Task failed Ansible Level 4: Create Users and Groups

Hello,
I failed the following tasks, which I think I did right. Please review:

There is already an `inventory` file `~/playbooks/inventory` on `jump host`.

On `jump host` itself there is a list of users in `~/playbooks/data/users.yml` file and there are two groups — `admins` and `developers` — that have lists of different users. Create a playbook `~/playbooks/add_users.yml` on `jump host` to perform the following tasks on `app server 3` in `Stratos DC`.

a. Add all users given in the `users.yml` file on `app server 3`.

b. Also add `developers` and `admins` groups on the same server.

c. As per the list given in the `users.yml` file, make each user member of the respective group they are listed under.

d. Make sure the home directory for all of the users under the `developers` group is `/var/www` (not the default, i.e. `/var/www/{USER}`). Users under the `admins` group should use the default home directory (i.e. `/home/devid` for user `devid`).

e. Set password `GyQkFRVNr3` for all of the users under the `developers` group and `dCV3szSGNA` for all of the users under the `admins` group. Make sure to use the password given in the `~/playbooks/secrets/vault.txt` file as the Ansible vault password to encrypt the original password strings. You can use the `~/playbooks/secrets/vault.txt` file as a vault secret file while running the playbook (make the necessary changes in the `~/playbooks/ansible.cfg` file).

f. All users under `admins` group must be added as sudo users. To do so, simply make them member of the `wheel` group as well.

I did the following:
Added `vault_password_file = ~/playbooks/secrets/vault.txt` in ansible.cfg:

[defaults]
host_key_checking = False
vault_password_file = ~/playbooks/secrets/vault.txt

Encrypted the passwords with vault:

thor@jump_host ~/playbooks$ ansible-vault encrypt_string 'GyQkFRVNr3' --name=dev_password
dev_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          62303264643065316637643331663635396138376361623339613036343461396430373530363134
          3832373063323536613833353730626164393330353166640a376663643338336230376331333566
          65613433316334323338343335343538376533303130666664653462303166353065363330333734
          3032653231303064380a346438366466366134653163326137633838363638343365383230333336
          3632
Encryption successful
thor@jump_host ~/playbooks$ ansible-vault encrypt_string 'dCV3szSGNA' --name=admin_password
admin_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          65323030353465363864306636343566323831323561396638666361383163353236633032663365
          6333303833363765666435353036326339373663306437380a633835326639346637326636616361
          61656438356632623636366536346231613337373332306630653039656564383062666332343566
          6638636132643236370a383464313165353839616133316362363433376435626164643138353838
          6261
Encryption successful

Created the playbook ~/playbooks/add_users.yml:

- name: create and add users
  hosts: stapp03
  become: yes
  vars_files:
    - ~/playbooks/data/users.yml
  tasks:
    - name: add groups
      group:
        name: admins
        state: present
    - name: add group developers
      group:
        name: developers
        state: present
    - name: add users to admins
      user:
        name: "{{ item }}"
        groups: admins,wheel
        home: "/home/{{ item }}"
        password: "{{ admin_password }}"
      vars:
        admin_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          65323030353465363864306636343566323831323561396638666361383163353236633032663365
          6333303833363765666435353036326339373663306437380a633835326639346637326636616361
          61656438356632623636366536346231613337373332306630653039656564383062666332343566
          6638636132643236370a383464313165353839616133316362363433376435626164643138353838
          6261
      loop: "{{ admins }}"
    - name: add users to developers
      user:
        name: "{{ item }}"
        group: developers
        home: "/var/www/{{ item }}"
        password: "{{ dev_password }}"
      vars:
        dev_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          62303264643065316637643331663635396138376361623339613036343461396430373530363134
          3832373063323536613833353730626164393330353166640a376663643338336230376331333566
          65613433316334323338343335343538376533303130666664653462303166353065363330333734
          3032653231303064380a346438366466366134653163326137633838363638343365383230333336
          3632
      loop: "{{ developers }}"

thor@jump_host ~/playbooks$ ansible-playbook -i inventory add_users.yml

PLAY [create and add users] *****************************************************************************************************

TASK [Gathering Facts] **********************************************************************************************************
ok: [stapp03]

TASK [add groups] ***************************************************************************************************************
changed: [stapp03]

TASK [add group developers] *****************************************************************************************************
changed: [stapp03]

TASK [add users to admins] ******************************************************************************************************
changed: [stapp03] => (item=rob)
changed: [stapp03] => (item=david)
changed: [stapp03] => (item=joy)
[WARNING]: The input password appears not to have been hashed. The 'password' argument must be encrypted for this module to work
properly.

TASK [add users to developers] **************************************************************************************************
changed: [stapp03] => (item=tim)
changed: [stapp03] => (item=ray)
changed: [stapp03] => (item=jim)
changed: [stapp03] => (item=mark)

PLAY RECAP **********************************************************************************************************

@tsanghan

Thanks for the hints. Yes, I did see the warning but thought it could be ignored, because the password was hashed with Ansible Vault.

So I created a hash with an Ansible ad hoc command:
ansible all -i localhost, -m debug -a "msg={{ 'B4zNgHA7Ya' | password_hash('sha512') }}"

Afterwards I set the hashed values as the password.

- name: create and add users
  hosts: stapp03
  become: yes
  vars_files:
    - ~/playbooks/data/users.yml
  tasks:
    - name: add group admins
      group:
        name: admins
        state: present
    - name: add group developers
      group:
        name: developers
        state: present
    - name: add users to admins
      user:
        name: "{{ item }}"
        groups: admins,wheel
        home: "/home/{{ item }}"
        password: "$6$yxqgUgcyXOCxyLZW$aoJH3Zp1lO4hLZYw1Abi3SqzSxe0gJGZuSFn7TiZbKjcPC2T1lJk3WXO85qyaGqjvTk.0ewUINL1dQen4GDFC1"
      vars:
        admin_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          65356638623135653236353237333736613834353937626439383237343430323065383237313566
          3830316266353536386139646161383237396538396337350a376236343733323335326439373030
          64303066336135386263366263626430646665393238316463613963326661313465396562633730
          3732656538396166300a363965346562383830306539396234346462326130616339646531303337
          3537
      loop: "{{ admins }}"
    - name: add users to developers
      user:
        name: "{{ item }}"
        group: developers
        home: "/var/www/{{ item }}"
        password: "$6$DHShSeLXae5fPZKa$VLyKmyS2Z5hQgh8NjKOoTEBnFJ4nn0Y3QHVORXJVDioqXjGPtIrUgW1ZMX8whxz7Kwz97XMRO8cgHtpSF/A6x1"
      vars:
        dev_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          66623461356237376232653234663036353361326266616565623163333534643838306365323664
          6266636238643864636337343034646236373165643831650a333332373132653135303762613462
          61346561366338313062393061313636383734616532626237373532346236383532333335636138
          3030323132323637370a306163303634346130343266376264333765383264666161303936613166
          3561
      loop: "{{ developers }}"

I tested it now and it works! But the vault encryption would be unnecessary then, because I don't use it?

The task e was: " Make sure to use the password given in the ~/playbooks/secrets/vault.txt file as Ansible vault password to encrypt the original password strings."

Note: I started a new lab so the passwords changed.

@tsanghan,

Yes, I passed the task 🙂

I think I understand: you encrypted the plain password first with password_hash('sha512') or something similar.
Afterwards you encrypted the hash with ansible-vault!

Thanks for showing the optimal playbook 🙂. So all hardcoded values are in a separate file and in the playbook you just reference them! Also using loops to avoid redundancy for the modules.
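The playbook below is an added example of the approach the thread arrives at (hash first, vault the hash, keep the secrets in a separate vars file, loop over the lists). It is not the original poster's playbook and not the one tsanghan showed. It assumes `~/playbooks/data/users.yml` defines two top-level lists, `admins` and `developers` (which is what the poster's `loop: "{{ admins }}"` implies), and it assumes a hypothetical vault-encrypted file `~/playbooks/secrets/passwords.yml` holding `admin_password_hash` and `dev_password_hash`; the name of that file and of its two variables are choices made for this example.

```yaml
# ~/playbooks/add_users.yml  (added example, not the poster's or tsanghan's playbook)
#
# Assumed layout of ~/playbooks/secrets/passwords.yml BEFORE running
# `ansible-vault encrypt` on it (the variable names are this example's choice):
#   admin_password_hash: "$6$...$..."   # output of password_hash('sha512') for dCV3szSGNA
#   dev_password_hash:   "$6$...$..."   # output of password_hash('sha512') for GyQkFRVNr3
#
# The user module writes `password` into /etc/shadow verbatim, so it must already be
# a crypt(3) hash (the "$6$" prefix is SHA-512 crypt). Vault protects the hash at rest
# in the repo; it does not replace the hashing step, which is why the warning appeared.
- name: Create groups and users on app server 3
  hosts: stapp03
  become: true
  vars_files:
    - ~/playbooks/data/users.yml          # defines the lists `admins` and `developers`
    - ~/playbooks/secrets/passwords.yml   # vault-encrypted; decrypted via vault_password_file in ansible.cfg

  tasks:
    - name: Ensure the admins and developers groups exist
      ansible.builtin.group:
        name: "{{ item }}"
        state: present
      loop:
        - admins
        - developers

    # The task wants one shared home, /var/www, for every developer. Create it once
    # here rather than letting useradd -m create it for the first user and warn for the rest.
    - name: Ensure the shared developers home directory exists
      ansible.builtin.file:
        path: /var/www
        state: directory
        owner: root
        group: developers
        mode: "0755"

    - name: Add admin users (default /home/<user>, sudo via wheel)
      ansible.builtin.user:
        name: "{{ item }}"
        groups:
          - admins
          - wheel
        append: true                         # keep any supplementary groups on re-runs
        password: "{{ admin_password_hash }}"
        state: present
      loop: "{{ admins }}"
      no_log: true                           # keep the hash out of the play output

    - name: Add developer users (shared home /var/www, not /var/www/<user>)
      ansible.builtin.user:
        name: "{{ item }}"
        groups:
          - developers
        append: true
        home: /var/www
        create_home: false                   # directory is managed by the file task above
        password: "{{ dev_password_hash }}"
        state: present
      loop: "{{ developers }}"
      no_log: true
```

To produce the two hashes once on the jump host, run `ansible localhost -m debug -a "msg={{ 'dCV3szSGNA' | password_hash('sha512') }}"` (and the same for `GyQkFRVNr3`), paste the `$6$...` strings into `~/playbooks/secrets/passwords.yml`, then `ansible-vault encrypt ~/playbooks/secrets/passwords.yml`; with `vault_password_file` set in `~/playbooks/ansible.cfg` no `--vault-id` flag is needed for either the encrypt or the `ansible-playbook -i inventory add_users.yml` run. Two caveats a practitioner should know: `password_hash('sha512')` without a fixed salt gives a different hash on every call, so computing it inside the playbook makes the user tasks report `changed` and rewrite /etc/shadow on every run, which is why the hash is generated once and stored; and `no_log: true` also hides which loop item failed, so drop it while debugging. On the target, `sudo getent shadow rob` should show the `$6$` hash and `id rob` should list `wheel`.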