
Managing Users and Groups on Linux with Ansible

2020-05-27 17:16:52 Author: 戴均益 Source: 云网牛站

On Linux every process runs as a particular user, and every file and directory is owned by a particular user. Access to those files and directories is restricted per user, which is why it matters to understand how user management is done on Linux, both as an ordinary user and as an administrator.

 

Local user and group information

1. Local user information

Information about local users is kept in /etc/passwd:

eugene@jCheredi:~$ tail -9 /etc/passwd

colord:x:121:126:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin

geoclue:x:122:127::/var/lib/geoclue:/usr/sbin/nologin

pulse:x:123:128:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin

gnome-initial-setup:x:124:65534::/run/gnome-initial-setup/:/bin/false

gdm:x:125:130:Gnome Display Manager:/var/lib/gdm3:/bin/false

eugene:x:1000:1000:Eugene,,,:/home/eugene:/bin/bash

systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin

mysql:x:126:133:MySQL Server,,,:/nonexistent:/bin/false

redis:x:127:134::/var/lib/redis:/usr/sbin/nologin

The fields are:

username:password:UID:GID:GECOS:home_directory:shell

The second field is just x on a modern system: the password hashes themselves live in /etc/shadow, which only root can read.

2. Group information

Groups also have IDs. Every user has exactly one primary group, by default a user private group (UPG) named after the user, and may additionally belong to supplementary groups, which grant access to further files and processes. Group information is kept in /etc/group:

eugene@jCheredi:~$ tail -9 /etc/group

gdm:x:130:

lxd:x:131:eugene

eugene:x:1000:

sambashare:x:132:eugene

systemd-coredump:x:999:

mysql:x:133:

redis:x:134:

vboxusers:x:135:

docker:x:136:

The fields are:

groupname:password:GID:<comma-separated list of users>

The member list holds supplementary members only. A user's primary group is recorded through the GID field of /etc/passwd, which is why the eugene:x:1000: line above lists nobody even though eugene (GID 1000) belongs to that group.

You have surely heard of the root user. root is the superuser: it holds every privilege on the system, overrides all file permissions, and is used to administer the machine. Normally we log in as an unprivileged user and obtain root privileges through sudo only when a task needs them.

As Linux administrators, our job includes managing user accounts: adding users, removing users, and so on. These tasks are easy to handle with Ansible (for installation see: Installing and configuring Ansible on RHEL 8/CentOS 8), and we will walk through them with Ansible playbooks. In Ansible, the user and group modules do the user-management work.

 

Common options of the Ansible group module and user module

1. Common options of the Ansible group module

name – the group name.

state – (present/absent) ensure the group exists or does not exist.

gid – set the group ID.

system – (yes/no) whether the group is created as a system group.

2. Common options of the Ansible user module

name – the user name.

password – the user's password hash; the value is written to /etc/shadow as is. Supply an already hashed value, or hash it inside the playbook with the password_hash filter, and keep the plaintext in Ansible Vault rather than in the playbook.

update_password – (always/on_create) whether to set the password on every run (always, the default) or only when the account is first created (on_create).

uid – set the user ID.

group – the user's primary group.

groups – the supplementary groups the user belongs to.

append – (yes/no) with yes, the user is added to the groups listed under groups and keeps any other supplementary groups it already has; with no (the default), the user's supplementary groups are replaced by exactly the listed ones, so an empty groups value removes the user from every supplementary group.

comment – set the GECOS field.

shell – set the user's login shell.

remove – (yes/no) with state: absent, also delete the user's home directory and mail spool, as userdel -r does.
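The caveats in the option list above are easy to miss in a long playbook, so here is a small pre-run check that flags them. This is an added example, not code from the article or from Ansible; tasks are the plain dicts Ansible sees after loading the YAML. PAGE_TASKS transcribes the tasks of the article's user.yml, and BAD_TASK is a constructed, deliberately careless task that shows what the checks catch.

```python
"""Pre-run checks for Ansible user tasks, keyed to the option caveats listed above.

Added example; not code from the article or from Ansible. Tasks are the plain
dicts Ansible itself sees after loading the YAML.
"""
import re

# Acceptable password values: an existing crypt(3) hash ($1$, $5$, $6$, $2b$, $y$ ...)
# or a Jinja expression that hashes the secret with the password_hash filter.
CRYPT_HASH_RE = re.compile(r"^\$(1|5|6|2[aby]|y|7)\$")
PASSWORD_HASH_FILTER_RE = re.compile(r"\{\{.*password_hash\(.*\}\}")


def _truthy(value):
    """Ansible accepts yes/true/1 for booleans; after YAML loading they may be bool or str."""
    return str(value).strip().lower() in ("yes", "true", "1", "on")


def lint_user_tasks(tasks):
    """Return (task name, finding) pairs for user-module tasks that look unsafe."""
    findings = []
    for task in tasks:
        name = task.get("name", "<unnamed>")
        args = task.get("user") or task.get("ansible.builtin.user")
        if not isinstance(args, dict):
            continue  # group module or some other module: nothing to check here

        password = args.get("password")
        if password is not None:
            value = str(password)
            if not (CRYPT_HASH_RE.match(value) or PASSWORD_HASH_FILTER_RE.search(value)):
                findings.append((name, "password is plaintext; pass a crypt hash or use password_hash"))
            if args.get("update_password", "always") != "on_create":
                findings.append((name, "update_password is always (default): the hash is rewritten on every run"))

        # groups without append: yes silently removes every supplementary group not listed
        if "groups" in args and not _truthy(args.get("append", "no")):
            findings.append((name, "groups without append: yes replaces the user's supplementary groups"))

        # state: absent without remove: yes leaves the home directory and mail spool behind
        if args.get("state") == "absent" and not _truthy(args.get("remove", "no")):
            findings.append((name, "state: absent without remove: yes leaves the home directory on disk"))

        # uid: 0 is a second root account, whatever the name says
        if str(args.get("uid", "")) == "0":
            findings.append((name, "uid: 0 creates an additional superuser account"))
    return findings


# Transcription of the tasks in the article's user.yml (vars omitted).
PAGE_TASKS = [
    {"name": "Add a simple user called janedoe",
     "user": {"name": "janedoe", "comment": "Jane Doe"}},
    {"name": "Add user anita with a password",
     "user": {"name": "anita",
              "password": "{{ vaulted_password | password_hash('sha512') }}",
              "update_password": "on_create"}},
    {"name": "Add a group called developer",
     "group": {"name": "developer", "state": "present"}},
    {"name": "Add a user johndoe and add them to a group developer",
     "user": {"name": "johndoe", "groups": "developer", "append": True}},
    {"name": "Add user jSmith and generate for them an SSH key",
     "user": {"name": "jSmith", "generate_ssh_key": True,
              "ssh_key_bits": 2048, "ssh_key_file": ".ssh/id_rsa"}},
    {"name": "Add user noHome with no home and set account to expire on certain date",
     "user": {"name": "noHome", "create_home": False, "expires": 1590155615}},
]

# Constructed bad task (hypothetical): plaintext password, default update_password,
# and groups without append.
BAD_TASK = {"name": "Add deploy user (constructed bad example)",
            "user": {"name": "deploy", "password": "hunter2", "groups": "docker"}}


if __name__ == "__main__":
    for task_name, finding in lint_user_tasks(PAGE_TASKS + [BAD_TASK]):
        print(f"{task_name}: {finding}")
```

Run against the article's own tasks the checker is silent; against BAD_TASK it reports three findings. Wire it into a pre-commit hook that loads the playbook with PyYAML and passes each play's tasks list to lint_user_tasks.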

 

Creating users and groups with Ansible

Playbook, user.yml:

---
- hosts: localhost  # change to your hosts
  become: yes
  vars:
    # NOTICE!!!:
    # DO NOT PUT PLAIN TEXT PASSWORDS HERE!
    # use encrypted passwords or put them in Ansible vault
    # but this is just a demo
    vaulted_password: mySecret.
  tasks:
    - name: Add a simple user called janedoe
      user:
        name: janedoe
        comment: Jane Doe
        # no shell given: the account gets the useradd default (/bin/sh on this host)

    - name: Add user anita with a password
      user:
        name: anita
        # password_hash picks a fresh random salt on every run, so the hash differs
        # each time; update_password: on_create keeps the task idempotent
        password: "{{ vaulted_password | password_hash('sha512') }}"
        update_password: on_create

    - name: Add a group called developer
      group:
        name: developer
        state: present

    - name: Add a user johndoe and add them to a group developer
      user:
        name: johndoe
        groups: developer
        append: yes  # keep any supplementary groups johndoe already has

    - name: Add user jSmith and generate for them an SSH key
      user:
        name: jSmith
        generate_ssh_key: yes
        ssh_key_bits: 2048  # applies to the default rsa type; ssh_key_type: ed25519 is also accepted
        ssh_key_file: .ssh/id_rsa

    - name: Add user noHome with no home and set account to expire on certain date
      user:
        name: noHome
        create_home: no
        # expires is seconds since the epoch; 1590155615 is 2020-05-22 UTC, so pick a future date
        expires: 1590155615

Run the playbook. I am running it against localhost on the Ansible control node itself, so the warning about the empty hosts list can be ignored:

$ ansible-playbook user.yml -K

BECOME password:

[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'

PLAY [localhost] *******************************************

TASK [Gathering Facts] *******************************************

ok: [localhost]

TASK [Add a simple user called janedoe] *******************************************

changed: [localhost]

TASK [Add user anita with a password] *******************************************

changed: [localhost]

TASK [Add a group called developer] *******************************************

changed: [localhost]

TASK [Add a user johndoe and add them to a group developer] *******************************************

changed: [localhost]

TASK [Add user jSmith and generate for them an SSH key] *******************************************

changed: [localhost]

TASK [Add user noHome with no home and set account to expire on certain date] *******************************************

changed: [localhost]

PLAY RECAP *******************************************

localhost                  : ok=7    changed=6    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

Check the users and groups. Note that johndoe's primary GID is 1004 because 1003 had already been taken by the developer group, and that noHome still has /home/noHome recorded in /etc/passwd even though create_home: no means the directory was never created:

eugene@jCheredi:~/Projects/Ansible/users$ tail -9 /etc/passwd

eugene:x:1000:1000:Eugene,,,:/home/eugene:/bin/bash

systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin

mysql:x:126:133:MySQL Server,,,:/nonexistent:/bin/false

redis:x:127:134::/var/lib/redis:/usr/sbin/nologin

janedoe:x:1001:1001:Jane Doe:/home/janedoe:/bin/sh

anita:x:1002:1002::/home/anita:/bin/sh

johndoe:x:1003:1004::/home/johndoe:/bin/sh

jSmith:x:1004:1005::/home/jSmith:/bin/sh

noHome:x:1005:1006::/home/noHome:/bin/sh

eugene@jCheredi:~/Projects/Ansible/users$ tail -9 /etc/group

redis:x:134:

vboxusers:x:135:

docker:x:136:

janedoe:x:1001:

anita:x:1002:

developer:x:1003:johndoe

johndoe:x:1004:

jSmith:x:1005:

noHome:x:1006:
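The listings above are what the playbook produced, but reading primary groups, supplementary groups and password state by eye across three files is error-prone. The following audit is an added example, not code from the article or from Ansible: PASSWD combines the post-playbook tail of /etc/passwd shown above, GROUP combines the two /etc/group listings on this page, and SHADOW is constructed here with placeholder hashes because the article never prints /etc/shadow. It also converts between the user module's expires value (epoch seconds) and the shadow expiry field (days since the epoch), which is where the noHome account's date comes from.

```python
"""Audit local accounts from passwd/group/shadow text.

Added example, not part of the article or of Ansible. PASSWD and GROUP are the
article's own listings; SHADOW is constructed with placeholder hashes.
"""
from datetime import date, timedelta

PASSWD = """\
eugene:x:1000:1000:Eugene,,,:/home/eugene:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
mysql:x:126:133:MySQL Server,,,:/nonexistent:/bin/false
redis:x:127:134::/var/lib/redis:/usr/sbin/nologin
janedoe:x:1001:1001:Jane Doe:/home/janedoe:/bin/sh
anita:x:1002:1002::/home/anita:/bin/sh
johndoe:x:1003:1004::/home/johndoe:/bin/sh
jSmith:x:1004:1005::/home/jSmith:/bin/sh
noHome:x:1005:1006::/home/noHome:/bin/sh
"""

GROUP = """\
eugene:x:1000:
redis:x:134:
vboxusers:x:135:
docker:x:136:
janedoe:x:1001:
anita:x:1002:
developer:x:1003:johndoe
johndoe:x:1004:
jSmith:x:1005:
noHome:x:1006:
"""

# Constructed shadow lines (name:hash:lastchange:min:max:warn:inactive:expire:flag).
# Hashes are placeholders; "!" marks an account with no usable password (locked).
# The expire field counts DAYS since 1970-01-01, not seconds like the module option.
SHADOW = """\
eugene:$6$saltsalt$notARealHashJustAPlaceholder:18400:0:99999:7:::
janedoe:!:18409:0:99999:7:::
anita:$6$othersalt$alsoAPlaceholderHash:18409:0:99999:7:::
johndoe:!:18409:0:99999:7:::
jSmith:!:18409:0:99999:7:::
noHome:!:18409:0:99999:7::18404:
"""

EPOCH = date(1970, 1, 1)
ARTICLE_DATE = date(2020, 5, 27)
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_passwd(text):
    """username:password:UID:GID:GECOS:home:shell -> dict keyed by username."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, gecos, home, shell = line.split(":", 6)
        users[name] = {"uid": int(uid), "gid": int(gid), "gecos": gecos, "home": home, "shell": shell}
    return users


def parse_group(text):
    """groupname:password:GID:member,member -> dict keyed by group name."""
    groups = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = {"gid": int(gid), "members": [m for m in members.split(",") if m]}
    return groups


def parse_shadow(text):
    """Return {user: (hash, expiry date or None)} from shadow text."""
    shadow = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        name, pw_hash, expire = fields[0], fields[1], fields[7]
        shadow[name] = (pw_hash, EPOCH + timedelta(days=int(expire)) if expire else None)
    return shadow


def expires_to_shadow_days(expires_seconds):
    """The user module's expires option is epoch seconds; shadow stores whole days."""
    return int(expires_seconds) // 86400


def account_report(passwd_text, group_text, shadow_text, today):
    users, groups, shadow = parse_passwd(passwd_text), parse_group(group_text), parse_shadow(shadow_text)
    gid_to_name = {g["gid"]: n for n, g in groups.items()}
    report = {}
    for name, u in users.items():
        if name in shadow:
            pw_hash, expiry = shadow[name]
            if pw_hash == "":
                pw_state = "EMPTY"  # login without any password: fix immediately
            elif pw_hash[0] in "!*":
                pw_state = "locked"
            else:
                pw_state = "hashed"
        else:
            pw_state, expiry = "no shadow entry", None
        report[name] = {
            "uid": u["uid"],
            "primary_group": gid_to_name.get(u["gid"], str(u["gid"])),
            # member lists in /etc/group carry only supplementary memberships
            "supplementary": sorted(g for g, info in groups.items() if name in info["members"]),
            "login_shell": u["shell"] not in NOLOGIN_SHELLS,
            "password": pw_state,
            "expired": expiry is not None and expiry <= today,
        }
    return report


if __name__ == "__main__":
    for user, info in account_report(PASSWD, GROUP, SHADOW, ARTICLE_DATE).items():
        print(f"{user:18} {info}")
```

On a real host, feed it the contents of the three files (reading /etc/shadow needs root) and review every account whose password state is EMPTY or whose login_shell is true but should not be.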

 

Deleting users with Ansible

Playbook, user_delete.yml (remove: yes deletes each user's home directory and mail spool, as userdel -r does; files the user owned elsewhere on the system are left untouched):

---
- hosts: localhost
  become: yes
  tasks:
    - name: Remove janedoe
      user:
        name: janedoe
        state: absent
        remove: yes  # also delete /home/janedoe and the mail spool

    - name: Remove anita
      user:
        name: anita
        state: absent
        remove: yes

    - name: Remove developer group
      group:
        name: developer
        state: absent

    - name: Remove johndoe
      user:
        name: johndoe
        state: absent
        remove: yes

    - name: Remove jSmith
      user:
        name: jSmith
        state: absent
        remove: yes

    - name: Remove noHome
      user:
        name: noHome
        state: absent
        remove: yes  # harmless here: noHome never had a home directory

Run the playbook:

eugene@jCheredi:~/Projects/Ansible/users$ ansible-playbook user_delete.yml -K

BECOME password:

[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'

PLAY [localhost] *******************************************

TASK [Gathering Facts] *******************************************

ok: [localhost]

TASK [Remove janedoe] *******************************************

changed: [localhost]

TASK [Remove anita] *******************************************

changed: [localhost]

TASK [Remove developer group] *******************************************

changed: [localhost]

TASK [Remove johndoe] *******************************************

changed: [localhost]

TASK [Remove jSmith] *******************************************

changed: [localhost]

TASK [Remove noHome] *******************************************

changed: [localhost]

PLAY RECAP *******************************************

localhost                  : ok=7    changed=6    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
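One thing the deletion run above does not show: remove: yes is userdel -r, so only the home directory and mail spool are gone. Any file the user owned elsewhere (a shared project directory, a cron spool, /tmp) keeps the numeric UID, and useradd hands the lowest free UID at or above UID_MIN (1000 on Debian/Ubuntu and RHEL) to the next account created, which then owns those leftovers. The following added example, not code from the article or from Ansible, makes both points concrete: BEFORE is the article's passwd tail after user.yml, AFTER is the same snapshot with the five deleted accounts taken out (constructed), and the directory scan runs on a temporary tree created here while pretending the running user's own account was just removed.

```python
"""UID reuse after userdel: what remove: yes leaves behind.

Added example, not code from the article or from Ansible. BEFORE is the
article's passwd listing after user.yml; AFTER is constructed from it by
dropping the five removed accounts.
"""
import os
import tempfile
from pathlib import Path

BEFORE = """\
eugene:x:1000:1000:Eugene,,,:/home/eugene:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
mysql:x:126:133:MySQL Server,,,:/nonexistent:/bin/false
redis:x:127:134::/var/lib/redis:/usr/sbin/nologin
janedoe:x:1001:1001:Jane Doe:/home/janedoe:/bin/sh
anita:x:1002:1002::/home/anita:/bin/sh
johndoe:x:1003:1004::/home/johndoe:/bin/sh
jSmith:x:1004:1005::/home/jSmith:/bin/sh
noHome:x:1005:1006::/home/noHome:/bin/sh
"""

AFTER = """\
eugene:x:1000:1000:Eugene,,,:/home/eugene:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
mysql:x:126:133:MySQL Server,,,:/nonexistent:/bin/false
redis:x:127:134::/var/lib/redis:/usr/sbin/nologin
"""

OWN_UID = os.getuid()


def used_uids(passwd_text):
    """Set of UIDs currently assigned in the given passwd text."""
    return {int(line.split(":")[2]) for line in passwd_text.splitlines() if line.strip()}


def next_free_uid(passwd_text, uid_min=1000, uid_max=60000):
    """Lowest unused UID in [uid_min, uid_max]: useradd's default choice."""
    used = used_uids(passwd_text)
    for uid in range(uid_min, uid_max + 1):
        if uid not in used:
            return uid
    raise RuntimeError("no free UID left in range")


def orphaned_files(root, known_uids):
    """Walk root and list (relative path, uid) for entries owned by a UID not in known_uids."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for entry in dirnames + filenames:
            full = os.path.join(dirpath, entry)
            uid = os.lstat(full).st_uid  # lstat: do not follow symlinks
            if uid not in known_uids:
                found.append((os.path.relpath(full, root), uid))
    return sorted(found)


def demo_scan():
    """Create a small tree, then scan it as if the running user's account had just been removed."""
    with tempfile.TemporaryDirectory() as tmp:
        shared = Path(tmp, "srv", "shared")
        shared.mkdir(parents=True)
        (shared / "report.csv").write_text("constructed sample file\n")
        # Every UID still in passwd except our own: our files become orphans.
        known = used_uids(AFTER) - {OWN_UID}
        return orphaned_files(tmp, known)


if __name__ == "__main__":
    print("next UID before deletion:", next_free_uid(BEFORE))  # 1006
    print("next UID after deletion: ", next_free_uid(AFTER))   # 1001, janedoe's old UID
    for path, uid in demo_scan():
        print(f"orphaned: {path} (uid {uid})")
```

The equivalent one-liner on a real host is find / -xdev -nouser, run before the next account is created; chown or delete what it reports, or pin UIDs explicitly with the uid option so a departed user's number is never handed out again.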

 

Conclusion

This covers the basics of managing users and groups on Linux with Ansible. The user and group modules offer many more options than shown here; explore them as your needs grow.

 

Related topics

Generating encrypted Linux user passwords for Ansible with Python 3/2 or mkpasswd
