Ansible（五）远程创建用户并对密码进行加密设置

1、直接循环创建

1、编写最基本的yml文件，直接循环创建

[root@server4 ~]# su - devopes
[devopes@server4 ~]$ cd ansible/
[devopes@server4 ansible]$ ls
ansible.cfg   apache.yml   files   inventory   playbook.yml   roles   templates
[devopes@server4 ansible]$ vim createuser.yml
---
- hosts: test
  tasks:
    - name: create user
      user:
        name: "{{ item.user }}"
        password: "{{ item.pass| password_hash('sha512') }}"
        state: present
      loop:
        - { user: user1, pass: 12345678a }
        - { user: user2, pass: 12345678a }
        - { user: user3, pass: 12345678a }

2、查看inventory文件

[devopes@server4 ansible]$ vim inventory
[devopes@server4 ansible]$ cat inventory 
[lb]
server4 STATE=MASTER VRID=100 PRIORITY=100 
server7 STATE=BACKUP VRID=100 PRIORITY=50 

[test] 
server5 

[prod] 
server6 

[webserver:children] 
test 
prod

3、执行yml文件创建用户

[devopes@server4 ansible]$ ansible-playbook createuser.yml  ###正确执行

4、查看用户和用户密码

[root@server5 ~]# cat /etc/passwd | grep user    ##可以查看到创建的user1、user2、user3用户
[root@server5 ~]# cat /etc/shadow | grep user   ###发现三个用户密码是加密的

此时就完成了远程主机的用户创建工作

2、指定文件创建

1、为了实现高效添加，引用文件变量，首先创建一个专门存放用户名和密码的用户列表文件

[devopes@server4 ansible]$ vim userlist.yml
---
userlist:
  - user: user1
    pass: 123
  - user: user2
    pass: 123
  - user: user3
    pass: 123

2、创建指定用户文件（将用户列表通过引用变量的形式和此连接起来）

[devopes@server4 ansible]$ vim createuser.yml
---
- hosts: test
  vars_files:
    - userlist.yml
  tasks:
    - name: create user
      user:
        name: "{{ item.user }}"
        password: "{{ item.pass| password_hash('sha512') }}"
        state: present
      loop: "{{ userlist }}"

3、执行创建用户的文件

[devopes@server4 ansible]$ ansible-playbook createuser.yml  ###正确执行

4、切换用户查看是否加密成功

[root@server5 ~]# su - user1
Last login: Mon Aug 12 13:24:22 CST 2019 on pts/0
[user1@server5 ~]$ su - user2
Password:
[user2@server5 ~]$ su - user3
Password:
[user3@server5 ~]$ su - user1
Password:
Last login: Mon Aug 12 13:24:25 CST 2019 on pts/0
[user1@server5 ~]$ logout
[user3@server5 ~]$ logout
[user2@server5 ~]$ logout
[user1@server5 ~]$ logout
[root@server5 ~]#

5、为了安全起见，对存放用户信息的文件进行加密

[devopes@server4 ansible]$ ansible-vault encrypt userlist.yml
New Vault password:
Confirm New Vault password:
Encryption successful
[devopes@server4 ansible]$ cat userlist.yml      ###发现成功加密

6、此时去编辑和查看发现都需要密码

[devopes@server4 ansible]$ ansible-vault edit userlist.yml
Vault password:
[devopes@server4 ansible]$ ansible-vault view userlist.yml
Vault password:
---
userlist:
  - user: user1
    pass: 123
  - user: user2
    pass: 123
  - user: user3
    pass: 123

7、再次直接执行回报错，需要我们指定密码执行

[devopes@server4 ansible]$ ansible-playbook useradd-file.yaml --ask-vault-pass
Vault password:

注意：密码错误时不要使用纯数字