Ensure admin_user can connect before disabling root #345

Merged
merged 1 commit into from
Sep 17, 2015

@fullyint fullyint commented Sep 9, 2015

Resolves #294

Only merge after #344 which converts sshd_permit_root_login to boolean.

- name: Fail if root login will be disabled but admin_user cannot connect
  fail:
    msg: 'Halting playbook before disabling root login (`sshd_permit_root_login: false`) because the admin_user appears unable to connect. Ensure that the admin_user appears in your `users` hash with a valid entry for `keys`.'
  when: not sshd_permit_root_login and admin_user_status.rc != 0

Member

when: not sshd_permit_root_login and admin_user_status|failed

Think that's the same

Contributor Author

Nice. Thanks. I'll use that instead.

@fullyint
Contributor Author

I added a commit with adjustments to handle this scenario:

Imagine root login was disabled on a previous run of server.yml. Now someone removes sudo from their admin_user's groups and reprovisions. The "Setup users" task would remove the admin_user from the sudo group and now Ansible has no sudoers. To prevent that, we need to verify that sudo is in groups (and potentially fail) before running "Setup users".

However, the check for whether admin_user can connect to the server must be run later, after the "Add SSH keys" task.

So, our checks for sudo and general connectivity are necessarily separated within the users role.

Note that it might be more convenient to users if the sudo group check were performed sooner, perhaps in the common role, instead of unnecessarily waiting so far into the playbook to check and fail. Conceptually, however, the check fits in the users role, so that's where I left it.
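
The ordering described in the comment above, written out as an added example; these are not the tasks from this pull request or from the project. It assumes `users` is a list of dicts with `name`, `groups` (a list) and `keys` (a list of public keys), and the ssh options and module arguments are illustrative choices.

```yaml
# Added example, not the project's own tasks. Assumed: `users` is a list of
# dicts with `name`, `groups` (list) and `keys` (list of public keys).

# 1. Before "Setup users": that task rewrites group membership, so a
#    missing `sudo` group must stop the play before it runs.
- name: Fail if root login will be disabled but admin_user is not a sudoer
  fail:
    msg: "admin_user '{{ admin_user }}' needs `sudo` in `groups` when `sshd_permit_root_login: false`."
  vars:
    admin_groups: "{{ users | selectattr('name', 'equalto', admin_user) | map(attribute='groups') | first | default([]) }}"
  when: not sshd_permit_root_login and 'sudo' not in admin_groups

- name: Setup users
  user:
    name: "{{ item.name }}"
    groups: "{{ item.groups }}"
    append: false        # groups not listed here are removed from the user
  loop: "{{ users }}"

- name: Add SSH keys
  authorized_key:
    user: "{{ item.0.name }}"
    key: "{{ item.1 }}"
  loop: "{{ users | subelements('keys') }}"

# 2. After "Add SSH keys": only now can a key-based login succeed.
#    BatchMode makes ssh fail instead of prompting for a password; the
#    host key is assumed to be in the controller's known_hosts already.
- name: Check whether admin_user can connect
  command: >
    ssh -o BatchMode=yes -o ConnectTimeout=10
    {{ admin_user }}@{{ ansible_host | default(inventory_hostname) }} true
  delegate_to: localhost
  become: false
  register: admin_user_status
  changed_when: false
  failed_when: false     # record rc; the next task decides whether to halt

- name: Fail if root login will be disabled but admin_user cannot connect
  fail:
    msg: "Halting before disabling root login: admin_user cannot connect. Check its `keys` entry in `users`."
  when: not sshd_permit_root_login and admin_user_status.rc != 0
```

Because the connectivity probe sets `failed_when: false`, the final condition tests `admin_user_status.rc` directly rather than the task's failed state.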

@fullyint fullyint force-pushed the admin-check branch 2 times, most recently from 703a7b0 to dc38856 on September 10, 2015 04:52
@swalkinshaw
Member

@fullyint squash + CHANGELOG update?

Looks good 👍

@fullyint
Contributor Author

updated CHANGELOG and squashed

swalkinshaw added a commit that referenced this pull request Sep 17, 2015
Ensure admin_user can connect before disabling root
@swalkinshaw swalkinshaw merged commit 7f78498 into roots:master Sep 17, 2015
@fullyint fullyint deleted the admin-check branch September 17, 2015 20:22