starlingx/ansible-playbooks
Code Issues Proposed changes
Files
1bda288e96238f91bd84fa2a9ad85bcd2cae10bb
ansible-playbooks/playbookconfig/src/playbooks/manage_local_ldap_account.yml
Carmen Rata 1bda288e96 Add "sys_protected" argument to LDAP playbook 
This commit adds "sys_protected" optional argument to LDAP playbook
"manage_local_ldap_account.yml". The new argument automates adding
an ldap user to the "sys_protected" group at creation time.
Supported values for the "sys_protected" argument are "yes" and "no",
"no" being the default value.

Test Plan:
PASS: Debian image gets successfully installed in AIO-SX system.
PASS: Configure "secure-inventory" configuration for a standalone
system.
PASS: Successful ldap user creation with membership in "sys_protected"
group, using argument "sys_protected=yes".
PASS: Execute LDAP playbook to create a user with no membership in
"sys_protected" group, using argument "sys_protected=no"
PASS: Execute LDAP playbook to create a user with no membership in
"sys_protected" group without setting argument "sys_protected" to
verify the default value.
PASS: Configure "secure-inventory" configuration for a DC system.
PASS: Test "sys_protected" argument usage for LDAP playbook in a DC
system by creating an ldap user in a "sys_protected" group, both on
the system controller and on a subcloud.

Story: 2010589
Task: 47908

Signed-off-by: Carmen Rata <carmen.rata@windriver.com>
Change-Id: I4d487e70b4b1ace3c5b08a7ae10595b4accc2b51
2023-05-02 14:41:00 +00:00

184 lines
6.2 KiB
YAML
Raw Blame History

---
# Copyright (c) 2022 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
# Create a new LDAP user with keystone account and sudo access. The playbook
# uses the openrc-template.j2 file as a template for the keystone account
# openrc file.
#
# Users will be prompted for the following parameters:
# - user_id : id for the new account
# - user_password : password for the new account.
# The parameters below use a default value if they are not defined:
# - password_change_period : number of days before needing to change password
# (default: 90)
# - password_warning_period : number of days to warn about changing the password
# (default: 2)
# - user_role : role for the new user as 'admin'/'member'/'reader'
# (default: 'admin')
#
# The inventory file contains the password of system controller
# Do not add any subclouds to the inventory file. The list of subclouds
# will be dynamically added to the inventory by the playbook itself. To access,
# the subclouds, the system controller for that subcloud will be used as a jump
# host and the subcloud's ansible_ssh_common_args variable is set to allow
# this. This ansible_ssh_common_args variable requires access to the
# variables (for connecting to the system controller), which requires these
# parameters to be explicitly supplied through the inventory or passed down
# through the --extra-vars parameter. Specifying --ask-pass and --user will
# NOT work in these instances.
#
# A special caveat of using the system controller as a jump host is that the
# /etc/ssh/sshd_config file must have AllowTcpForwarding set to yes. This
# playbook enables this option while the user account creation is progressing
# and disables it when complete.
#
# Example to add user 'na-admin' (mode=create is default):
# ansible-playbook --inventory inventory --extra-vars='user_id=na-admin' \
# /usr/share/ansible/stx-ansible/playbooks/manage_local_ldap_account.yml
#
# Example to add user 'na-admin' with the use of variable mode=create:
# ansible-playbook --inventory inventory --extra-vars='user_id=na-admin mode=create' \
# /usr/share/ansible/stx-ansible/playbooks/manage_local_ldap_account.yml
#
# Example to delete user 'na-admin':
# ansible-playbook --inventory inventory --extra-vars='user_id=na-admin \
# mode=delete' /usr/share/ansible/stx-ansible/playbooks/manage_local_ldap_account.yml
#
- hosts: systemcontroller
gather_facts: no
vars_prompt:
- name: user_id
prompt: "What is the name of the user account?"
private: no
pre_tasks:
- set_fact:
in_mode: "{{ mode }}"
when: mode is defined
- name: Validate in_mode
fail:
msg: "The mode must be 'create' or 'delete'."
when: "in_mode not in ['create', 'delete']"
- name: Validate user_id
fail:
msg: "The user account cannot be empty. Please provide a valid user account."
when: user_id == ''
- name: Validate user_role
fail:
msg: "The user role must be 'admin', 'member' or 'reader'."
when: "user_role is defined and user_role not in ['admin', 'member', 'reader']"
- name: Default to create if mode is not specified
set_fact:
in_mode: "create"
when: "in_mode is not defined"
- block:
- pause:
prompt: "What is the password for the user account?"
echo: no
register: prompt
no_log: no
- set_fact:
in_user_password: "{{ prompt.user_input }}"
no_log: no
- name: Validate user_password
fail:
msg: "The password cannot be empty. Please provide a valid password for the user account."
when: "in_mode == 'create' and ( in_user_password is not defined and in_user_password == '' )"
when: in_mode == 'create'
- set_fact:
password_change_period: 90
password_warning_period: 2
# The user id and password variables need to be explicitly set here.
# Otherwise, there would be undefined variable errors in subsequent
# plays.
- name: Set the user id and password facts for subsequent plays
set_fact:
in_user_id: "{{ user_id }}"
- name: Set the user role fact for subsequent plays
set_fact:
in_user_role: "{{ user_role if user_role is defined else 'admin' }}"
- name: Set sudo_permission flag fact upfront
set_fact:
in_sudo_permission: "{{ true if sudo_permission is defined and sudo_permission | bool else false }}"
- name: Set sys_protected flag fact upfront
set_fact:
in_sys_protected: "{{ true if sys_protected is defined and sys_protected | bool else false }}"
- hosts: systemcontroller
gather_facts: no
vars:
ssh_internal_args: -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no
tasks:
- include_role:
name: manage-local-ldap-account/create-account
when: in_mode == 'create'
- include_role:
name: manage-local-ldap-account/delete-account
when: in_mode == 'delete'
- hosts: all
gather_facts: no
vars:
ssh_internal_args: -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no
tasks:
- name: Enable AllowTcpForwarding setting in ssh config
lineinfile:
regexp: ^[ \t]*AllowTcpForwarding([ \t]+.*)$
line: AllowTcpForwarding yes
dest: /etc/ssh/sshd_config
validate: sshd -t -f %s
notify:
- reload sshd
become: yes
when: ('systemcontroller' in group_names)
- meta: flush_handlers
- name: Manage keystone user {{ in_user_id }}
block:
- include_role:
name: manage-local-ldap-account/create-keystone-account
when: in_mode == 'create'
- include_role:
name: manage-local-ldap-account/delete-keystone-account
when: in_mode == 'delete'
always:
- name: Disable AllowTcpForwarding setting in ssh config
lineinfile:
regexp: ^[ \t]*AllowTcpForwarding([ \t]+.*)$
line: AllowTcpForwarding no
dest: /etc/ssh/sshd_config
validate: sshd -t -f %s
notify:
- reload sshd
when: ('systemcontroller' in group_names)
become: yes
handlers:
- name: reload sshd
service:
name: sshd
state: reloaded
become: true
View Git Blame Copy Permalink