Managing System Users Using Ansible

Setting Up Ansible User

Ansible User Setup in Controller Node

[root@controller-node]# adduser ansible
[root@controller-node]# su - ansible
[ansible@controller-node]$ ssh-keygen -t rsa -b 4096 -C "ansible"
[ansible@controller-node]$ cd /home/ansible/.ssh/
[ansible@controller-node .ssh]$ ls
id_rsa  id_rsa.pub
[ansible@controller-node .ssh]$ cat id_rsa.pub
ssh-rsa [public key omitted] ansible
[ansible@controller-node .ssh]$ exit
[root@controller-node]# exit
[root@controller-node]# visudo
#includedir /etc/sudoers.d
ansible ALL=(ALL) NOPASSWD: ALL

Ansible User Setup on Target Node

[root@node1]# sudo adduser ansible
[root@node1]# sudo su - ansible
[ansible@node1 ~]$ cd /home/ansible
[ansible@node1 ~]$ mkdir .ssh
[ansible@node1 ~]$ touch authorized_keys
[ansible@node1 ~]$ chmod 600 authorized_keys
[ansible@node1 ~]$ cat authorized_keys
ssh-rsa [public key omitted] ansible
[ansible@localhost ~]$ ssh-copy-id ansible@node3
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: WARNING: All keys were skipped because they already exist on the remote system.
[ansible@localhost ~]$ ssh-copy-id ansible@node2
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: WARNING: All keys were skipped because they already exist on the remote system.
[ansible@localhost ~]$ ssh-copy-id ansible@node1
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
ansible@node1's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'ansible@node1'"
and check to make sure that only the key(s) you wanted were added.
[root@controller-node]# visudo
#includedir /etc/sudoers.d
ansible ALL=(ALL) NOPASSWD: ALL

Operations Perspective

  1. sudo users
  2. non-sudoers users
  3. nologin users (system users)

Managing System Users Using Ansible

Adding System Users Using Ansible

  1. Create the directory structure on the controller; it should look like this:

[ansible@controller]$ tree
.
└── ssh
    ├── files
    ├── tasks
    │   └── main.yml
    └── vars

  Here is what each item in the structure above is for:
  • ssh: the role that ansible-playbook runs
  • files: place every user's public key in this directory
  • tasks: the main.yml file in this directory is executed when the role runs
  • vars: the user definitions are stored in this directory

  2. Create the file users.yml:

[ansible@controller]$ tree
.
└── ssh
    ├── files
    ├── tasks
    │   └── main.yml
    └── vars
        └── users.yml

  3. In users.yml, list the users that require sudo access and those that do not:

[ansible@controller]$ cat ssh/vars/users.yml
---
users:
  - username: user2
    use_sudo: yes
  - username: user4
    use_sudo: no
  - username: user6
    use_sudo: no

  4. Now place the public keys of user2, user4 and user6 in the files directory, which should then look like this:

[ansible@controller]$ tree
.
└── ssh
    ├── files
    │   ├── user2.pub
    │   ├── user4.pub
    │   └── user6.pub
    ├── tasks
    │   └── main.yml
    └── vars
        └── users.yml

4 directories, 5 files

  5. Next, define the tasks the role runs under the tasks directory. Edit the file main.yml and add the following definition:

[ansible@ ~]$ cat ssh/tasks/main.yml
---
- include_vars: users.yml

- name: Create users with home directory
  user: name={{ item.username }} shell=/bin/bash createhome=yes comment='Created by Ansible'
  with_items: '{{users}}'

- name: Setup | authorized key upload
  authorized_key: user={{ item.username }} key="{{ lookup('file', 'files/{{ item.username }}.pub') }}"
  when: '{{ item.use_sudo }} == True'
  with_items: '{{users}}'

- name: Sudoers | update sudoers file and validate
  lineinfile: "dest=/etc/sudoers insertafter=EOF line='{{ item.username }} ALL=(ALL) NOPASSWD: ALL' regexp='^{{ item.username }} .*' state=present"
  when: '{{ item.use_sudo }} == True'
  with_items: '{{users}}'

  The tasks do the following, in order:
  • First, the variables from users.yml are included.
  • Using the Ansible user module, the users from the list are created.
  • Using the Ansible authorized_key module, each user's SSH public key is added to the created home directory (the when clause above restricts this task to users with use_sudo set).
  • Finally, the sudoers entry is written to determine which users are granted sudo access.

  6. Run the playbook:
[ansible@ ~]$ tree
.
├── hosts
└── ssh
    ├── files
    │   ├── user2.pub
    │   ├── user4.pub
    │   └── user6.pub
    ├── tasks
    │   └── main.yml
    └── vars
        └── users.yml

4 directories, 6 files
[ansible@~]$ cat hosts
[all]
node1
node2
node3
[ansible@~]$ cat ssh.yml
# To Run this Playbook Issue the command
# Author Anish Nath
# ansible-playbook ssh.yml
---
- hosts: all
  become: yes
  gather_facts: yes
  roles:
    - { role: ssh }
[ansible@controller]$ ansible-playbook ssh.yml -i hosts
PLAY [all] *************************************************************************************************************************************

TASK [Gathering Facts] *************************************************************************************************************************
ok: [node1]
ok: [node3]
ok: [node2]
TASK [ssh : include_vars] **********************************************************************************************************************
ok: [node1]
ok: [node2]
ok: [node3]
TASK [ssh : Create users with home directory] **************************************************************************************************
changed: [node2] => (item={u'username': u'user2', u'use_sudo': True})
changed: [node1] => (item={u'username': u'user2', u'use_sudo': True})
changed: [node3] => (item={u'username': u'user2', u'use_sudo': True})
changed: [node2] => (item={u'username': u'user4', u'use_sudo': False})
changed: [node1] => (item={u'username': u'user4', u'use_sudo': False})
changed: [node3] => (item={u'username': u'user4', u'use_sudo': False})
changed: [node2] => (item={u'username': u'user6', u'use_sudo': False})
changed: [node1] => (item={u'username': u'user6', u'use_sudo': False})
changed: [node3] => (item={u'username': u'user6', u'use_sudo': False})
TASK [ssh : Setup | authorized key upload] *****************************************************************************************************
[WARNING]: when statements should not include jinja2 templating delimiters such as {{ }} or {% %}. Found: {{ item.use_sudo }} == True
[WARNING]: when statements should not include jinja2 templating delimiters such as {{ }} or {% %}. Found: {{ item.use_sudo }} == True
[WARNING]: when statements should not include jinja2 templating delimiters such as {{ }} or {% %}. Found: {{ item.use_sudo }} == True
ok: [node1] => (item={u'username': u'user2', u'use_sudo': True})
skipping: [node1] => (item={u'username': u'user4', u'use_sudo': False})
skipping: [node1] => (item={u'username': u'user6', u'use_sudo': False})
ok: [node3] => (item={u'username': u'user2', u'use_sudo': True})
skipping: [node3] => (item={u'username': u'user4', u'use_sudo': False})
ok: [node2] => (item={u'username': u'user2', u'use_sudo': True})
skipping: [node2] => (item={u'username': u'user4', u'use_sudo': False})
skipping: [node3] => (item={u'username': u'user6', u'use_sudo': False})
skipping: [node2] => (item={u'username': u'user6', u'use_sudo': False})
TASK [ssh : Sudoers | update sudoers file and validate] ****************************************************************************************
[WARNING]: when statements should not include jinja2 templating delimiters such as {{ }} or {% %}. Found: {{ item.use_sudo }} == True
[WARNING]: when statements should not include jinja2 templating delimiters such as {{ }} or {% %}. Found: {{ item.use_sudo }} == True
[WARNING]: when statements should not include jinja2 templating delimiters such as {{ }} or {% %}. Found: {{ item.use_sudo }} == True
ok: [node3] => (item={u'username': u'user2', u'use_sudo': True})
skipping: [node3] => (item={u'username': u'user4', u'use_sudo': False})
skipping: [node3] => (item={u'username': u'user6', u'use_sudo': False})
ok: [node1] => (item={u'username': u'user2', u'use_sudo': True})
skipping: [node1] => (item={u'username': u'user4', u'use_sudo': False})
skipping: [node1] => (item={u'username': u'user6', u'use_sudo': False})
ok: [node2] => (item={u'username': u'user2', u'use_sudo': True})
skipping: [node2] => (item={u'username': u'user4', u'use_sudo': False})
skipping: [node2] => (item={u'username': u'user6', u'use_sudo': False})
PLAY RECAP *************************************************************************************************************************************
node1 : ok=5 changed=1 unreachable=0 failed=0
node2 : ok=5 changed=1 unreachable=0 failed=0
node3 : ok=5 changed=1 unreachable=0 failed=0
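The run above shows the when clause triggering the jinja2-delimiter warning, and because the authorized_key task is also gated on use_sudo, user4 and user6 are created with no key at all. As an added example (not the article's role), this ssh/tasks/main.yml uploads a key for every listed user, writes each sudo grant as its own visudo-validated file under /etc/sudoers.d (picked up through the #includedir line shown in the visudo sessions earlier) and revokes the grant when use_sudo is later set to no; it assumes the article's vars/users.yml and files/<username>.pub layout.

```yaml
---
# Added example, not the article's role: ssh/tasks/main.yml with a key for
# every user, per-user sudoers.d drop-ins validated by visudo, and revocation.
# Assumes the article's layout: vars/users.yml and files/<username>.pub.
- name: Load the user list
  include_vars: users.yml

- name: Create users with a home directory
  user:
    name: "{{ item.username }}"
    shell: /bin/bash
    create_home: yes
    comment: Created by Ansible
  loop: "{{ users }}"

- name: Install each user's public key (sudo and non-sudo users alike)
  authorized_key:
    user: "{{ item.username }}"
    key: "{{ lookup('file', 'files/' ~ item.username ~ '.pub') }}"
    exclusive: yes   # any key not shipped in files/ is removed from the account
  loop: "{{ users }}"

- name: Grant sudo with one drop-in per user, checked by visudo before install
  copy:
    dest: "/etc/sudoers.d/{{ item.username }}"
    content: "{{ item.username }} ALL=(ALL) NOPASSWD: ALL\n"
    owner: root
    group: root
    mode: "0440"
    validate: /usr/sbin/visudo -cf %s
  loop: "{{ users }}"
  when: item.use_sudo | bool   # plain expression, no {{ }}, so no warning

- name: Revoke sudo from users whose use_sudo is no
  file:
    path: "/etc/sudoers.d/{{ item.username }}"
    state: absent
  loop: "{{ users }}"
  when: not (item.use_sudo | bool)
```

Because the grant is a separate file per user, flipping use_sudo from yes to no in users.yml removes it on the next run instead of leaving a stale line in /etc/sudoers.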

Removing System Users Using Ansible

[ansible@controller]$ cat ssh/vars/users.yml
---
users:
  - username: user2
    use_sudo: yes
  - username: user4
    use_sudo: no
  - username: user6
    use_sudo: no
[ansible@controller]$ cat ssh/vars/users.yml
---
users:
  - username: user4
    use_sudo: no
  - username: user6
    use_sudo: no
[ansible@controller ~]$ cat ssh/vars/deleteusers.yml
---
users:
  - username: user2
  - username: user3
  - username: user5
- include_vars: deleteusers.yml

- name: Deleting The users
  user: name={{ item.username }} state=absent remove=yes
  with_items: '{{users}}'
[ansible@controller ~]$ ansible-playbook ssh.yml -i hosts
TASK [ssh : Deleting The users] ****************************************************************************************************************
changed: [node2] => (item={u'username': u'user2'})
changed: [node1] => (item={u'username': u'user2'})
changed: [node3] => (item={u'username': u'user2'})
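The deletion task above removes the account and its home directory, but the sudoers line that the lineinfile task wrote for user2 stays in /etc/sudoers, where it would apply again if the username were ever reused. As an added example (not the article's tasks), these offboarding tasks revoke sudo first and only then remove the account; they assume the article's deleteusers.yml, and the /etc/sudoers.d/<username> path is an assumption covering grants made as per-user drop-ins.

```yaml
---
# Added example, not the article's tasks: offboarding that revokes sudo before
# the account is removed. Assumes the article's deleteusers.yml list; the
# /etc/sudoers.d/<username> drop-in path is an assumption, so the article's
# /etc/sudoers line is handled as well.
- name: Load the list of accounts to remove
  include_vars: deleteusers.yml

- name: Revoke sudo granted as a /etc/sudoers.d drop-in
  file:
    path: "/etc/sudoers.d/{{ item.username }}"
    state: absent
  loop: "{{ users }}"

- name: Revoke sudo granted as a line in /etc/sudoers (the article's lineinfile task)
  lineinfile:
    path: /etc/sudoers
    regexp: "^{{ item.username }}\\s"
    state: absent
    validate: /usr/sbin/visudo -cf %s
  loop: "{{ users }}"

- name: Remove the account together with its home directory and mail spool
  user:
    name: "{{ item.username }}"
    state: absent
    remove: yes   # userdel --remove: home directory and mail spool go too
    force: yes    # userdel --force: proceed even if the user is still logged in
  loop: "{{ users }}"
```

Accounts that never existed on a node (user3 and user5 in the article's list) report ok rather than changed, so the same list can be replayed safely.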

Conclusion


Follow me to keep abreast with the latest technology news, industry insights, and developer trends. Alibaba Cloud website:https://www.alibabacloud.com
