Local users with an expiry date cannot be created #71942

Closed
rpluem-vf opened this issue Sep 25, 2020 · 4 comments · Fixed by #72022
Labels
affects_2.9 This issue/PR affects Ansible v2.9 bug This issue/PR relates to a bug. module This issue/PR relates to a module. P3 Priority 3 - Approved, No Time Limitation python3 support:core This issue/PR relates to code supported by the Ansible Engineering Team. system System category

Comments

@rpluem-vf
Contributor

SUMMARY

Local users with an expiry date cannot be created

ISSUE TYPE

  • Bug Report

COMPONENT NAME

ansible.builtin.user

ANSIBLE VERSION

ansible 2.9.13
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.6/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 3.6.8 (default, Apr 16 2020, 01:36:27) [GCC 8.3.1 20191121 (Red Hat 8.3.1-5)]

CONFIGURATION

OS / ENVIRONMENT

cat /etc/os-release
NAME="CentOS Linux"
VERSION="8 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="8"
PLATFORM_ID="platform:el8"
PRETTY_NAME="CentOS Linux 8 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:8"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-8"
CENTOS_MANTISBT_PROJECT_VERSION="8"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="8"

STEPS TO REPRODUCE

---
- hosts: localhost
  tasks:
    - name: Create local user with expiry
      user:
        name: test_user
        expires: 1601093139
        local: yes

EXPECTED RESULTS

User test_user gets created locally with an expiry time of 1601093139

ACTUAL RESULTS

Playbook fails

ansible-playbook 2.9.13
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.6/site-packages/ansible
  executable location = /usr/bin/ansible-playbook
  python version = 3.6.8 (default, Apr 16 2020, 01:36:27) [GCC 8.3.1 20191121 (Red Hat 8.3.1-5)]
Using /etc/ansible/ansible.cfg as config file
setting up inventory plugins
host_list declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
script declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
auto declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
Parsed /etc/ansible/hosts inventory source with ini plugin
Loading callback plugin default of type stdout, v2.0 from /usr/lib/python3.6/site-packages/ansible/plugins/callback/default.py

PLAYBOOK: user_failure.yml ****************************************************************************************************************************************************************************************
Positional arguments: user_failure.yml
verbosity: 4
connection: smart
timeout: 10
become_method: sudo
tags: ('all',)
inventory: ('/etc/ansible/hosts',)
forks: 5
1 plays in user_failure.yml

PLAY [localhost] **************************************************************************************************************************************************************************************************

TASK [Gathering Facts] ********************************************************************************************************************************************************************************************
task path: /home/ruediger/zw/user_failure.yml:2
<127.0.0.1> ESTABLISH LOCAL CONNECTION FOR USER: ruediger
<127.0.0.1> EXEC /bin/sh -c 'echo ~root && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /root/.ansible/tmp `"&& mkdir "` echo /root/.ansible/tmp/ansible-tmp-1601043678.8671873-84732-75452603768298 `" && echo ansible-tmp-1601043678.8671873-84732-75452603768298="` echo /root/.ansible/tmp/ansible-tmp-1601043678.8671873-84732-75452603768298 `" ) && sleep 0'
Using module file /usr/lib/python3.6/site-packages/ansible/modules/system/setup.py
<127.0.0.1> PUT /root/.ansible/tmp/ansible-local-847254menfg02/tmptezho3pn TO /root/.ansible/tmp/ansible-tmp-1601043678.8671873-84732-75452603768298/AnsiballZ_setup.py
<127.0.0.1> EXEC /bin/sh -c 'chmod u+x /root/.ansible/tmp/ansible-tmp-1601043678.8671873-84732-75452603768298/ /root/.ansible/tmp/ansible-tmp-1601043678.8671873-84732-75452603768298/AnsiballZ_setup.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '/usr/bin/python3.6 /root/.ansible/tmp/ansible-tmp-1601043678.8671873-84732-75452603768298/AnsiballZ_setup.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c 'rm -f -r /root/.ansible/tmp/ansible-tmp-1601043678.8671873-84732-75452603768298/ > /dev/null 2>&1 && sleep 0'
ok: [localhost]
META: ran handlers

TASK [Create local user with expiry] ******************************************************************************************************************************************************************************
task path: /home/ruediger/zw/user_failure.yml:4
<127.0.0.1> ESTABLISH LOCAL CONNECTION FOR USER: ruediger
<127.0.0.1> EXEC /bin/sh -c 'echo ~root && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /root/.ansible/tmp `"&& mkdir "` echo /root/.ansible/tmp/ansible-tmp-1601043682.0082617-84816-139718076329706 `" && echo ansible-tmp-1601043682.0082617-84816-139718076329706="` echo /root/.ansible/tmp/ansible-tmp-1601043682.0082617-84816-139718076329706 `" ) && sleep 0'
Using module file /usr/lib/python3.6/site-packages/ansible/modules/system/user.py
<127.0.0.1> PUT /root/.ansible/tmp/ansible-local-847254menfg02/tmp967iqq6l TO /root/.ansible/tmp/ansible-tmp-1601043682.0082617-84816-139718076329706/AnsiballZ_user.py
<127.0.0.1> EXEC /bin/sh -c 'chmod u+x /root/.ansible/tmp/ansible-tmp-1601043682.0082617-84816-139718076329706/ /root/.ansible/tmp/ansible-tmp-1601043682.0082617-84816-139718076329706/AnsiballZ_user.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '/usr/bin/python3.6 /root/.ansible/tmp/ansible-tmp-1601043682.0082617-84816-139718076329706/AnsiballZ_user.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c 'rm -f -r /root/.ansible/tmp/ansible-tmp-1601043682.0082617-84816-139718076329706/ > /dev/null 2>&1 && sleep 0'
fatal: [localhost]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "append": false,
            "authorization": null,
            "comment": null,
            "create_home": true,
            "expires": 1601093139.0,
            "force": false,
            "generate_ssh_key": null,
            "group": null,
            "groups": null,
            "hidden": null,
            "home": null,
            "local": true,
            "login_class": null,
            "move_home": false,
            "name": "test_user",
            "non_unique": false,
            "password": null,
            "password_lock": null,
            "profile": null,
            "remove": false,
            "role": null,
            "seuser": null,
            "shell": null,
            "skeleton": null,
            "ssh_key_bits": 0,
            "ssh_key_comment": "ansible-generated on gauss",
            "ssh_key_file": null,
            "ssh_key_passphrase": null,
            "ssh_key_type": "rsa",
            "state": "present",
            "system": false,
            "uid": null,
            "update_password": "always"
        }
    },
    "msg": "Error parsing arguments: unknown option.\nUsage: luseradd [-irMn?] [-i|--interactive] [-r|--reserved]\n        [-c|--gecos=STRING] [-d|--directory=STRING] [-k|--skeleton=STRING]\n        [-s|--shell=STRING] [-u|--uid=NUM] [-g|--gid=STRING]\n        [-M|--nocreatehome] [-n|--nocreategroup] [-P|--plainpassword=STRING]\n        [-p|--password=STRING] [--commonname=STRING] [--givenname=STRING]\n        [--surname=STRING] [--roomnumber=STRING] [--telephonenumber=STRING]\n        [--homephone=STRING] [-?|--help] [--usage] [OPTION...] user\n",
    "name": "test_user",
    "rc": 1
}

PLAY RECAP ********************************************************************************************************************************************************************************************************
localhost                  : ok=1    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0   

This is caused by the fact that luseradd / lusermod, at least on RedHat / CentOS 6, 7, 8 and on Ubuntu 20 LTS, do not support the -e option. I see the following options to fix this:

  1. Just ignore expires in case local is yes or print a warning like the one if the user is not found in /etc/passwd for the local case when expires and local are set.
  2. Fail on module level when expires and local are set.
  3. If expires is set and local is yes execute lchage after the user was created / modified to fix the expiry date.

Let me know if one of the above options would be acceptable (or another option) and I will try to have a look at a patch / PR.

@ansibot
Contributor

ansibot commented Sep 25, 2020

Files identified in the description:
None

If these files are incorrect, please update the component name section of the description or use the !component bot command.

click here for bot help

@ansibot ansibot added affects_2.9 This issue/PR affects Ansible v2.9 bug This issue/PR relates to a bug. needs_triage Needs a first human triage before being processed. python3 support:core This issue/PR relates to code supported by the Ansible Engineering Team. labels Sep 25, 2020
@rpluem-vf
Contributor Author

!component =lib/ansible/modules/user.py

@ansibot
Contributor

ansibot commented Sep 25, 2020

Files identified in the description:

If these files are incorrect, please update the component name section of the description or use the !component bot command.

click here for bot help

@ansibot ansibot added module This issue/PR relates to a module. system System category labels Sep 25, 2020
@samdoran
Contributor

Option three seems like the best fix.

@samdoran samdoran added P3 Priority 3 - Approved, No Time Limitation and removed needs_triage Needs a first human triage before being processed. labels Sep 29, 2020
rpluem-vf added a commit to rpluem-vf/ansible that referenced this issue Sep 30, 2020
The luseradd / lusermod commands do not support the -e option. Set
the expiry time in this case via lchage after the user was
created / modified.

Fixes: ansible#71942
samdoran pushed a commit that referenced this issue Oct 2, 2020
The luseradd / lusermod commands do not support the -e option. Set
the expiry time in this case via lchage after the user was
created / modified.

Fixes: #71942

In Python3 math.floor returns an integer whereas Python2 returns a float.
Hence always convert the result of math.floor to an int to ensure that
lexpires is an integer.

Move local expires tests in a separate file and import the tasks to the
main.yml to keep main.yml smaller.
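
The fix chosen in this thread (option 3, with the integer conversion noted in the commit message), sketched as an added example that is not the code from the Ansible module: it converts the `expires` epoch value to whole days, builds the `luseradd` and `lchage -E` invocations, and reads the expiry field back from a constructed `/etc/shadow` line. The function names, the sample shadow entry and the `-1` handling for negative timestamps are assumptions.

```python
import math

SECONDS_PER_DAY = 86400


def expiry_days(expires):
    """Epoch seconds (int or float) -> whole days since the epoch for lchage -E."""
    if expires < 0:
        # Assumption: -1 clears the expiry, as it does for chage -E.
        return -1
    # math.floor gives a float on Python 2 and an int on Python 3; cast so
    # the integer division below behaves the same on both.
    return int(math.floor(expires)) // SECONDS_PER_DAY


def local_user_commands(name, expires=None):
    """argv lists to create a local user; the expiry is set in a second step
    because luseradd has no -e option."""
    cmds = [["luseradd", name]]
    if expires is not None:
        cmds.append(["lchage", "-E", str(expiry_days(expires)), name])
    return cmds


def shadow_expiry(shadow_line):
    """Return field 8 (account expiry, days since epoch) of an /etc/shadow
    line, or None when the field is empty (account never expires)."""
    fields = shadow_line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("expected 9 colon-separated fields")
    return int(fields[7]) if fields[7] else None


if __name__ == "__main__":
    expires = 1601093139.0  # value from the report, as the module received it
    for argv in local_user_commands("test_user", expires):
        print(" ".join(argv))
    # Constructed /etc/shadow entry showing the state after both commands.
    sample = "test_user:!!:18530:0:99999:7::18531:"
    assert shadow_expiry(sample) == expiry_days(expires)
```

Reading the expiry field back after the play is a useful audit step: a user created without the second command has an empty field 8 and never expires.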
rpluem-vf added a commit to rpluem-vf/ansible that referenced this issue Oct 2, 2020
…2022)

(cherry picked from commit a7170da)
heiderich pushed a commit to heiderich/ansible that referenced this issue Oct 4, 2020
…2022)

relrod pushed a commit that referenced this issue Oct 21, 2020
…72085)

(cherry picked from commit a7170da)
relrod pushed a commit that referenced this issue Oct 23, 2020
…72086)

(cherry picked from commit a7170da)
@ansible ansible locked and limited conversation to collaborators Oct 30, 2020