refactor of gh_users and automated role

playbooks/roles/automated/defaults/main.yml

@@ -9,18 +9,17 @@
 #
 ##
 # Vars for role automated
-# 
+#
 
 #
 # vars are namespace with the module name.
 #
 automated_role_name: automated
-automated_user: "automator"
-automated_home: "/home/automator"
+automated_user: "changeme"
+automated_home: "/home/{{ automated_user }}"
 automated_rbash_links: !!null
 automated_sudoers_template: !!null
-automated_sudoers_file: !!null
-  
+
   #
 # OS packages
 #

playbooks/roles/automated/tasks/main.yml

@@ -8,7 +8,7 @@
 # license:    https://github.com/edx/configuration/blob/master/LICENSE.TXT
 #
 # Tasks for role automated
-# 
+#
 # Overview:
 #
 # This role is included as a dependency by other roles which provide
@@ -24,22 +24,10 @@
 # via the my_role/meta/main.yml file.  Includes take the following forms:
 #
 #  dependencies:
-#  - {
-#  role: automated,
-#  automated_rbash_links: $as_automated_rbash_links,
-#  automated_sudoers_dest: '99-my_role'
-#  automated_sudoers_file: 'roles/my_role/files/etc/sudoers.d/99-my_role'
-#  }
-#
-# or
-#
-#  dependencies:
-#  - {
-#  role: automated,
-#  automated_rbash_links: $as_automated_rbash_links,
-#  automated_sudoers_dest: '99-my_role'
-#  automated_sudoers_template: 'roles/my_role/templates/etc/sudoers.d/99-my_role.j2'
-#  }
+#   - role: automated
+#     automated_rbash_links: "{{ edxapp_automated_rbash_links }}"
+#     automated_sudoers_template: 'roles/edxapp/templates/etc/sudoers.d/99-automator-edxapp-server.j2'
+#     automated_authorized_keys: "{{ EDXAPP_AUTOMATOR_AUTHORIZED_KEYS }}"
 #
 # The sudoers file is optional.  Note that for sudo to work it must be
 # included in the rbash links list.
@@ -54,24 +42,17 @@
 - fail: automated_rbash_links required for role
   when: automated_rbash_links is not defined
 
-- fail: automated_sudoers_dest required for role
-  when: automated_sudoers_dest is not defined
-  
+- fail: automated_authorized_keys required for role
+  when: automated_authorized_keys is not defined
+
 - name: create automated user
-  user: 
-    name={{ automated_user }} state=present shell=/bin/rbash 
+  user:
+    name={{ automated_user }} state=present shell=/bin/rbash
     home={{ automated_home }} createhome=yes
 
-- name: create sudoers file from file
-  copy:
-    dest=/etc/sudoers.d/{{ automated_sudoers_dest }}
-    src={{ automated_sudoers_file }} owner="root"
-    group="root" mode=0440 validate='visudo -cf %s'
-  when: automated_sudoers_file
-
 - name: create sudoers file from template
-  template:
-    dest=/etc/sudoers.d/{{ automated_sudoers_dest }}
+  copy:
+    dest=/etc/sudoers.d/{{ automated_sudoers_template|basename|replace('.j2','') }}
     src={{ automated_sudoers_template }} owner="root"
     group="root" mode=0440 validate='visudo -cf %s'
   when: automated_sudoers_template
@@ -88,56 +69,46 @@
     - .bashrc
     - .profile
     - .bash_logout
-  
+
 - name: change ~automated ownership
-  file: 
-    path={{ automated_home }} mode=0750 state=directory 
+  file:
+    path={{ automated_home }} mode=0750 state=directory
     owner="root" group={{ automated_user }}
 
-  #
-  # This ensures that the links are updated with each run
-  # and that links that were remove from the role are
-  # removed.
-  #
-- name: remove ~automated/bin directory
-  file: 
-    path={{ automated_home }}/bin state=absent
-  ignore_errors: yes
-  
 - name: create ~automated/bin directory
-  file: 
-    path={{ automated_home }}/bin state=directory mode=0750 
+  file:
+    path={{ automated_home }}/bin state=directory mode=0750
     owner="root" group={{ automated_user }}
-  
+
 - name: re-write .profile
   copy:
-    src=home/automator/.profile 
-    dest={{ automated_home }}/.profile 
-    owner="root" 
+    src=home/automator/.profile
+    dest={{ automated_home }}/.profile
+    owner="root"
     group={{ automated_user }}
     mode="0744"
-  
+
 - name: re-write .bashrc
   copy:
     src=home/automator/.bashrc
-    dest={{ automated_home }}/.bashrc 
-    owner="root" 
+    dest={{ automated_home }}/.bashrc
+    owner="root"
     group={{ automated_user }}
     mode="0744"
-  
+
 - name: create .ssh directory
-  file: 
-    path={{ automated_home }}/.ssh state=directory mode=0700 
+  file:
+    path={{ automated_home }}/.ssh state=directory mode=0700
     owner={{ automated_user }} group={{ automated_user }}
 
 - name: build authorized_keys file
   template:
     src=home/automator/.ssh/authorized_keys.j2
-    dest={{ automated_home }}/.ssh/authorized_keys mode=0600 
+    dest={{ automated_home }}/.ssh/authorized_keys mode=0600
     owner={{ automated_user }} group={{ automated_user }}
-  
+
 - name: create allowed command links
   file:
     src={{ item }} dest={{ automated_home }}/bin/{{ item.split('/').pop() }}
     state=link
-  with_items: automated_rbash_links
\ No newline at end of file
+  with_items: automated_rbash_links

playbooks/roles/common/meta/main.yml

 ---
 dependencies:
   - gh_users
+  - automated

playbooks/roles/edxapp/defaults/main.yml

@@ -516,10 +516,3 @@ edxapp_cms_variant: cms
 
 # Worker Settings
 worker_django_settings_module: 'aws'
-
-# This array is used by the automator role to provide
-# access to a limited set of commands via rbash.  The
-# commands listed here will be symlinked to ~/bin/ for
-# the automator user.
-edxapp_automated_rbash_links:
-  - /usr/bin/sudo

playbooks/roles/edxapp/meta/main.yml

@@ -7,8 +7,7 @@ dependencies:
     rbenv_ruby_version: "{{ edxapp_ruby_version }}"
   - devpi
   - role: automated
-    automated_rbash_links: "{{ edxapp_automated_rbash_links }}"
-    automated_sudoers_dest: '99-automator-edxapp-server'
-    automated_sudoers_template: 'roles/edxapp/templates/etc/sudoers.d/99-automator-edxapp-server.j2'
-    automated_authorized_keys: "{{ EDXAPP_AUTOMATOR_AUTHORIZED_KEYS }}"
+    user_rbash_links: "{{ edxapp_automated_rbash_links }}"
+    user_sudoers_template: 'roles/edxapp/templates/etc/sudoers.d/99-automator-edxapp-server.j2'
+    user_authorized_keys: "{{ EDXAPP_AUTOMATOR_AUTHORIZED_KEYS }}"
     when: EDXAPP_INCLUDE_AUTOMATOR_ROLE

playbooks/roles/gh_users/defaults/main.yml

-# override this var to add a prefix to the prompt
-# also need to set commont_update_bashrc for to
-# update the system bashrc default
-GH_USERS_PROMPT: ""
-gh_users: []
-gh_users_no_sudo: []

playbooks/roles/gh_users/tasks/main.yml

----
-
-# gh_users
-#
-# Creates OS accounts for users based on their github credential.
-# Takes a list gh_users as a parameter which is a list of users
-#
-# roles:
-#   - role: gh_users
-#     gh_users:
-#      - joe
-#      - mark
-#     gh_users_no_sudo:
-#      - tourist_dave
-
-
-- name: creating default .bashrc
-  template: >
-    src=default.bashrc.j2 dest=/etc/skel/.bashrc
-    mode=0644 owner=root group=root
-
-- name: create gh group
-  group: name=gh state=present
-
-# TODO: give limited sudo access to this group
-- name: grant full sudo access to gh group
-  copy: >
-    content="%gh ALL=(ALL) NOPASSWD:ALL"
-    dest=/etc/sudoers.d/gh owner=root group=root
-    mode=0440 validate='visudo -cf %s'
-
-- name: create sudo github users
-  user:
-    name={{ item }} groups=gh
-    shell=/bin/bash
-  with_items: gh_users
-
-- name: create non-sudo github users
-  user:
-    name={{ item }}
-    shell=/bin/bash
-  with_items: gh_users_no_sudo
-
-- name: create .ssh directory
-  file:
-    path=/home/{{ item }}/.ssh state=directory mode=0700
-    owner={{ item }}
-  with_items: gh_users + gh_users_no_sudo
-
-- name: copy github key[s] to .ssh/authorized_keys
-  get_url:
-    url=https://github.com/{{ item }}.keys
-    dest=/home/{{ item }}/.ssh/authorized_keys mode=0600
-    owner={{ item }}
-  with_items: gh_users + gh_users_no_sudo
-

playbooks/roles/user/defaults/main.yml

+---
+#
+# edX Configuration
+#
+# github:     https://github.com/edx/configuration
+# wiki:       https://github.com/edx/configuration/wiki
+# code style: https://github.com/edx/configuration/wiki/Ansible-Coding-Conventions
+# license:    https://github.com/edx/configuration/blob/master/LICENSE.TXT
+#
+##
+# Vars for role user
+#
+
+#
+# vars are namespace with the module name.
+#
+user_role_name: user
+
+# Role parameters
+# Override this list
+user_info: []
+
+# override this var to add a prefix to the prompt
+# also need to set commont_update_bashrc for to
+# update the system bashrc default
+USER_CMD_PROMPT: ""
+
+# these are the default links to create in the
+# restricted user's ~/bin directory
+# defaults to sudo, more can be added by overriding
+# this var
+user_rbash_links:
+  - /usr/bin/sudo

playbooks/roles/user/tasks/main.yml

+---
+
+# edX Configuration
+#
+# github:     https://github.com/edx/configuration
+# wiki:       https://github.com/edx/configuration/wiki
+# code style: https://github.com/edx/configuration/wiki/Ansible-Coding-Conventions
+# license:    https://github.com/edx/configuration/blob/master/LICENSE.TXT
+#
+# Tasks for role user
+#
+# Overview:
+#
+# This role is included as a dependency by other roles or as a standalone
+# paramaterized role to create users.
+#
+# There are generally three classes of users:
+# (1) normal login users without any special permissions
+# (2) admin users with full sudo permissions
+# (3) restricted users that use rbash and are locked down to specific sudo commands
+#
+# Dependencies:
+#
+# This role has no dependencies but requires parameters
+#
+# Example:
+#
+#   # Create a few users, one restricted
+#   # one admin with a github key and one with
+#   # a regular key.
+#   #
+#   # All user types can use a key from github
+#   # and also have additional authorized keys defined
+#   #
+#
+#   - role: user
+#     user_info:
+#       - name: joe
+#         restricted: true
+#         # The sudoers file is optional.
+#         sudoers_template: 'roles/edxapp/templates/etc/sudoers.d/99-automator-edxapp-server.j2'
+#         authorized_keys:
+#         - ssh-rsa abcdef...
+#         - ssh-rsa ghiklm...
+
+#       - name: frank
+#         github: true
+#         admin: true
+#
+#       - name: sally
+#         authorized_keys:
+#         - ssh-rsa abcdef...
+#         - ssh-rsa ghiklm...
+
+#
+# Set user_rbash_links for links to be set in the restricted
+# user's bin dir by default we only allow /usr/bin/sudo
+#
+
+- fail: you must pass in a user_info parameter to this role
+  when: user_info|length == 0
+
+- name: create the edxadmin group
+  group: name=edxadmin state=present
+
+# give full sudo admin access to the edxadmin group
+- name: grant full sudo access to the edxadmin group
+  copy: >
+    content="%edxadmin ALL=(ALL) NOPASSWD:ALL"
+    dest=/etc/sudoers.d/edxadmin owner=root group=root
+    mode=0440 validate='visudo -cf %s'
+
+- name: create the users
+  user:
+    name={{ item.name }}
+    shell=/bin/bash
+  with_items: user_info
+
+- name: create .ssh directory
+  file:
+    path=/home/{{ item.name }}/.ssh state=directory mode=0750
+    owner={{ item.name }}
+  with_items: user_info
+
+- name: assign admin role to admin users
+  user:
+    name={{ item.name }}
+    groups=edxadmin
+  when: item.admin is defined
+  with_items: user_info
+
+# authorized_keys2 used here so that personal
+# keys can be copied to authorized_keys
+- name: copy github key[s] to .ssh/authorized_keys2
+  get_url:
+    url=https://github.com/{{ item.name }}.keys
+    dest=/home/{{ item.name }}/.ssh/authorized_keys2 mode=0640
+    owner={{ item.name }}
+  when: item.github is defined
+  with_items: user_info
+
+- name: copy additional authorized keys
+  copy: >
+    content="{{ "\n".join(item.authorized_keys) }}"
+    dest=/home/{{ item.name }}/.ssh/authorized_keys mode=0640
+    owner={{ item.name }}
+    mode=0440 validate='visudo -cf %s'
+  when: item.authorized_keys is defined
+  with_item: user_info
+
+- name: create bashrc file for normal users
+  template: >
+    src=default.bashrc.j2
+    dest=/home/{{ item.name }}/.bashrc mode=0640
+    owner={{ item.name }}
+  when: item.restricted is not defined
+  with_items: user_info
+
+- name: create .profile for all users
+  template: >
+    src=default.profile.j2
+    dest=/home/{{ item.name }}/.profile mode=0640
+    owner={{ item.name }}
+
+########################################################
+# All tasks below this line are for restricted users
+
+- name: modify shell for restricted users
+  user:
+    name={{ item.name }}
+    shell=/bin/rbash
+  when: item.restricted is defined
+  with_items: user_info
+
+- name: create bashrc file for restricted users
+  template: >
+    src=restricted.bashrc.j2
+    dest=/home/{{ item.name }}/.bashrc mode=0640
+    owner={{ item.name }}
+  when: item.restricted is defined
+  with_items: user_info
+
+- name: create sudoers file from template
+  copy:
+    dest=/etc/sudoers.d/{{ item.sudoers_template|basename|replace('.j2','') }}
+    src={{ item.sudoers_template }} owner="root"
+    group="root" mode=0440 validate='visudo -cf %s'
+  when: item.restricted is defined and item.sudoers_template is defined
+  with_items: user_info
+
+  # Prevent restricted user from updating their PATH and
+  # environment by ensuring root ownership
+
+- name: change home directory ownership to root for restricted users
+  shell: "chown -R root:{{ item.name }} /home/{{ item.name }}"
+  when: item.restricted is defined
+  with_items: user_info
+
+- name: create ~/bin directory
+  file:
+    path=/home/{{ item.name }}/bin state=directory mode=0750
+    owner="root" group={{ item.name }}
+  when: item.restricted is defined
+  with_items: user_info
+
+- name: create allowed command links
+  file:
+    src={{ item[1] }} dest=/home/{{ item[0] }}/bin/{{ item.[1]|basename }}
+    state=link
+  when: when item[0].restricted is defined
+  with_nested:
+    - user_info
+    - user_rbash_links

playbooks/roles/user/templates/default.profile.j2

+# change default umask
+umask 077
+# if running bash
+if [ -n "$BASH_VERSION" ]; then
+    # include .bashrc if it exists
+    if [ -f "$HOME/.bashrc" ]; then
+        . "$HOME/.bashrc"
+    fi
+fi

util/jenkins/ansible-provision.sh

@@ -176,7 +176,7 @@ gh_users:
   - ${github_username}
 dns_zone: $dns_zone
 rabbitmq_refresh: True
-GH_USERS_PROMPT: '[$name_tag] '
+USER_CMD_PROMPT: '[$name_tag] '
 elb: $elb
 EOF