Add "sys_protected" argument to LDAP playbook

This commit adds "sys_protected" optional argument to LDAP playbook
"manage_local_ldap_account.yml". The new argument automates adding
an ldap user to the "sys_protected" group at creation time.
Supported values for the "sys_protected" argument are "yes" and "no",
"no" being the default value.

Test Plan:
PASS: Debian image gets successfully installed in AIO-SX system.
PASS: Configure "secure-inventory" configuration for a standalone
system.
PASS: Successful ldap user creation with membership in "sys_protected"
group, using argument "sys_protected=yes".
PASS: Execute LDAP playbook to create a user with no membership in
"sys_protected" group, using argument "sys_protected=no"
PASS: Execute LDAP playbook to create a user with no membership in
"sys_protected" group without setting argument "sys_protected" to
verify the default value.
PASS: Configure "secure-inventory" configuration for a DC system.
PASS: Test "sys_protected" argument usage for LDAP playbook in a DC
system by creating an ldap user in a "sys_protected" group, both on
the system controller and on a subcloud.

Story: 2010589
Task: 47908

Signed-off-by: Carmen Rata <carmen.rata@windriver.com>
Change-Id: I4d487e70b4b1ace3c5b08a7ae10595b4accc2b51
This commit is contained in:
Carmen Rata 2023-04-28 14:47:17 +00:00
parent 708a1d5c43
commit 1bda288e96
5 changed files with 26 additions and 5 deletions

View File

@ -15,14 +15,14 @@
# file. Then run the ansible-playbook command with --ask-vault-pass parameter:
#
# ansible-playbook --inventory inventory-secure --ask-vault-pass \
# --extra-vars='user_id=JohnDoo' \
# --extra-vars='user_id=JohnDoe' \
# /usr/share/ansible/stx-ansible/playbooks/manage_local_ldap_account.yml
#
# If you wish to use different values for password_change_period and
# password_warning_period parameters follow the sample below:
#
# ansible-playbook --inventory inventory-secure --ask-vault-pass \
# --extra-vars='user_id=JohnDoo password_change_period=120 \
# --extra-vars='user_id=JohnDoe password_change_period=120 \
# password_warning_period=1' \
# /usr/share/ansible/stx-ansible/playbooks/manage_local_ldap_account.yml
#
@ -30,7 +30,14 @@
# variable to yes:
#
# ansible-playbook --inventory inventory-secure --ask-vault-pass \
# --extra-vars='user_id=JohnDoo sudo_permission=yes' \
# --extra-vars='user_id=JohnDoe sudo_permission=yes' \
# /usr/share/ansible/stx-ansible/playbooks/manage_local_ldap_account.yml
#
# If you wish to add users to sys_protected group, set sys_protected
# variable to yes:
#
# ansible-playbook --inventory inventory-secure --ask-vault-pass \
# --extra-vars='user_id=JohnDoe sys_protected=yes' \
# /usr/share/ansible/stx-ansible/playbooks/manage_local_ldap_account.yml
#
# If you wish to delete an existing user account (e.g. na-admin):
@ -45,4 +52,4 @@ ansible_password=<my-common-sysadmin-password>
ansible_become_pass=<my-common-sysadmin-password>
[systemcontroller]
systemcontroller-0 ansible_host=127.0.0.1
systemcontroller-0 ansible_host=127.0.0.1

View File

@ -114,6 +114,10 @@
set_fact:
in_sudo_permission: "{{ true if sudo_permission is defined and sudo_permission | bool else false }}"
- name: Set sys_protected flag fact upfront
set_fact:
in_sys_protected: "{{ true if sys_protected is defined and sys_protected | bool else false }}"
- hosts: systemcontroller
gather_facts: no

View File

@ -14,6 +14,7 @@
ansible_ssh_common_args:
'-o ProxyCommand="sshpass -p {{ ansible_password }} ssh -W [%h]:%p -q {{ ansible_user }}@{{ ansible_host }}"'
in_sudo_permission: "{{ in_sudo_permission }}"
in_sys_protected: "{{ in_sys_protected }}"
in_mode: "{{ in_mode }}"
in_user_password: "{{ in_user_password if in_mode == 'create' else '' }}"
in_user_role: "{{ in_user_role if in_mode == 'create' else '' }}"

View File

@ -18,9 +18,13 @@
set_fact:
sudo_param: "{{ '--sudo' if in_sudo_permission else '' }}"
- name: Set sys_protected_param if external variable sys_protected is true
set_fact:
sys_protected_param: "{{ '--secondgroup sys_protected' if in_sys_protected else '' }}"
- name: Create LDAP user {{ in_user_id }}
shell: >-
ldapusersetup -u {{ in_user_id }} {{ sudo_param }} --secondgroup sys_protected --passmax
ldapusersetup -u {{ in_user_id }} {{ sudo_param }} {{ sys_protected_param }} --passmax
{{ password_change_period }} --passwarning {{ password_warning_period }}
become: yes

View File

@ -69,6 +69,11 @@
become: yes
when: in_sudo_permission
- name: Add LDAP user to 'sys_protected' group
command: usermod -a -G sys_protected {{ in_user_id }}
become: yes
when: in_sys_protected
- name: Retrieve LDAP user groups
command: groups {{ in_user_id }}
register: user_groups