From: Zack Cerza Date: Wed, 23 Dec 2015 19:24:57 +0000 (-0700) Subject: users: Allow extending managed_admin_users X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=c8aef903cbed28100d02ad0584cb433dd56a5886;p=ceph-cm-ansible.git users: Allow extending managed_admin_users Using a new variable called extra_admin_users, it is now possible to grant sudo access to a set of users on a subset of hosts. Signed-off-by: Zack Cerza
---
diff --git a/roles/users/README.rst b/roles/users/README.rst
index 33fccbd..2529baf 100644
--- a/roles/users/README.rst
+++ b/roles/users/README.rst
@@ -10,6 +10,13 @@ granted by adding the ``managed_admin_users`` to the group ``sudo`` which should be created beforehand. It is not required to add both of these vars to your inventory, only use what makes sense for the node being managed.
+Additionally, if you have defined ``managed_users`` and ``managed_admin_users``
+for a set of hosts and want to grant sudo access to users on a subset of those
+hosts, you may define ``extra_admin_users`` for that group. The format of that
+variable is similar to the other two, except the ``key`` field is optional for
+each user which is already present in ``managed_users``. This is to allow
+flexibility without as much repetition.
+
 When adding a user, these steps are performed for each user:
 - Ensures that the user exists (tags: users)
diff --git a/roles/users/tasks/main.yml b/roles/users/tasks/main.yml
index 5e7e4a9..b9c4a5b 100644
--- a/roles/users/tasks/main.yml
+++ b/roles/users/tasks/main.yml
@@ -19,6 +19,33 @@ tags:
 - always
+- name: Merge extra_admin_users into managed_admin_users
+ set_fact:
+ # The following adds items from extra_admin_users to managed_admin_users, while
+ # fetching keys from the latter if they are not present in the former. It's as pretty
+ # as it can get without whitespace breaking the parser.
+ managed_admin_users:
+ "{% for new_admin in extra_admin_users -%}
+ {% for lab_user in managed_users -%}
+ {% if new_admin.name == lab_user.name %}{{ new_admin.update(lab_user) }}{% endif %}
+ {%- endfor %}
+ {%- endfor %}{{ managed_admin_users|list + extra_admin_users|list }}"
+ when: extra_admin_users is defined and extra_admin_users|length > 0
+ tags:
+ - always
+
+- name: Remove managed_admin_users from managed_users
+ set_fact:
+ # The following rebuilds the managed_users list while omitting users already present
+ # in managed_admin_users
+ managed_users:
+ "[{% for lab_user in managed_users -%}
+ {% if not managed_admin_users|selectattr('name', 'equalto', lab_user.name)|list|length %}{{ lab_user}},{% endif %}
+ {%- endfor %}]"
+ when: extra_admin_users is defined and extra_admin_users|length > 0
+ tags:
+ - always
+
 - name: Create all admin users with sudo access.
 user:
 name: "{{ item.name }}"
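Review bot: In the first task's template, `{{ new_admin.update(lab_user) }}` copies every field of the managed_users entry over the extra_admin_users entry, so a `key` the operator deliberately wrote for an extra admin is silently replaced by the managed_users one, contrary to the comment ("fetching keys from the latter if they are not present in the former") and to the README, which only says the key is optional. Because this decides which `key` ends up attached to an account that is then given sudo, the merge should fill in a missing key only: `{% if new_admin.name == lab_user.name and new_admin.key is not defined %}{{ new_admin.update({'key': lab_user.key}) }}{% endif %}`. Both new tasks also dereference `managed_users` and `managed_admin_users` while their `when` checks only `extra_admin_users`, so a host that sets extra_admin_users without the other two fails with a templating error rather than a clear message; extending the condition with `and managed_users is defined and managed_admin_users is defined` (or applying `|default([])` to each) would make that precondition explicit. The `Create all admin users with sudo access.` task at the end of the hunk continues outside it.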