Usermod multiple groups (#66)
* Remove unused register

* Document & Test adding a user to multiple groups

https://github.com/CSCfi/ansible-role-users/blob/fc7d13287660ed1f07965ba331850966c62c99ac/tasks/main.yml

usermod supports multiple groups, but they should be comma separated.

Skip the usermod commands if groups is not a string.

Another option would be to early in the role assert that groups is a
string or not a list and then fail.

This part is not so well tested. I think one could with some backwards
breaking? changes make the role work with `groups` being a real yaml list also.

`|join(',')` jinja2 filter could be one option

The ansible users module supports `groups` being a list after ansible 2.3.

Around this point you should really start considering using
a central user directory like LDAP...

Bonus change:
- Add the remaining `] }` to the multi SSH user definition example.

* test: Test a user with a list of groups
matteopozza authored Aug 19, 2021
1 parent bd6eb88 commit 3db3e07
Showing 3 changed files with 7 additions and 2 deletions.
5 changes: 4 additions & 1 deletion README.md
Expand Up @@ -37,14 +37,16 @@ adminremove_passwords: false

<pre>

- { name: multisshkeyuser, uid: 5004, group: "{{admingroup}}", groups: "agroup,bgroup", state: "present", shell: "{{adminshell}}", pubkeys: [ { pubkey: "ssh-rsa KEY1" }, { pubkey: "ssh-rsa KEY2" }, { pubkey: "ssh-rsa KEY3", key_state: 'absent' }
- { name: multisshkeyuser, uid: 5004, group: "{{admingroup}}", groups: "agroup,bgroup", state: "present", shell: "{{adminshell}}", pubkeys: [ { pubkey: "ssh-rsa KEY1" }, { pubkey: "ssh-rsa KEY2" }, { pubkey: "ssh-rsa KEY3", key_state: 'absent' } ] }

</pre>

# Caveats

Modifying a logged in user's UID does not work. Don't do it. The role anticipates this and only modifies group and groups for those users.

groups key of a user: This can be several groups, but it currently needs to be a string or the usermod command becomes unhappy.

# License

MIT
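Review bot: The new caveat under `# Caveats` says `groups` "needs to be a string" but does not say what the role does when it receives a list, even though tests/test_idempotency.yml in this commit adds a user with `groups: ["agroup","bgroup"]`. State the behaviour described in the commit message: the usermod commands are skipped when `groups` is not a string, so a logged-in user defined with a list keeps whatever supplementary groups they already have. That is worth spelling out because an intended group change for such a user would not be applied and nothing would report it.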
Expand All @@ -54,3 +56,4 @@ MIT
- https://github.com/martbhell
- https://github.com/peterjenkins1
- https://github.com/khappone
- https://github.com/oscarkraemer
3 changes: 2 additions & 1 deletion tasks/main.yml
Expand Up @@ -54,7 +54,6 @@
group:
name: "{{ group.name }}"
gid: "{{ group.gid | default(omit) }}"
register: reg_add_group
when: admin_list_of_groups is defined and admin_list_of_groups.0 is defined
with_items: "{{ admin_list_of_groups }}"
loop_control:
Expand Down Expand Up @@ -118,6 +117,7 @@
- user.name in admin_logged_in_users
- user.group is defined
- user.groups is defined
- user.groups == "AnsibleUnsafeText"
- user.uid is defined # We only need this usermod command to set group and groups for any logged in users

# An extra exception if the group key is not defined for the logged in user
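Review bot: The added condition `- user.groups == "AnsibleUnsafeText"` compares the value of `groups` with a literal string, not its type, so it is false for `"agroup,bgroup"` just as it is for a list, and this usermod task would be skipped for every logged-in user whose `groups` is not literally the text AnsibleUnsafeText. If the intent is the one in the commit message (skip when `groups` is not a string), the Jinja2 test `user.groups is string` expresses it directly and does not depend on Ansible's internal class names.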
Expand All @@ -131,6 +131,7 @@
- user.name in admin_logged_in_users
- user.group is undefined
- user.groups is defined
- user.groups == "AnsibleUnsafeText"

- name: Remove wheel group in sudoers if admin group was added and the sudoers.d file for the admin group was added
lineinfile:
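Review bot: The added `- user.groups == "AnsibleUnsafeText"` in this `user.group is undefined` block tests the value of `groups`, not its type, so the condition fails for ordinary strings such as `"agroup"` and the task never runs for them. Use `user.groups is string` if the goal is to skip only non-string values. Consider the alternative raised in the commit message as well, asserting early in the role that `groups` is a string and failing, so that a skipped group update for a logged-in user is visible instead of silent.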
1 change: 1 addition & 0 deletions tests/test_idempotency.yml
Expand Up @@ -30,6 +30,7 @@
- {name: user8, state: 'absent', uid: 6008, comment: "comment1", remove: "yes" }
- {name: user9, state: 'present', uid: 6009 }
- {name: user10, state: 'present', uid: 6010, group: "{{admingroup}}", groups: "agroup" }
- {name: user11, state: 'present', uid: 6011, group: "{{admingroup}}", groups: ["agroup","bgroup"] }
- anotheruserlisthere:
- {name: training1, state: 'present', uid: 7001, shell: "{{adminshell}}" }
- {name: training2, state: 'present', uid: 7002 }
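Review bot: user11 covers the list form, but the comma-separated multi-group string that the README documents (`groups: "agroup,bgroup"`) has no test user here; user10 only has `groups: "agroup"`. Add a user with two groups in one string so the documented form is tested. Nothing in this hunk makes user11 a logged-in user either, so the new `when` conditions in tasks/main.yml, which sit beside `user.name in admin_logged_in_users`, are probably not exercised by this test.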