diff --git a/apps/accounts/automations/change_secret/host/aix/main.yml b/apps/accounts/automations/change_secret/host/aix/main.yml
index b51ddf69e..8593c7534 100644
--- a/apps/accounts/automations/change_secret/host/aix/main.yml
+++ b/apps/accounts/automations/change_secret/host/aix/main.yml
@@ -1,10 +1,41 @@
- hosts: demo
gather_facts: no
tasks:
- - name: Test privileged account
+ - name: "Test privileged {{ jms_account.username }} account"
ansible.builtin.ping:
- - name: Change password
+ - name: "Check if {{ account.username }} user exists"
+ getent:
+ database: passwd
+ key: "{{ account.username }}"
+ register: user_info
+ ignore_errors: yes # 忽略错误,如果用户不存在时不会导致playbook失败
+
+ - name: "Add {{ account.username }} user"
+ ansible.builtin.user:
+ name: "{{ account.username }}"
+ shell: "{{ params.shell }}"
+ home: "{{ params.home | default('/home/' + account.username, true) }}"
+ groups: "{{ params.groups }}"
+ expires: -1
+ state: present
+ when: user_info.failed
+
+ - name: "Add {{ account.username }} group"
+ ansible.builtin.group:
+ name: "{{ account.username }}"
+ state: present
+ when: user_info.failed
+
+ - name: "Add {{ account.username }} user to group"
+ ansible.builtin.user:
+ name: "{{ account.username }}"
+ groups: "{{ params.groups }}"
+ when:
+ - user_info.failed
+ - params.groups
+
+ - name: "Change {{ account.username }} password"
ansible.builtin.user:
name: "{{ account.username }}"
password: "{{ account.secret | password_hash('des') }}"
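Review bot: `when: user_info.failed` on the new "Add user" task treats every failure of the `getent` task as "user does not exist", because `ignore_errors: yes` swallows all errors, not only a missing key; if the `getent` binary is absent on the target (worth confirming on AIX) or the NSS/LDAP backend is unreachable, the play falls through to `ansible.builtin.user` with `state: present` on an account that does exist and rewrites its shell, home and groups from `params`. The `getent` module's `fail_key: false` option returns a null entry for a missing key instead of failing, so the test can be made explicit: drop `ignore_errors`, add `fail_key: false`, and guard the create/group/sudo tasks with `when: getent_passwd[account.username] is none` so any other failure still stops the play. The same pattern is repeated in the first hunk of change_secret/host/posix, push_account/host/aix and push_account/host/posix. Two smaller points in the same task: the module is invoked as bare `getent` while every other task uses the `ansible.builtin.` FQCN, and the inline comment is in Chinese — `# a missing user is the expected outcome here, not an error` states the same intent for all maintainers.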
@@ -12,31 +43,37 @@
ignore_errors: true
when: account.secret_type == "password"
- - name: create user If it already exists, no operation will be performed
- ansible.builtin.user:
- name: "{{ account.username }}"
- when: account.secret_type == "ssh_key"
- - name: remove jumpserver ssh key
ansible.builtin.lineinfile:
dest: "{{ ssh_params.dest }}"
regexp: "{{ ssh_params.regexp }}"
state: absent
when:
- - account.secret_type == "ssh_key"
- - ssh_params.strategy == "set_jms"
+ - account.secret_type == "ssh_key"
+ - ssh_params.strategy == "set_jms"
- - name: Change SSH key
+ - name: "Change {{ account.username }} SSH key"
ansible.builtin.authorized_key:
user: "{{ account.username }}"
key: "{{ account.secret }}"
exclusive: "{{ ssh_params.exclusive }}"
when: account.secret_type == "ssh_key"
+ - name: "Set {{ account.username }} sudo setting"
+ ansible.builtin.lineinfile:
+ dest: /etc/sudoers
+ state: present
+ regexp: "^{{ account.username }} ALL="
+ line: "{{ account.username + ' ALL=(ALL) NOPASSWD: ' + params.sudo }}"
+ validate: visudo -cf %s
+ when:
+ - user_info.failed
+ - params.sudo
- name: Refresh connection
ansible.builtin.meta: reset_connection
- - name: Verify password
+ - name: "Verify {{ account.username }} password"
ansible.builtin.ping:
become: no
vars:
@@ -45,7 +82,7 @@
ansible_become: no
when: account.secret_type == "password"
- - name: Verify SSH key
+ - name: "Verify {{ account.username }} SSH key"
ansible.builtin.ping:
become: no
vars:
diff --git a/apps/accounts/automations/change_secret/host/posix/main.yml b/apps/accounts/automations/change_secret/host/posix/main.yml
index 325ad644d..5ed6a10b4 100644
--- a/apps/accounts/automations/change_secret/host/posix/main.yml
+++ b/apps/accounts/automations/change_secret/host/posix/main.yml
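Review bot: The new sudo task interpolates `account.username` unescaped into `regexp: "^{{ account.username }} ALL="`, so a username containing regex metacharacters can match or miss the wrong sudoers line; `regexp: "^{{ account.username | regex_escape() }} ALL="` keeps the match literal. Because the task is also gated on `user_info.failed`, an account that already exists never has its `NOPASSWD` rule created or reconciled by change_secret, and a rule granted by an earlier run is never revoked when `params.sudo` is later cleared — confirm that is the intended contract and state it in a comment above the task, e.g. `# sudo rule is only written when this play created the account; existing accounts are left untouched`. `visudo -cf %s` validates syntax only; it does not constrain what `params.sudo` grants, so that value should be validated where it is entered.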
@@ -1,10 +1,17 @@
- hosts: demo
gather_facts: no
tasks:
- - name: Test privileged account
+ - name: "Test privileged {{ jms_account.username }} account"
ansible.builtin.ping:
- - name: Check user
+ - name: "Check if {{ account.username }} user exists"
+ getent:
+ database: passwd
+ key: "{{ account.username }}"
+ register: user_info
+ ignore_errors: yes # 忽略错误,如果用户不存在时不会导致playbook失败
+
+ - name: "Add {{ account.username }} user"
ansible.builtin.user:
name: "{{ account.username }}"
shell: "{{ params.shell }}"
@@ -12,19 +19,23 @@
groups: "{{ params.groups }}"
expires: -1
state: present
+ when: user_info.failed
- name: "Add {{ account.username }} group"
ansible.builtin.group:
name: "{{ account.username }}"
state: present
+ when: user_info.failed
- - name: Add user groups
+ - name: "Add {{ account.username }} user to group"
ansible.builtin.user:
name: "{{ account.username }}"
groups: "{{ params.groups }}"
- when: params.groups
+ when:
+ - user_info.failed
+ - params.groups
- - name: Change password
+ - name: "Change {{ account.username }} password"
ansible.builtin.user:
name: "{{ account.username }}"
password: "{{ account.secret | password_hash('sha512') }}"
@@ -32,11 +43,6 @@
ignore_errors: true
when: account.secret_type == "password"
- - name: create user If it already exists, no operation will be performed
- ansible.builtin.user:
- name: "{{ account.username }}"
- when: account.secret_type == "ssh_key"
- - name: remove jumpserver ssh key
ansible.builtin.lineinfile:
dest: "{{ ssh_params.dest }}"
@@ -46,14 +52,14 @@
- account.secret_type == "ssh_key"
- ssh_params.strategy == "set_jms"
- - name: Change SSH key
+ - name: "Change {{ account.username }} SSH key"
ansible.builtin.authorized_key:
user: "{{ account.username }}"
key: "{{ account.secret }}"
exclusive: "{{ ssh_params.exclusive }}"
when: account.secret_type == "ssh_key"
- - name: Set sudo setting
+ - name: "Set {{ account.username }} sudo setting"
ansible.builtin.lineinfile:
dest: /etc/sudoers
state: present
@@ -61,12 +67,13 @@
line: "{{ account.username + ' ALL=(ALL) NOPASSWD: ' + params.sudo }}"
validate: visudo -cf %s
when:
+ - user_info.failed
- params.sudo
- name: Refresh connection
ansible.builtin.meta: reset_connection
- - name: Verify password
+ - name: "Verify {{ account.username }} password"
ansible.builtin.ping:
become: no
vars:
@@ -75,7 +82,7 @@
ansible_become: no
when: account.secret_type == "password"
- - name: Verify SSH key
+ - name: "Verify {{ account.username }} SSH key"
ansible.builtin.ping:
become: no
vars:
diff --git a/apps/accounts/automations/push_account/host/aix/main.yml b/apps/accounts/automations/push_account/host/aix/main.yml
index 2dc10fdc2..8593c7534 100644
--- a/apps/accounts/automations/push_account/host/aix/main.yml
+++ b/apps/accounts/automations/push_account/host/aix/main.yml
@@ -1,10 +1,17 @@
- hosts: demo
gather_facts: no
tasks:
- - name: Test privileged account
+ - name: "Test privileged {{ jms_account.username }} account"
ansible.builtin.ping:
- - name: Push user
+ - name: "Check if {{ account.username }} user exists"
+ getent:
+ database: passwd
+ key: "{{ account.username }}"
+ register: user_info
+ ignore_errors: yes # 忽略错误,如果用户不存在时不会导致playbook失败
+
+ - name: "Add {{ account.username }} user"
ansible.builtin.user:
name: "{{ account.username }}"
shell: "{{ params.shell }}"
@@ -12,22 +19,26 @@
groups: "{{ params.groups }}"
expires: -1
state: present
+ when: user_info.failed
- name: "Add {{ account.username }} group"
ansible.builtin.group:
name: "{{ account.username }}"
state: present
+ when: user_info.failed
- - name: Add user groups
+ - name: "Add {{ account.username }} user to group"
ansible.builtin.user:
name: "{{ account.username }}"
groups: "{{ params.groups }}"
- when: params.groups
+ when:
+ - user_info.failed
+ - params.groups
- - name: Push user password
+ - name: "Change {{ account.username }} password"
ansible.builtin.user:
name: "{{ account.username }}"
- password: "{{ account.secret | password_hash('sha512') }}"
+ password: "{{ account.secret | password_hash('des') }}"
update_password: always
ignore_errors: true
when: account.secret_type == "password"
@@ -41,14 +52,14 @@
- account.secret_type == "ssh_key"
- ssh_params.strategy == "set_jms"
- - name: Push SSH key
+ - name: "Change {{ account.username }} SSH key"
ansible.builtin.authorized_key:
user: "{{ account.username }}"
key: "{{ account.secret }}"
exclusive: "{{ ssh_params.exclusive }}"
when: account.secret_type == "ssh_key"
- - name: Set sudo setting
+ - name: "Set {{ account.username }} sudo setting"
ansible.builtin.lineinfile:
dest: /etc/sudoers
state: present
@@ -56,12 +67,13 @@
line: "{{ account.username + ' ALL=(ALL) NOPASSWD: ' + params.sudo }}"
validate: visudo -cf %s
when:
+ - user_info.failed
- params.sudo
- name: Refresh connection
ansible.builtin.meta: reset_connection
- - name: Verify password
+ - name: "Verify {{ account.username }} password"
ansible.builtin.ping:
become: no
vars:
@@ -70,7 +82,7 @@
ansible_become: no
when: account.secret_type == "password"
- - name: Verify SSH key
+ - name: "Verify {{ account.username }} SSH key"
ansible.builtin.ping:
become: no
vars:
diff --git a/apps/accounts/automations/push_account/host/posix/main.yml b/apps/accounts/automations/push_account/host/posix/main.yml
index 2dc10fdc2..5ed6a10b4 100644
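Review bot: The switch to `password_hash('des')` caps the effective secret at 8 characters — traditional DES crypt ignores everything after the eighth byte — so a long generated secret is stored weaker than the vault records, and the later "Verify password" ping cannot detect it because login truncates the same way. If this is for AIX compatibility, say so on the line, e.g. `# AIX legacy crypt: DES truncates to 8 chars; stronger hashes depend on pwd_algorithm in /etc/security/login.cfg`, and consider taking the algorithm from `params` so hosts configured for a stronger `pwd_algorithm` are not silently downgraded. The same `des` hash appears as unchanged context in change_secret/host/aix, so the caveat applies there too.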
--- a/apps/accounts/automations/push_account/host/posix/main.yml
+++ b/apps/accounts/automations/push_account/host/posix/main.yml
@@ -1,10 +1,17 @@
- hosts: demo
gather_facts: no
tasks:
- - name: Test privileged account
+ - name: "Test privileged {{ jms_account.username }} account"
ansible.builtin.ping:
- - name: Push user
+ - name: "Check if {{ account.username }} user exists"
+ getent:
+ database: passwd
+ key: "{{ account.username }}"
+ register: user_info
+ ignore_errors: yes # 忽略错误,如果用户不存在时不会导致playbook失败
+
+ - name: "Add {{ account.username }} user"
ansible.builtin.user:
name: "{{ account.username }}"
shell: "{{ params.shell }}"
@@ -12,19 +19,23 @@
groups: "{{ params.groups }}"
expires: -1
state: present
+ when: user_info.failed
- name: "Add {{ account.username }} group"
ansible.builtin.group:
name: "{{ account.username }}"
state: present
+ when: user_info.failed
- - name: Add user groups
+ - name: "Add {{ account.username }} user to group"
ansible.builtin.user:
name: "{{ account.username }}"
groups: "{{ params.groups }}"
- when: params.groups
+ when:
+ - user_info.failed
+ - params.groups
- - name: Push user password
+ - name: "Change {{ account.username }} password"
ansible.builtin.user:
name: "{{ account.username }}"
password: "{{ account.secret | password_hash('sha512') }}"
@@ -41,14 +52,14 @@
- account.secret_type == "ssh_key"
- ssh_params.strategy == "set_jms"
- - name: Push SSH key
+ - name: "Change {{ account.username }} SSH key"
ansible.builtin.authorized_key:
user: "{{ account.username }}"
key: "{{ account.secret }}"
exclusive: "{{ ssh_params.exclusive }}"
when: account.secret_type == "ssh_key"
- - name: Set sudo setting
+ - name: "Set {{ account.username }} sudo setting"
ansible.builtin.lineinfile:
dest: /etc/sudoers
state: present
@@ -56,12 +67,13 @@
line: "{{ account.username + ' ALL=(ALL) NOPASSWD: ' + params.sudo }}"
validate: visudo -cf %s
when:
+ - user_info.failed
- params.sudo
- name: Refresh connection
ansible.builtin.meta: reset_connection
- - name: Verify password
+ - name: "Verify {{ account.username }} password"
ansible.builtin.ping:
become: no
vars:
@@ -70,7 +82,7 @@
ansible_become: no
when: account.secret_type == "password"
- - name: Verify SSH key
+ - name: "Verify {{ account.username }} SSH key"
ansible.builtin.ping:
become: no
vars: