should be created beforehand. It is not required to add both of these vars to
your inventory, only use what makes sense for the node being managed.
+Additionally, if you have defined ``managed_users`` and ``managed_admin_users``
+for a set of hosts and want to grant sudo access to users on a subset of those
+hosts, you may define ``extra_admin_users`` for that group. The format of that
+variable is similar to the other two, except the ``key`` field is optional for
+each user which is already present in ``managed_users``. This is to allow
+flexibility without as much repetition.
+
When adding a user, these steps are performed for each user:
- Ensures that the user exists (tags: users)
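Review bot: The new paragraph says ``key`` is optional for a user already present in ``managed_users``, but it does not say what happens to an ``extra_admin_users`` entry that has no ``key`` and no matching ``managed_users`` entry. It also never mentions that the tasks remove promoted users from ``managed_users`` on those hosts. Suggest stating both explicitly and adding a short sample ``extra_admin_users`` definition, since "similar to the other two" leaves the reader to guess which fields are required for an account that ends up with sudo.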
tags:
- always
+- name: Merge extra_admin_users into managed_admin_users
+ set_fact:
+ # The following adds items from extra_admin_users to managed_admin_users, while
+ # fetching keys from the latter if they are not present in the former. It's as pretty
+ # as it can get without whitespace breaking the parser.
+ managed_admin_users:
+ "{% for new_admin in extra_admin_users -%}
+ {% for lab_user in managed_users -%}
+ {% if new_admin.name == lab_user.name %}{{ new_admin.update(lab_user) }}{% endif %}
+ {%- endfor %}
+ {%- endfor %}{{ managed_admin_users|list + extra_admin_users|list }}"
+ when: extra_admin_users is defined and extra_admin_users|length > 0
+ tags:
+ - always
+
+- name: Remove managed_admin_users from managed_users
+ set_fact:
+ # The following rebuilds the managed_users list while omitting users already present
+ # in managed_admin_users
+ managed_users:
+ "[{% for lab_user in managed_users -%}
+ {% if not managed_admin_users|selectattr('name', 'equalto', lab_user.name)|list|length %}{{ lab_user}},{% endif %}
+ {%- endfor %}]"
+ when: extra_admin_users is defined and extra_admin_users|length > 0
+ tags:
+ - always
+
- name: Create all admin users with sudo access.
user:
name: "{{ item.name }}"
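Review bot: In the "Merge extra_admin_users into managed_admin_users" task, `new_admin.update(lab_user)` copies every field of the matching managed_users entry over the extra_admin_users entry, so a `key` set explicitly in extra_admin_users is replaced. That is the opposite of what the comment above it promises ("if they are not present in the former"). For an account that is about to receive sudo, the explicitly supplied value should win: guard the copy with `new_admin.key is not defined`, or build each merged entry so the extra_admin_users fields take precedence instead of mutating the list from inside the template. Separately, both new tasks are gated only on `extra_admin_users is defined`, while the templates read managed_users and managed_admin_users unconditionally; add those to the `when:` or fall back to an empty list so a host that defines only extra_admin_users does not hit an undefined variable.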