one with
# # a regular key.
# #
# # All user types can use a key from github
# # and also have additional authorized keys defined
# #
#
# - role: user
# user_info:
# # This restricted user is defined in meta/
# # for edxapp, it creates a user that can only
# # run manage.py commands
# - name: automator
# type: restricted
# # The sudoers file is optional.
# sudoers_template: '99-edxapp-manage-cmds.j2'
# authorized_keys:
# - ssh-rsa abcdef...
# - ssh-rsa ghiklm...
#
# # More users passed to the role, this one is a user
# # with full sudo, key fetched from github
# - name: frank
# github: true
# type: admin
#
# # This user is a normal login user without sudo, with
# # a couple keys passed in as parameters
# - name: sally
# authorized_keys:
# - ssh-rsa abcdef...
# - ssh-rsa ghiklm...
#
# By default for restricted users we only allow sudo, if you
# want to provide more binaries add them to user_rbash_links
# which can be passed in as a paramter to the role.
#
- debug: var=user_info
- name: create the edxadmin group
group: name=edxadmin state=present
# give full sudo admin access to the edxadmin group
- name: grant full sudo access to the edxadmin group
copy: >
content="%edxadmin ALL=(ALL) NOPASSWD:ALL"
dest=/etc/sudoers.d/edxadmin owner=root group=root
mode=0440 validate='visudo -cf %s'
- name: create the users
user:
name={{ item.name }}
shell=/bin/bash
with_items: user_info
- name: create .ssh directory
file:
path=/home/{{ item.name }}/.ssh state=directory mode=0750
owner={{ item.name }}
with_items: user_info
- name: assign admin role to admin users
user:
name={{ item.name }}
groups=edxadmin
when: item.type is defined and item.type == 'admin'
with_items: user_info
# authorized_keys2 used here so that personal
# keys can be copied to authorized_keys
- name: copy github key[s] to .ssh/authorized_keys2
get_url:
url=https://github.com/{{ item.name }}.keys
dest=/home/{{ item.name }}/.ssh/authorized_keys2 mode=0640
owner={{ item.name }}
when: item.github is defined
with_items: user_info
- name: copy additional authorized keys
copy: >
content="{{ "\n".join(item.authorized_keys) }}"
dest=/home/{{ item.name }}/.ssh/authorized_keys mode=0640
owner={{ item.name }}
mode=0440 validate='visudo -cf %s'
when: item.authorized_keys is defined
with_items: user_info
- name: create bashrc file for normal users
template: >
src=default.bashrc.j2
dest=/home/{{ item.name }}/.bashrc mode=0640
owner={{ item.name }}
when: not (item.type is defined and item.type == 'restricted')
with_items: user_info
- name: create .profile for all users
template: >
src=default.profile.j2
dest=/home/{{ item.name }}/.profile mode=0640
owner={{ item.name }}
with_items: user_info
########################################################
# All tasks below this line are for restricted users
- name: modify shell for restricted users
user:
name={{ item.name }}
shell=/bin/rbash
when: item.type is defined and item.type == 'restricted'
with_items: user_info
- name: create bashrc file for restricted users
template: >
src=restricted.bashrc.j2
dest=/home/{{ item.name }}/.bashrc mode=0640
owner={{ item.name }}
when: item.type is defined and item.type == 'restricted'
with_items: user_info
- name: create sudoers file from template
template:
dest=/etc/sudoers.d/{{ item.sudoers_template|basename|replace('.j2','') }}
src=etc/sudoers.d/{{ item.sudoers_template }} owner="root"
group="root" mode=0440 validate='visudo -cf %s'
when: item.type is defined and item.type == 'restricted' and item.sudoers_template is defined
with_items: user_info
# Prevent restricted user from updating their PATH and
# environment by ensuring root ownership
- name: change home directory ownership to root for restricted users
shell: "chown -R root:{{ item.name }} /home/{{ item.name }}"
when: item.type is defined and item.type == 'restricted'
with_items: user_info
- name: create ~/bin directory
file:
path=/home/{{ item.name }}/bin state=directory mode=0750
owner="root" group={{ item.name }}
when: item.type is defined and item.type == 'restricted'
with_items: user_info
- name: create allowed command links
file:
src: "{{ item[1] }}"
dest: "/home/{{ item[0].name }}/bin/{{ item[1]|basename }}"
state: link
when: item[0].type is defined and item[0].type == 'restricted'
with_nested:
- user_info
- user_rbash_links
playbooks/roles/gh_users/templates/default.bashrc.j2 playbooks/roles/user/templates/default.bashrc.j2
......@@ -54,9 +54,9 @@ if [ -n "$force_color_prompt" ]; then
fi
if [ "$color_prompt" = yes ]; then
PS1='{{ GH_USERS_PROMPT }}${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
PS1='{{ USER_CMD_PROMPT }}${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
else
PS1='{{ GH_USERS_PROMPT}}${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
PS1='{{ USER_CMD_PROMPT}}${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
fi
unset color_prompt force_color_prompt
......@@ -73,9 +73,6 @@ esac
if [ -x /usr/bin/dircolors ]; then
test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)"
alias ls='ls --color=auto'
#alias dir='dir --color=auto'
#alias vdir='vdir --color=auto'
alias grep='grep --color=auto'
alias fgrep='fgrep --color=auto'
alias egrep='egrep --color=auto'
......@@ -85,6 +82,7 @@ fi
alias ll='ls -alF'
alias la='ls -A'
alias l='ls -CF'
alias h='ls ~/.bash_histories/*/* | sort | xargs grep -i '
# better bash history
......
playbooks/roles/user/templates/default.profile.j2 0 → 100644
# change default umask
umask 077
# if running bash
if [ -n "$BASH_VERSION" ]; then
# include .bashrc if it exists
if [ -f "$HOME/.bashrc" ]; then
. "$HOME/.bashrc"
fi
fi
playbooks/roles/user/templates/etc/sudoers.d/99-analytics-manage-cmds.j2 0 → 100644
{{ item.name }} ALL=({{ analytics_web_user }}) NOPASSWD:SETENV:{{ analytics_venv_dir }}/bin/django-admin.py run_all_queries *
playbooks/roles/user/templates/etc/sudoers.d/99-edxapp-manage-cmds.j2 0 → 100644
{{ item.name }} ALL=({{ common_web_user }}) NOPASSWD:SETENV:{{ edxapp_venv_dir }}/bin/django-admin.py migrate *
{{ item.name }} ALL=({{ common_web_user }}) NOPASSWD:SETENV:{{ edxapp_venv_dir }}/bin/django-admin.py seed_permissions_roles *
{{ item.name }} ALL=({{ common_web_user }}) NOPASSWD:SETENV:{{ edxapp_venv_dir }}/bin/django-admin.py set_staff *
{{ item.name }} ALL=({{ common_web_user }}) NOPASSWD:SETENV:{{ edxapp_venv_dir }}/bin/django-admin.py transfer_students *
playbooks/vagrant-fullstack.yml
......@@ -11,7 +11,7 @@
- "group_vars/all"
roles:
- edx_ansible
- gh_users
- user
- role: nginx
nginx_sites:
- cms
......
util/jenkins/ansible-provision.sh
......@@ -172,11 +172,13 @@ instance_tags:
owner: $BUILD_USER
root_ebs_size: $root_ebs_size
name_tag: $name_tag
gh_users:
- ${github_username}
user_data:
- name: ${github_username}
github: true
type: admin
dns_zone: $dns_zone
rabbitmq_refresh: True
GH_USERS_PROMPT: '[$name_tag] '
USER_CMD_PROMPT: '[$name_tag] '
elb: $elb
EOF
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment