core-module 'user' with option 'expires' - cannot "unexpire" accounts with "-1" #20096

Open
ronator opened this Issue Jan 10, 2017 · 0 comments

ronator commented Jan 10, 2017
ISSUE TYPE
  • Feature Idea
COMPONENT NAME

ansible-modules-core/system/user.py

ANSIBLE VERSION
ansible 2.1.1.0
CONFIGURATION
OS / ENVIRONMENT

Ubuntu 16.04

SUMMARY

The module user is supposed to be based on system commands "useradd, userdel and usermod". It has no account locking function because people discussed that an expire date option would be better. So to disable a bunch of users I can use 'expires' with time in epoch format, but ...

... the problem is that you cannot reset the expire date (disable expiry) as you could with the system commands. Usually, you can use the expiredate option of e.g. adduser and set it to "-1" or nothing (empty string):

The man pages for adduser/useradd say: "By default, the password expiry value set to -1 means never expire." Furthermore, adduser allows setting an empty string: "If not specified, useradd will use the default expiry date specified by the EXPIRE variable in /etc/default/useradd, or an empty string (no expiry) by default."

Since this module uses system commands, I would expect it to offer similar functionality, but it does not:

  • if you set expires=-1 it does not change anything at all, the account stays expired. You can't use an empty string either: -> "msg": "argument expires is of type <type 'str'> and we were unable to convert to float"

In terms of shell you can easily unset expire date with: usermod USER -e -1

I would suggest that it should be possible to use the module "user" as you would use the adduser/moduser option --expiredate. Until now, you would have to use the command/shell/raw module. It would make sense to me to enable this for the user module.

STEPS TO REPRODUCE

First, expire a user:

---
- name: test expire
  hosts: all
  become: yes
  vars_files:
    - /etc/ansible/secrets.yml
  tasks:
    - name: Disable user accounts with expires
      user: name={{ item.name }} expires=1

      with_items:
        - { name: 'USER' }

Now, "unexpire" the user with expires=-1 or expires="" or even expires=

---
- name: test expire
  hosts: all
  become: yes
  vars_files:
    - /etc/ansible/secrets.yml
  tasks:
    - name: Disable user accounts with expires
      user: name={{ item.name }} expires=-1

      with_items:
        - { name: 'USER' }

EXPECTED RESULTS

It should re-enable the user account, unsetting any expire date as it would with usermod/moduser

ACTUAL RESULTS

With "-1" ansible tells you "changed: [HOST] => (item={u'name': u'USER'})" but it has changed nothing:
Your account has expired; please contact your system administrator

If you use an empty string for expire, it fails:
failed: [HOST] (item={u'name': u'USER'}) => {"failed": true, "item": {"name": "USER"}, "msg": "argument expires is of type <type 'str'> and we were unable to convert to float"

@abadger abadger removed the needs_triage label Jan 11, 2017
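
An added example, not part of the original issue and not Ansible's own code: one way the requested mapping from `expires` to a `usermod -e` argument could look, plus a check of the expiry field in `/etc/shadow` so that a reported "changed" can be verified on the host. The helper names, the choice to treat an empty string like `-1`, and the sample shadow entries are assumptions made for illustration.

```python
import time

SECONDS_PER_DAY = 86400


def usermod_expire_arg(expires):
    """Translate an 'expires' value (epoch seconds, -1 or '') into the
    argument for `usermod -e`. Hypothetical helper, not Ansible's code."""
    if expires is None:
        return None                      # option not given: leave expiry untouched
    if isinstance(expires, str) and not expires.strip():
        return "-1"                      # assumption: empty string means "no expiry"
    seconds = float(expires)             # non-numeric text still raises ValueError
    if seconds < 0:
        return "-1"                      # same effect as: usermod USER -e -1
    return time.strftime("%Y-%m-%d", time.gmtime(seconds))


def shadow_expiry_state(shadow_line, now=None):
    """Return 'never', 'expired' or 'active' for one /etc/shadow line.
    Field 8 holds the expiry date in days since 1970-01-01; empty means none."""
    fields = shadow_line.rstrip("\n").split(":")
    if len(fields) < 8:
        raise ValueError("not a shadow entry: expected at least 8 fields")
    expire = fields[7]
    if expire == "" or int(expire) < 0:
        return "never"
    today = int((time.time() if now is None else now) // SECONDS_PER_DAY)
    # Treated as expired once the current day reaches the stored day.
    return "expired" if today >= int(expire) else "active"


# Constructed sample entries; the password field is a locked placeholder.
SAMPLE_EXPIRED = "USER:!:17176:0:99999:7::0:"   # state after expires=1
SAMPLE_CLEARED = "USER:!:17176:0:99999:7:::"    # state after usermod -e -1

if __name__ == "__main__":
    for value in (1, -1, "", 1484006400):
        print(repr(value), "->", usermod_expire_arg(value))
    for line in (SAMPLE_EXPIRED, SAMPLE_CLEARED):
        print(line, "->", shadow_expiry_state(line))
```
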