Let's assume user01 has two groups defined: groupA and groupB (in addition to the primary group).
I can add the account to groupC (ensure user01 belongs to groupC) using:
- user: name=user01 groups=groupC append=yes
How can I remove user01 from groupB (ensure user01 does not belong to groupB) without specifying all the groups the account should belong to?
As far as I can tell, you can't with just the normal user module.
However, with some fairly crazy gyrations, you can do it in a playbook. I'm not sure I recommend this though; it was just an interesting exercise. (I did test this and it worked.)
The interesting part is the task "build the new groups list", which removes a list entry. If calling .remove() on a python list returned the new list, that would all be uneccessary.
---
- hosts: target
gather_facts: no
vars:
group_to_remove: admins
new_groups_list: []
user_to_check: user1
tasks:
- user: name="{{ user_to_check }}" groups=testers,developers,admins
- name: get the current groups list
command: groups "{{ user_to_check }}"
register: current_groups
- debug: var=current_groups
# parse the output of the groups command into a python list
# of the current groups
- set_fact:
current_group_list: "{{ current_groups.stdout.replace( user_to_check+' : ','').split(' ') }}"
- name: show user_group_list
debug: var=current_group_list
- name: build the new groups list
set_fact:
new_groups_list: "{{ new_groups_list + [ item ] }}"
no_log: False
when: "not '{{ group_to_remove }}' == '{{ item }}'"
with_items: "{{ current_group_list }}"
# turn the list, into a comma-delimited string
- set_fact:
new_groups: "{{ ','.join(new_groups_list) }}"
- name: show new_groups_list
debug: var=new_groups
- name: set new user groups
user: name="{{ user_to_check }}" groups="{{ new_groups }}"
- name: get the new groups list
command: groups "{{ user_to_check }}"
register: new_groups
- debug: var=new_groups
that feature is missing and this is the open bug for that:
https://github.com/ansible/ansible/issues/11024
As workaround, use something like this.
become: true
shell: "/usr/sbin/delgroup telegraf varnish"
ignore_errors: yes
when: ansible_hostname | lower not in groups['varnish'] | lower
Please adapt this to your down needs, i'm removing telegraf user from host varnish group if the current host is not in the ansible group varnish list
Improving a bit the answer from higuita adding a right condition:
- name: Get info from user1
user:
name: user1
state: present
register: user1_data
- name: remove user1 user from grouptodelete group
become: true
command: "gpasswd -d user1 grouptodelete"
when: user1_data.groups is defined and 'grouptodelete' in user1_data.groups
There is a way to do this using Ansible too you have to use the right flag
You need to use the append flag to no or false to tell Ansbile not to append the user to group
- user:
name: hive
shell: /bin/bash
groups: hadoop
append: no
state: present
来源:https://stackoverflow.com/questions/38988986/how-to-remove-user-from-a-specified-group-in-ansible