added fail block for create user

89a24f01 · Weise, Martin · f6d260b7 · 89a24f01 · 89a24f01 · 89a24f01
Verified Commit 89a24f01 authored 3 years ago by Weise, Martin
--- a/create-user.yml
+++ b/create-user.yml
@@ -11,7 +11,7 @@
 ### ARGS:
 ###     username    The user common name, cannot contain spaces,
 ###                     is only lowercase alphanumeric (e.g. client1, foobar).
-###     role_type   The role type of the user, must be one of sysadmin, dbadmin, owner, analyst, provider
+###     role_type   The role type of the user, must be one of sysadmins, dbadmins, owners, analysts, providers
 ###
 ### SIDE EFFECTS:
 ###     - Creates new credentials on the identity node.
@@ -33,7 +33,7 @@
    - name: Check role
      fail: msg='Necessary variables are not entirely present'
-      when: role_type not in ['sysadmin', 'dbadmin', 'owner', 'analyst', 'provider']
+      when: role_type not in ['sysadmins', 'dbadmins', 'owners', 'analysts', 'providers']
      delegate_to: 127.0.0.1
 # IDENTITY
@@ -60,13 +60,9 @@
      private: no
    - name: pubkey
-      prompt: Absolute path to the public key of the user account?
+      prompt: Path to the ssh public key of the user account?
      private: no
  tasks:
-    - name: Check pubkey
-      debug:
-        msg: Sanity check for private key
    - name: Authenticate
      shell: "echo '{{ idm_adm_passwd }}' | kinit admin"
      no_log: true
@@ -74,7 +70,7 @@
    - name: Configure identities
      block:
        - name: Create account
-          command: ipa user-add {{ username }} --first="{{ first }}" --last="{{ last }}" --email="{{ email }}" --phone="{{ phone }}" --sshpubkey="{{ lookup('file', pubkey) }}" --random
+          command: ipa user-add {{ username }} --first="{{ first }}" --last="{{ last }}" --email="{{ email }}" --phone="{{ phone }}" --sshpubkey="{{ lookup('file', pubkey) }}" --shell=/bin/false --random
          register: ipa_result
          no_log: true
@@ -86,7 +82,17 @@
          no_log: true
          vars:
            regexp: '.*Random password: ([^\n]+)'
+      rescue:
+        - name: Remove account
+          command: ipa group-remove-member {{ role_type }} --users={{ username }}
+          ignore_errors: true
+        - name: Remove account
+          command: ipa user-del {{ username }}
+          ignore_errors: true
+        - fail:
+            msg: Configuration of identities failed
 # VPN PROFILE
@@ -107,8 +113,8 @@
            msg:
              - "Credentials:"
              - ""
-              - "  Username: {{ username }}"
+              - "  Username:         {{ username }}"
-              - "  Password: {{ random_passwd[0] }}"
+              - "  Initial Password: {{ random_passwd[0] }}"
              - ""
              - "The OpenVPN profile is located at /tmp/{{ username }}.ovpn on this computer"
              - "Provide it to the user through a secure channel."

--- a/roles/setup_node/templates/identity.cfg.j2
+++ b/roles/setup_node/templates/identity.cfg.j2
@@ -75,9 +75,11 @@ write_files:
      ipa group-add providers --desc='Data provider group'
      logger "Create default accounts"
      echo '{{ idm_sysadmin_passwd }}' | ipa user-add sysadmin --first="{{ idm_sysadmin_first }}" --last="{{ idm_sysadmin_last }}" --email="{{ idm_sysadmin_email }}" --phone="{{ idm_sysadmin_phone }}" --sshpubkey="{{ lookup('file', sysadmin_pubkey) }}" --password
-      echo '{{ idm_dbadmin_passwd }}' | ipa user-add dbadmin --first="{{ idm_dbadmin_first }}" --last="{{ idm_dbadmin_last }}" --email="{{ idm_dbadmin_email }}" --phone="{{ idm_dbadmin_phone }}" --sshpubkey="{{ lookup('file', dbadmin_pubkey) }}" --password
+      echo '{{ idm_dbadmin_passwd }}' | ipa user-add dbadmin --first="{{ idm_dbadmin_first }}" --last="{{ idm_dbadmin_last }}" --email="{{ idm_dbadmin_email }}" --phone="{{ idm_dbadmin_phone }}" --sshpubkey="{{ lookup('file', dbadmin_pubkey) }}" --shell=/bin/false --password
      logger "Assign accounts to groups"
      ipa group-add-member sysadmins --users=sysadmin
+      ipa group-add-member admins --users=sysadmin
+      ipa group-add-member "trust admins" --users=sysadmin
      ipa group-add-member dbadmins --users=dbadmin
  - path: /root/rng-init

--- a/roles/setup_node/templates/vpn.cfg.j2
+++ b/roles/setup_node/templates/vpn.cfg.j2
@@ -40,9 +40,16 @@ write_files:
    content: |
      #!/bin/bash
      logger "Configuring firewalld ..."
-      /bin/firewall-offline-cmd --add-port=1194/udp
+      /bin/firewall-offline-cmd --zone=public --add-port=1194/udp
-      /bin/firewall-offline-cmd --add-masquerade
+      /bin/firewall-offline-cmd --zone=public --add-masquerade
-      /bin/firewall-offline-cmd --list-all
+      /bin/firewall-offline-cmd --zone=public --remove-interface=eth3         # provider
+      /bin/firewall-offline-cmd --zone=public --list-all
+      #/bin/firewall-offline-cmd --new-zone=private
+      #/bin/firewall-offline-cmd --zone=private --add-service=ssh
+      #/bin/firewall-offline-cmd --zone=private --add-masquerade
+      #/bin/firewall-offline-cmd --zone=private --add-interface=eth3           # provider
+      #/bin/firewall-offline-cmd --zone=private --add-source=10.8.0.2
+      #/bin/firewall-offline-cmd --zone=private --list-all
      /bin/systemctl enable firewalld
      /bin/systemctl start firewalld

--- a/setup_users.yml
+++ b/setup_users.yml
---
-########################################################################################################################
-### NAME: setup_users.yml
-###
-### DESCRIPTION:
-###     Creates the user groups, default user accounts for sysadmin and dbadmin, vpn credentials for both
-###
-### PURPOSE:
-###     Setup script.
-###
-### ARGS:
-###     /
-###
-### SIDE EFFECTS:
-###     - Creates the default users.
-###
-########################################################################################################################
-### DO NOT CHANGE BELOW THIS LINE ######################################################################################
-########################################################################################################################
-# USERS
- hosts: proidentity
-  become: yes
-  vars_files:
-    - vars/vms.yml
-    - vars/secure.yml
-  tasks:
-    - name: Authenticate
-      shell: "echo '{{ idm_adm_passwd }}' | kinit admin"
-      no_log: true
-    - name: Create group
-      command: "ipa group-add {{ item.group }} --desc='{{ item.description }}'"
-      loop:
-        - group: sysadmins
-          description: System administrators group
-        - group: dbadmins
-          description: Database administrators group
-        - group: owners
-          description: Data owner group
-        - group: analysts
-          description: Analyst group
-        - group: providers
-          description: Data provider group
-# POST SET-UP
- hosts: controlnode
-  vars_files:
-    - vars/vms.yml
-  tasks:
-    - debug:
-        msg:
-          - "The set-up is now finished, next steps:"
-          - ""
-          - "  1. Copy the OpenVPN profile /home/sysadmin/sysadmin.ovpn from the VPN node ({{ vpn_ip }})"
-          - "  2. Copy the OpenVPN profile /root/dbadmin.ovpn from the VPN node ({{ vpn_ip }})"
-    - name: Clean up
-      meta: clear_facts
\ No newline at end of file