Managing users and groups on Linux with Ansible

Date: 2020-02-23 14:29:39  Source: igfitidea

On Linux, every process runs as a particular user, and every file and directory is owned by some user.
Access to those files and directories is, in turn, restricted per user.
This shows how important it is to know how to manage users on Linux, whether as a normal user or as an administrator.
Information about local users is kept in /etc/passwd:

Hyman@theitroad:~$tail -9 /etc/passwd
colord:x:121:126:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
geoclue:x:122:127::/var/lib/geoclue:/usr/sbin/nologin
pulse:x:123:128:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
gnome-initial-setup:x:124:65534::/run/gnome-initial-setup/:/bin/false
gdm:x:125:130:Gnome Display Manager:/var/lib/gdm3:/bin/false
eugene:x:1000:1000:Eugene,,,:/home/eugene:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
mysql:x:126:133:MySQL Server,,,:/nonexistent:/bin/false
redis:x:127:134::/var/lib/redis:/usr/sbin/nologin

The format is interpreted as follows:

username:password:uid:gid:gecos:home_dir:shell

Groups also have IDs, and every user belongs to a default group, the user private group (UPG).
A user can also have supplementary groups.
Supplementary groups grant the user access to additional files and processes.
Information about groups is kept in /etc/group:

Hyman@theitroad:~$tail -9 /etc/group
gdm:x:130:
lxd:x:131:eugene
eugene:x:1000:
sambashare:x:132:eugene
systemd-coredump:x:999:
mysql:x:133:
redis:x:134:
vboxusers:x:135:
docker:x:136:

The format is interpreted as follows:

groupname:password:GID:<list of users>

You have probably heard of the root user.
root is the superuser and has full power over the system.
root can override all permissions on files and is used to administer the system.
Usually we log in as an unprivileged user and use the sudo command to obtain root privileges.

As Linux administrators, we carry out various tasks to manage user accounts, such as adding and deleting users.
These tasks can be managed easily with Ansible.
We will use Ansible playbooks to accomplish them.
In Ansible, the user and group modules help us with user management tasks.
The playbooks below highlight the common ones.

Commonly used options of the Ansible group module

name - name of the group
state - (absent/present) ensure that the group exists or is absent
gid - specify the group ID
system - (yes/no) whether the created group is a system group

Commonly used options of the Ansible user module

name - name of the user
password - the user's encrypted password. Note that the password must already be hashed, or be hashed inside the playbook (for example with the password_hash filter) with the plaintext kept in Ansible Vault
update_password - (always/on_create) update the password on every run, or only once when the user is created
uid - specify the user ID
group - specify the user's primary group
groups - add the user to supplementary groups
append - (no/yes) add the user to the listed supplementary groups while keeping existing memberships (yes) or replace them (no)
comment - set the GECOS field
shell - set the user's default shell
remove - remove the directories and files associated with the user (used with state=absent)

Creating/adding users and groups with Ansible

Playbook: user.yml

---
- hosts: localhost #change to your hosts
  become: yes
  vars:
    # NOTICE!!!:
    # DO NOT PUT PLAIN TEXT PASSWORDS HERE!
    # use encrypted passwords or put them in Ansible vault
    # but this is just a demo
    vaulted_password: mySecret.
  tasks:
    - name: Add a simple user called janedoe
      user:
        name: janedoe
        comment: Jane Doe
    - name: Add user anita with a password
      user:
        name: anita
        password: "{{ vaulted_password | password_hash('sha512') }}"
        update_password: on_create
    - name: Add a group called developer
      group:
        name: developer
        state: present
    - name: Add a user johndoe and add them to a group developer
      user:
        name: johndoe
        groups: developer
        append: yes
    - name: Add user jSmith and generate for them an SSH key
      user:
        name: jSmith
        generate_ssh_key: yes
        ssh_key_bits: 2048
        ssh_key_file: .ssh/id_rsa
    - name: Add user noHome with no home and set account to expire on certain date
      user:
        name: noHome
        create_home: no
        expires: 1590155615
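The comment block in the vars: section above warns against keeping plaintext passwords in the playbook. The following Python script is an added example, not part of the original post: a stdlib-only check that scans playbook text for password-bearing keys and reports literals that are neither !vault-encrypted nor crypt hashes, templated values derived from a plaintext variable, and templated values that skip the password_hash filter (the user module writes whatever it is given straight into the password hash field). The playbook inside it is a constructed sample (the vault body and the $6$ hash are placeholders, not real values), and the function names are mine.

```python
import re

# Constructed sample playbook: a mix of the patterns seen in user.yml above.
# The vault body and the $6$ hash are placeholders, not real values.
SAMPLE_PLAYBOOK = """\
---
- hosts: localhost
  become: yes
  vars:
    vaulted_password: mySecret.
    admin_password: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      30303030303030303030303030303030 (constructed placeholder, not a real vault body)
  tasks:
    - name: anita, hashed at run time from a plaintext var
      user:
        name: anita
        password: "{{ vaulted_password | password_hash('sha512') }}"
        update_password: on_create
    - name: bob, literal plaintext
      user:
        name: bob
        password: hunter2
    - name: carol, pre-computed crypt hash
      user:
        name: carol
        password: $6$constructedsalt$constructedhash
    - name: dave, vault variable hashed at run time
      user:
        name: dave
        password: "{{ admin_password | password_hash('sha512') }}"
    - name: erin, vault variable passed through unhashed
      user:
        name: erin
        password: "{{ admin_password }}"
"""

# Any YAML key containing "password", optionally as a list item ("- password: ...").
PASSWORD_KEY = re.compile(r"^\s*(?:-\s+)?(?P<key>\w*password\w*):\s*(?P<value>.*?)\s*$")
# Modular-crypt prefixes: md5crypt, sha256crypt, sha512crypt, yescrypt, bcrypt.
CRYPT_HASH = re.compile(r"^\$(?:1|5|6|y|2[aby]?)\$")
# A value that is a single Jinja expression starting with a variable name.
JINJA = re.compile(r"""^["']?\{\{\s*(?P<var>[A-Za-z_]\w*)(?P<rest>.*?)\}\}["']?$""")
IGNORED_KEYS = {"update_password"}  # an option flag, not a secret


def classify_literal(value: str) -> str:
    """Classify a literal (non-templated) value found under a password key."""
    if value.startswith("!vault"):
        return "vaulted"
    if CRYPT_HASH.match(value):
        return "hashed"
    if value == "":
        return "empty"
    return "plaintext"


def audit_playbook(text: str) -> list:
    """Return findings as (line_no, key, issue) tuples for password-bearing keys."""
    entries = []
    for no, line in enumerate(text.splitlines(), start=1):
        m = PASSWORD_KEY.match(line)
        if m and m.group("key") not in IGNORED_KEYS:
            entries.append((no, m.group("key"), m.group("value")))

    # First pass: remember what each literal variable holds, so that templated
    # values can be traced back to their source.
    literal_kind = {key: classify_literal(value) for _, key, value in entries if not JINJA.match(value)}

    findings = []
    for no, key, value in entries:
        j = JINJA.match(value)
        if j is None:
            kind = classify_literal(value)
            if kind == "plaintext":
                findings.append((no, key, "plaintext literal; store it in Ansible Vault instead"))
            elif kind == "empty":
                findings.append((no, key, "empty value"))
            continue
        var, rest = j.group("var"), j.group("rest")
        source = literal_kind.get(var)  # None if the variable is defined elsewhere
        if source == "plaintext":
            findings.append((no, key, f"derived from plaintext variable '{var}'"))
        elif "password_hash(" not in rest and source != "hashed":
            findings.append((no, key, f"'{var}' is not passed through password_hash(); the user module expects a crypt hash"))
    return findings


if __name__ == "__main__":
    for line_no, key, issue in audit_playbook(SAMPLE_PLAYBOOK):
        print(f"line {line_no}: {key}: {issue}")
```

Run against the sample, the script flags the plaintext vars entry, the anita task that hashes it (hashing at run time does not help when the plaintext sits in the repository), bob's literal, and erin's unhashed vault value; carol and dave pass. A Jinja value whose variable is not defined in the file (inventory or extra-vars) is flagged only when it also lacks the password_hash filter.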

Run the playbook. Do not worry about the warning; it appears because I am running the playbook against my Ansible control node itself as the managed host:

$ansible-playbook user.yml -K
BECOME password: 
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'
PLAY [localhost] ** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** ***
TASK [Gathering Facts] ** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** *****
ok: [localhost]
TASK [Add a simple user called janedoe] ** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** ****
changed: [localhost]
TASK [Add user anita with a password] ** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **
changed: [localhost]
TASK [Add a group called developer] ** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** ****
changed: [localhost]
TASK [Add a user johndoe and add them to a group developer] ** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** ****
changed: [localhost]
TASK [Add user jSmith and generate for them an SSH key] ** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** ****
changed: [localhost]
TASK [Add user noHome with no home and set account to expire on certain date] ** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **
changed: [localhost]
PLAY RECAP ** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** *****
localhost                  : ok=7    changed=6    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

Check the users and groups:

Hyman@theitroad:~/Projects/Ansible/users$tail -9 /etc/passwd
eugene:x:1000:1000:Eugene,,,:/home/eugene:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
mysql:x:126:133:MySQL Server,,,:/nonexistent:/bin/false
redis:x:127:134::/var/lib/redis:/usr/sbin/nologin
janedoe:x:1001:1001:Jane Doe:/home/janedoe:/bin/sh
anita:x:1002:1002::/home/anita:/bin/sh
johndoe:x:1003:1004::/home/johndoe:/bin/sh
jSmith:x:1004:1005::/home/jSmith:/bin/sh
noHome:x:1005:1006::/home/noHome:/bin/sh
Hyman@theitroad:~/Projects/Ansible/users$tail -9 /etc/group
redis:x:134:
vboxusers:x:135:
docker:x:136:
janedoe:x:1001:
anita:x:1002:
developer:x:1003:johndoe
johndoe:x:1004:
jSmith:x:1005:
noHome:x:1006:
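The following Python script is an added example, not code from the original post. It parses the /etc/passwd and /etc/group formats described earlier, resolves each user's primary group (by GID) and supplementary groups (by membership list), and compares the result with the state that user.yml asked for; verify_absent is the same check turned around for use after user_delete.yml. The embedded file contents are the tail -9 output above, so the lines for GID 1000 and the mysql group fall outside the sample and those primary groups are reported by number. Note that /etc/passwd still records /home/noHome for the create_home: no user; whether that directory exists has to be checked on disk, which this script does not do. Function names and the DESIRED table are mine.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: the tail of /etc/passwd and /etc/group shown above after user.yml ran.
PASSWD = """\
eugene:x:1000:1000:Eugene,,,:/home/eugene:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
mysql:x:126:133:MySQL Server,,,:/nonexistent:/bin/false
redis:x:127:134::/var/lib/redis:/usr/sbin/nologin
janedoe:x:1001:1001:Jane Doe:/home/janedoe:/bin/sh
anita:x:1002:1002::/home/anita:/bin/sh
johndoe:x:1003:1004::/home/johndoe:/bin/sh
jSmith:x:1004:1005::/home/jSmith:/bin/sh
noHome:x:1005:1006::/home/noHome:/bin/sh
"""

GROUP = """\
redis:x:134:
vboxusers:x:135:
docker:x:136:
janedoe:x:1001:
anita:x:1002:
developer:x:1003:johndoe
johndoe:x:1004:
jSmith:x:1005:
noHome:x:1006:
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


@dataclass(frozen=True)
class PasswdEntry:
    name: str
    password: str  # "x" means the hash lives in /etc/shadow
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


@dataclass(frozen=True)
class GroupEntry:
    name: str
    gid: int
    members: tuple  # supplementary members listed in the last field


def parse_passwd(text: str) -> Dict[str, PasswdEntry]:
    entries = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"/etc/passwd line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries[name] = PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell)
    return entries


def parse_group(text: str) -> Dict[str, GroupEntry]:
    entries = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 4:
            raise ValueError(f"/etc/group line {lineno}: expected 4 fields, got {len(fields)}")
        name, _pw, gid, members = fields
        entries[name] = GroupEntry(name, int(gid), tuple(m for m in members.split(",") if m))
    return entries


def groups_of(user: str, passwd: Dict[str, PasswdEntry], groups: Dict[str, GroupEntry]) -> List[str]:
    """Primary group first (resolved from the GID), then supplementary groups from /etc/group."""
    entry = passwd[user]
    by_gid = {g.gid: g.name for g in groups.values()}
    primary = by_gid.get(entry.gid, str(entry.gid))  # raw GID if the group line is not in the sample
    supplementary = sorted(g.name for g in groups.values() if user in g.members and g.name != primary)
    return [primary] + supplementary


def login_capable(passwd: Dict[str, PasswdEntry]) -> List[str]:
    """Accounts whose shell allows an interactive login."""
    return sorted(e.name for e in passwd.values() if e.shell not in NOLOGIN_SHELLS)


def verify_desired(passwd, groups, desired: Dict[str, dict]) -> List[str]:
    """Compare the files against the state user.yml asked for; return discrepancies."""
    problems = []
    for user, spec in desired.items():
        if user not in passwd:
            problems.append(f"{user}: missing from /etc/passwd")
            continue
        if "gecos" in spec and passwd[user].gecos != spec["gecos"]:
            problems.append(f"{user}: gecos is {passwd[user].gecos!r}, expected {spec['gecos']!r}")
        for g in spec.get("groups", []):
            if g not in groups_of(user, passwd, groups):
                problems.append(f"{user}: not a member of group {g}")
    return problems


def verify_absent(passwd, groups, names) -> List[str]:
    """After user_delete.yml: report any account or group that still exists."""
    return [f"{n}: still present" for n in names if n in passwd or n in groups]


# Desired state mirroring the tasks in user.yml (comment and groups as given there).
DESIRED = {
    "janedoe": {"gecos": "Jane Doe"},
    "anita": {},
    "johndoe": {"groups": ["developer"]},
    "jSmith": {},
    "noHome": {},
}

if __name__ == "__main__":
    p, g = parse_passwd(PASSWD), parse_group(GROUP)
    for user in DESIRED:
        print(f"{user:8} groups={groups_of(user, p, g)}")
    print("login-capable:", login_capable(p))
    print("problems:", verify_desired(p, g, DESIRED) or "none")
```

The johndoe entry shows what groups: developer with append: yes produced: his primary group is still his private group (GID 1004) and developer appears only as a supplementary membership. Because the playbook sets no shell, every new account got the distribution default (/bin/sh here), so all five show up as login-capable; set shell: explicitly in the task if that is not what you want.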

Deleting/removing users with Ansible

Playbook: user_delete.yml

---
- hosts: localhost
  become: yes
  tasks:
    - name: Remove janedoe
      user:
        name: janedoe
        state: absent
        remove: yes
    - name: Remove anita
      user:
        name: anita
        state: absent
        remove: yes
    - name: Remove developer group
      group:
        name: developer
        state: absent
    - name: Remove johndoe
      user:
        name: johndoe
        state: absent
        remove: yes
    - name: Remove jSmith
      user:
        name: jSmith
        state: absent
        remove: yes
    - name: Remove noHome
      user:
        name: noHome
        state: absent
        remove: yes

Playbook run:

Hyman@theitroad:~/Projects/Ansible/users$ansible-playbook user_delete.yml -K
BECOME password: 
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'
PLAY [localhost] ** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** ***
TASK [Gathering Facts] ** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** *****
ok: [localhost]
TASK [Remove janedoe] ** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** ****
changed: [localhost]
TASK [Remove anita] ** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **
changed: [localhost]
TASK [Remove developer group] ** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** ****
changed: [localhost]
TASK [Remove johndoe] ** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** ****
changed: [localhost]
TASK [Remove jSmith] ** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** ****
changed: [localhost]
TASK [Remove noHome] ** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **
changed: [localhost]
PLAY RECAP ** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** *****
localhost                  : ok=7    changed=6    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0