Merge pull request #820 from edx/jarv/user-refactor

Jarv/user refactor

playbooks/edx-east/create_all_user_types.yml

+# This is a test play that creates all supported user
+# types using the user role. Example only, not meant
+# to be run on a real system
+- name: Create all user types (test play)
+  hosts: all
+  sudo: True
+  gather_facts: False
+  vars_files:
+    - 'roles/edxapp/defaults/main.yml'
+    - 'roles/common/defaults/main.yml'
+    - 'roles/analytics-server/defaults/main.yml'
+    - 'roles/analytics/defaults/main.yml'
+  pre_tasks:
+    - fail: msg="You must pass a user into this play"
+      when: user is not defined
+    - name: give access with no sudo
+      set_fact:
+        user_info:
+          - name: "{{ user }}"
+            github: true
+          - name: test-admin-user
+            type: admin
+          - name: test-normal-user
+          - name: test-restricted-user-edxapp
+            type: restricted
+            sudoers_template: 99-edxapp-manage-cmds.j2
+          - name: test-restricted-user-anayltics
+            type: restricted
+            sudoers_template: 99-analytics-manage-cmds.j2
+  roles:
+    - user

playbooks/edx-east/create_user.yml

 # Creates a single user on a server
-# By default no super-user privileges 
+# By default no super-user privileges
 # Example: ansible-playbook -i "jarv.m.sandbox.edx.org,"  ./create_user.yml -e "user=jarv"
-# Create a user with sudo privileges 
+# Create a user with sudo privileges
 # Example: ansible-playbook -i "jarv.m.sandbox.edx.org,"  ./create_user.yml -e "user=jarv" -e "give_sudo=true"
 - name: Create a single user
   hosts: all
   sudo: True
   gather_facts: False
-  vars:
-    give_sudo: False
   pre_tasks:
     - fail: msg="You must pass a user into this play"
-      when: not user
+      when: user is not defined
     - name: give access with no sudo
       set_fact:
-        gh_users_no_sudo:
-          - "{{ user }}"
-      when: not give_sudo or give_sudo == "false"
+        user_info:
+          - name: "{{ user }}"
+            github: true
+      when: give_sudo is not defined
     - name: give access with sudo
       set_fact:
-        gh_users:
-          - "{{ user }}"
-      when: give_sudo
+        user_info:
+          - name: "{{ user }}"
+            type: admin
+            github: true
+      when: give_sudo is defined
   roles:
-    - gh_users
+    - user

playbooks/edx-east/deployer.yml

@@ -6,7 +6,7 @@
   sudo: True
   gather_facts: False
   roles:
-  - gh_users
+  - user
 # Configure an admin instance with jenkins and asgard.
 - name: Configure instance(s)
   hosts: tag_role_admin
@@ -14,6 +14,5 @@
   gather_facts: True
   roles:
   - common
-  - gh_users
   - jenkins_master
   - hotg

playbooks/edx-east/edx_provision.yml

@@ -67,9 +67,6 @@
       - forum
       nginx_default_sites:
       - lms
-    # gh_users hash must be passed
-    # in as a -e variable
-    - gh_users
   post_tasks:
     - name: get instance id for elb registration
       local_action:

playbooks/edx-east/edx_vpc.yml

@@ -5,7 +5,7 @@
     - "{{ secure_dir }}/vars/{{ENVIRONMENT}}/{{CLOUDFORMATION_STACK_NAME}}.yml"
     - "{{ secure_dir }}/vars/common/common.yml"
   roles:
-    - gh_users
+    - user
     - role: 'mongo'
       mongo_create_users: yes
 #- hosts: tag_role_mongo:!first_in_tag_role_mongo
@@ -14,7 +14,7 @@
 #    - "{{ secure_dir }}/vars/{{ENVIRONMENT}}/{{CLOUDFORMATION_STACK_NAME}}.yml"
 #    - "{{ secure_dir }}/vars/common/common.yml"
 #  roles:
-#    - gh_users
+#    - user
 #    - mongo
 - hosts: first_in_tag_role_edxapp
   sudo: True
@@ -23,7 +23,7 @@
     - "{{ secure_dir }}/vars/{{ENVIRONMENT}}/{{CLOUDFORMATION_STACK_NAME}}.yml"
     - "{{ secure_dir }}/vars/common/common.yml"
   roles:
-    - gh_users
+    - user
     - datadog
     - role: nginx
       nginx_sites:
@@ -44,7 +44,7 @@
     - "{{ secure_dir }}/vars/{{ENVIRONMENT}}/{{CLOUDFORMATION_STACK_NAME}}.yml"
     - "{{ secure_dir }}/vars/common/common.yml"
   roles:
-    - gh_users
+    - user
     - datadog
     - role: nginx
       nginx_sites:
@@ -62,7 +62,7 @@
     - "{{ secure_dir }}/vars/{{ENVIRONMENT}}/{{CLOUDFORMATION_STACK_NAME}}.yml"
     - "{{ secure_dir }}/vars/common/common.yml"
   roles:
-    - gh_users
+    - user
     - datadog
     - role: nginx
       nginx_sites:
@@ -81,7 +81,7 @@
     - "{{ secure_dir }}/vars/{{ENVIRONMENT}}/{{CLOUDFORMATION_STACK_NAME}}.yml"
     - "{{ secure_dir }}/vars/common/common.yml"
   roles:
-    - gh_users
+    - user
     - role: nginx
       nginx_sites:
       - xserver
@@ -94,7 +94,7 @@
     - "{{ secure_dir }}/vars/{{ENVIRONMENT}}/{{CLOUDFORMATION_STACK_NAME}}.yml"
     - "{{ secure_dir }}/vars/common/common.yml"
   roles:
-    - gh_users
+    - user
     - rabbitmq
     - splunkforwarder
 - hosts: first_in_tag_role_xqueue
@@ -103,7 +103,7 @@
     - "{{ secure_dir }}/vars/{{ENVIRONMENT}}/{{CLOUDFORMATION_STACK_NAME}}.yml"
     - "{{ secure_dir }}/vars/common/common.yml"
   roles:
-    - gh_users
+    - user
     - role: nginx
       nginx_sites:
       - xqueue
@@ -116,7 +116,7 @@
     - "{{ secure_dir }}/vars/{{ENVIRONMENT}}/{{CLOUDFORMATION_STACK_NAME}}.yml"
     - "{{ secure_dir }}/vars/common/common.yml"
   roles:
-    - gh_users
+    - user
     - role: nginx
       nginx_sites:
       - xqueue
@@ -128,7 +128,7 @@
     - "{{ secure_dir }}/vars/{{ENVIRONMENT}}/{{CLOUDFORMATION_STACK_NAME}}.yml"
     - "{{ secure_dir }}/vars/common/common.yml"
   roles:
-    - gh_users
+    - user
     - oraclejdk
     - elasticsearch
     - forum

playbooks/edx-east/elasticsearch.yml

@@ -5,6 +5,5 @@
     - "{{ secure_dir }}/vars/stage/stage-edx.yml"
   roles:
     - common
-    - gh_users
     - oraclejdk
     - elasticsearch

playbooks/edx-east/jenkins_master.yml

@@ -10,5 +10,4 @@
     COMMON_DATA_DIR: "/mnt"
   roles:
     - common
-    - gh_users
     - jenkins_master

playbooks/edx-west/prod-jumpbox.yml

@@ -8,18 +8,35 @@
   roles:
     - common
     - supervisor
-    - role: gh_users
-      gh_users:
-        - sefk
-        - jbau
-        - jrbl
-        - ali123
-        - caesar2164
-        - dcadams
-        - nparlante
-      gh_users_no_sudo:
-        - jinpa
-        - gbruhns
-        - paepcke
-        - akshayak
+    - role: user
+      user_data:
+        - name: sefk
+          github: true
+          type: admin
+        - name: jbau
+          github: true
+          type: admin
+        - name: jrbl
+          github: true
+          type: admin
+        - name: ali123
+          github: true
+          type: admin
+        - name: caesar2164
+          github: true
+          type: admin
+        - name: dcadams
+          github: true
+          type: admin
+        - name: nparlante
+          github: true
+          type: admin
+        - name: jinpa
+          github: true
+        - name: gbruhns
+          github: true
+        - name: paepcke
+          github: true
+        - name: akshayak
+          github: true
       tags: users

playbooks/roles/analytics-server/defaults/main.yml

@@ -19,6 +19,9 @@ AS_SERVER_PORT: '9000'
 AS_ENV_LANG: 'en_US.UTF-8'
 AS_LOG_LEVEL: 'INFO'
 AS_WORKERS: '4'
+# add public keys to enable the automator user
+# for running manage.py commands
+AS_AUTOMATOR_AUTHORIZED_KEYS: []
 
 DATABASES:
   default: &databases_default
@@ -43,7 +46,7 @@ analytics_auth_config:
     MONGO_STORED_QUERIES_COLLECTION: $AS_DB_RESULTS_COLLECTION
 
 as_role_name: "analytics-server"
-as_user: "analytics-server" 
+as_user: "analytics-server"
 as_home: "/opt/wwc/analytics-server"
 as_venv_dir: "{{ as_home }}/virtualenvs/analytics-server"
 as_source_repo: "git@github.com:edx/analytics-server.git"
@@ -63,14 +66,6 @@ as_env_vars:
   ANALYTICS_SERVER_LOG_LEVEL: "{{ AS_LOG_LEVEL }}"
 
 #
-# Used by the included role, automated.
-# See meta/main.yml
-#
-as_automated_rbash_links:
-  - /usr/bin/sudo
-  - /usr/bin/scp
-
-#
 # OS packages
 #
 

playbooks/roles/analytics-server/files/etc/sudoers.d/99-automator-analytics-server

-automator  ALL=(www-data) NOPASSWD:SETENV:/opt/wwc/analytics-server/virtualenvs/analytics-server/bin/django-admin.py	run_all_queries	*

playbooks/roles/analytics-server/meta/main.yml

 ---
 dependencies:
-  - {
-  role: automated,
-  automated_rbash_links: $as_automated_rbash_links,
-  autmoated_sudoers_dest: '99-automator-analytics-server',
-  automated_sudoers_template: 'roles/analytics-server/templates/etc/sudoers.d/99-automator-analytics-server.j2'
-  }
-
-
+  - role: user
+    user_info:
+    - name: automator
+      type: restricted
+      sudoers_template: '99-automator-analytics.j2'
+      user_authorized_keys: "{{ AS_AUTOMATOR_AUTHORIZED_KEYS }}"
+    user_rbash_links:
+      - /usr/bin/sudo
+      - /usr/bin/scp
+    when: AS_AUTOMATOR_AUTHORIZED_KEYS|length != 0

playbooks/roles/analytics-server/tasks/main.yml

@@ -21,7 +21,7 @@
 #
 # common role
 #
-# Depends upon the automated role
+# Depends upon the user role
 #
 # Example play:
 #

playbooks/roles/analytics/defaults/main.yml

@@ -43,7 +43,7 @@ analytics_auth_config:
     MONGO_STORED_QUERIES_COLLECTION: $ANALYTICS_DB_RESULTS_COLLECTION
 
 analytics_role_name: "analytics"
-analytics_user: "analytics" 
+analytics_user: "analytics"
 analytics_home: "/opt/wwc/analytics"
 analytics_venv_dir: "{{ analytics_home }}/virtualenvs/analytics"
 analytics_source_repo: "git@github.com:edx/analytics-server.git"
@@ -63,7 +63,7 @@ analytics_env_vars:
   ANALYTICS_LOG_LEVEL: "{{ ANALYTICS_LOG_LEVEL }}"
 
 #
-# Used by the included role, automated.
+# Used by the included role, user.
 # See meta/main.yml
 #
 analytics_automated_rbash_links:

playbooks/roles/analytics/tasks/main.yml

@@ -21,7 +21,7 @@
 #
 # common role
 #
-# Depends upon the automated role
+# user role to set up a restricted user
 #
 # Example play:
 #

playbooks/roles/analytics/templates/etc/sudoers.d/99-automator-analytics.j2

-automator  ALL=({{ analytics_web_user }}) NOPASSWD:SETENV:{{ analytics_venv_dir }}/bin/django-admin.py	run_all_queries	*

playbooks/roles/automated/files/home/automator/.profile

-. .bashrc

playbooks/roles/automated/tasks/main.yml

----
-#
-# edX Configuration
-#
-# github:     https://github.com/edx/configuration
-# wiki:       https://github.com/edx/configuration/wiki
-# code style: https://github.com/edx/configuration/wiki/Ansible-Coding-Conventions
-# license:    https://github.com/edx/configuration/blob/master/LICENSE.TXT
-#
-# Tasks for role automated
-# 
-# Overview:
-#
-# This role is included as a dependency by other roles which provide
-# automated jobs.  Automation occurs over ssh.  The automator user
-# is assigned to a managed rbash shell and is, potentially, allowed to run
-# explicitly listed commands via sudo.  Both the commands that are
-# allowed via rbash and the sudoers file are provided by the
-# including role.
-#
-# Dependencies:
-#
-# This role depends upon variables provided by an including role
-# via the my_role/meta/main.yml file.  Includes take the following forms:
-#
-#  dependencies:
-#  - {
-#  role: automated,
-#  automated_rbash_links: $as_automated_rbash_links,
-#  automated_sudoers_dest: '99-my_role'
-#  automated_sudoers_file: 'roles/my_role/files/etc/sudoers.d/99-my_role'
-#  }
-#
-# or
-#
-#  dependencies:
-#  - {
-#  role: automated,
-#  automated_rbash_links: $as_automated_rbash_links,
-#  automated_sudoers_dest: '99-my_role'
-#  automated_sudoers_template: 'roles/my_role/templates/etc/sudoers.d/99-my_role.j2'
-#  }
-#
-# The sudoers file is optional.  Note that for sudo to work it must be
-# included in the rbash links list.
-#
-# That list should be provided via my_role's defaults
-#
-# role_automated_rbash_links:
-#   - /usr/bin/sudo
-#   - /usr/bin/scp
-#
-
-- fail: automated_rbash_links required for role
-  when: automated_rbash_links is not defined
-
-- fail: automated_sudoers_dest required for role
-  when: automated_sudoers_dest is not defined
-  
-- name: create automated user
-  user: 
-    name={{ automated_user }} state=present shell=/bin/rbash 
-    home={{ automated_home }} createhome=yes
-
-- name: create sudoers file from file
-  copy:
-    dest=/etc/sudoers.d/{{ automated_sudoers_dest }}
-    src={{ automated_sudoers_file }} owner="root"
-    group="root" mode=0440 validate='visudo -cf %s'
-  when: automated_sudoers_file
-
-- name: create sudoers file from template
-  template:
-    dest=/etc/sudoers.d/{{ automated_sudoers_dest }}
-    src={{ automated_sudoers_template }} owner="root"
-    group="root" mode=0440 validate='visudo -cf %s'
-  when: automated_sudoers_template
-
-  #
-  # Prevent user from updating their PATH and
-  # environment.
-  #
-- name: update shell file mode
-  file:
-    path={{ automated_home }}/{{ item }} mode=0640
-    state=file owner="root" group={{ automated_user }}
-  with_items:
-    - .bashrc
-    - .profile
-    - .bash_logout
-  
-- name: change ~automated ownership
-  file: 
-    path={{ automated_home }} mode=0750 state=directory 
-    owner="root" group={{ automated_user }}
-
-  #
-  # This ensures that the links are updated with each run
-  # and that links that were remove from the role are
-  # removed.
-  #
-- name: remove ~automated/bin directory
-  file: 
-    path={{ automated_home }}/bin state=absent
-  ignore_errors: yes
-  
-- name: create ~automated/bin directory
-  file: 
-    path={{ automated_home }}/bin state=directory mode=0750 
-    owner="root" group={{ automated_user }}
-  
-- name: re-write .profile
-  copy:
-    src=home/automator/.profile 
-    dest={{ automated_home }}/.profile 
-    owner="root" 
-    group={{ automated_user }}
-    mode="0744"
-  
-- name: re-write .bashrc
-  copy:
-    src=home/automator/.bashrc
-    dest={{ automated_home }}/.bashrc 
-    owner="root" 
-    group={{ automated_user }}
-    mode="0744"
-  
-- name: create .ssh directory
-  file: 
-    path={{ automated_home }}/.ssh state=directory mode=0700 
-    owner={{ automated_user }} group={{ automated_user }}
-
-- name: build authorized_keys file
-  template:
-    src=home/automator/.ssh/authorized_keys.j2
-    dest={{ automated_home }}/.ssh/authorized_keys mode=0600 
-    owner={{ automated_user }} group={{ automated_user }}
-  
-- name: create allowed command links
-  file:
-    src={{ item }} dest={{ automated_home }}/bin/{{ item.split('/').pop() }}
-    state=link
-  with_items: automated_rbash_links
\ No newline at end of file

playbooks/roles/automated/templates/home/automator/.ssh/authorized_keys.j2

-# {{ ansible_managed }}
-
-{% for line in automated_authorized_keys -%}
-{{ line }}
-{%- endfor %}
\ No newline at end of file

playbooks/roles/common/meta/main.yml

 ---
 dependencies:
-  - gh_users
+  - user

playbooks/roles/edxapp/defaults/main.yml

@@ -123,12 +123,8 @@ EDXAPP_PYTHON_SANDBOX: false
 # it puts the sandbox in 'complain' mode, for reporting but not enforcement
 EDXAPP_SANDBOX_ENFORCE: true
 
-# Supply authorized keys used for remote management via the automated
-# role, see meta/main.yml.  Ensure you know what this does before
-# enabling.  The boolean flag determines whether the role is included.
-# This is done to make it possible to disable remote access easily by
-# setting the flag to true and providing an empty array.
-EDXAPP_INCLUDE_AUTOMATOR_ROLE: false
+# Supply authorized keys used for remote management via the user
+# role.
 EDXAPP_AUTOMATOR_AUTHORIZED_KEYS: []
 
 EDXAPP_USE_GIT_IDENTITY: false
@@ -516,10 +512,3 @@ edxapp_cms_variant: cms
 
 # Worker Settings
 worker_django_settings_module: 'aws'
-
-# This array is used by the automator role to provide
-# access to a limited set of commands via rbash.  The
-# commands listed here will be symlinked to ~/bin/ for
-# the automator user.
-edxapp_automated_rbash_links:
-  - /usr/bin/sudo

playbooks/roles/edxapp/meta/main.yml

@@ -6,9 +6,10 @@ dependencies:
     rbenv_dir: "{{ edxapp_app_dir }}"
     rbenv_ruby_version: "{{ edxapp_ruby_version }}"
   - devpi
-  - role: automated
-    automated_rbash_links: "{{ edxapp_automated_rbash_links }}"
-    automated_sudoers_dest: '99-automator-edxapp-server'
-    automated_sudoers_template: 'roles/edxapp/templates/etc/sudoers.d/99-automator-edxapp-server.j2'
-    automated_authorized_keys: "{{ EDXAPP_AUTOMATOR_AUTHORIZED_KEYS }}"
-    when: EDXAPP_INCLUDE_AUTOMATOR_ROLE
+  - role: user
+    user_info:
+      name: automator
+      type: restricted
+      sudoers_template: '99-edxapp-manage-cmds.j2'
+      user_authorized_keys: "{{ EDXAPP_AUTOMATOR_AUTHORIZED_KEYS }}"
+    when: EDXAPP_AUTOMATOR_AUTHORIZED_KEYS|length != 0

playbooks/roles/edxapp/templates/etc/sudoers.d/99-automator-edxapp-server.j2

-automator	ALL=({{ common_web_user }})	NOPASSWD:SETENV:{{ edxapp_venv_dir }}/bin/django-admin.py	migrate *
-automator	ALL=({{ common_web_user }})	NOPASSWD:SETENV:{{ edxapp_venv_dir }}/bin/django-admin.py	seed_permissions_roles *
-automator	ALL=({{ common_web_user }})	NOPASSWD:SETENV:{{ edxapp_venv_dir }}/bin/django-admin.py	set_staff *
-automator	ALL=({{ common_web_user }})	NOPASSWD:SETENV:{{ edxapp_venv_dir }}/bin/django-admin.py	transfer_students *
-

playbooks/roles/gh_users/defaults/main.yml

-# override this var to add a prefix to the prompt
-# also need to set commont_update_bashrc for to
-# update the system bashrc default
-GH_USERS_PROMPT: ""
-gh_users: []
-gh_users_no_sudo: []

playbooks/roles/gh_users/tasks/main.yml

----
-
-# gh_users
-#
-# Creates OS accounts for users based on their github credential.
-# Takes a list gh_users as a parameter which is a list of users
-#
-# roles:
-#   - role: gh_users
-#     gh_users:
-#      - joe
-#      - mark
-#     gh_users_no_sudo:
-#      - tourist_dave
-
-
-- name: creating default .bashrc
-  template: >
-    src=default.bashrc.j2 dest=/etc/skel/.bashrc
-    mode=0644 owner=root group=root
-
-- name: create gh group
-  group: name=gh state=present
-
-# TODO: give limited sudo access to this group
-- name: grant full sudo access to gh group
-  copy: >
-    content="%gh ALL=(ALL) NOPASSWD:ALL"
-    dest=/etc/sudoers.d/gh owner=root group=root
-    mode=0440 validate='visudo -cf %s'
-
-- name: create sudo github users
-  user:
-    name={{ item }} groups=gh
-    shell=/bin/bash
-  with_items: gh_users
-
-- name: create non-sudo github users
-  user:
-    name={{ item }}
-    shell=/bin/bash
-  with_items: gh_users_no_sudo
-
-- name: create .ssh directory
-  file:
-    path=/home/{{ item }}/.ssh state=directory mode=0700
-    owner={{ item }}
-  with_items: gh_users + gh_users_no_sudo
-
-- name: copy github key[s] to .ssh/authorized_keys
-  get_url:
-    url=https://github.com/{{ item }}.keys
-    dest=/home/{{ item }}/.ssh/authorized_keys mode=0600
-    owner={{ item }}
-  with_items: gh_users + gh_users_no_sudo
-

playbooks/roles/automated/defaults/main.yml → playbooks/roles/user/defaults/main.yml

@@ -8,23 +8,26 @@
 # license:    https://github.com/edx/configuration/blob/master/LICENSE.TXT
 #
 ##
-# Vars for role automated
-# 
+# Vars for role user
+#
 
 #
 # vars are namespace with the module name.
 #
-automated_role_name: automated
-automated_user: "automator"
-automated_home: "/home/automator"
-automated_rbash_links: !!null
-automated_sudoers_template: !!null
-automated_sudoers_file: !!null
-  
-  #
-# OS packages
-#
+user_role_name: user
+
+# Role parameters
+# Override this list
+user_info: []
 
-automated_debian_pkgs: []
+# override this var to add a prefix to the prompt
+# also need to set commont_update_bashrc for to
+# update the system bashrc default
+USER_CMD_PROMPT: ""
 
-automated_redhat_pkgs: []
+# these are the default links to create in the
+# restricted user's ~/bin directory
+# defaults to sudo, more can be added by overriding
+# this var
+user_rbash_links:
+  - /usr/bin/sudo

playbooks/roles/user/tasks/main.yml

+---
+
+# edX Configuration
+#
+# github:     https://github.com/edx/configuration
+# wiki:       https://github.com/edx/configuration/wiki
+# code style: https://github.com/edx/configuration/wiki/Ansible-Coding-Conventions
+# license:    https://github.com/edx/configuration/blob/master/LICENSE.TXT
+#
+# Tasks for role user
+#
+# Overview:
+#
+# This role is included as a dependency by other roles or as a standalone
+# paramaterized role to create users.
+#
+# There are generally three classes of users:
+# (1) normal login users without any special permissions
+# (2) admin users with full sudo permissions
+# (3) restricted users that use rbash and are locked down to specific sudo commands
+#
+# The parameter "type" sets the user in one of these three categories:
+#   (1) type not set
+#   (2) type=admin
+#   (3) type=restricted
+#
+# Dependencies:
+#
+# This role has no dependencies but requires parameters
+#
+# Example:
+#
+#   # Create a few users, one restricted
+#   # one admin with a github key and one with
+#   # a regular key.
+#   #
+#   # All user types can use a key from github
+#   # and also have additional authorized keys defined
+#   #
+#
+#   - role: user
+#     user_info:
+#       # This restricted user is defined in meta/
+#       # for edxapp, it creates a user that can only
+#       # run manage.py commands
+#       - name: automator
+#         type: restricted
+#         # The sudoers file is optional.
+#         sudoers_template: '99-edxapp-manage-cmds.j2'
+#         authorized_keys:
+#         - ssh-rsa abcdef...
+#         - ssh-rsa ghiklm...
+#
+#       # More users passed to the role, this one is a user
+#       # with full sudo, key fetched from github
+#       - name: frank
+#         github: true
+#         type: admin
+#
+#       # This user is a normal login user without sudo, with
+#       # a couple keys passed in as parameters
+#       - name: sally
+#         authorized_keys:
+#         - ssh-rsa abcdef...
+#         - ssh-rsa ghiklm...
+#
+# By default for restricted users we only allow sudo, if you
+# want to provide more binaries add them to user_rbash_links
+# which can be passed in as a paramter to the role.
+#
+
+- debug: var=user_info
+
+- name: create the edxadmin group
+  group: name=edxadmin state=present
+
+# give full sudo admin access to the edxadmin group
+- name: grant full sudo access to the edxadmin group
+  copy: >
+    content="%edxadmin ALL=(ALL) NOPASSWD:ALL"
+    dest=/etc/sudoers.d/edxadmin owner=root group=root
+    mode=0440 validate='visudo -cf %s'
+
+- name: create the users
+  user:
+    name={{ item.name }}
+    shell=/bin/bash
+  with_items: user_info
+
+- name: create .ssh directory
+  file:
+    path=/home/{{ item.name }}/.ssh state=directory mode=0750
+    owner={{ item.name }}
+  with_items: user_info
+
+- name: assign admin role to admin users
+  user:
+    name={{ item.name }}
+    groups=edxadmin
+  when: item.type is defined and item.type == 'admin'
+  with_items: user_info
+
+# authorized_keys2 used here so that personal
+# keys can be copied to authorized_keys
+- name: copy github key[s] to .ssh/authorized_keys2
+  get_url:
+    url=https://github.com/{{ item.name }}.keys
+    dest=/home/{{ item.name }}/.ssh/authorized_keys2 mode=0640
+    owner={{ item.name }}
+  when: item.github is defined
+  with_items: user_info
+
+- name: copy additional authorized keys
+  copy: >
+    content="{{ "\n".join(item.authorized_keys) }}"
+    dest=/home/{{ item.name }}/.ssh/authorized_keys mode=0640
+    owner={{ item.name }}
+    mode=0440 validate='visudo -cf %s'
+  when: item.authorized_keys is defined
+  with_items: user_info
+
+- name: create bashrc file for normal users
+  template: >
+    src=default.bashrc.j2
+    dest=/home/{{ item.name }}/.bashrc mode=0640
+    owner={{ item.name }}
+  when: not (item.type is defined and item.type == 'restricted')
+  with_items: user_info
+
+- name: create .profile for all users
+  template: >
+    src=default.profile.j2
+    dest=/home/{{ item.name }}/.profile mode=0640
+    owner={{ item.name }}
+  with_items: user_info
+
+########################################################
+# All tasks below this line are for restricted users
+
+- name: modify shell for restricted users
+  user:
+    name={{ item.name }}
+    shell=/bin/rbash
+  when: item.type is defined and item.type == 'restricted'
+  with_items: user_info
+
+- name: create bashrc file for restricted users
+  template: >
+    src=restricted.bashrc.j2
+    dest=/home/{{ item.name }}/.bashrc mode=0640
+    owner={{ item.name }}
+  when: item.type is defined and item.type == 'restricted'
+  with_items: user_info
+
+- name: create sudoers file from template
+  template:
+    dest=/etc/sudoers.d/{{ item.sudoers_template|basename|replace('.j2','') }}
+    src=etc/sudoers.d/{{ item.sudoers_template }} owner="root"
+    group="root" mode=0440 validate='visudo -cf %s'
+  when: item.type is defined and item.type == 'restricted' and item.sudoers_template is defined
+  with_items: user_info
+
+  # Prevent restricted user from updating their PATH and
+  # environment by ensuring root ownership
+
+- name: change home directory ownership to root for restricted users
+  shell: "chown -R root:{{ item.name }} /home/{{ item.name }}"
+  when: item.type is defined and item.type == 'restricted'
+  with_items: user_info
+
+- name: create ~/bin directory
+  file:
+    path=/home/{{ item.name }}/bin state=directory mode=0750
+    owner="root" group={{ item.name }}
+  when: item.type is defined and item.type == 'restricted'
+  with_items: user_info
+
+- name: create allowed command links
+  file:
+    src: "{{ item[1] }}"
+    dest: "/home/{{ item[0].name }}/bin/{{ item[1]|basename }}"
+    state: link
+  when: item[0].type is defined and item[0].type == 'restricted'
+  with_nested:
+    - user_info
+    - user_rbash_links

playbooks/roles/gh_users/templates/default.bashrc.j2 → playbooks/roles/user/templates/default.bashrc.j2

@@ -54,9 +54,9 @@ if [ -n "$force_color_prompt" ]; then
 fi
 
 if [ "$color_prompt" = yes ]; then
-    PS1='{{ GH_USERS_PROMPT }}${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
+    PS1='{{ USER_CMD_PROMPT }}${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
 else
-    PS1='{{ GH_USERS_PROMPT}}${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
+    PS1='{{ USER_CMD_PROMPT}}${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
 fi
 unset color_prompt force_color_prompt
 
@@ -73,9 +73,6 @@ esac
 if [ -x /usr/bin/dircolors ]; then
     test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)"
     alias ls='ls --color=auto'
-    #alias dir='dir --color=auto'
-    #alias vdir='vdir --color=auto'
-
     alias grep='grep --color=auto'
     alias fgrep='fgrep --color=auto'
     alias egrep='egrep --color=auto'
@@ -85,6 +82,7 @@ fi
 alias ll='ls -alF'
 alias la='ls -A'
 alias l='ls -CF'
+alias h='ls ~/.bash_histories/*/* | sort | xargs grep -i '
 
 # better bash history
 

playbooks/roles/user/templates/default.profile.j2

+# change default umask
+umask 077
+# if running bash
+if [ -n "$BASH_VERSION" ]; then
+    # include .bashrc if it exists
+    if [ -f "$HOME/.bashrc" ]; then
+        . "$HOME/.bashrc"
+    fi
+fi

playbooks/roles/user/templates/etc/sudoers.d/99-analytics-manage-cmds.j2

+{{ item.name }} ALL=({{ analytics_web_user }}) NOPASSWD:SETENV:{{ analytics_venv_dir }}/bin/django-admin.py	run_all_queries	*

playbooks/roles/user/templates/etc/sudoers.d/99-edxapp-manage-cmds.j2

+{{ item.name }}	ALL=({{ common_web_user }})	NOPASSWD:SETENV:{{ edxapp_venv_dir }}/bin/django-admin.py	migrate *
+{{ item.name }}	ALL=({{ common_web_user }})	NOPASSWD:SETENV:{{ edxapp_venv_dir }}/bin/django-admin.py	seed_permissions_roles *
+{{ item.name }} ALL=({{ common_web_user }})	NOPASSWD:SETENV:{{ edxapp_venv_dir }}/bin/django-admin.py	set_staff *
+{{ item.name }} ALL=({{ common_web_user }})	NOPASSWD:SETENV:{{ edxapp_venv_dir }}/bin/django-admin.py	transfer_students *
+

playbooks/vagrant-fullstack.yml

@@ -11,7 +11,7 @@
     - "group_vars/all"
   roles:
     - edx_ansible
-    - gh_users
+    - user
     - role: nginx
       nginx_sites:
       - cms

util/jenkins/ansible-provision.sh

@@ -172,11 +172,13 @@ instance_tags:
     owner: $BUILD_USER
 root_ebs_size: $root_ebs_size
 name_tag: $name_tag
-gh_users:
-  - ${github_username}
+user_data:
+  - name: ${github_username}
+    github: true
+    type: admin
 dns_zone: $dns_zone
 rabbitmq_refresh: True
-GH_USERS_PROMPT: '[$name_tag] '
+USER_CMD_PROMPT: '[$name_tag] '
 elb: $elb
 EOF