Hi everyone.

There are 3 data centers in the organization where I'm working - I'll 
call it "domain" further in the text.
I wrote a small playbook for creating developers' accounts on machines in a 
single domain:

---
- hosts: all
  vars:
    accounts:
      user1:
        uid: 1345
        pub_key: 'ssh-rsa AAAAB3Nza....'
      user2:
        uid: 1341
        pub_key: 'ssh-rsa AAAAB3NzaC1yc'
      user3:
        uid: 1443
        pub_key: 'ssh-rsa'

  remote_user: ansible
  sudo: yes
  gather_facts: no

  tasks:
  - name: create account
    user: name={{item.key}}
          uid={{item.value.uid}}
          password="rZqhKLcR0PBsqMxbYr9eYd"
          update_password=always
          shell="/bin/bash"
    with_dict: accounts

  - name: create authorized_key
    authorized_key: key="{{item.value.pub_key}}" user={{item.key}}
    with_dict: accounts



For each domain I have a different inventory file, so it just works.

But a few days ago I talked with the team lead, and he said that it isn't a 
good idea and that not all developers must have access to machines in all 
domains - in other words, we must have an "access matrix" like this:

        domain1  domain2  domain3
user1      x        x
user2                        x
user3               x
 .. .. .. .. .. .. ..
userN               x        x

and so on.


How can I implement it?

I've tried to use the jinja2 search filter, but it doesn't work - it seems 
like Ansible can't use a variable inside a regexp:
.. .. ..
   user3:
      uid: 1443
      pub_key: 'ssh-rsa'
      my_domains: domain1,domain2
.. .. .. ..

tasks:
  - name: create account
    user: name={{item.key}}
          uid={{item.value.uid}}
          password="rZqhKLcR0PBsqMxbYr9eYd"
          update_password=always
          shell="/bin/bash"
          when: ansible_domain|search("{{item.value.my_domains}}")
    with_dict: accounts

Thank you for any comments and ideas
With regards - Aleksey.
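
One way to express the access matrix from the message above, as an added example that is not part of the original post. It assumes each domain's inventory defines a variable named site_domain (a hypothetical name), stores my_domains as a list so membership is an exact match rather than a regexp, and uses the newer become keyword in place of sudo. The public keys are placeholders to replace.

```yaml
---
# Added example (not from the original post). Assumed names: site_domain, my_domains.
# Each domain's inventory is assumed to set site_domain, e.g. under [all:vars]:
#   site_domain=domain1
- hosts: all
  remote_user: ansible
  become: yes
  gather_facts: no

  vars:
    accounts:                      # constructed sample data following the matrix
      user1:
        uid: 1345
        pub_key: 'ssh-ed25519 <user1 public key placeholder>'
        my_domains: [domain1, domain2]
      user2:
        uid: 1341
        pub_key: 'ssh-ed25519 <user2 public key placeholder>'
        my_domains: [domain3]
      user3:
        uid: 1443
        pub_key: 'ssh-ed25519 <user3 public key placeholder>'
        my_domains: [domain2]

  tasks:
    # "in" on a list is exact membership, so domain1 never matches domain10,
    # which a substring or regexp test on a comma-separated string would.
    - name: create accounts allowed in this domain
      user:
        name: "{{ item.key }}"
        uid: "{{ item.value.uid }}"
        shell: /bin/bash
      when: site_domain in item.value.my_domains
      with_dict: "{{ accounts }}"

    - name: install the key for allowed accounts only
      authorized_key:
        user: "{{ item.key }}"
        key: "{{ item.value.pub_key }}"
        exclusive: yes             # drop any other keys left in the file
      when: site_domain in item.value.my_domains
      with_dict: "{{ accounts }}"

    # Revocation: a matrix only holds if access removed from it is removed here.
    - name: remove accounts not allowed in this domain
      user:
        name: "{{ item.key }}"
        state: absent
      when: site_domain not in item.value.my_domains
      with_dict: "{{ accounts }}"
```

Because site_domain comes from the inventory, the same playbook runs unchanged against each domain's inventory file, and an account dropped from a user's my_domains list is deleted on the next run.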




