#
# edX Configuration
#
# github: https://github.com/edx/configuration
# wiki: https://openedx.atlassian.net/wiki/display/OpenOPS
# code style: https://openedx.atlassian.net/wiki/display/OpenOPS/Ansible+Code+Conventions
# license: https://github.com/edx/configuration/blob/master/LICENSE.TXT
#
# Usage: ansible-playbook -i lms-host-1, -e@/path/to/group/configfile -e@/path/to/user/configfile manage_edxapp_users_and_groups.yml
#
# Overview:
# This playbook ensures that the specified users and groups exist in the targeted
# edxapp cluster.
#
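# Users have the following properties:
# - username (required, str)
# - email (required, str)
# - groups (optional, list[str])
# - superuser (optional, bool)
# - staff (optional, bool)
# - remove (optional, bool): ensures the user does not exist
# - unusable_password (optional, bool): ensures the password is unusable
# - initial_password_hash (optional, str): an already-hashed password (never
#   plaintext), passed to manage_user as --initial-password-hash; see the
#   "zoe" example below for the format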
#
# Groups can have the following properties:
# - name (required, str)
# - permissions (optional, list[str])
# - remove (optional, bool): ensures the group does not exist
#
# Example:
#
# (the @example.com addresses below are placeholders)
#
# users:
#   - username: bobby
#     email: bobby@example.com
#     groups: [group1, group2]
#     superuser: true
#     staff: true
#
#   - username: fred
#     email: fred@smith
#     remove: true
#
#   - username: smitty
#     email: smitty@example.com
#     groups: [group1]
#
#   - username: frank
#     email: frank@example.com
#     staff: false
#     superuser: false
#     unusable_password: true
#     groups: []
#
#   - username: zoe
#     email: zoe@example.com
#     initial_password_hash: 'pbkdf2_sha256$20000$levJ6jdVYCsu$gdBLGf2DNPqfaKdcETXtFocRU8Kk+sMsIvKkmw1dKbY='
#
# groups:
#   - name: group3
#     remove: true
#
#   - name: group1
#     permissions:
#       - permission1
#       - permission2
#
#   - name: group2
#     permissions: [permission3]
#
# NB: to get a list of all available permissions, run the following code:
#
#   from django.contrib.auth.models import Permission
#   for perm in Permission.objects.all():
#       print('{}:{}:{}'.format(perm.content_type.app_label, perm.content_type.model, perm.codename))
#
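# Play: loop over `django_groups` and `django_users` (supplied with -e@file)
# and call the LMS `manage_group` / `manage_user` management commands once per
# item, so that each listed group/user is created, updated or removed.
- hosts: all
  vars:
    # Environment file sourced by the shell before each management command.
    env_path: /edx/app/edxapp/edxapp_env
    python_path: /edx/bin/python.edxapp
    manage_path: /edx/bin/manage.edxapp
    # When true, a failing manage_user call does not fail the play
    # (see failed_when on the "Manage users" task).
    ignore_user_creation_errors: false
    # Django settings module name; taken from EDXAPP_SETTINGS when provided.
    deployment_settings: "{{ EDXAPP_SETTINGS | default('production') }}"
  vars_files:
    # presumably the source of `common_web_user` used below; verify.
    - roles/common_vars/defaults/main.yml
  tasks:
    # Every templated value that reaches the shell goes through `quote`, so a
    # group name, permission, path or settings value containing spaces or
    # shell metacharacters is passed as a single literal argument.
    - name: Manage groups
      shell: >
        . {{ env_path | quote }} && {{ python_path | quote }} {{ manage_path | quote }} lms --settings={{ deployment_settings | quote }}
        manage_group {{ item.name | quote }}
        {% if item.get('permissions', []) | length %}--permissions {{ item.permissions | default([]) | map('quote') | join(' ') }}{% endif %}
        {% if item.get('remove') %}--remove{% endif %}
      with_items: "{{ django_groups }}"
      # Run as the web application user rather than as the connecting user.
      become: true
      become_user: "{{ common_web_user }}"

    # NOTE(review): `initial_password_hash` is passed as a command-line
    # argument, so it appears in the rendered command that Ansible prints and
    # registers for this task and in the target host's process list while the
    # command runs. If these hashes are sensitive in your environment,
    # consider `no_log: true` here (at the cost of hiding failure details).
    - name: Manage users
      shell: >
        . {{ env_path | quote }} && {{ python_path | quote }} {{ manage_path | quote }} lms --settings={{ deployment_settings | quote }}
        manage_user {{ item.username | quote }} {{ item.email | quote }}
        {% if item.get('groups', []) | length %}--groups {{ item.groups | default([]) | map('quote') | join(' ') }}{% endif %}
        {% if item.get('remove') %}--remove{% endif %}
        {% if item.get('superuser') %}--superuser{% endif %}
        {% if item.get('staff') %}--staff{% endif %}
        {% if item.get('unusable_password') %}--unusable-password{% endif %}
        {% if item.get('initial_password_hash') %}--initial-password-hash {{ item.initial_password_hash | quote }}{% endif %}
      with_items: "{{ django_users }}"
      register: manage_users_result
      # Fail only when the command failed AND errors are not being ignored.
      # NOTE(review): `| failed` is the filter form of the test; Ansible 2.9
      # removed it in favour of `manage_users_result is failed` (available
      # since 2.5). Kept as-is because the target Ansible version is not
      # visible here.
      failed_when: (manage_users_result | failed) and not (ignore_user_creation_errors | bool)
      become: true
      become_user: "{{ common_web_user }}"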