From 0467496724b8875a5ba5fa95d07740aa51f6c780 Mon Sep 17 00:00:00 2001 From: Lars Wirzenius Date: Sun, 8 Nov 2020 09:32:29 +0200 Subject: feat(unix_users): allow a user to be added to extra groups --- roles/unix_users/subplot.md | 6 +++++- roles/unix_users/subplot.py | 13 ++++++++++++- roles/unix_users/subplot.yaml | 3 +++ roles/unix_users/tasks/main.yml | 9 ++++++++- 4 files changed, 28 insertions(+), 3 deletions(-) (limited to 'roles') diff --git a/roles/unix_users/subplot.md b/roles/unix_users/subplot.md index 2fde3e7..c7929e9 100644 --- a/roles/unix_users/subplot.md +++ b/roles/unix_users/subplot.md @@ -24,6 +24,8 @@ This role makes use of the following variables: * `authorized_keys` – OPTIONAL: text of contents of `~/.ssh/authorized_keys` * `password` – OPTIONAL: encrypted password + * `groups` – OPTIONAL: list of additional groups to which user + should be added Create the encrypted password with something like: @@ -43,10 +45,11 @@ then the host has user foo and the user foo on host has encrypted password foopass and the user foo on host has shell /bin/true and the user foo on host has authorized_keys containing "ssh-rsa" +and the user foo on host is in group operator ~~~ ~~~{#foo.yml .file .yaml} -unix_users_version: 1 +unix_users_version: 2 unix_users: - username: foo @@ -55,4 +58,5 @@ unix_users: password: foopass authorized_keys: | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDKVaQfxzzwpwk763IcPBs308TpYYp6+NTOMvYaj3j3ewz8feYQg3lOlKo/5xaPug2ZywG6v6tpn/p0drovT5YAIPJitP7yJAfEzJe/gO7c9uwx0uIpe6cc8bwRG0XFdUVK0EneB6LpIec+3juj4zitGBm0ffIoLDhJ7J0daTzQN62rZaw/2SjSvgbfnu3a2BYRPz1NGiXdvOCbytVSLlUAR6SxNPrFdh/BJnS4umyDaBL/1j2yaw/WlkfZPn5Ni3USZLRcbHnBUUbo64iwBwJabhdpeh0xLGTqDkaeudUgZjlrRHFyCbwJTPtDzJsPLb5HKGGzdXPHP7Lk6PM2CIOz liw@exolobe1 + groups: [operator] ~~~ diff --git a/roles/unix_users/subplot.py b/roles/unix_users/subplot.py index 7bf921d..05330fd 100644 --- a/roles/unix_users/subplot.py +++ b/roles/unix_users/subplot.py 
@@ -14,7 +14,7 @@ def host_has_user(ctx, username=None):
output, exit = qemu.ssh(["getent", "passwd", username])
assert_eq(exit, 0)
output = output.decode("UTF8")
- assert f"\n{username}:" in output
+ assert f"{username}:" in output


def host_user_has_shell(ctx, username=None, shell=None):
@@ -46,3 +46,14 @@ def host_user_has_authorized_keys_containing(ctx, username=None, substring=None)
assert_eq(exit, 0)
output = output.decode("UTF8")
assert substring in output
+
+
+ def host_user_is_in_group(ctx, username=None, group=None):
+ assert_eq = globals()["assert_eq"]
+ qemu = ctx["qemu"]
+ output, exit = qemu.ssh(["sudo", "-u", username, "groups"])
+ assert_eq(exit, 0)
+ output = output.decode("UTF8")
+ groups = output.split()
+ logging.debug(f"host_user_is_in_group: groups={groups}")
+ assert group in groups
diff --git a/roles/unix_users/subplot.yaml b/roles/unix_users/subplot.yaml
index 10ac86c..bf7c4b9 100644
--- a/roles/unix_users/subplot.yaml
+++ b/roles/unix_users/subplot.yaml
@@ -12,3 +12,6 @@
- then: the user {username} on host has authorized_keys containing "{substring}"
function: host_user_has_authorized_keys_containing
+
+ - then: the user {username} on host is in group {group}
+ function: host_user_is_in_group
diff --git a/roles/unix_users/tasks/main.yml b/roles/unix_users/tasks/main.yml
index cd6fb66..e181054 100644
--- a/roles/unix_users/tasks/main.yml
+++ b/roles/unix_users/tasks/main.yml
@@ -1,6 +1,6 @@
- name: "check unix_users_version"
shell: |
- [ "{{ unix_users_version }}" = "1" ] || \
+ [ "{{ unix_users_version }}" = "2" ] || \
(echo "Unexpected version {{ unix_users_version }}" 1>&2; exit 1)

- name: create system users
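Review bot: The relaxed assertion `assert f"{username}:" in output` in `host_has_user` accepts the username anywhere in the getent output, which is looser than the check needs to be: `getent passwd <key>` prints only the matching record, so the anchored form `assert output.startswith(f"{username}:")` pins the same fact without matching the name recurring later in the line (GECOS or home-directory fields). Dropping the leading `\n` is the right fix, since a single-record result never starts with a newline and the old assertion could not have passed. The `def host_has_user` line itself lies outside the hunk.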
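Review bot: `host_user_is_in_group` runs `sudo -u <username> groups`, which makes the step depend on the test's SSH account having password-less sudo on the guest and spawns a process as the target user, neither of which a read-only membership query needs; `output, exit = qemu.ssh(["id", "-nG", username])` answers the same question from the group database as an unprivileged caller and still yields whitespace-separated names, so the `output.split()` and `group in groups` lines stay as they are. If `qemu.ssh` joins its argument list into a remote shell command line, the username is also interpreted by that shell, so it is worth a comment that usernames are expected to be plain `[a-z_][a-z0-9_-]*` names (or quoting them with `shlex.quote`); the helper's definition is not in this diff, so that is an assumption to confirm. A one-line docstring such as `"""Assert that the host lists `username` as a member of `group`."""` would also bring the new step in line with the other step functions, and `logging` must be imported at the top of the file, which is outside the hunk.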
@@ -10,6 +10,13 @@
comment: "{{ item.comment|default('unnamed user') }}"
shell: "{{ item.shell|default('/bin/bash') }}"
system: "{{ item.system|default('no') }}"
+
+ - name: add users to additional groups
+ with_items: "{{ unix_users }}"
+ when: item.groups is defined
+ user:
+ name: "{{ item.username }}"
+ groups: "{{ item.groups }}"

- name: set password for users
with_items: "{{ unix_users }}"
-- cgit v1.2.1
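Review bot: The new `add users to additional groups` task passes `groups: "{{ item.groups }}"` to the `user` module without `append: yes`, so Ansible makes the listed groups the user's complete set of supplementary groups and removes any membership not in the list, whereas the role documentation added in this same commit describes them as "additional groups to which user should be added", which reads as append semantics. Either add `append: yes` directly under `groups:` to match the wording, or keep the authoritative behaviour — arguably the safer choice for privileged groups such as `sudo`, since memberships granted elsewhere cannot linger — and state in the docs that the list is exact. The same effect could also be folded into the create task as `groups: "{{ item.groups|default(omit) }}"`, avoiding a second pass over `unix_users`. Both the `create system users` task this hunk starts inside and the `set password for users` task it ends in continue outside the hunk.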