Revoke Access Role
The `revoke_access` role immediately removes the user's elevated access by deleting the user's file in the `sudoers.d` directory and cleaning up the scheduled `at` jobs.
The `--tags revoke_access` option is required to run this role.
---
# tasks/main.yml for the revoke_access role.
# The whole task list lives in revoke_access.yml; importing it with a tag
# means it only runs when the play is invoked with `--tags revoke_access`.
- import_tasks: revoke_access.yml
  tags: [revoke_access]
...
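---
# tasks/revoke_access.yml — remove the user's sudoers.d file(s) and any `at`
# jobs that reference the user. `username` is assumed to be supplied by the
# caller; every task lower-cases it so the lookup matches how the file was named.
- name: "Searching for sudoers files for {{ username | lower }}"
  find:
    paths: /etc/sudoers.d/
    # Glob matches only files created for this user (prefix "<user>_").
    patterns: "{{ username | lower }}_*"
  register: files_to_delete

- name: "Remove sudoers files for {{ username | lower }}"
  file:
    path: "{{ item.path }}"
    state: absent
  # `files` is an empty list when nothing matched, so the loop is a no-op then.
  with_items: "{{ files_to_delete.files }}"

- name: "Find and remove all at jobs for {{ username | lower }}"
  # `quote` shell-escapes the username so it cannot break out of the grep
  # argument, `--` stops a leading "-" being read as an option, and `-F`
  # matches it as a fixed string rather than a regular expression.
  # NOTE(review): this still removes any job whose `at -c` dump merely
  # contains the username as a substring — confirm that is the intent.
  shell:
    cmd: |-
      for j in $(atq | sort -k6,6 -k3,3M -k4,4 -k5,5 | cut -f 1); do
        if at -c "${j}" | grep -Fq -- {{ username | lower | quote }}; then
          atrm "${j}"
        fi
      done
...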