Using DebOps ansible roles to manage users
sdanbury opened this issue · 2 comments
Hello!
I am trying to use debops.users to manage users, but am struggling to piece together exactly how all of users__group_groups, users__group, etc. variables work together to offer finer granularity. Is there a full example of how I would define users in my group_vars/host_vars files to, for example, allow for adding groups of users to groups of machines or one-off users to machines individually please?
The examples seem to just specify the same group: debops_all_hosts. Are your roles doing anything fancy with inventory and groups, or do I still need to define my hosts into groups and then reference them from the playbooks? The docs seem to suggest that by using variables I can lay out users for all of my machines without having to specify lots of playbooks for each group of machines.
Thanks in advance, any help would be greatly appreciated.
Hello!
I guess we can start from the top. Ansible uses roles to control what should be done on hosts, and inventory is used to specify on which hosts Ansible should perform its actions. Playbooks combine these two things - in a playbook you specify what roles should be executed on which hosts.
In DebOps, roles and playbooks are supposed to be read-only - the user is not supposed to modify them, so that he/she can get updates without conflicts. That leaves the Ansible inventory as the only place the user is "allowed" to modify and have free rein with. But that also means that DebOps playbooks need to use a set of predefined Ansible inventory groups to function.
The `[debops_all_hosts]` Ansible inventory group is one such predefined group. In the project it means that all hosts in that group are controlled by DebOps roles. It also means that when you execute the default set of playbooks provided with DebOps, the `common.yml` playbook and roles within it will be executed on all hosts in the `[debops_all_hosts]` group. Other DebOps roles that are not in this group might expect that a host was prepared by the `common.yml` playbook.
The `debops.users` Ansible role is a role included in the `common.yml` playbook. This means that you don't need to add a host to any Ansible inventory group other than `[debops_all_hosts]` for it to be executed. Alternatively, the example `service/users.yml` playbook has its own separate `[debops_service_users]` inventory group, so that if you want, you can use this role separately from other roles in the `common.yml` playbook.
The Ansible inventory is like an ogre - it has layers. You can define variables in the `ansible/group_vars/all/` directory, then override them using a group in `ansible/inventory/group_vars/<group>/`, and then override them again per host using `ansible/inventory/host_vars/<hostname>/` directories. This lets you mix and match variables according to your environment needs; you can override some, or combine others together.
The `debops.users` role has a set of default variables which you are supposed to use in the Ansible inventory to configure it. These variables are:

- `users__accounts`: define user accounts on all hosts in the Ansible inventory, usually in the `ansible/inventory/group_vars/all/users.yml` file;
- `users__group_accounts`: define user accounts for a group of hosts in the Ansible inventory, usually in the `ansible/inventory/group_vars/<group_name>/users.yml` file. Only one group level can be used; for more levels you need to do some advanced tricks in the inventory, but we won't cover it here;
- `users__host_accounts`: define user accounts on a specific host in the Ansible inventory, usually in the `ansible/inventory/host_vars/<hostname>/users.yml` file.

There are also additional variables in the role used for specific purposes, but all of them work in a similar way. The variable naming is arbitrary, and you can use them on whichever inventory layer you want. However, if you stick to the naming scheme, it will be easier to understand which data goes where in the future. Using these variables, you can define user accounts like this:
```yaml
# Admin account on all hosts
# ansible/inventory/group_vars/all/users.yml
---
users__accounts:
  - name: 'farquaad'
    group: 'farquaad'
    groups: [ 'admins', 'the-castle' ]
```

```yaml
# User accounts in "rescue-party" host group
# ansible/inventory/group_vars/rescue-party/users.yml
---
users__group_accounts:
  - name: 'shrek'
    group: 'shrek'
    groups: [ 'the-swamp', 'rescue-party' ]
  - name: 'donkey'
    group: 'donkey'
    groups: [ 'rescue-party' ]
```

```yaml
# User accounts on a specific host, 'dragon-keep'
# ansible/inventory/host_vars/dragon-keep/users.yml
---
users__host_accounts:
  - name: 'dragon'
    group: 'dragon'
    groups: [ 'dragon-keep' ]
  - name: 'fiona'
    group: 'dragon'
    groups: [ 'dragon-keep' ]
```
With this configuration, the `farquaad` admin account as well as the `dragon` and `fiona` user accounts will be created on the `dragon-keep` host. But the `shrek` and `donkey` accounts will only be present if the `dragon-keep` host is added to the `rescue-party` Ansible inventory group.
BTW, the all/group/host variable scheme is used in many DebOps roles so that you can mix and match configuration through inventory variables without the need to modify roles or playbooks. It's very handy when you learn how it works.
If you need to know more, let me know.
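The following is an added example, not code from DebOps or from the reply above. It reproduces the three inventory files from the answer as constructed Python dicts and models how Ansible's default variable precedence (`all`, then groups, then host vars) hands the `users__*` lists to the role. The `far-far-away` group and the `gingy` and `swamp-hut` names are hypothetical additions used only to show the "only one group level" caveat: when a host sits in two groups that both define `users__group_accounts`, one list silently replaces the other. The group-ordering rule is a simplification that assumes every group is a direct child of `all`, where Ansible applies them alphabetically with the last one winning.

```python
"""Model how inventory layers feed the users__* lists to the debops.users role.

Added example (not DebOps or Ansible code). Data below is constructed to
mirror the YAML in the thread plus one hypothetical extra group.
"""
from typing import Dict, List

Account = Dict[str, object]

# ansible/inventory/group_vars/all/users.yml
ALL_VARS: Dict[str, List[Account]] = {
    "users__accounts": [
        {"name": "farquaad", "group": "farquaad", "groups": ["admins", "the-castle"]},
    ],
}

GROUP_VARS: Dict[str, Dict[str, List[Account]]] = {
    # ansible/inventory/group_vars/rescue-party/users.yml
    "rescue-party": {
        "users__group_accounts": [
            {"name": "shrek", "group": "shrek", "groups": ["the-swamp", "rescue-party"]},
            {"name": "donkey", "group": "donkey", "groups": ["rescue-party"]},
        ],
    },
    # Hypothetical second group (not in the thread) to show the caveat.
    "far-far-away": {
        "users__group_accounts": [
            {"name": "gingy", "group": "gingy", "groups": ["far-far-away"]},
        ],
    },
}

HOST_VARS: Dict[str, Dict[str, List[Account]]] = {
    # ansible/inventory/host_vars/dragon-keep/users.yml
    "dragon-keep": {
        "users__host_accounts": [
            {"name": "dragon", "group": "dragon", "groups": ["dragon-keep"]},
            {"name": "fiona", "group": "dragon", "groups": ["dragon-keep"]},
        ],
    },
}

# Order in which the role walks the three layers.
LAYER_VARS = ("users__accounts", "users__group_accounts", "users__host_accounts")


def host_groups(host: str, inventory: Dict[str, List[str]]) -> List[str]:
    """Groups containing `host`, in the order their vars are applied.

    Simplifying assumption: all groups are direct children of `all`, so
    Ansible orders them alphabetically and the last one overrides earlier ones.
    """
    return sorted(g for g, members in inventory.items() if host in members)


def effective_vars(host: str, inventory: Dict[str, List[str]]) -> Dict[str, List[Account]]:
    """Apply all -> group -> host precedence; a key is replaced, never merged."""
    merged: Dict[str, List[Account]] = dict(ALL_VARS)
    for group in host_groups(host, inventory):
        merged.update(GROUP_VARS.get(group, {}))
    merged.update(HOST_VARS.get(host, {}))
    return merged


def account_names(host: str, inventory: Dict[str, List[str]]) -> List[str]:
    """Account names the role would create: the three lists, concatenated in layer order."""
    merged = effective_vars(host, inventory)
    return [str(acct["name"]) for var in LAYER_VARS for acct in merged.get(var, [])]


def shadowed_groups(host: str, inventory: Dict[str, List[str]]) -> List[str]:
    """Groups whose users__group_accounts were replaced by a later group.

    A pre-flight check: an account list that never reaches the host fails
    silently, which is easy to miss when it holds the accounts you rely on.
    """
    defining = [g for g in host_groups(host, inventory)
                if "users__group_accounts" in GROUP_VARS.get(g, {})]
    return defining[:-1]


if __name__ == "__main__":
    scenarios = (
        {},
        {"rescue-party": ["dragon-keep"]},
        {"rescue-party": ["dragon-keep"], "far-far-away": ["dragon-keep"]},
    )
    for inv in scenarios:
        print(sorted(inv), account_names("dragon-keep", inv),
              "shadowed:", shadowed_groups("dragon-keep", inv))
```

Running it shows the three cases from the answer: with no group membership `dragon-keep` gets `farquaad`, `dragon` and `fiona`; adding it to `rescue-party` brings in `shrek` and `donkey`; adding it to `far-far-away` as well changes nothing visible, because `rescue-party` sorts later and its `users__group_accounts` list replaces the other one, which `shadowed_groups` reports.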
Thank you so much for typing that out for me, really helpful. I understand how it all fits together now and have got a simple working solution.
Thanks again.