You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
ansible/user

412 lines
14 KiB
Plaintext

#!/usr/bin/python
# -*- coding: utf-8 -*-
# (c) 2012, Stephen Fromm <sfromm@gmail.com>
#
# This file is part of Ansible
#
# Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
DOCUMENTATION = '''
---
module: user
author: Stephen Fromm
version_added: 0.0.2
short_description: Manage user accounts
requirements: [ useradd, userdel, usermod ]
description:
- Manage user accounts and user attributes.
options:
name:
required: true
description:
- Name of the user to create, remove or modify.
comment:
required: false
description:
- Optionally sets the description (aka I(GECOS)) of user account.
uid:
required: false
description:
- Optionally sets the I(UID) of the user.
group:
required: false
description:
- Optionally sets the user's primary group (takes a group name).
groups:
required: false
description:
- Puts the user in this comma-delimited list of groups.
append:
required: false
description:
- If I(yes), will only add groups, not set them to just the list
in I(groups).
shell:
required: false
description:
- Optionally set the user's shell.
home:
required: false
description:
- Optionally set the user's home directory.
password:
required: false
description:
- Optionally set the user's password to this crypted value. See
the user example in the github examples directory for what this looks
like in a playbook.
state:
required: false
default: "present"
choices: [ present, absent ]
description:
- Whether the account should exist. When I(absent), removes
the user account.
createhome:
required: false
default: "yes"
choices: [ yes, no ]
description:
- Unless set to I(no), a home directory will be made for the user
when the account is created.
system:
required: false
default: "no"
choices: [ yes, no ]
description:
- When creating an account, setting this to I(yes) makes the user a
system account. This setting cannot be changed on existing users.
force:
required: false
default: "no"
choices: [ yes, no ]
description:
- When used with I(state=absent), behavior is as with
I(userdel --force).
remove:
required: false
default: "no"
choices: [ yes, no ]
description:
- When used with I(state=absent), behavior is as with
I(userdel --remove).
'''
import os
import pwd
import grp
try:
import spwd
HAVE_SPWD=True
except:
HAVE_SPWD=False
SHADOWFILE = '/etc/shadow'
if os.path.exists('/etc/master.passwd'):
SHADOWFILE = '/etc/master.passwd' # FreeBSD passwd
# Note: while the above has the correct location for where
# encrypted passwords are stored on FreeBSD, the code below doesn't
# invoke adduser in lieu of useradd, nor pw in lieu of usermod.
# That is, this won't work on FreeBSD.
def user_del(module, user, **kwargs):
cmd = [module.get_bin_path('userdel', True)]
for key in kwargs:
if key == 'force' and kwargs[key] == 'yes':
cmd.append('-f')
elif key == 'remove' and kwargs[key] == 'yes':
cmd.append('-r')
cmd.append(user)
p = subprocess.Popen(cmd, shell=False, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
(out, err) = p.communicate()
rc = p.returncode
return (rc, out, err)
def user_add(module, user, **kwargs):
cmd = [module.get_bin_path('useradd', True)]
for key in kwargs:
if key == 'uid' and kwargs[key] is not None:
cmd.append('-u')
cmd.append(kwargs[key])
elif key == 'group' and kwargs[key] is not None:
if not group_exists(kwargs[key]):
module.fail_json(msg="Group %s does not exist" % (kwargs[key]))
cmd.append('-g')
cmd.append(kwargs[key])
elif key == 'groups' and kwargs[key] is not None:
for g in kwargs[key].split(','):
if not group_exists(g):
module.fail_json(msg="Group %s does not exist" % (g))
cmd.append('-G')
cmd.append(kwargs[key])
elif key == 'comment' and kwargs[key] is not None:
cmd.append('-c')
cmd.append(kwargs[key])
elif key == 'home' and kwargs[key] is not None:
cmd.append('-d')
cmd.append(kwargs[key])
elif key == 'shell' and kwargs[key] is not None:
cmd.append('-s')
cmd.append(kwargs[key])
elif key == 'password' and kwargs[key] is not None:
cmd.append('-p')
cmd.append(kwargs[key])
elif key == 'createhome':
if kwargs[key] is not None:
if kwargs[key] == 'yes':
cmd.append('-m')
else:
cmd.append('-M')
elif key == 'system' and kwargs[key] == 'yes':
cmd.append('-r')
cmd.append(user)
p = subprocess.Popen(cmd, shell=False, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
(out, err) = p.communicate()
rc = p.returncode
return (rc, out, err)
"""
Without spwd, we would have to resort to reading /etc/shadow
to get the encrypted string. For now, punt on idempotent password changes.
"""
def user_mod(module, user, **kwargs):
cmd = [module.get_bin_path('usermod', True)]
info = user_info(user)
for key in kwargs:
if key == 'uid':
if kwargs[key] is not None and info[2] != int(kwargs[key]):
cmd.append('-u')
cmd.append(kwargs[key])
elif key == 'group' and kwargs[key] is not None:
if not group_exists(kwargs[key]):
module.fail_json(msg="Group %s does not exist" % (kwargs[key]))
ginfo = group_info(kwargs[key])
if info[3] != ginfo[2]:
cmd.append('-g')
cmd.append(kwargs[key])
elif key == 'groups' and kwargs[key] is not None:
current_groups = user_group_membership(user)
groups = kwargs[key].split(',')
for g in groups:
if not group_exists(g):
module.fail_json(msg="Group %s does not exist" % (g))
group_diff = set(sorted(current_groups)).symmetric_difference(set(sorted(groups)))
groups_need_mod = False
if group_diff:
if kwargs['append'] is not None and kwargs['append'] == 'yes':
for g in groups:
if g in group_diff:
cmd.append('-a')
groups_need_mod = True
else:
groups_need_mod = True
if groups_need_mod:
cmd.append('-G')
cmd.append(','.join(groups))
elif key == 'comment':
if kwargs[key] is not None and info[4] != kwargs[key]:
cmd.append('-c')
cmd.append(kwargs[key])
elif key == 'home':
if kwargs[key] is not None and info[5] != kwargs[key]:
cmd.append('-d')
cmd.append(kwargs[key])
elif key == 'shell':
if kwargs[key] is not None and info[6] != kwargs[key]:
cmd.append('-s')
cmd.append(kwargs[key])
elif key == 'password':
if kwargs[key] is not None and info[1] != kwargs[key]:
cmd.append('-p')
cmd.append(kwargs[key])
# skip if no changes to be made
if len(cmd) == 1:
return (None, '', '')
cmd.append(user)
p = subprocess.Popen(cmd, shell=False, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
(out, err) = p.communicate()
rc = p.returncode
return (rc, out, err)
def group_exists(group):
try:
if group.isdigit():
if grp.getgrgid(group):
return True
else:
if grp.getgrnam(group):
return True
except KeyError:
return False
def group_info(group):
if not group_exists(group):
return False
if group.isdigit():
return list(grp.getgrgid(group))
else:
return list(grp.getgrnam(group))
def user_group_membership(user):
groups = []
info = get_pwd_info(user)
for group in grp.getgrall():
if user in group[3] and info[3] != group[2]:
groups.append(group[0])
return groups
def user_exists(user):
try:
if pwd.getpwnam(user):
return True
except KeyError:
return False
def get_pwd_info(user):
if not user_exists(user):
return False
return list(pwd.getpwnam(user))
def user_info(user):
if not user_exists(user):
return False
info = get_pwd_info(user)
if len(info[1]) == 1 or len(info[1]) == 0:
info[1] = user_password(user)
return info
def user_password(user):
passwd = ''
if not user_exists(user):
return passwd
if HAVE_SPWD:
try:
passwd = spwd.getspnam(user)[1]
except KeyError:
return passwd
else:
# Read shadow file for user's encrypted password string
if os.path.exists(SHADOWFILE) and os.access(SHADOWFILE, os.R_OK):
for line in open(SHADOWFILE).readlines():
if line.startswith('%s:' % user):
passwd = line.split(':')[1]
return passwd
# ===========================================
def main():
module = AnsibleModule(
argument_spec = dict(
state=dict(default='present', choices=['present', 'absent']),
name=dict(required=True),
uid=dict(default=None),
group=dict(default=None),
groups=dict(default=None),
comment=dict(default=None),
home=dict(default=None),
shell=dict(default=None),
password=dict(default=None),
# following options are specific to userdel
force=dict(default='no', choices=['yes', 'no']),
remove=dict(default='no', choices=['yes', 'no']),
# following options are specific to useradd
createhome=dict(default='yes', choices=['yes', 'no']),
system=dict(default='no', choices=['yes', 'no']),
# following options are specific to usermod
append=dict(default='no', choices=['yes', 'no']),
)
)
state = module.params['state']
name = module.params['name']
uid = module.params['uid']
group = module.params['group']
groups = module.params['groups']
comment = module.params['comment']
home = module.params['home']
shell = module.params['shell']
password = module.params['password']
force = module.params['force']
remove = module.params['remove']
createhome = module.params['createhome']
system = module.params['system']
append = module.params['append']
rc = None
out = ''
err = ''
result = {}
result['name'] = name
result['state'] = state
if state == 'absent':
if user_exists(name):
(rc, out, err) = user_del(module, name, force=force, remove=remove)
if rc != 0:
module.fail_json(name=name, msg=err, rc=rc)
result['force'] = force
result['remove'] = remove
elif state == 'present':
if not user_exists(name):
(rc, out, err) = user_add(module,
name, uid=uid, group=group, groups=groups,
comment=comment, home=home, shell=shell,
password=password, createhome=createhome,
system=system)
result['system'] = system
result['createhome'] = createhome
else:
(rc, out, err) = user_mod(module,
name, uid=uid, group=group, groups=groups,
comment=comment, home=home, shell=shell,
password=password, append=append)
result['append'] = append
if rc is not None and rc != 0:
module.fail_json(name=name, msg=err, rc=rc)
if password is not None:
result['password'] = 'NOT_LOGGING_PASSWORD'
if rc is None:
result['changed'] = False
else:
result['changed'] = True
if out:
result['stdout'] = out
if err:
result['stderr'] = err
if user_exists(name):
info = user_info(name)
if info == False:
result['msg'] = "failed to look up user name: %s" % name
result['failed'] = True
result['uid'] = info[2]
result['group'] = info[3]
result['comment'] = info[4]
result['home'] = info[5]
result['shell'] = info[6]
groups = user_group_membership(name)
result['uid'] = info[2]
if len(groups) > 0:
result['groups'] = groups
module.exit_json(**result)
# include magic from lib/ansible/module_common.py
#<<INCLUDE_ANSIBLE_MODULE_COMMON>>
main()