Commit e0a9c0e6 by John Jarvis

adding type param to user role

parent f2e9307e
# Creates a single user on a server
# By default no super-user privileges
# Example: ansible-playbook -i "jarv.m.sandbox.edx.org," ./create_user.yml -e "user=jarv"
# Create a user with sudo privileges
# Example: ansible-playbook -i "jarv.m.sandbox.edx.org," ./create_user.yml -e "user=jarv" -e "give_sudo=true"
- name: Create all user types (test play)
hosts: all
sudo: True
gather_facts: False
vars_files:
- 'roles/edxapp/defaults/main.yml'
- 'roles/common/defaults/main.yml'
- 'roles/analytics-server/defaults/main.yml'
- 'roles/analytics/defaults/main.yml'
pre_tasks:
- fail: msg="You must pass a user into this play"
when: user is not defined
- name: give access with no sudo
set_fact:
user_info:
- name: "{{ user }}"
github: true
- name: test-admin-user
type: admin
- name: test-normal-user
- name: test-restricted-user-edxapp
type: restricted
sudoers_template: 99-edxapp-manage-cmds.j2
- name: test-restricted-user-anayltics
type: restricted
sudoers_template: 99-analytics-manage-cmds.j2
roles:
- user
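Review bot: The test play at the top of this section runs on `hosts: all` with `sudo: True` and, via `set_fact`, creates `test-admin-user` with `type: admin` plus two restricted accounts on every inventory host, while the header comment directly above it still says the playbook creates a single user with no super-user privileges by default. If this play is meant to ship next to the documented single-user play, it should either be gated (e.g. `when: create_test_users is defined`) or moved to its own playbook so a routine run does not add a sudo-capable test account; if it is a separate file, the header comment should describe this play rather than the single-user one. Two smaller points in the same block: `sudo: True` / `gather_facts: False` should be the canonical `true` / `false`, and the account name `test-restricted-user-anayltics` looks like a typo for `...-analytics` — it will be created literally as written. I cannot tell from the rendered page whether this section is a new file or the first hunk of the playbook the next hunk patches.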
......@@ -20,7 +20,7 @@
set_fact:
user_info:
- name: "{{ user }}"
admin: true
type: admin
github: true
when: give_sudo is defined
roles:
......
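Review bot: `type: admin` is still gated only on `when: give_sudo is defined`, so `-e "give_sudo=false"` grants admin exactly as `give_sudo=true` does; the header comment documents the `=true` form, which suggests the value is meant to matter. Suggest `when: give_sudo is defined and give_sudo|bool` so only a truthy value promotes the user. The `set_fact` task this hunk sits in starts before the hunk.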
......@@ -12,25 +12,25 @@
user_data:
- name: sefk
github: true
admin: true
type: admin
- name: jbau
github: true
admin: true
type: admin
- name: jrbl
github: true
admin: true
type: admin
- name: ali123
github: true
admin: true
type: admin
- name: caesar2164
github: true
admin: true
type: admin
- name: dcadams
github: true
admin: true
type: admin
- name: nparlante
github: true
admin: true
type: admin
- name: jinpa
github: true
- name: gbruhns
......
......@@ -3,6 +3,7 @@ dependencies:
- role: user
user_info:
- name: automator
type: restricted
sudoers_template: '99-automator-analytics.j2'
user_authorized_keys: "{{ AS_AUTOMATOR_AUTHORIZED_KEYS }}"
user_rbash_links:
......
......@@ -9,6 +9,7 @@ dependencies:
- role: user
user_info:
name: automator
type: restricted
sudoers_template: '99-edxapp-manage-cmds.j2'
user_authorized_keys: "{{ EDXAPP_AUTOMATOR_AUTHORIZED_KEYS }}"
when: EDXAPP_AUTOMATOR_AUTHORIZED_KEYS|length != 0
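Review bot: `user_info` in this edxapp dependency is a mapping (`name: automator`, the new `type: restricted`, `sudoers_template`, `user_authorized_keys`), whereas the analytics-server dependency in the previous hunk writes it as a list (`- name: automator`) and the role's tasks iterate it with `with_items: user_info` and read `item.type`. Unless `with_items` is known to wrap a lone mapping, this entry should probably be `user_info:` followed by `- name: automator` with the remaining keys indented under the dash, matching the analytics-server form; worth confirming against a rendered run of the role. The dependency entry begins before the hunk.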
......@@ -19,6 +19,11 @@
# (2) admin users with full sudo permissions
# (3) restricted users that use rbash and are locked down to specific sudo commands
#
# The parameter "type" sets the user in one of these three categories:
# (1) type not set
# (2) type=admin
# (3) type=restricted
#
# Dependencies:
#
# This role has no dependencies but requires parameters
......@@ -39,7 +44,7 @@
# # for edxapp, it creates a user that can only
# # run manage.py commands
# - name: automator
# restricted: true
# type: restricted
# # The sudoers file is optional.
# sudoers_template: '99-edxapp-manage-cmds.j2'
# authorized_keys:
......@@ -50,7 +55,7 @@
# # with full sudo, key fetched from github
# - name: frank
# github: true
# admin: true
# type: admin
#
# # This user is a normal login user without sudo, with
# # a couple keys passed in as parameters
......@@ -92,7 +97,7 @@
user:
name={{ item.name }}
groups=edxadmin
when: item.admin is defined
when: item.type is defined and item.type == 'admin'
with_items: user_info
# authorized_keys2 used here so that personal
......@@ -119,7 +124,7 @@
src=default.bashrc.j2
dest=/home/{{ item.name }}/.bashrc mode=0640
owner={{ item.name }}
when: item.restricted is not defined
when: not (item.type is defined and item.type == 'restricted')
with_items: user_info
- name: create .profile for all users
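Review bot: Any `type` value other than exactly `admin` or `restricted` falls through the new conditions as a normal login user: this hunk's `when: not (item.type is defined and item.type == 'restricted')` installs the default bashrc, and the later `item.type == 'restricted'` hunks (rbash shell, restricted bashrc, sudoers file, root-owned home and `~/bin`) are all skipped, so a misspelled `type: restrcited` silently produces an unrestricted shell account instead of the locked-down one. A guard task at the start of the task list would turn that into a failed run, and the header comment's list of the three categories could add `# Any other value of "type" is an error.` so the contract is explicit. The guard below checks each `user_info` entry before any account is touched.
```yaml
- name: fail on unknown user type
  fail:
    msg: "Unknown type '{{ item.type }}' for user {{ item.name }}; expected admin or restricted"
  when: item.type is defined and item.type not in ['admin', 'restricted']
  with_items: user_info
# … unchanged: existing user, group, bashrc and sudoers tasks …
```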
......@@ -136,7 +141,7 @@
user:
name={{ item.name }}
shell=/bin/rbash
when: item.restricted is defined
when: item.type is defined and item.type == 'restricted'
with_items: user_info
- name: create bashrc file for restricted users
......@@ -144,7 +149,7 @@
src=restricted.bashrc.j2
dest=/home/{{ item.name }}/.bashrc mode=0640
owner={{ item.name }}
when: item.restricted is defined
when: item.type is defined and item.type == 'restricted'
with_items: user_info
- name: create sudoers file from template
......@@ -152,7 +157,7 @@
dest=/etc/sudoers.d/{{ item.sudoers_template|basename|replace('.j2','') }}
src=etc/sudoers.d/{{ item.sudoers_template }} owner="root"
group="root" mode=0440 validate='visudo -cf %s'
when: item.restricted is defined and item.sudoers_template is defined
when: item.type is defined and item.type == 'restricted' and item.sudoers_template is defined
with_items: user_info
# Prevent restricted user from updating their PATH and
......@@ -160,14 +165,14 @@
- name: change home directory ownership to root for restricted users
shell: "chown -R root:{{ item.name }} /home/{{ item.name }}"
when: item.restricted is defined
when: item.type is defined and item.type == 'restricted'
with_items: user_info
- name: create ~/bin directory
file:
path=/home/{{ item.name }}/bin state=directory mode=0750
owner="root" group={{ item.name }}
when: item.restricted is defined
when: item.type is defined and item.type == 'restricted'
with_items: user_info
- name: create allowed command links
......@@ -175,7 +180,7 @@
src: "{{ item[1] }}"
dest: "/home/{{ item[0].name }}/bin/{{ item[1]|basename }}"
state: link
when: item[0].restricted is defined
when: item[0].type is defined and item[0].type == 'restricted'
with_nested:
- user_info
- user_rbash_links
{{ item.user }} ALL=({{ analytics_web_user }}) NOPASSWD:SETENV:{{ analytics_venv_dir }}/bin/django-admin.py run_all_queries *
{{ item.name }} ALL=({{ analytics_web_user }}) NOPASSWD:SETENV:{{ analytics_venv_dir }}/bin/django-admin.py run_all_queries *
......@@ -175,7 +175,7 @@ name_tag: $name_tag
user_data:
- name: ${github_username}
github: true
admin: true
type: admin
dns_zone: $dns_zone
rabbitmq_refresh: True
USER_CMD_PROMPT: '[$name_tag] '
......