Referencing Ansible variables

Time: 2018-05-30 13:27:05

Tags: ansible ansible-template

I'm new to Ansible and I'm trying to control user access. I found this playbook on Galaxy:

https://github.com/singleplatform-eng/ansible-users

I'm also reading this source to help manage different environments:

https://www.digitalocean.com/community/tutorials/how-to-manage-multistage-environments-with-ansible

So I have the following setup:

vagrant@ansible:~/ansible$ tree
├── ansible.cfg
├── debug.yml
├── dev_site.yml
├── filter_plugins
├── group_vars
│   └── all
│       └── 000_cross_env_vars -> ../../inventories/000_cross_env_vars
├── hosts
├── inventories
│   ├── 000_cross_env_vars
│   ├── development
│   │   ├── group_vars
│   │   │   └── all
│   │   │       ├── 000_cross_env_vars -> ../../../000_cross_env_vars
│   │   │       └── env_specific.yml
│   │   ├── hosts
│   │   └── host_vars
│   │       └── hostname1
│   ├── production
│   │   ├── group_vars
│   │   │   └── all
│   │   │       ├── 000_cross_env_vars -> ../../../000_cross_env_vars
│   │   │       └── env_specific
│   │   ├── hosts
│   │   └── host_vars
│   │       └── hostname1
│   └── staging
│       ├── group_vars
│       │   └── all
│       │       ├── 000_cross_env_vars -> ../../../000_cross_env_vars
│       │       └── env_specific.yml
│       ├── hosts
│       └── host_vars
│           └── hostname1
├── library
├── mgmt-ssh-add-key.yml
├── module_utils
├── prod_site.yml
├── README.md
├── roles
│   └── users <--- FROM LINK ABOVE
│       ├── defaults
│       │   └── main.yml
│       ├── handlers
│       │   └── main.yml
│       ├── meta
│       │   └── main.yml
│       ├── tasks
│       │   ├── main.yml
│       └── tests
│           └── test.yml
├── stage_site.yml
├── user_accounts.retry
└── user_accounts.yml

Playbook

vagrant@ansible:~/ansible$ cat user_accounts.yml 
---
- hosts: all
  become: true
  remote_user: vagrant
  vars_files:
    - "{{ inventory_dir }}/group_vars/all/env_specific.yml"
  roles:
    - users

Variables shared between environments

vagrant@ansible:~/ansible$ more inventories/000_cross_env_vars 
---
# System Users
users:
  - username: sbody
    name: Some Body
    uid: 3001
    groups: "{{ users_groups.['username'].groups }}"
    home: /home/sbody
    profile: |
      alias ll='ls -lah'
    ssh_key:
      - "ssh-rsa ... "

# Users to delete
users_deleted:
  - username: bar
    uid: 9002
    remove: yes
    force: yes

Environment-specific variables

vagrant@ansible:~/ansible$ cat inventories/development/group_vars/all/env_specific.yml 
# here we assign variables to particular groups
env: dev
users_groups:
  - username: sbody
    groups: ['users','developers'] # feeds groups in user creation

# Groups to create
groups_to_create:
  - name: developers
    gid: 10000

I think there's a way to give each user in 000_cross_env_vars its group membership from env_specific.yml, but I don't know how it would override 000_cross_env_vars if there is no env_specific.yml. Any help is greatly appreciated. Thanks in advance.

Edit:

I made the following changes and it now seems to be getting closer:

vagrant@ansible:~/ansible$ cat inventories/development/group_vars/all/env_specific.yml 
# here we assign variables to particular groups
stage: dev
group_membership:
  sbody_groups: ['users','developers']

User declaration:

vagrant@ansible:~/ansible$ more inventories/000_cross_env_vars 
---
# System Users
users:
  - username: sbody
    name: Some Body
    uid: 3001
    groups:  "{{ group_membership['sbody_groups'] }}"
    home: /home/sbody
    profile: |
      alias ll='ls -lah'
    ssh_key:
      - "ssh-rsa ... "

So now I need to figure out how to set a default if user_group is not defined.
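One way to get the fallback the question asks for, shown here as an added example rather than the asker's own files: keep a deliberately minimal default group list in the shared file and let each environment's group_membership override it. The variable name default_user_groups and the file name check_groups.yml are assumptions introduced for this example; the three files are shown in one block, separated by comments.

```yaml
# --- inventories/000_cross_env_vars  (added example, not the asker's file) ---
---
# Fallback used when an environment defines no membership for a user.
# Keep it minimal: a missing env_specific.yml must never widen access,
# so no sudo/wheel style groups belong here.  (assumed variable name)
default_user_groups: ['users']

users:
  - username: sbody
    name: Some Body
    uid: 3001
    # Evaluated lazily when the users role reads the list: if group_membership
    # is undefined (no env_specific.yml) or has no entry for this user,
    # default_user_groups is used instead.
    groups: "{{ (group_membership | default({})).get('sbody_groups', default_user_groups) }}"
    home: /home/sbody
    profile: |
      alias ll='ls -lah'
    ssh_key:
      - "ssh-rsa ... "

# --- inventories/development/group_vars/all/env_specific.yml ---
---
stage: dev
group_membership:
  sbody_groups: ['users', 'developers']

# --- check_groups.yml (assumed name): preview what each account would get ---
---
- hosts: all
  gather_facts: false
  tasks:
    - name: Fail early if the fallback list itself grants admin rights
      assert:
        that:
          - "'sudo' not in default_user_groups"
          - "'wheel' not in default_user_groups"
        fail_msg: "default_user_groups must not contain an admin group"

    - name: Show the resolved group list per user
      debug:
        msg: "{{ item.username }} -> {{ item.groups }}"
      loop: "{{ users }}"
      loop_control:
        label: "{{ item.username }}"   # keeps ssh keys out of the log
```

Run it against one inventory at a time, for example ansible-playbook -i inventories/development check_groups.yml, and compare with ansible-playbook -i inventories/production check_groups.yml. Because env_specific.yml lives under the inventory's own group_vars/all directory, Ansible loads it automatically, so the vars_files entry in the asker's playbook can be dropped; that matters here because a vars_files entry pointing at a file that does not exist is a hard error, which defeats the fallback.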

2 answers:

Answer 0 (score: 0)

From my experience: I prefer using inventory vars rather than a vars directory, instead using:

- name: Read all variables
  block:
    - name: Get stats on all variable files
      stat:
        path: "{{ item }}"
      with_fileglob:
        - "vars/global/common.yml"
        - "vars/{{ env|default('dev') }}/default.yml"
        - "vars/{{ env|default('dev') }}/secrets.vault"
      register: _variables_stat

    - name: Include all variable files (only when found)
      include_vars: "{{ item.stat.path }}"
      when: item.stat.exists
      with_items: "{{ _variables_stat.results }}"
      no_log: true
  delegate_to: localhost
  become: false

env can be selected from the inventory or from the command line.

Your global variables are read first and then replaced by your environment's ones (if they exist). If not, you always have the default option.

Answer 1 (score: 0)

From personal experience, I have used inventories to separate environments, and it creates unnecessary overhead when trying to keep certain variables in sync across different inventories.

What we chose instead was to separate environments by inventory group. That way we can load variables based on the group name, pass those variables to our roles, and take advantage of Ansible's inventory auto-loading mechanism.

- name: Manage Users
  hosts: some-host
  pre_tasks:   # roles run before tasks, so the lists must be built in pre_tasks
    - name: Include Common Users & Groups
      set_fact:
        users: "{{ common_users }}"
        usergroups: "{{ common_usergroups }}"
    - name: Include Users Based on Groups
      set_fact:
        users: "{{ users + q('vars', item + '_users') }}"
        usergroups: "{{ usergroups + q('vars', item + '_usergroups') }}"
      loop: "{{ lookup('items', group_names) }}"
  roles:
    - role: users

However, the query filter and the vars lookup are new features that ship with Ansible 2.5.
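The group-based layout this answer describes, filled in as an added example (not the answerer's files): environments are inventory groups, each group's group_vars file contributes its own <group>_users and <group>_usergroups lists, and the vars lookup's default= option supplies an empty list for any group that declares none, which is the "default when undefined" the question is after. The inventory.yml, group_vars and manage_users.yml file names and all host names are constructed for this example.

```yaml
# --- inventory.yml (constructed): each environment is an inventory group ---
---
all:
  children:
    developers:
      hosts:
        hostname1:
    production:
      hosts:
        hostname2:

# --- group_vars/all.yml: accounts every host gets, with minimal groups ---
---
common_users:
  - { username: sbody, name: Some Body, uid: 3001, groups: ['users'] }
common_usergroups:
  - { name: users }

# --- group_vars/developers.yml: only hosts in "developers" see this ---
---
developers_users:
  - { username: sbody, name: Some Body, uid: 3001, groups: ['users', 'developers'] }
developers_usergroups:
  - { name: developers, gid: 10000 }

# (no group_vars/production.yml on purpose: production hosts must fall back
#  to the common lists rather than fail on an undefined variable)

# --- manage_users.yml ---
---
- name: Manage Users
  hosts: all
  pre_tasks:   # roles run before tasks, so the lists are assembled in pre_tasks
    - name: Start from the common users and groups
      set_fact:
        users: "{{ common_users }}"
        usergroups: "{{ common_usergroups }}"

    - name: Add whatever each inventory group of this host declares
      # lookup() returns the variable's value itself (a list); default=[] covers
      # groups such as "production" above that declare nothing.
      set_fact:
        users: "{{ users + lookup('vars', item + '_users', default=[]) }}"
        usergroups: "{{ usergroups + lookup('vars', item + '_usergroups', default=[]) }}"
      loop: "{{ group_names }}"

    - name: Show the accounts that will be applied to this host
      debug:
        msg: "{{ item.username }} -> {{ item.groups }}"
      loop: "{{ users }}"
      loop_control:
        label: "{{ item.username }}"
  roles:
    - role: users
```

With this layout hostname2 ends up with sbody in ['users'] only, while hostname1 also carries the developers entry; the extra privilege is granted by a file that exists only for that group, so an environment that is missing a file loses access rather than gaining it. Note that the same username appears in two lists here; whether the role merges or applies them in order is role-specific, so check the users role's task file before relying on that.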