Creating users and passwords in bulk with Ansible


When new staff replace old ones, a round of password changes is due; the same applies when the password policy expires and rotation is required, for example once a quarter.

The password lookup plugin

Use the password lookup together with the user module's password parameter to create the user and set its password:

[root@manager project]# ansible -i hosts all -m user -a "name=testuser1 password={{ lookup('password','testuser1-pwd.txt  length=12 encrypt=sha512_crypt') }}"
10.100.235.221 | CHANGED => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "append": false,
    "changed": true,
    "comment": "",
    "group": 1003,
    "home": "/home/testuser1",
    "move_home": false,
    "name": "testuser1",
    "password": "NOT_LOGGING_PASSWORD",
    "shell": "/bin/bash",
    "state": "present",
    "uid": 1003
}
10.100.235.196 | CHANGED => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "append": false,
    "changed": true,
    "comment": "",
    "group": 1003,
    "home": "/home/testuser1",
    "move_home": false,
    "name": "testuser1",
    "password": "NOT_LOGGING_PASSWORD",
    "shell": "/bin/bash",
    "state": "present",
    "uid": 1003
}
10.100.235.222 | CHANGED => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "append": false,
    "changed": true,
    "comment": "",
    "group": 1003,
    "home": "/home/testuser1",
    "move_home": false,
    "name": "testuser1",
    "password": "NOT_LOGGING_PASSWORD",
    "shell": "/bin/bash",
    "state": "present",
    "uid": 1003
}

The generated password is saved in the file testuser1-pwd.txt on the control node:

[root@manager project]# cat testuser1-pwd.txt
0c4eTRzjHVan salt=dmqWMjp3

Commonly used parameters of the password plugin

  • chars: defines which character classes the password is built from
    • ascii_lowercase
    • ascii_uppercase
    • digits
    • hexdigits
    • octdigits
    • printable
    • punctuation
  • encrypt: hashing algorithm applied to the plaintext
    • passlib.hash
    • md5_crypt
    • bcrypt
    • sha256_crypt
    • sha512_crypt
  • length: password length, default 20

Creating a password from a custom character set

[root@manager project]# ansible -i hosts all -m user -a "name=testuser1 password={{ lookup('password','testuser1-pwd.txt chars="#abcd$^" length=12 encrypt=sha512_crypt') }}"

[root@manager project]# cat testuser1-pwd.txt
c$b$acb$#$d^ salt=8oTGvrm9

# The password file must be deleted first, otherwise the existing password is reused and nothing changes
[root@k8s-master project]# rm -rf  testuser1-pwd.txt
[root@k8s-master project]# ansible -i hosts all -m user -a "name=testuser1 password={{ lookup('password','testuser1-pwd.txt chars=ascii_lowercase,"#$^." length=12 encrypt=sha512_crypt') }}"
[root@k8s-master project]# cat testuser1-pwd.txt
lqkpaecv.xd. salt=zU8Ks5Mg

Setting users and passwords with a playbook

The same username gets the same password on every node; different usernames get different passwords.

[root@manager project]# cat test-set-user-password.yaml
---
- hosts: all
  tasks:
    - name: Create remote user and set pwd
      user:
        name: "{{ item }}"
        password: "{{ lookup('password','userpwd/' + item + ' chars=ascii_lowercase,\"#$^.\" length=12 encrypt=sha512_crypt') }}"
        state: present
      with_items:
        - xadocker1
        - xadocker2
        - xadocker3

Run the playbook

[root@manager project]# ansible-playbook -i hosts test-set-user-password.yaml

PLAY [query] *******************************************************************************************************************************************************

TASK [Gathering Facts] *********************************************************************************************************************************************
ok: [10.100.235.222]
ok: [10.100.235.196]
ok: [10.100.235.221]

TASK [Create remote user and set pwd] ******************************************************************************************************************************
changed: [10.100.235.196] => (item=xadocker1)
changed: [10.100.235.221] => (item=xadocker1)
changed: [10.100.235.222] => (item=xadocker1)
changed: [10.100.235.196] => (item=xadocker2)
changed: [10.100.235.221] => (item=xadocker2)
changed: [10.100.235.222] => (item=xadocker2)
changed: [10.100.235.196] => (item=xadocker3)
changed: [10.100.235.221] => (item=xadocker3)
changed: [10.100.235.222] => (item=xadocker3)

PLAY RECAP *********************************************************************************************************************************************************
10.100.235.196             : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
10.100.235.221             : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
10.100.235.222             : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

# View the generated passwords
[root@manager project]# grep .* userpwd/*
grep: ..: Is a directory
userpwd/xadocker1:t#xltgicfjvj salt=AfxQqA2r
userpwd/xadocker2:ohmq^qgudlaw salt=ExJYg3r4
userpwd/xadocker3:#z$baecwuei^ salt=P698Xz49

The usernames are the same across nodes, and each user has its own password (one file per user, so a given user's password is identical on every node).

If you want the same user on every node but a different password per node, add the seed parameter to the password lookup and set it to:

seed=inventory_hostname
[root@manager project]# cat test-set-user-password.yaml
- hosts: all
  tasks:
    - name: Create remote user and set pwd
      user:
        name: "{{ item }}"
        password: "{{ lookup('password','userpwd/' + item + inventory_hostname + ' chars=ascii_lowercase,\"#$^.\" length=12 encrypt=sha512_crypt', seed=inventory_hostname )}}"
        state: present
      with_items:
        - xadocker1
        - xadocker2
        - xadocker3

Run result

[root@manager project]# ansible-playbook -i hosts test-set-user-password.yaml

PLAY [query] *********************************************************************************************************************************************************************************************************

TASK [Gathering Facts] ***********************************************************************************************************************************************************************************************
ok: [10.100.235.221]
ok: [10.100.235.222]
ok: [10.100.235.196]

TASK [Create remote user and set pwd] ********************************************************************************************************************************************************************************
changed: [10.100.235.221] => (item=xadocker1)
changed: [10.100.235.222] => (item=xadocker1)
changed: [10.100.235.196] => (item=xadocker1)
changed: [10.100.235.221] => (item=xadocker2)
changed: [10.100.235.196] => (item=xadocker2)
changed: [10.100.235.222] => (item=xadocker2)
changed: [10.100.235.221] => (item=xadocker3)
changed: [10.100.235.196] => (item=xadocker3)
changed: [10.100.235.222] => (item=xadocker3)

PLAY RECAP ***********************************************************************************************************************************************************************************************************
10.100.235.196             : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
10.100.235.221             : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
10.100.235.222             : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

The passwords are:

[root@manager project]# grep .* userpwd/*
grep: ..: Is a directory
userpwd/xadocker110.100.235.196:rbrv.^omwpux salt=pMSFiJqm
userpwd/xadocker110.100.235.221:s#mxgyvktvbg salt=USghNgZY
userpwd/xadocker110.100.235.222:#scpmqmhcsdm salt=50ic14Wh
userpwd/xadocker210.100.235.196:.^absd#.nb$c salt=DACOqVY2
userpwd/xadocker210.100.235.221:t$kthnzxutvf salt=LYDlACfz
userpwd/xadocker210.100.235.222:mdqwuitnpstc salt=BpfQNuxM
userpwd/xadocker310.100.235.196:fabfxvcouhgw salt=BozTS/XE
userpwd/xadocker310.100.235.221:.kz$nrq#asie salt=ujexkpAi
userpwd/xadocker310.100.235.222:ukla.cabamuh salt=i5BwqOsE
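To make the seeding and caching behaviour concrete, here is an added Python model of the lookup (not Ansible's own code; the file layout, the "@" seed separator and the cache logic are this example's assumptions, modelled on the documented semantics that identical seeds yield identical passwords). It expands a chars= spec, caches the generated password in a file so that rotation requires deleting the file, and shows that seeding with inventory_hostname alone gives every user on a host the same plaintext, while a seed combining user and host does not.

```python
import random
import secrets
import string
import tempfile
from pathlib import Path

CHAR_CLASSES = {n: getattr(string, n) for n in (  # classes accepted by chars= (listed on this page)
    "ascii_lowercase", "ascii_uppercase", "digits", "hexdigits",
    "octdigits", "printable", "punctuation")}
CHARS = 'ascii_lowercase,"#$^."'  # the chars= spec used in the playbooks above

def parse_chars(spec):
    """Expand a chars= spec: comma-separated class names or double-quoted literal sets."""
    alphabet = ""
    for part in (s.strip() for s in spec.split(",")):
        if len(part) >= 2 and part[0] == part[-1] == '"':
            alphabet += part[1:-1]
        else:
            alphabet += CHAR_CLASSES[part]  # KeyError on an unknown class name
    return alphabet

def make_password(chars, length=20, seed=None):
    """No seed: CSPRNG. With a seed: random.Random(seed), so equal seeds give equal passwords."""
    alphabet = parse_chars(chars)
    rng = secrets.SystemRandom() if seed is None else random.Random(seed)
    return "".join(rng.choice(alphabet) for _ in range(length))

def lookup_password(path, chars=CHARS, length=12, seed=None):
    """Return the password cached in path, creating it on first use. As with
    the lookup, an existing file wins, so rotating means deleting the file."""
    p = Path(path)
    if p.exists():
        return p.read_text().split(" salt=")[0]
    pwd = make_password(chars, length, seed)
    salt = "".join(secrets.choice(string.ascii_letters + string.digits) for _ in range(8))
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_text(f"{pwd} salt={salt}\n")  # same "plaintext salt=..." layout as the page's files
    return pwd

def demo(users=("xadocker1", "xadocker2"), hosts=("10.100.235.196", "10.100.235.221")):
    """Replay the scenario in a temp dir: passwords seeded by host only, by user+host, and a cache hit."""
    by_host, by_user_host = {}, {}
    with tempfile.TemporaryDirectory() as d:
        for u in users:
            for h in hosts:
                by_host[(u, h)] = lookup_password(f"{d}/host/{u}-{h}", seed=h)
                by_user_host[(u, h)] = lookup_password(f"{d}/uh/{u}-{h}", seed=f"{u}@{h}")
        # A second call for an existing file returns the stored password whatever the seed.
        cached = lookup_password(f"{d}/host/{users[0]}-{hosts[0]}", seed="rotated")
    return by_host, by_user_host, cached
```

In the play, a seed such as item ~ '@' ~ inventory_hostname gives the same per-user separation, and the per-host file name in the playbook above already keeps the cached files apart.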

Reference, official documentation: https://docs.ansible.com/ansible/latest/collections/ansible/builtin/password_lookup.html#ansible-collections-ansible-builtin-password-lookup

Copyright notice: original article on this site, published by xadocker on 2019-03-29.
Reprint notice: unless otherwise stated, articles on this site are published under the CC-4.0 licence; please credit the source when reprinting.