authorLars Wirzenius <liw@liw.fi>2020-11-08 09:32:29 +0200
committerLars Wirzenius <liw@liw.fi>2020-11-08 09:44:36 +0200
commit0467496724b8875a5ba5fa95d07740aa51f6c780 (patch)
tree21a218b35165a3a6025cc56e5f4ee93d8c3706fd
parentedac7f326c8138d7377d595a3cf26f7f3d36b0fb (diff)
feat(unix_users): allow a user to be added to extra groupsHEADmaster
-rw-r--r--roles/unix_users/subplot.md6
-rw-r--r--roles/unix_users/subplot.py13
-rw-r--r--roles/unix_users/subplot.yaml3
-rw-r--r--roles/unix_users/tasks/main.yml9
4 files changed, 28 insertions, 3 deletions
diff --git a/roles/unix_users/subplot.md b/roles/unix_users/subplot.md
index 2fde3e7..c7929e9 100644
--- a/roles/unix_users/subplot.md
+++ b/roles/unix_users/subplot.md
@@ -24,6 +24,8 @@ This role makes use of the following variables:
* `authorized_keys` &ndash; OPTIONAL: text of contents of
`~/.ssh/authorized_keys`
* `password` &ndash; OPTIONAL: encrypted password
+ * `groups` &ndash; OPTIONAL: list of additional groups to which user
+ should be added
Create the encrypted password with something like:
@@ -43,10 +45,11 @@ then the host has user foo
and the user foo on host has encrypted password foopass
and the user foo on host has shell /bin/true
and the user foo on host has authorized_keys containing "ssh-rsa"
+and the user foo on host is in group operator
~~~
~~~{#foo.yml .file .yaml}
-unix_users_version: 1
+unix_users_version: 2
unix_users:
- username: foo
@@ -55,4 +58,5 @@ unix_users:
password: foopass
authorized_keys: |
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDKVaQfxzzwpwk763IcPBs308TpYYp6+NTOMvYaj3j3ewz8feYQg3lOlKo/5xaPug2ZywG6v6tpn/p0drovT5YAIPJitP7yJAfEzJe/gO7c9uwx0uIpe6cc8bwRG0XFdUVK0EneB6LpIec+3juj4zitGBm0ffIoLDhJ7J0daTzQN62rZaw/2SjSvgbfnu3a2BYRPz1NGiXdvOCbytVSLlUAR6SxNPrFdh/BJnS4umyDaBL/1j2yaw/WlkfZPn5Ni3USZLRcbHnBUUbo64iwBwJabhdpeh0xLGTqDkaeudUgZjlrRHFyCbwJTPtDzJsPLb5HKGGzdXPHP7Lk6PM2CIOz liw@exolobe1
+ groups: [operator]
~~~
diff --git a/roles/unix_users/subplot.py b/roles/unix_users/subplot.py
index 7bf921d..05330fd 100644
--- a/roles/unix_users/subplot.py
+++ b/roles/unix_users/subplot.py
@@ -14,7 +14,7 @@ def host_has_user(ctx, username=None):
output, exit = qemu.ssh(["getent", "passwd", username])
assert_eq(exit, 0)
output = output.decode("UTF8")
- assert f"\n{username}:" in output
+ assert f"{username}:" in output
def host_user_has_shell(ctx, username=None, shell=None):
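Review bot: Removing the leading `\n` turns the check on the last changed line into a bare substring match, so the username is no longer required to be at the start of the passwd entry; the old form presumably failed because `getent passwd foo` prints the one matching entry as the first line, with no newline before it. Since the command already narrows the output to a single entry, anchoring at the start keeps the check precise without the newline problem: `assert output.startswith(f"{username}:")`. host_has_user begins before this hunk, so only its tail is visible here.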
@@ -46,3 +46,14 @@ def host_user_has_authorized_keys_containing(ctx, username=None, substring=None)
assert_eq(exit, 0)
output = output.decode("UTF8")
assert substring in output
+
+
+def host_user_is_in_group(ctx, username=None, group=None):
+ assert_eq = globals()["assert_eq"]
+ qemu = ctx["qemu"]
+ output, exit = qemu.ssh(["sudo", "-u", username, "groups"])
+ assert_eq(exit, 0)
+ output = output.decode("UTF8")
+ groups = output.split()
+ logging.debug(f"host_user_is_in_group: groups={groups}")
+ assert group in groups
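Review bot: host_user_is_in_group escalates with `sudo -u username groups` to learn a membership list that is readable without privilege, which ties the test to the SSH user being allowed to sudo as every created user; `output, exit = qemu.ssh(["id", "-nG", username])` prints only the group names, so the existing `output.split()` and `assert group in groups` work unchanged. The debug line builds its message eagerly; the file's logging convention is not visible in the hunk, but `logging.debug("host_user_is_in_group: groups=%s", groups)` is the lazy form, and it assumes `logging` is imported at the top of subplot.py, which this hunk does not show. A docstring such as `"""Assert that `username` on the test host is a member of `group`, as reported by its supplementary group list."""` would match the purpose of the other step functions.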
diff --git a/roles/unix_users/subplot.yaml b/roles/unix_users/subplot.yaml
index 10ac86c..bf7c4b9 100644
--- a/roles/unix_users/subplot.yaml
+++ b/roles/unix_users/subplot.yaml
@@ -12,3 +12,6 @@
- then: the user {username} on host has authorized_keys containing "{substring}"
function: host_user_has_authorized_keys_containing
+
+- then: the user {username} on host is in group {group}
+ function: host_user_is_in_group
diff --git a/roles/unix_users/tasks/main.yml b/roles/unix_users/tasks/main.yml
index cd6fb66..e181054 100644
--- a/roles/unix_users/tasks/main.yml
+++ b/roles/unix_users/tasks/main.yml
@@ -1,6 +1,6 @@
- name: "check unix_users_version"
shell: |
- [ "{{ unix_users_version }}" = "1" ] || \
+ [ "{{ unix_users_version }}" = "2" ] || \
(echo "Unexpected version {{ unix_users_version }}" 1>&2; exit 1)
- name: create system users
@@ -10,6 +10,13 @@
comment: "{{ item.comment|default('unnamed user') }}"
shell: "{{ item.shell|default('/bin/bash') }}"
system: "{{ item.system|default('no') }}"
+
+- name: add users to additional groups
+ with_items: "{{ unix_users }}"
+ when: item.groups is defined
+ user:
+ name: "{{ item.username }}"
+ groups: "{{ item.groups }}"
- name: set password for users
with_items: "{{ unix_users }}"
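Review bot: The new "add users to additional groups" task passes `groups: "{{ item.groups }}"` to the `user` module without `append: yes`, so Ansible sets the user's supplementary groups to exactly that list and drops any membership granted elsewhere on the host. The subplot.md text in this commit describes `groups` as "additional groups to which user should be added", which is the append semantics; adding `append: yes` beneath `groups:` makes the task do what the documentation says and keeps it idempotent against groups managed outside this role. The hunk ends inside the following "set password for users" task, whose body continues past it.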