Add "sys_protected" argument to LDAP playbook
This commit adds "sys_protected" optional argument to LDAP playbook "manage_local_ldap_account.yml". The new argument automates adding an ldap user to the "sys_protected" group at creation time. Supported values for the "sys_protected" argument are "yes" and "no", "no" being the default value. Test Plan: PASS: Debian image gets successfully installed in AIO-SX system. PASS: Configure "secure-inventory" configuration for a standalone system. PASS: Successful ldap user creation with membership in "sys_protected" group, using argument "sys_protected=yes". PASS: Execute LDAP playbook to create a user with no membership in "sys_protected" group, using argument "sys_protected=no" PASS: Execute LDAP playbook to create a user with no membership in "sys_protected" group without setting argument "sys_protected" to verify the default value. PASS: Configure "secure-inventory" configuration for a DC system. PASS: Test "sys_protected" argument usage for LDAP playbook in a DC system by creating an ldap user in a "sys_protected" group, both on the system controller and on a subcloud. Story: 2010589 Task: 47908 Signed-off-by: Carmen Rata <carmen.rata@windriver.com> Change-Id: I4d487e70b4b1ace3c5b08a7ae10595b4accc2b51
This commit is contained in:
parent
708a1d5c43
commit
1bda288e96
@ -15,14 +15,14 @@
|
||||
# file. Then run the ansible-playbook command with --ask-vault-pass parameter:
|
||||
#
|
||||
# ansible-playbook --inventory inventory-secure --ask-vault-pass \
|
||||
# --extra-vars='user_id=JohnDoo' \
|
||||
# --extra-vars='user_id=JohnDoe' \
|
||||
# /usr/share/ansible/stx-ansible/playbooks/manage_local_ldap_account.yml
|
||||
#
|
||||
# If you wish to use different values for password_change_period and
|
||||
# password_warning_period parameters follow the sample below:
|
||||
#
|
||||
# ansible-playbook --inventory inventory-secure --ask-vault-pass \
|
||||
# --extra-vars='user_id=JohnDoo password_change_period=120 \
|
||||
# --extra-vars='user_id=JohnDoe password_change_period=120 \
|
||||
# password_warning_period=1' \
|
||||
# /usr/share/ansible/stx-ansible/playbooks/manage_local_ldap_account.yml
|
||||
#
|
||||
@ -30,7 +30,14 @@
|
||||
# variable to yes:
|
||||
#
|
||||
# ansible-playbook --inventory inventory-secure --ask-vault-pass \
|
||||
# --extra-vars='user_id=JohnDoo sudo_permission=yes' \
|
||||
# --extra-vars='user_id=JohnDoe sudo_permission=yes' \
|
||||
# /usr/share/ansible/stx-ansible/playbooks/manage_local_ldap_account.yml
|
||||
#
|
||||
# If you wish to add users to sys_protected group, set sys_protected
|
||||
# variable to yes:
|
||||
#
|
||||
# ansible-playbook --inventory inventory-secure --ask-vault-pass \
|
||||
# --extra-vars='user_id=JohnDoe sys_protected=yes' \
|
||||
# /usr/share/ansible/stx-ansible/playbooks/manage_local_ldap_account.yml
|
||||
#
|
||||
# If you wish to delete an existing user account (e.g. na-admin):
|
||||
@ -45,4 +52,4 @@ ansible_password=<my-common-sysadmin-password>
|
||||
ansible_become_pass=<my-common-sysadmin-password>
|
||||
|
||||
[systemcontroller]
|
||||
systemcontroller-0 ansible_host=127.0.0.1
|
||||
systemcontroller-0 ansible_host=127.0.0.1
|
||||
|
@ -114,6 +114,10 @@
|
||||
set_fact:
|
||||
in_sudo_permission: "{{ true if sudo_permission is defined and sudo_permission | bool else false }}"
|
||||
|
||||
- name: Set sys_protected flag fact upfront
|
||||
set_fact:
|
||||
in_sys_protected: "{{ true if sys_protected is defined and sys_protected | bool else false }}"
|
||||
|
||||
- hosts: systemcontroller
|
||||
gather_facts: no
|
||||
|
||||
|
@ -14,6 +14,7 @@
|
||||
ansible_ssh_common_args:
|
||||
'-o ProxyCommand="sshpass -p {{ ansible_password }} ssh -W [%h]:%p -q {{ ansible_user }}@{{ ansible_host }}"'
|
||||
in_sudo_permission: "{{ in_sudo_permission }}"
|
||||
in_sys_protected: "{{ in_sys_protected }}"
|
||||
in_mode: "{{ in_mode }}"
|
||||
in_user_password: "{{ in_user_password if in_mode == 'create' else '' }}"
|
||||
in_user_role: "{{ in_user_role if in_mode == 'create' else '' }}"
|
||||
|
@ -18,9 +18,13 @@
|
||||
set_fact:
|
||||
sudo_param: "{{ '--sudo' if in_sudo_permission else '' }}"
|
||||
|
||||
- name: Set sys_protected_param if external variable sys_protected is true
|
||||
set_fact:
|
||||
sys_protected_param: "{{ '--secondgroup sys_protected' if in_sys_protected else '' }}"
|
||||
|
||||
- name: Create LDAP user {{ in_user_id }}
|
||||
shell: >-
|
||||
ldapusersetup -u {{ in_user_id }} {{ sudo_param }} --secondgroup sys_protected --passmax
|
||||
ldapusersetup -u {{ in_user_id }} {{ sudo_param }} {{ sys_protected_param }} --passmax
|
||||
{{ password_change_period }} --passwarning {{ password_warning_period }}
|
||||
become: yes
|
||||
|
||||
|
@ -69,6 +69,11 @@
|
||||
become: yes
|
||||
when: in_sudo_permission
|
||||
|
||||
- name: Add LDAP user to 'sys_protected' group
|
||||
command: usermod -a -G sys_protected {{ in_user_id }}
|
||||
become: yes
|
||||
when: in_sys_protected
|
||||
|
||||
- name: Retrieve LDAP user groups
|
||||
command: groups {{ in_user_id }}
|
||||
register: user_groups
|
||||
|
Loading…
Reference in New Issue
Block a user