Starting Notes
First, I ran across a missing Ansible collection [of modules] while working through this video. Specifically, the authorized_key module was missing. After a short search, I was able to drop the collection on the server with the following command:
ansible-galaxy collection install ansible.posix
Once done, I could deploy the keys.
Next, the author added a line in this video:
changed_when: false
to two of the commands in the bootstrap.yml file. I received errors from Ansible when adding this line, so I removed it. By watching the video, you can see the impact of removing this line, which is rather trivial.
Finally, I've rewritten the entire access and permissions parts. The method employed by the author is good for setting up a small lab, but in my case, I tend to work from a large enterprise perspective, and the manual work required to prepare an Ansible user account simply does not scale well to hundreds or thousands of servers.
User Management
User management is actually very straight forward, and the plays are rather easy to understand. We will start by creating an application user account. It is customary to run applications with service accounts that have restricted permissions. In this case, we are creating a user account to run the billing application. The application and user are part of the accounting group, so we will first be sure that the accounting group exists.
- name: Ensure Group "accounting" Exists
group:
name: accounting
state: present
gid: 5006
- name: Ensure User svc_billing Exists on Servers
tags: always
user:
name: svc_billing
groups: accounting
shell: /sbin/nologin
state: present
The accounting group in this case is called, well, accounting. We want it to be present, and we manage group ids also, so we'll want to specify that gid.
Next we create our service account, svc_billing. We use groups to force that account to be a member of the accounting group. Since this is a service account, we don't expect anyone to actually use it for a login, so we disable logins for that account.
Now we'll move on to an administrative user account. That account will need extra authority to execute commands. Since permissions are maintained in our fictitious company at the group level, we need to be sure the group is available first, and that is has the appropriate sudo permissions.
- name: Ensure Group "support" Exists
tags: always
group:
name: support
state: present
gid: 5007
- name: Ensure sudoers File is in Place
tags: always
copy:
src: /opt/ansible/files/sudoers/sudoer_support
dest: /etc/sudoers.d/support
owner: root
group: root
For this to work, we'll need to create the file to copy over with the actual sudo entry. The path and filename are above. The content consists of a single line:
%support ALL=(ALL) NOPASSWD: ALL
Now that we are confident our group will be available, we can create our user account:
- name: Ensure Admin User Account jdoe is Available
tags: always
user:
name: jdoe
groups: support
state: present
tags: always
authorized_key:
user: jdoe
key: "ssh-rsa AAAAC3dsfSDF9a79kll0[...]REsd9fdfkjRGLDSFGJ jdoe"
Here, we create the jdoe user, assign and tag the account as a system account. We also assign them to the support group. We also take their public key and add to the authorized_key files in any accounts that are created. We assume jdoe has just become part of the organization, and issued the ssh-keygen command to create their own public/private key pair, and pasted their public key in the play.
No comments:
Post a Comment