Say goodbye to manual operations! Use Ansible user module to efficiently manage Linux accounts

Say goodbye to manual operations! Use Ansible user module to efficiently manage Linux accounts

In an enterprise operation and maintenance environment, server user management is a basic but very important task. For example, when new employees join, we need to create accounts for them on multiple servers and assign appropriate permissions. When employees leave or their positions change, we also need to quickly disable or delete their accounts to avoid potential security risks.

If we use manual methods to complete these tasks, we need to execute a series of commands on each server one by one, such as useradd, passwd, and chage, which is not only time-consuming and labor-intensive, but also prone to errors. Fortunately, Ansible provides a very convenient user module that can help us efficiently manage batch users, thereby ensuring the security and consistency of operations.

The core functions of the user module

To learn more about the user module, we can use the ansible-doc command. Simply run the following command to view relevant information:

 ansible-doc -s user

After successfully executing the above command, the following result will be displayed:

The user module provides many practical functions, including the following:

  • Create or delete a user
  • Set password
  • Specify the user's UID and GID
  • Specify the group to which the user belongs
  • Create a home directory
  • Setting Shell
  • Setting up SSH public key authentication

Description of common parameters:

parameter

effect

name

Specify Username

state

present (create user) or absent (delete user)


password

User password (encryption required)

uid

Specifying User UID

group

Specify the group to which the user belongs

groups

Specify the groups to which the user is attached

home

Specify the home directory path

shell

Specify the default shell, such as /bin/bash

create_home

Whether to create a home directory (default yes)

remove

Whether to delete the home directory when absent

expires

Specify password expiration time (timestamp format)

Practical case analysis

Case 1: Create development team accounts in batches

Requirement: Create accounts for 3 new developers, requiring:

  • Create the home directory /home/dev_username
  • Join the docker and git additional groups
  • Disable SSH password login
  • Set initial password
 - name:Createdeveloperaccounts hosts:dev_servers become:yes vars: developers: -{name:'alice',uid:2001} -{name:'bob', uid:2002} -{name:'charlie',uid:2003} tasks: -name:Createdeveloperusers ansible.builtin.user: name:"{{ item.name }}" uid:"{{ item.uid }}" groups:docker,git append:yes shell:/bin/bash password:"$6$rounds=656000$SAlt1234$XH6X8L8Dz4tdj.7WZ2TvWUDO2w/lk5sABC1234ABCDefgHIJKLmnopqrSTUVWXYZ" generate_ssh_key:yes ssh_key_bits:4096 create_home:yes loop:"{{ developers }}"

Key points:

  • Using loop to create batches
  • The password parameter uses the hash ciphertext generated by crypt in Python
  • Automatically generate a 4096-bit RSA key pair
  • Keep the default primary group and attach to both the docker and git groups

You can create users in batches by executing the following command:

 ansible-playbook Create_developer_accounts.yml

After successful creation, you can see the results as shown below:

Case 2: Configuring Sudo Permissions for Operation and Maintenance Accounts

Create an opsadmin account and grant it password-free sudo permissions

 - name:Configureopsadmin hosts:dev_servers become:yes tasks: -name:Createopsuser ansible.builtin.user: name:opsadmin groups:wheel shell:/bin/bash comment:"Operations Administrator" -name:Configurepasswordlesssudo ansible.builtin.lineinfile: path:/etc/sudoers line:'opsadmin ALL=(ALL) NOPASSWD:ALL' validate:'visudo -cf %s'

validate: 'visudo -cf %s':

  • Run visudo -cf /etc/sudoers to check syntax before modifying.
  • Prevent errors in writing the sudoers file and prevent the system from being unable to use sudo.
 ansible-playbook Configure_ops_admin.yml

After successfully executing the above command, you will see the result as shown below:

Case 3: Safely delete former users

Requirement: Safely remove accounts of former employees, delete users but retain home directories.

 - name:Removedeprecatedusers hosts:dev_servers become:yes vars: departed_users:['alice','bob'] tasks: -name:Removeuseraccounts ansible.builtin.user: name:"{{ item }}" state:absent remove:no# 不删除主目录loop:"{{ departed_users }}"

After successfully executing the following command, the defined user will be deleted, but the deleted user's home directory will be retained, as shown in the following figure:

 ansible-playbook Remove_deprecated_users.yml

Case 4: Disable User

Requirement: Disable the charlie account but do not delete it, making sure its home directory is still retained.

 - name:禁用用户hosts:dev_servers become:yes tasks: -name:锁定charlie账户ansible.builtin.user: name:charlie password_lock:yes

Successfully executing the following command will produce the following result:

 ansible-playbook lock_charlie.yml

Summarize

Ansible's user module provides powerful automation capabilities for Linux server user management, which can greatly improve operation and maintenance efficiency and reduce human errors. This article demonstrates the following key functions through typical scenarios:

  • Create batches of users and assign permissions
  • Configure Sudo permissions for the operation and maintenance account
  • Disable User
  • Delete the user and keep the home directory

Through these cases, I believe you have mastered the basic usage of the user module and can apply it flexibly in actual work. I hope this tutorial can help you manage server users more easily and improve your operation and maintenance automation capabilities!

<<: 

>>: 

Recommend

Wenku: We need to further explore 5G applications

[[351795]] On November 6, the State Council Infor...

What kind of ERP system do we need in the post-epidemic era?

In recent years, as the Internet has gradually pe...

All in ONE! Borei Data launches an integrated intelligent observability platform

On May 20, Borei Data officially launched the int...

5G+ marks the next big shift for Asia’s industry

COVID-19 has been one of the biggest disruptors i...

5 Fast-Developing Technology Trends in the Network Industry in 2017

At the start of every new year, experts and forec...

Say hello politely - TCP protocol three-way handshake

The Art of Communication What is the most basic a...

Cisco ushers in a new era of networking

The recent WannaCry ransomware cyberattack target...

How Next-Generation Data Centers and 5G Can Transform Healthcare

Data centers are breaking free from physical limi...

5G is coming, do I need to change my SIM card?

2019 is the first year of 5G. With the issuance o...

"Disruption" or "Pie in the sky", what is the charm of OpenRAN?

OpenRAN (Open Radio Access Network) seems to be v...

What are the main measures and methods to deal with data center downtime?

While data centers are designed to not fail in th...