#
# edX Configuration
#
# github:     https://github.com/edx/configuration
# wiki:       https://openedx.atlassian.net/wiki/display/OpenOPS
# code style: https://openedx.atlassian.net/wiki/display/OpenOPS/Ansible+Code+Conventions
# license:    https://github.com/edx/configuration/blob/master/LICENSE.TXT
#
# Usage: ansible-playbook -i lms-host-1, -e@/path/to/group/configfile -e@/path/to/user/configfile
#
# Overview:
# This playbook ensures that the specified users and groups exist in the targeted
# edxapp cluster.
#
# Users have the following properties:
#   - username (required, str)
#   - email (required, str)
#   - groups (optional, list[str])
#   - superuser (optional, bool)
#   - staff (optional, bool)
#   - remove (optional, bool): ensures the user does not exist
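#   - unusable_password (optional, bool): ensures the password is unusable
#   - initial_password_hash (optional, str): passed to manage_user as --initial-password-hash (see the "zoe" example below)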
#
# Groups can have the following properties:
#   - name (required, str)
#   - permissions (optional, list[str])
#   - remove (optional, bool): ensures the group does not exist
#
# Example:
#
# users:
#   - username: bobby
#     email: bobby@droptabl.es
#     groups: [group1, group2]
#     superuser: true
#     staff: true
#
#   - username: fred
#     email: fred@smith
#     remove: true
#
#   - username: smitty
#     email: smitty@werbenmanjens.en
#     groups: [group1]
#
#   - username: frank
#     email: frank@bigcorp.com
#     staff: false
#     superuser: false
#     unusable_password: true
#     groups: []
#
#   - username: zoe
#     email: zoe@example.com
#     initial_password_hash: 'pbkdf2_sha256$20000$levJ6jdVYCsu$gdBLGf2DNPqfaKdcETXtFocRU8Kk+sMsIvKkmw1dKbY='
#
# groups:
#   - name: group3
#     remove: true
#
#   - name: group1
#     permissions:
#       - permission1
#       - permission2
#
#   - name: group2
#     permissions: [permission3]
#
# NB: to get a list of all available permissions, run the following code:
#
#   from django.contrib.auth.models import Permission
#   for perm in Permission.objects.all():
#     print '{}:{}:{}'.format(perm.content_type.app_label, perm.content_type.model, perm.codename)
#
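# Play: ensure the Django groups in `django_groups` and the users in
# `django_users` exist (or are removed) on every targeted host, by running the
# LMS management commands `manage_group` and `manage_user`.
- hosts: all
  vars:
    python_path: /edx/bin/python.edxapp
    manage_path: /edx/bin/manage.edxapp
    # When true, a failing manage_user invocation does not fail the play
    # (consumed by failed_when on the "Manage users" task).
    ignore_user_creation_errors: false
    # Django settings module name; taken from EDXAPP_SETTINGS when it is set.
    deployment_settings: "{{ EDXAPP_SETTINGS | default('aws') }}"
  vars_files:
    - roles/common_vars/defaults/main.yml
  tasks:
    # The command line below is rendered by Jinja and then interpreted by a
    # shell, so every value that comes from a variable is passed through the
    # `quote` filter. That includes the settings name, which can be overridden
    # via EDXAPP_SETTINGS.
    - name: Manage groups
      shell: >
        {{ python_path }} {{ manage_path }} lms --settings={{ deployment_settings | quote }}
        manage_group {{ item.name | quote }}
        {% if item.get('permissions', []) | length %}--permissions {{ item.permissions | default([]) | map('quote') | join(' ') }}{% endif %}
        {% if item.get('remove') %}--remove{% endif %}
      with_items: "{{ django_groups }}"
      become: true
      become_user: "{{ common_web_user }}"

    # Same quoting rule as "Manage groups": all per-user values are shell-quoted.
    # NOTE(review): initial_password_hash is passed as a command-line argument,
    # so it can appear in the host's process list while the command runs and in
    # Ansible's per-item output. Consider `no_log: true` on this task wherever
    # that output is stored or shared, and treat the vars file that carries the
    # hash as sensitive.
    # NOTE(review): `--superuser` / `--staff` grant elevated Django roles, so
    # the user vars file is effectively an access-control list. Review changes
    # to it accordingly.
    - name: Manage users
      shell: >
        {{ python_path }} {{ manage_path }} lms --settings={{ deployment_settings | quote }}
        manage_user {{ item.username | quote }} {{ item.email | quote }}
        {% if item.get('groups', []) | length %}--groups {{ item.groups | default([]) | map('quote') | join(' ') }}{% endif %}
        {% if item.get('remove') %}--remove{% endif %}
        {% if item.get('superuser') %}--superuser{% endif %}
        {% if item.get('staff') %}--staff{% endif %}
        {% if item.get('unusable_password') %}--unusable-password{% endif %}
        {% if item.get('initial_password_hash') %}--initial-password-hash {{ item.initial_password_hash | quote }}{% endif %}
      with_items: "{{ django_users }}"
      register: manage_users_result
      # A failed item fails the task only when ignore_user_creation_errors is false.
      # NOTE(review): the filter form `| failed` is deprecated on newer Ansible
      # releases in favour of the test form `is failed`. Confirm against the
      # Ansible version this playbook runs under before changing it.
      failed_when: (manage_users_result | failed) and not (ignore_user_creation_errors | bool)
      become: true
      become_user: "{{ common_web_user }}"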