Say goodbye to manual operations! Use Ansible user module to efficiently manage Linux accounts

In an enterprise operation and maintenance environment, server user management is a basic but very important task. For example, when new employees join, we need to create accounts for them on multiple servers and assign appropriate permissions. When employees leave or their positions change, we also need to quickly disable or delete their accounts to avoid potential security risks.

If we do this by hand, we have to run a series of commands such as useradd, passwd, and chage on each server in turn, which is slow, tedious, and error-prone. Fortunately, Ansible provides a convenient user module that lets us manage users in bulk while keeping the operations secure and consistent across hosts.

The core functions of the user module

To learn more about the user module, we can use the ansible-doc command. Simply run the following command to view relevant information:

 ansible-doc -s user

The command prints a condensed list of the module's parameters.

The user module provides many practical functions, including the following:

  • Create or delete a user
  • Set the password
  • Specify the user's UID and GID
  • Specify the user's primary and supplementary groups
  • Create the home directory
  • Set the login shell
  • Set up SSH public-key authentication

Description of common parameters:

  parameter     effect
  name          Specify the username
  state         present (create the user) or absent (delete the user)
  password      User password (must be supplied as a password hash, not plaintext)
  uid           Specify the user's UID
  group         Specify the user's primary group
  groups        Specify the supplementary groups the user belongs to
  home          Specify the home directory path
  shell         Specify the login shell, such as /bin/bash
  create_home   Whether to create the home directory (default yes)
  remove        Whether to delete the home directory when state is absent
  expires       Specify the password expiration time (epoch timestamp)

Practical case analysis

Case 1: Create development team accounts in batches

Requirement: create accounts for three new developers with the following properties:

  • Create the home directory /home/dev_username
  • Add the user to the docker and git supplementary groups
  • Disable SSH password login
  • Set an initial password

 - name: Create developer accounts
   hosts: dev_servers
   become: yes
   vars:
     developers:
       - { name: 'alice', uid: 2001 }
       - { name: 'bob', uid: 2002 }
       - { name: 'charlie', uid: 2003 }
   tasks:
     - name: Create developer users
       ansible.builtin.user:
         name: "{{ item.name }}"
         uid: "{{ item.uid }}"
         groups: docker,git
         append: yes
         shell: /bin/bash
         password: "$6$rounds=656000$SAlt1234$XH6X8L8Dz4tdj.7WZ2TvWUDO2w/lk5sABC1234ABCDefgHIJKLmnopqrSTUVWXYZ"
         generate_ssh_key: yes
         ssh_key_bits: 4096
         create_home: yes
       loop: "{{ developers }}"

Key points:

  • loop creates the accounts in a batch from the developers list
  • The password parameter takes a hash generated with Python's crypt (the string that ends up in /etc/shadow), not a plaintext password
  • generate_ssh_key and ssh_key_bits produce a 4096-bit RSA key pair for each user
  • The user's default primary group is kept, and append: yes adds the docker and git supplementary groups without removing existing ones
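Because the module writes the password string verbatim into the shadow entry and only warns when it does not look hashed, it is worth checking the value before the playbook runs. The checker below is an added example, not code from the article: parse_crypt_hash and check_password_value are names assumed here. It splits a crypt(3)-style value into id, rounds, salt and digest and reports a plaintext value, an obsolete algorithm, a below-default round count, an over-long salt, or a digest whose length does not match the algorithm. Run against the Case 1 value it reports that the digest is 64 characters where sha512-crypt produces 86, i.e. the article's hash is a placeholder; a real one can be produced with openssl passwd -6, mkpasswd --method=sha-512, or Ansible's password_hash filter ({{ 'secret' | password_hash('sha512') }}).

```python
import re

# crypt(3) hash identifiers the user module accepts on Linux: default round
# count, the maximum salt length crypt uses, and the digest length produced.
CRYPT_METHODS = {
    "1": {"name": "md5-crypt",    "default_rounds": 1000, "max_salt": 8,  "digest_len": 22},
    "5": {"name": "sha256-crypt", "default_rounds": 5000, "max_salt": 16, "digest_len": 43},
    "6": {"name": "sha512-crypt", "default_rounds": 5000, "max_salt": 16, "digest_len": 86},
}
_B64_FIELD = re.compile(r"[./0-9A-Za-z]+")   # crypt's own base64 alphabet


def parse_crypt_hash(value):
    """Split a "$id$[rounds=N$]salt$digest" string into its parts.

    Returns a dict (id, method, rounds, salt, digest), or None when the value
    is not shaped like a crypt(3) hash, which is what a plaintext password is.
    """
    if not isinstance(value, str) or not value.startswith("$"):
        return None
    fields = value.split("$")[1:]          # drop the empty element before the leading "$"
    if not fields or fields[0] not in CRYPT_METHODS:
        return None
    hash_id, rest = fields[0], fields[1:]
    rounds = CRYPT_METHODS[hash_id]["default_rounds"]
    if rest and rest[0].startswith("rounds="):
        if hash_id == "1":                  # md5-crypt has no rounds parameter
            return None
        try:
            rounds = int(rest[0][len("rounds="):])
        except ValueError:
            return None
        rest = rest[1:]
    if len(rest) != 2 or not all(_B64_FIELD.fullmatch(part) for part in rest):
        return None
    return {"id": hash_id, "method": CRYPT_METHODS[hash_id]["name"],
            "rounds": rounds, "salt": rest[0], "digest": rest[1]}


def check_password_value(value):
    """Return the problems with a value meant for the module's `password`
    parameter. An empty list means it looks like a usable shadow hash."""
    parsed = parse_crypt_hash(value)
    if parsed is None:
        return ["not a crypt(3) hash: the module writes the string verbatim into /etc/shadow"]
    method = CRYPT_METHODS[parsed["id"]]
    problems = []
    if parsed["id"] == "1":
        problems.append("md5-crypt is obsolete; generate a sha512-crypt ($6$) hash instead")
    if parsed["rounds"] < method["default_rounds"]:
        problems.append(f"rounds={parsed['rounds']} is below the {method['name']} default of {method['default_rounds']}")
    if len(parsed["salt"]) > method["max_salt"]:
        problems.append(f"salt longer than {method['max_salt']} characters; crypt truncates it")
    if len(parsed["digest"]) != method["digest_len"]:
        problems.append(f"digest is {len(parsed['digest'])} characters, {method['name']} produces {method['digest_len']}")
    return problems


if __name__ == "__main__":
    # The value from Case 1 above (its digest is 64 characters, so it is a placeholder)
    sample = "$6$rounds=656000$SAlt1234$XH6X8L8Dz4tdj.7WZ2TvWUDO2w/lk5sABC1234ABCDefgHIJKLmnopqrSTUVWXYZ"
    for candidate in (sample, "Secret123!"):
        print(candidate[:30], "->", check_password_value(candidate) or ["ok"])
```

The same check can be wrapped in an assert task in a playbook so that a run aborts before any account is written with an unusable password.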

You can create users in batches by executing the following command:

 ansible-playbook Create_developer_accounts.yml

After the playbook runs, the three accounts exist on every host in dev_servers.

Case 2: Configuring Sudo Permissions for Operation and Maintenance Accounts

Requirement: create an opsadmin account and grant it passwordless sudo.

 - name: Configure opsadmin
   hosts: dev_servers
   become: yes
   tasks:
     - name: Create ops user
       ansible.builtin.user:
         name: opsadmin
         groups: wheel
         shell: /bin/bash
         comment: "Operations Administrator"
     - name: Configure passwordless sudo
       ansible.builtin.lineinfile:
         path: /etc/sudoers
         line: 'opsadmin ALL=(ALL) NOPASSWD:ALL'
         validate: 'visudo -cf %s'

validate: 'visudo -cf %s':

  • Runs visudo -cf against a temporary copy of the file before it is written into place; the new line is only applied if the syntax check passes.
  • Prevents a malformed sudoers file from being installed, which would leave sudo unusable on the host.

Run the playbook with:

 ansible-playbook Configure_ops_admin.yml

After the playbook runs, opsadmin can run sudo without a password prompt.

Case 3: Safely delete former users

Requirement: Safely remove accounts of former employees, delete users but retain home directories.

 - name: Remove deprecated users
   hosts: dev_servers
   become: yes
   vars:
     departed_users: ['alice', 'bob']
   tasks:
     - name: Remove user accounts
       ansible.builtin.user:
         name: "{{ item }}"
         state: absent
         remove: no   # do not delete the home directory
       loop: "{{ departed_users }}"

The following command deletes the listed users while leaving their home directories in place:

 ansible-playbook Remove_deprecated_users.yml

Case 4: Disable User

Requirement: Disable the charlie account but do not delete it, making sure its home directory is still retained.

 - name: Disable user
   hosts: dev_servers
   become: yes
   tasks:
     - name: Lock the charlie account
       ansible.builtin.user:
         name: charlie
         password_lock: yes

Running the following command locks charlie's password:

 ansible-playbook lock_charlie.yml
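After running the four playbooks it pays to verify what actually changed on a host rather than trusting the green "ok" output. The script below is an added example and not code from the article: it parses passwd, shadow and group data (constructed sample lines here, standing in for a dev_servers host after Cases 1 to 4; on a real host you would feed it the output of getent passwd, getent shadow and getent group) and compares it with the desired state. The names load_accounts, audit and audit_sample, and opsadmin's uid 2004, are assumptions. The audit also surfaces the main caveat of Case 4: password_lock only locks the password (it prefixes the shadow hash with "!"), so an account that keeps an interactive shell and has an SSH key, as the Case 1 accounts do, can still log in with that key. To disable the account outright, combine the lock with a shell of /sbin/nologin or an expires value in the past.

```python
from dataclasses import dataclass, field

# Constructed sample files for a dev_servers host after Cases 1 to 4 have run:
# alice and bob removed, charlie locked, opsadmin created and added to wheel.
# Digests and uid 2004 are placeholders, not values from the article.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
charlie:x:2003:2003::/home/charlie:/bin/bash
opsadmin:x:2004:2004:Operations Administrator:/home/opsadmin:/bin/bash
"""
SHADOW = """\
root:*:19000:0:99999:7:::
charlie:!$6$rounds=656000$SAlt1234$PLACEHOLDERDIGEST:19000:0:99999:7:::
opsadmin:$6$rounds=656000$SAlt1234$PLACEHOLDERDIGEST:19000:0:99999:7:::
"""
GROUP = """\
wheel:x:10:opsadmin
docker:x:999:charlie
git:x:1001:charlie
charlie:x:2003:
opsadmin:x:2004:
"""

INTERACTIVE_SHELLS = ("/bin/bash", "/bin/sh", "/bin/zsh", "/usr/bin/bash", "/usr/bin/zsh")


@dataclass
class Account:
    name: str
    uid: int
    gid: int
    home: str
    shell: str
    supplementary: list = field(default_factory=list)
    password_locked: bool = False


def _records(text):
    """Yield the colon-separated fields of each non-empty, non-comment line."""
    for line in text.splitlines():
        if line and not line.startswith("#"):
            yield line.split(":")


def load_accounts(passwd, shadow, group):
    """Combine passwd, shadow and group data into one Account per user,
    roughly what `id <user>` and `passwd -S <user>` report together."""
    accounts = {}
    for f in _records(passwd):
        accounts[f[0]] = Account(name=f[0], uid=int(f[2]), gid=int(f[3]), home=f[5], shell=f[6])
    for f in _records(shadow):
        if f[0] in accounts:
            # password_lock: yes (usermod -L) prefixes the stored hash with "!"
            accounts[f[0]].password_locked = f[1].startswith("!")
    for f in _records(group):
        for member in filter(None, f[3].split(",")):
            if member in accounts:
                accounts[member].supplementary.append(f[0])
    return accounts


def audit(accounts, present=(), absent=(), locked=()):
    """Compare loaded accounts with the desired state; an empty result means the host matches."""
    findings = []
    for spec in present:   # e.g. {"name": "charlie", "uid": 2003, "groups": ["docker", "git"]}
        acct = accounts.get(spec["name"])
        if acct is None:
            findings.append(f"{spec['name']}: missing")
            continue
        if "uid" in spec and acct.uid != spec["uid"]:
            findings.append(f"{spec['name']}: uid {acct.uid}, expected {spec['uid']}")
        for g in spec.get("groups", []):
            if g not in acct.supplementary:
                findings.append(f"{spec['name']}: not in group {g}")
    for name in absent:
        if name in accounts:
            findings.append(f"{name}: still present (uid {accounts[name].uid})")
    for name in locked:
        acct = accounts.get(name)
        if acct is None:
            findings.append(f"{name}: missing, cannot confirm lock")
        elif not acct.password_locked:
            findings.append(f"{name}: password is not locked")
        elif acct.shell in INTERACTIVE_SHELLS:
            # A locked password only blocks password authentication; with an
            # interactive shell the account can still log in with an SSH key.
            findings.append(f"{name}: password locked, but shell {acct.shell} still allows SSH key logins")
    return findings


def audit_sample():
    """Run the audit on the constructed files with the desired state of Cases 1 to 4."""
    accounts = load_accounts(PASSWD, SHADOW, GROUP)
    return audit(
        accounts,
        present=[{"name": "charlie", "uid": 2003, "groups": ["docker", "git"]},
                 {"name": "opsadmin", "uid": 2004, "groups": ["wheel"]}],
        absent=["alice", "bob"],
        locked=["charlie"],
    )


if __name__ == "__main__":
    for finding in audit_sample() or ["host matches desired state"]:
        print(finding)
```

On the sample data the only finding is the Case 4 caveat: charlie's password is locked, but the account still has /bin/bash as its shell.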

Summary

Ansible's user module provides powerful automation capabilities for Linux server user management, which can greatly improve operation and maintenance efficiency and reduce human errors. This article demonstrates the following key functions through typical scenarios:

  • Create users in batches and assign permissions
  • Configure sudo permissions for the operations account
  • Disable a user
  • Delete a user while keeping the home directory

Through these cases, I believe you have mastered the basic usage of the user module and can apply it flexibly in actual work. I hope this tutorial can help you manage server users more easily and improve your operation and maintenance automation capabilities!
