perf: 根据用户是否存在配置 改密参数

apps/accounts/automations/change_secret/host/aix/main.yml

@@ -1,10 +1,17 @@
 - hosts: demo
   gather_facts: no
   tasks:
-    - name: Test privileged account
+    - name: "Test privileged {{ jms_account.username }} account"
       ansible.builtin.ping:
 
-    - name: Check user
+    - name: "Check if {{ account.username }} user exists"
+      getent:
+        database: passwd
+        key: "{{ account.username }}"
+      register: user_info
+      ignore_errors: yes  # 忽略错误，如果用户不存在时不会导致playbook失败
+
+    - name: "Add {{ account.username }} user"
       ansible.builtin.user:
         name: "{{ account.username }}"
         shell: "{{ params.shell }}"
@@ -12,19 +19,23 @@
         groups: "{{ params.groups }}"
         expires: -1
         state: present
+      when: user_info.failed
 
     - name: "Add {{ account.username }} group"
       ansible.builtin.group:
         name: "{{ account.username }}"
         state: present
+      when: user_info.failed
 
-    - name: Add user groups
+    - name: "Add {{ account.username }} user to group"
       ansible.builtin.user:
         name: "{{ account.username }}"
         groups: "{{ params.groups }}"
-      when: params.groups
+      when:
+        - user_info.failed
+        - params.groups
 
-    - name: Change password
+    - name: "Change {{ account.username }} password"
       ansible.builtin.user:
         name: "{{ account.username }}"
         password: "{{ account.secret | password_hash('des') }}"
@@ -32,11 +43,6 @@
       ignore_errors: true
       when: account.secret_type == "password"
 
-    - name: create user If it already exists, no operation will be performed
-      ansible.builtin.user:
-        name: "{{ account.username }}"
-      when: account.secret_type == "ssh_key"
-
     - name: remove jumpserver ssh key
       ansible.builtin.lineinfile:
         dest: "{{ ssh_params.dest }}"
@@ -46,17 +52,28 @@
         - account.secret_type == "ssh_key"
         - ssh_params.strategy == "set_jms"
 
-    - name: Change SSH key
+    - name: "Change {{ account.username }} SSH key"
       ansible.builtin.authorized_key:
         user: "{{ account.username }}"
         key: "{{ account.secret }}"
         exclusive: "{{ ssh_params.exclusive }}"
       when: account.secret_type == "ssh_key"
 
+    - name: "Set {{ account.username }} sudo setting"
+      ansible.builtin.lineinfile:
+        dest: /etc/sudoers
+        state: present
+        regexp: "^{{ account.username }} ALL="
+        line: "{{ account.username + ' ALL=(ALL) NOPASSWD: ' + params.sudo }}"
+        validate: visudo -cf %s
+      when:
+        - user_info.failed
+        - params.sudo
+
     - name: Refresh connection
       ansible.builtin.meta: reset_connection
 
-    - name: Verify password
+    - name: "Verify {{ account.username }} password"
       ansible.builtin.ping:
       become: no
       vars:
@@ -65,7 +82,7 @@
         ansible_become: no
       when: account.secret_type == "password"
 
-    - name: Verify SSH key
+    - name: "Verify {{ account.username }} SSH key"
       ansible.builtin.ping:
       become: no
       vars:

apps/accounts/automations/change_secret/host/aix/manifest.yml

@@ -5,6 +5,12 @@ type:
   - AIX
 method: change_secret
 params:
+  - name: sudo
+    type: str
+    label: 'Sudo'
+    default: '/bin/whoami'
+    help_text: '使用逗号分隔多个命令，如: /bin/whoami,/sbin/ifconfig'
+
   - name: shell
     type: str
     label: 'Shell'

apps/accounts/automations/change_secret/host/posix/main.yml

@@ -1,10 +1,17 @@
 - hosts: demo
   gather_facts: no
   tasks:
-    - name: Test privileged account
+    - name: "Test privileged {{ jms_account.username }} account"
       ansible.builtin.ping:
 
-    - name: Check user
+    - name: "Check if {{ account.username }} user exists"
+      getent:
+        database: passwd
+        key: "{{ account.username }}"
+      register: user_info
+      ignore_errors: yes  # 忽略错误，如果用户不存在时不会导致playbook失败
+
+    - name: "Add {{ account.username }} user"
       ansible.builtin.user:
         name: "{{ account.username }}"
         shell: "{{ params.shell }}"
@@ -12,19 +19,23 @@
         groups: "{{ params.groups }}"
         expires: -1
         state: present
+      when: user_info.failed
 
     - name: "Add {{ account.username }} group"
       ansible.builtin.group:
         name: "{{ account.username }}"
         state: present
+      when: user_info.failed
 
-    - name: Add user groups
+    - name: "Add {{ account.username }} user to group"
       ansible.builtin.user:
         name: "{{ account.username }}"
         groups: "{{ params.groups }}"
-      when: params.groups
+      when:
+        - user_info.failed
+        - params.groups
 
-    - name: Change password
+    - name: "Change {{ account.username }} password"
       ansible.builtin.user:
         name: "{{ account.username }}"
         password: "{{ account.secret | password_hash('sha512') }}"
@@ -32,11 +43,6 @@
       ignore_errors: true
       when: account.secret_type == "password"
 
-    - name: create user If it already exists, no operation will be performed
-      ansible.builtin.user:
-        name: "{{ account.username }}"
-      when: account.secret_type == "ssh_key"
-
     - name: remove jumpserver ssh key
       ansible.builtin.lineinfile:
         dest: "{{ ssh_params.dest }}"
@@ -46,17 +52,28 @@
         - account.secret_type == "ssh_key"
         - ssh_params.strategy == "set_jms"
 
-    - name: Change SSH key
+    - name: "Change {{ account.username }} SSH key"
       ansible.builtin.authorized_key:
         user: "{{ account.username }}"
         key: "{{ account.secret }}"
         exclusive: "{{ ssh_params.exclusive }}"
       when: account.secret_type == "ssh_key"
 
+    - name: "Set {{ account.username }} sudo setting"
+      ansible.builtin.lineinfile:
+        dest: /etc/sudoers
+        state: present
+        regexp: "^{{ account.username }} ALL="
+        line: "{{ account.username + ' ALL=(ALL) NOPASSWD: ' + params.sudo }}"
+        validate: visudo -cf %s
+      when:
+        - user_info.failed
+        - params.sudo
+
     - name: Refresh connection
       ansible.builtin.meta: reset_connection
 
-    - name: Verify password
+    - name: "Verify {{ account.username }} password"
       ansible.builtin.ping:
       become: no
       vars:
@@ -65,7 +82,7 @@
         ansible_become: no
       when: account.secret_type == "password"
 
-    - name: Verify SSH key
+    - name: "Verify {{ account.username }} SSH key"
       ansible.builtin.ping:
       become: no
       vars:

apps/accounts/automations/change_secret/host/posix/manifest.yml

@@ -6,6 +6,12 @@ type:
   - linux
 method: change_secret
 params:
+  - name: sudo
+    type: str
+    label: 'Sudo'
+    default: '/bin/whoami'
+    help_text: '使用逗号分隔多个命令，如: /bin/whoami,/sbin/ifconfig'
+
   - name: shell
     type: str
     label: 'Shell'