From: Zack Cerza Date: Thu, 6 Aug 2015 17:38:36 +0000 (-0600) Subject: Users: Add the ability to revoke user accounts X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=66c72bc30424515aef0df57695c19416afda2f98;p=ceph-cm-ansible.git Users: Add the ability to revoke user accounts Signed-off-by: Zack Cerza --- diff --git a/roles/users/README.rst b/roles/users/README.rst index c91e9e22..092c1b3c 100644 --- a/roles/users/README.rst +++ b/roles/users/README.rst @@ -23,6 +23,10 @@ When adding a user, these steps are performed for each user: - Adds the user's public key to ~/.ssh/authorized_keys (tags: pubkeys) +This role also supports revoking user access by removing all users in the +``revoked_users`` variable. + + Usage +++++ @@ -73,13 +77,20 @@ A list of usernames to filter ``managed_users`` and ``managed_admin_users`` by:: users: [] +A list of usernames whose access is to be revoked:: + + revoked_users: [] + Tags ++++ Available tags are listed below: users - Perform only user creation tasks, ssh keys will not be updated. + Perform only user creation/removal tasks; ssh keys will not be updated. + +revoke + Perform only user removal tasks. pubkeys Perform only authorized keys tasks, users will not be created but all @@ -91,8 +102,6 @@ TODO - Allow management of the UID for each user - Allow management of the shell for each user - -- Add the ability to remove or revoke user access - Ensure that the sudo group exists with the correct permissions. We currently depend on it being created already by other playbooks (ansible_managed.yml) or created by cobbler diff --git a/roles/users/defaults/main.yml b/roles/users/defaults/main.yml index f73a2a04..522dc174 100644 --- a/roles/users/defaults/main.yml +++ b/roles/users/defaults/main.yml 
@@ -18,3 +18,6 @@ managed_admin_users: [] # both managed_users and managed_admin_users would be filtered # to only contain the information for 'user1'. users: [] + +# A list of users whose access is to be revoked. These accounts will be deleted. +revoked_users: [] diff --git a/roles/users/tasks/main.yml b/roles/users/tasks/main.yml index 714cd1db..12f266c8 100644 --- a/roles/users/tasks/main.yml +++ b/roles/users/tasks/main.yml @@ -50,3 +50,22 @@ delay: 5 tags: - pubkeys + +- name: Filter the revoked_users list + set_fact: + revoked_users: + "[{% for user in revoked_users %} + {% if user in users %}'{{ user }}',{%endif%} + {%endfor%}]" + when: users|length > 0 + tags: + - always + +- name: Remove revoked users + user: + name: "{{ item }}" + state: absent + with_items: revoked_users + tags: + - user + - revoke
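Review bot: In the roles/users/README.rst Usage/Tags hunk, the `users` tag entry now promises "creation/removal", but the new "Remove revoked users" task in roles/users/tasks/main.yml is tagged `user` (singular) and `revoke`, so a run with `--tags users` will create accounts and silently skip the revocations; make the task tag `users` (or document `user`) so the README and the tasks agree. The new `revoked_users` entry should also say that, like `managed_users` and `managed_admin_users`, it is filtered by `users` when that list is non-empty, since the "Filter the revoked_users list" task does exactly that and a reader of the README would otherwise expect every listed account to be removed.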
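Review bot: In the roles/users/tasks/main.yml hunk, "Remove revoked users" sets only `state: absent`, so the account is deleted but its home directory, mail spool and any `~/.ssh/authorized_keys` under it stay on disk, and any processes or sessions the account has at the time are not terminated; for a revocation that is meant to be complete, add `remove: yes` (the userdel -r behaviour) and decide explicitly whether `force: yes` is wanted, and state the chosen behaviour in the defaults comment ("These accounts will be deleted") so operators know what is and is not cleaned up. Also, `with_items: revoked_users` relies on bare-variable interpolation; write it as `with_items: "{{ revoked_users }}"` to avoid the deprecation warning and to match the quoted `"{{ item }}"` style used on the line above.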