Use Ansible to manage users and groups on Linux


On Linux, every process runs as a specific user, and every file and directory is owned by a specific user; access to those files and directories is restricted by user. That makes user management an essential skill for both ordinary users and administrators. Information about local users is kept in /etc/passwd:

[email protected]:~$ tail -9 /etc/passwd
colord:x:121:126:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
geoclue:x:122:127::/var/lib/geoclue:/usr/sbin/nologin
pulse:x:123:128:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
gnome-initial-setup:x:124:65534::/run/gnome-initial-setup/:/bin/false
gdm:x:125:130:Gnome Display Manager:/var/lib/gdm3:/bin/false
eugene:x:1000:1000:Eugene,,,:/home/eugene:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
mysql:x:126:133:MySQL Server,,,:/nonexistent:/bin/false
redis:x:127:134::/var/lib/redis:/usr/sbin/nologin

Each line has seven colon-separated fields:

username:password:UID:GID:GECOS:home_directory:shell

The password field normally holds only x, because the password hashes themselves live in /etc/shadow, which is readable only by root.

Groups also have IDs, and each user belongs to a primary group, usually a user private group (UPG) created together with the account. A user may also belong to supplementary groups, which grant access to additional files and processes. Group information is kept in /etc/group:

[email protected]:~$ tail -9 /etc/group
gdm:x:130:
lxd:x:131:eugene
eugene:x:1000:
sambashare:x:132:eugene
systemd-coredump:x:999:
mysql:x:133:
redis:x:134:
vboxusers:x:135:
docker:x:136:

Each line has four colon-separated fields; the last one lists the users for whom this is a supplementary group:

group_name:password:GID:user_list

You have probably heard of the root user. Root is the superuser: it has every permission on the system, can override all file permissions, and is used to administer the system. Normally we log in as an unprivileged user and use sudo to gain root privileges only when needed.

As Linux administrators, part of our job is managing user accounts: adding users, deleting users, and so on. Ansible makes these tasks easy, and the user and group modules cover most of them. In this article we walk through the common tasks with Ansible playbooks.

Ansible group module common options

  • name – group name
  • state – (present / absent) ensure that the group exists or does not exist
  • gid – specify the group ID
  • system – (yes / no) whether the group is created as a system group

Ansible user module common options

  • name – username
  • password – the user's encrypted (hashed) password. Never put a clear-text password in the playbook: hash it, for example with the password_hash filter, and keep the secret itself in Ansible Vault
  • update_password – (always / on_create) whether the password is updated on every run or only set when the user is first created
  • uid – specify the user ID
  • group – the user's primary group
  • groups – supplementary groups to add the user to
  • append – (yes / no) when adding the user to supplementary groups, keep the groups they already have (yes) or replace them (no)
  • comment – set the GECOS field
  • shell – set the user's default shell
  • remove – when state is absent, also delete the user's home directory and mail spool

Create / add users and groups with Ansible

Playbook user.yml:

---
- hosts: localhost #change to your hosts
  become: yes

  vars:
    # NOTICE!!!:
    # DO NOT PUT PLAIN TEXT PASSWORDS HERE!
    # use encrypted passwords or put them in Ansible vault
    # but this is just a demo
    vaulted_password: mySecret.

  tasks:
    - name: Add a simple user called janedoe
      user:
        name: janedoe
        comment: Jane Doe

    - name: Add user anita with a password
      user:
        name: anita
        password: "{{ vaulted_password | password_hash('sha512') }}"
        update_password: on_create

    - name: Add a group called developer
      group:
        name: developer
        state: present

    - name: Add a user johndoe and add them to a group developer
      user:
        name: johndoe
        groups: developer
        append: yes

    - name: Add user jSmith and generate for them an SSH key
      user:
        name: jSmith
        generate_ssh_key: yes
        ssh_key_bits: 2048
        ssh_key_file: .ssh/id_rsa

    - name: Add user noHome with no home and set account to expire on certain date
      user:
        name: noHome
        create_home: no
        expires: 1590155615

Run the playbook. Since I run it on the Ansible control node itself, against localhost, I don't have to worry about the warning:

$ ansible-playbook user.yml -K
BECOME password: 
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'

PLAY [localhost] *************************************************************************************************************************************

TASK [Gathering Facts] *******************************************************************************************************************************
ok: [localhost]

TASK [Add a simple user called janedoe] **************************************************************************************************************
changed: [localhost]

TASK [Add user anita with a password] ****************************************************************************************************************
changed: [localhost]

TASK [Add a group called developer] ******************************************************************************************************************
changed: [localhost]

TASK [Add a user johndoe and add them to a group developer] ******************************************************************************************
changed: [localhost]

TASK [Add user jSmith and generate for them an SSH key] **********************************************************************************************
changed: [localhost]

TASK [Add user noHome with no home and set account to expire on certain date] ************************************************************************
changed: [localhost]

PLAY RECAP *******************************************************************************************************************************************
localhost                  : ok=7    changed=6    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   

Check users and groups:

[email protected]:~/Projects/Ansible/users$ tail -9 /etc/passwd
eugene:x:1000:1000:Eugene,,,:/home/eugene:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
mysql:x:126:133:MySQL Server,,,:/nonexistent:/bin/false
redis:x:127:134::/var/lib/redis:/usr/sbin/nologin
janedoe:x:1001:1001:Jane Doe:/home/janedoe:/bin/sh
anita:x:1002:1002::/home/anita:/bin/sh
johndoe:x:1003:1004::/home/johndoe:/bin/sh
jSmith:x:1004:1005::/home/jSmith:/bin/sh
noHome:x:1005:1006::/home/noHome:/bin/sh

[email protected]:~/Projects/Ansible/users$ tail -9 /etc/group
redis:x:134:
vboxusers:x:135:
docker:x:136:
janedoe:x:1001:
anita:x:1002:
developer:x:1003:johndoe
johndoe:x:1004:
jSmith:x:1005:
noHome:x:1006:
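
The playbook above uses each option in isolation. As an added example (not from the original article), the following playbook combines the group and user options listed earlier the way a hardened deployment would: a fixed GID so the group is identical on every host, a service account with no login shell and no home directory, a human account whose password hash comes from Ansible Vault and is set only once, and a getent check that fails the play if the service account unexpectedly ends up with an interactive shell. Assumed, not taken from the article: an inventory group named webservers, a vault-encrypted vault.yml defining anita_password_hash (a SHA-512 crypt string produced ahead of time), the GID 3000, and the constructed expiry date.

```yaml
---
# Added example, not part of the original article.
# Assumptions: inventory group "webservers"; vault.yml is encrypted with
# ansible-vault and defines anita_password_hash, already hashed, so no
# clear-text password appears in the playbook or in the run log.
- hosts: webservers
  become: yes
  vars_files:
    - vault.yml            # assumed to define anita_password_hash

  tasks:
    - name: Create the developer group with a fixed GID (3000 is an assumption)
      group:
        name: developer
        gid: 3000
        state: present

    - name: Create a system group for the application service account
      group:
        name: appsvc
        system: yes
        state: present

    - name: Service account - system UID range, no home, no login shell
      user:
        name: appsvc
        group: appsvc
        system: yes
        create_home: no
        shell: /usr/sbin/nologin
        comment: Application service account

    - name: Human user - pre-hashed password from the vault, set on creation only
      user:
        name: anita
        comment: Anita
        groups: developer
        append: yes            # keep any groups she already has
        shell: /bin/bash
        password: "{{ anita_password_hash }}"
        update_password: on_create
      no_log: yes              # keep the hash out of the run output

    - name: Contractor account that expires automatically
      user:
        name: contractor1
        groups: developer
        append: yes
        shell: /bin/bash
        expires: 1767225600    # 2026-01-01T00:00:00Z, constructed for the example

    # Verification: read the passwd entry back and check the shell field.
    # getent_passwd[name] is [password, uid, gid, gecos, home, shell].
    - name: Read back the passwd entry for the service account
      getent:
        database: passwd
        key: appsvc

    - name: Fail the play if the service account has an interactive shell
      assert:
        that:
          - getent_passwd['appsvc'][5] == '/usr/sbin/nologin'
        fail_msg: "appsvc must not have a login shell"
```

Because the hash is produced once and stored in the vault, the run log never contains the secret, and update_password: on_create means a later run does not reset a password the user has since changed. The getent/assert pair turns the manual tail -9 /etc/passwd check into something the playbook enforces on every host.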

Delete / remove users and groups with Ansible

Playbook user_delete.yml:

---
- hosts: localhost
  become: yes
  tasks:
    - name: Remove janedoe
      user:
        name: janedoe
        state: absent
        remove: yes

    - name: Remove anita
      user:
        name: anita
        state: absent
        remove: yes

    - name: Remove developer group
      group:
        name: developer
        state: absent

    - name: Remove johndoe
      user:
        name: johndoe
        state: absent
        remove: yes

    - name: Remove jSmith
      user:
        name: jSmith
        state: absent
        remove: yes

    - name: Remove noHome
      user:
        name: noHome
        state: absent
        remove: yes

Run the playbook:

[email protected]:~/Projects/Ansible/users$ ansible-playbook user_delete.yml -K
BECOME password: 
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'

PLAY [localhost] *************************************************************************************************************************************

TASK [Gathering Facts] *******************************************************************************************************************************
ok: [localhost]

TASK [Remove janedoe] **************************************************************************************************************
changed: [localhost]

TASK [Remove anita] ****************************************************************************************************************
changed: [localhost]

TASK [Remove developer group] ******************************************************************************************************************
changed: [localhost]

TASK [Remove johndoe] ******************************************************************************************
changed: [localhost]

TASK [Remove jSmith] **********************************************************************************************
changed: [localhost]

TASK [Remove noHome] ************************************************************************
changed: [localhost]

PLAY RECAP *******************************************************************************************************************************************
localhost                  : ok=7    changed=6    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   
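
Deleting an account in one step, as the playbook above does, is fine for a demo, but remove: yes only deletes the home directory and mail spool. Files the user owned elsewhere on the disk keep the old numeric UID, and a future account that is assigned the same UID silently inherits them. As an added example (not from the original article), the following playbook offboards an account in stages: disable it first, then look for orphaned files, and remove the account only when nothing is left behind. Assumed, not taken from the article: an inventory group named webservers and the variable offboard_user.

```yaml
---
# Added example, not part of the original article.
# Assumptions: inventory group "webservers"; offboard_user names the account.
- hosts: webservers
  become: yes
  vars:
    offboard_user: jSmith

  tasks:
    # Stage 1: cut off access while the files are still available for review.
    # A locked password alone does not stop SSH public-key logins on every
    # configuration; the expired account and nologin shell do.
    - name: Stage 1 - lock the password, expire the account, remove the login shell
      user:
        name: "{{ offboard_user }}"
        password_lock: yes
        shell: /usr/sbin/nologin
        expires: 1             # 1970-01-01, i.e. already expired

    # getent_passwd[name] is [password, uid, gid, gecos, home, shell].
    - name: Look up the UID before the passwd entry disappears
      getent:
        database: passwd
        key: "{{ offboard_user }}"

    # Stage 2: anything owned by this UID outside the home directory would be
    # inherited by whoever is assigned the UID next.
    - name: Stage 2 - find files outside the home directory still owned by that UID
      command: >
        find / -xdev -uid {{ getent_passwd[offboard_user][1] }}
        -not -path "/home/{{ offboard_user }}/*"
      register: orphaned
      changed_when: false

    - name: Show files to reassign or delete before the UID can be reused
      debug:
        var: orphaned.stdout_lines

    # Stage 3: only remove the account when there is nothing left to adopt.
    - name: Stage 3 - remove the account, its home directory and mail spool
      user:
        name: "{{ offboard_user }}"
        state: absent
        remove: yes
      when: orphaned.stdout_lines | length == 0
```

Running stage 1 on its own is also a reasonable first response when an account is suspected of being compromised: it revokes access immediately without destroying the evidence in the user's files.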

There are more options for managing users on Ansible. I did not cover everything, but it is available in the Ansible documentation. You can check it out.

That’s all for today, please support us by buying our coffee!

More information about Ansible:

How to generate Linux user encrypted password for Ansible

Set up Elasticsearch Cluster on CentOS / Ubuntu using Ansible

How to use Ansible playbook idly
