adding type param to user role

e0a9c0e6 · John Jarvis · f2e9307e · e0a9c0e6 · e0a9c0e6 · e0a9c0e6
Commit e0a9c0e6 authored Feb 27, 2014 by John Jarvis
8 changed files
--- a/playbooks/edx-east/create_all_user_types.yml
+++ b/playbooks/edx-east/create_all_user_types.yml
+# Creates a single user on a server
+# By default no super-user privileges
+# Example: ansible-playbook -i "jarv.m.sandbox.edx.org,"  ./create_user.yml -e "user=jarv"
+# Create a user with sudo privileges
+# Example: ansible-playbook -i "jarv.m.sandbox.edx.org,"  ./create_user.yml -e "user=jarv" -e "give_sudo=true"
+- name: Create all user types (test play)
+  hosts: all
+  sudo: True
+  gather_facts: False
+  vars_files:
+    - 'roles/edxapp/defaults/main.yml'
+    - 'roles/common/defaults/main.yml'
+    - 'roles/analytics-server/defaults/main.yml'
+    - 'roles/analytics/defaults/main.yml'
+  pre_tasks:
+    - fail: msg="You must pass a user into this play"
+      when: user is not defined
+    - name: give access with no sudo
+      set_fact:
+        user_info:
+          - name: "{{ user }}"
+            github: true
+          - name: test-admin-user
+            type: admin
+          - name: test-normal-user
+          - name: test-restricted-user-edxapp
+            type: restricted
+            sudoers_template: 99-edxapp-manage-cmds.j2
+          - name: test-restricted-user-anayltics
+            type: restricted
+            sudoers_template: 99-analytics-manage-cmds.j2
+  roles:
+    - user
--- a/playbooks/edx-east/create_user.yml
+++ b/playbooks/edx-east/create_user.yml
@@ -20,7 +20,7 @@
      set_fact:
        user_info:
          - name: "{{ user }}"
-            admin: true
+            type: admin
            github: true
      when: give_sudo is defined
  roles:

--- a/playbooks/edx-west/prod-jumpbox.yml
+++ b/playbooks/edx-west/prod-jumpbox.yml
@@ -12,25 +12,25 @@
      user_data:
        - name: sefk
          github: true
-          admin: true
+          type: admin
        - name: jbau
          github: true
-          admin: true
+          type: admin
        - name: jrbl
          github: true
-          admin: true
+          type: admin
        - name: ali123
          github: true
-          admin: true
+          type: admin
        - name: caesar2164
          github: true
-          admin: true
+          type: admin
        - name: dcadams
          github: true
-          admin: true
+          type: admin
        - name: nparlante
          github: true
-          admin: true
+          type: admin
        - name: jinpa
          github: true
        - name: gbruhns

--- a/playbooks/roles/analytics-server/meta/main.yml
+++ b/playbooks/roles/analytics-server/meta/main.yml
@@ -3,6 +3,7 @@ dependencies:
  - role: user
    user_info:
    - name: automator
+      type: restricted
      sudoers_template: '99-automator-analytics.j2'
      user_authorized_keys: "{{ AS_AUTOMATOR_AUTHORIZED_KEYS }}"
    user_rbash_links:

--- a/playbooks/roles/edxapp/meta/main.yml
+++ b/playbooks/roles/edxapp/meta/main.yml
@@ -9,6 +9,7 @@ dependencies:
  - role: user
    user_info:
      name: automator
+      type: restricted
      sudoers_template: '99-edxapp-manage-cmds.j2'
      user_authorized_keys: "{{ EDXAPP_AUTOMATOR_AUTHORIZED_KEYS }}"
    when: EDXAPP_AUTOMATOR_AUTHORIZED_KEYS|length != 0
--- a/playbooks/roles/user/tasks/main.yml
+++ b/playbooks/roles/user/tasks/main.yml
@@ -19,6 +19,11 @@
 # (2) admin users with full sudo permissions
 # (3) restricted users that use rbash and are locked down to specific sudo commands
 #
+# The parameter "type" sets the user in one of these three categories:
+#   (1) type not set
+#   (2) type=admin
+#   (3) type=restricted
+#
 # Dependencies:
 #
 # This role has no dependencies but requires parameters
@@ -39,7 +44,7 @@
 #       # for edxapp, it creates a user that can only
 #       # run manage.py commands
 #       - name: automator
-#         restricted: true
+#         type: restricted
 #         # The sudoers file is optional.
 #         sudoers_template: '99-edxapp-manage-cmds.j2'
 #         authorized_keys:
@@ -50,7 +55,7 @@
 #       # with full sudo, key fetched from github
 #       - name: frank
 #         github: true
-#         admin: true
+#         type: admin
 #
 #       # This user is a normal login user without sudo, with
 #       # a couple keys passed in as parameters
@@ -92,7 +97,7 @@
  user:
    name={{ item.name }}
    groups=edxadmin
-  when: item.admin is defined
+  when: item.type is defined and item.type == 'admin'
  with_items: user_info
 # authorized_keys2 used here so that personal
@@ -119,7 +124,7 @@
    src=default.bashrc.j2
    dest=/home/{{ item.name }}/.bashrc mode=0640
    owner={{ item.name }}
-  when: item.restricted is not defined
+  when: not (item.type is defined and item.type == 'restricted')
  with_items: user_info
 - name: create .profile for all users
@@ -136,7 +141,7 @@
  user:
    name={{ item.name }}
    shell=/bin/rbash
-  when: item.restricted is defined
+  when: item.type is defined and item.type == 'restricted'
  with_items: user_info
 - name: create bashrc file for restricted users
@@ -144,7 +149,7 @@
    src=restricted.bashrc.j2
    dest=/home/{{ item.name }}/.bashrc mode=0640
    owner={{ item.name }}
-  when: item.restricted is defined
+  when: item.type is defined and item.type == 'restricted'
  with_items: user_info
 - name: create sudoers file from template
@@ -152,7 +157,7 @@
    dest=/etc/sudoers.d/{{ item.sudoers_template|basename|replace('.j2','') }}
    src=etc/sudoers.d/{{ item.sudoers_template }} owner="root"
    group="root" mode=0440 validate='visudo -cf %s'
-  when: item.restricted is defined and item.sudoers_template is defined
+  when: item.type is defined and item.type == 'restricted' and item.sudoers_template is defined
  with_items: user_info
  # Prevent restricted user from updating their PATH and
@@ -160,14 +165,14 @@
 - name: change home directory ownership to root for restricted users
  shell: "chown -R root:{{ item.name }} /home/{{ item.name }}"
-  when: item.restricted is defined
+  when: item.type is defined and item.type == 'restricted'
  with_items: user_info
 - name: create ~/bin directory
  file:
    path=/home/{{ item.name }}/bin state=directory mode=0750
    owner="root" group={{ item.name }}
-  when: item.restricted is defined
+  when: item.type is defined and item.type == 'restricted'
  with_items: user_info
 - name: create allowed command links
@@ -175,7 +180,7 @@
    src: "{{ item[1] }}"
    dest: "/home/{{ item[0].name }}/bin/{{ item[1]|basename }}"
    state: link
-  when: item[0].restricted is defined
+  when: item[0].type is defined and item[0].type == 'restricted'
  with_nested:
    - user_info
    - user_rbash_links
--- a/playbooks/roles/user/templates/etc/sudoers.d/99-analytics-manage-cmds.j2
+++ b/playbooks/roles/user/templates/etc/sudoers.d/99-analytics-manage-cmds.j2
-{{ item.user }} ALL=({{ analytics_web_user }}) NOPASSWD:SETENV:{{ analytics_venv_dir }}/bin/django-admin.py	run_all_queries	*
+{{ item.name }} ALL=({{ analytics_web_user }}) NOPASSWD:SETENV:{{ analytics_venv_dir }}/bin/django-admin.py	run_all_queries	*
--- a/util/jenkins/ansible-provision.sh
+++ b/util/jenkins/ansible-provision.sh
@@ -175,7 +175,7 @@ name_tag: $name_tag
 user_data:
  - name: ${github_username}
    github: true
-    admin: true
+    type: admin
 dns_zone: $dns_zone
 rabbitmq_refresh: True
 USER_CMD_PROMPT: '[$name_tag] '