Commit dc95fb63 authored by Maciej Delmanowski

[debops.users] Drop the support for prefixes

The support for prefixing the UNIX groups and accounts with '_'
character when in the LDAP environment has been removed from the role,
to make it easier to manage application accounts via the Ansible
inventory. The feature will be implemented in a separate Ansible role
meant to be used to manage local administrator and user accounts.
parent a71c5de0
......@@ -264,11 +264,6 @@ Changed
and creating local dotfile mirrors. The :ref:`users__ref_accounts` variable
documentation contains examples of new dotfile definitions.
- [debops.users] The role will add an ``_`` prefix to UNIX groups, accounts and
their home directories when LDAP support is enabled on a host. The base home
directory will also change depending on the LDAP support status. Check the
role documentation and :ref:`upgrade_notes` for more details.
Removed
~~~~~~~
......
......@@ -32,46 +32,6 @@ users__no_log: True
# Enable or disable support for filesystem ACL management.
users__acl_enabled: '{{ True if ("acl" in users__base_packages) else False }}'
# ]]]
# .. envvar:: users__prefix [[[
#
# Add a prefix to the UNIX group and account names managed by DebOps.
# By default, no prefix is added.
#
# If the role detects that the LDAP support has been enabled on a host by the
# :ref:`debops.ldap` Ansible role, custom UNIX account names created locally on
# the host will have the ``_`` prefix to indicate that they are local to
# a given host and to not create conflicts with any UNIX accounts defined in
# LDAP. The ``item.prefix`` parameter can be used to override this behaviour.
#
# If the LDAP support was enabled after the system accounts have been created,
# the role will keep the current prefix value to not duplicate the UNIX
# accounts.
users__prefix: '{{ ansible_local.users.prefix
if (ansible_local|d() and ansible_local.users|d() and
ansible_local.users.prefix is defined)
else ("_"
if (ansible_local|d() and ansible_local.ldap|d() and
(ansible_local.ldap.enabled|d())|bool)
else "") }}'
# ]]]
# .. envvar:: users__home_root [[[
#
# The base path of the home directories for the UNIX accounts managed by
# DebOps. In the LDAP environment, :file:`/home` directory might be shared
# between multiple hosts and mounted from a remote location (for example NFS),
# therefore :file:`/var/local` is used to avoid issues with the remote
# filesystem. The ``item.home`` parameter can be used to specify the home
# directory path and override the autogenerated one.
users__home_root: '{{ ansible_local.users.home_root
if (ansible_local|d() and ansible_local.users|d() and
ansible_local.users.home_root is defined)
else ("/var/local"
if (ansible_local|d() and ansible_local.ldap|d() and
(ansible_local.ldap.enabled|d())|bool)
else "/home") }}'
# ]]]
# .. envvar:: users__default_system [[[
#
......
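Review bot: Both removed defaults read their value back from ``ansible_local.users.prefix`` and ``ansible_local.users.home_root``, which is what kept names stable on hosts that were already configured. With them gone, a host where LDAP support was detected will have the role manage the unprefixed name on its next run, while the existing ``_``-prefixed account, its group and its home directory under /var/local stay on the system unmanaged. Document how to rename or remove the old accounts, since leftover local accounts keep whatever credentials and keys they had.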
This diff is collapsed.
......@@ -6,9 +6,7 @@ from __future__ import print_function
from json import loads, dumps
from sys import exit
output = loads("""{{ {'configured': True,
'prefix': users__prefix,
'home_root': users__home_root
output = loads("""{{ {'configured': True
} | to_nice_json }}""")
print(dumps(output, sort_keys=True, indent=4))
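Review bot: The ``prefix`` and ``home_root`` keys disappear from the local fact here, so anything else that reads ``ansible_local.users.prefix`` or ``ansible_local.users.home_root`` will find them undefined once the fact file is regenerated. Check the other roles and playbooks for such lookups before merging.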
......@@ -46,15 +46,6 @@ General account parameters
merged in order of appearance, this can be used to modify existing
configuration entries conditionally.
``prefix``
Optional. An additional string prepended to the UNIX group name, UNIX account
name, and the home directory name. If not specified, the
:envvar:`users__prefix` value is used instead. This functionality is used to
separate the local users (with the ``_``) prefix from the LDAP users, when
the host is configured with the :ref:`debops.ldap` role. To override the
prefix when LDAP support is enabled, set the parameter to an empty string
(``''``).
``user``
Optional, boolean. If not specified or ``True``, a configuration entry will
manage both an UNIX account and its primary UNIX group. If ``False``, only
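Review bot: With the ``prefix`` parameter dropped from the documentation, say what happens to inventory entries that still set it. If the role now ignores the key silently, an entry that relied on a custom prefix will produce a differently named account without any warning; a line in the upgrade notes would cover this.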
......@@ -158,9 +149,7 @@ Parameters related to home directories
``home``
Optional. Path to the home directory of a given user account. If not
specified, the role will check the home directory path of an existing account
defined on the host, and if the account is new, generate the home path based
on the :envvar:`users__home_root` variable and the :envvar:`users__prefix`
variable.
defined on the host.
``home_owner``
Optional. Specify the owner of the home directory of a given UNIX account.
......
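Review bot: The new ``home`` description stops at "check the home directory path of an existing account defined on the host" and no longer says what path a new account gets. State where the home directory of a new account ends up when ``home`` is not set, since the old text named ``users__home_root`` for that case.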
......@@ -5,21 +5,6 @@ Getting started
:local:
LDAP integration
----------------
The role checks if the LDAP support has been configured on a host, via the
:ref:`debops.ldap`. If LDAP support is enabled, local UNIX groups, local UNIX
accounts and their home directory names will have the ``_`` prefix prepended to
them, to avoid clashes with the LDAP-based groups and accounts. This is
controlled by the :envvar:`users__prefix` variable.
LDAP support also affects the default home directory paths. By default home
directories will be put in :file:`/home`; with LDAP support enabled that will
change to :file:`/var/local`, to avoid clashes with remote filesystems that
might be mounted at the :file:`/home` path, for example via NFS.
Example inventory
-----------------
......
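Review bot: The removed "LDAP integration" section gave the reason for /var/local: /home may be a remote filesystem, for example NFS. That concern still exists on LDAP hosts after this change, so the getting-started page should tell operators to set ``item.home`` for local accounts on hosts where /home is mounted remotely.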
......@@ -36,21 +36,6 @@ Changes to the UNIX group and account management
management of the UNIX group for a given configuration entry. See the role
documentation for more details.
- The :ref:`debops.users` role checks if the LDAP support is configured on the
host via the :ref:`debops.ldap` role. If it's detected, UNIX groups, accounts
and their home directories will have the ``_`` prefix prepended to them, to
differentiate them from their LDAP-based equivalents. This is controlled by
the :envvar:`users__prefix` variable. This change might affect the existing
environments, run the role with the ``--diff --check`` parameters to see any
changes.
LDAP support status will also affect the home directory paths. Without LDAP
enabled, home directories will be put in the :file:`/home` by default; with
LDAP enabled local accounts will have their home directories in the
:file:`/var/local` directory to avoid clashes with remote filesystems that
might be mounted at :file:`/home`, for example via NFS. Specifying the
``item.home`` parameter overrides this behaviour.
Inventory variable changes
~~~~~~~~~~~~~~~~~~~~~~~~~~
......
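Review bot: The removed bullet was the only place in the upgrade notes recommending a run with ``--diff --check``, and that advice is just as relevant for hosts that already applied the prefixed names and /var/local homes. Replace the bullet with one describing the removal of ``users__prefix`` and ``users__home_root`` rather than deleting it outright.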