Making a system user member of a Puppet managed group


Gonzalo Servat

Jan 4, 2012, 1:48:36 AM
to puppet...@googlegroups.com
Hi All,

I have a particular requirement where a Puppet managed group needs to have several members that are either local and not managed by Puppet (e.g. mysql) or they reside in LDAP.

Apart from running an exec call to "groupmems", is there another way to achieve this?

Thanks in advance.
Gonzalo

jcbollinger

Jan 4, 2012, 9:00:42 AM
to Puppet Users
It depends on the Group provider, which usually depends on operating
system. If you are using the default Group provider for AIX, OS X, or
Windows, then group membership is managed as an attribute of the group
instead of the user. In those cases you can manage the group in
question and use its 'members' property to achieve your end.

Otherwise, group membership is managed as a property of Users, ergo
you cannot manage it (directly) if you do not manage the users in
question. Your only options in that case are an Exec or a custom
Group provider.


John

Gonzalo Servat

Jan 4, 2012, 9:06:27 AM
to puppet...@googlegroups.com
On Thu, Jan 5, 2012 at 1:00 AM, jcbollinger <John.Bo...@stjude.org> wrote:

> It depends on the Group provider, which usually depends on operating
> system.  If you are using the default Group provider for AIX, OS X, or
> Windows, then group membership is managed as an attribute of the group
> instead of the user.  In those cases you can manage the group in
> question and use its 'members' property to achieve your end.

My group provider is "groupadd" I believe (default for most platforms), as they are all RHEL boxes.
 
> Otherwise, group membership is managed as a property of Users, ergo
> you cannot manage it (directly) if you do not manage the users in
> question.  Your only options in that case are an Exec or a custom
> Group provider.

Ah, ok. That confirms it then. I managed to create a define to do what I want and it seems to work. Happy to share it if anyone is interested in it. 

Thanks for your reply!

- Gonzalo

Josh Cooper

Jan 4, 2012, 12:14:43 PM
to puppet...@googlegroups.com
On Wed, Jan 4, 2012 at 6:00 AM, jcbollinger <John.Bo...@stjude.org> wrote:
> If you are using the default Group provider for AIX, OS X, or
> Windows, then group membership is managed as an attribute of the group
> instead of the user.

Windows can actually manage 'members' as an attribute of the group, or 'groups' as an attribute of the user.

Josh
--
Josh Cooper
Developer, Puppet Labs

Andreas N

Jan 4, 2012, 6:50:53 PM
to puppet...@googlegroups.com
On Wednesday, January 4, 2012 3:06:27 PM UTC+1, Gonzalo wrote:

> > Otherwise, group membership is managed as a property of Users, ergo
> > you cannot manage it (directly) if you do not manage the users in
> > question.  Your only options in that case are an Exec or a custom
> > Group provider.
>
> Ah, ok. That confirms it then. I managed to create a define to do what I want and it seems to work. Happy to share it if anyone is interested in it.

I'd be very interested in your solution, as I am in a similar situation.

Thanks!

Andreas

Gonzalo Servat

Jan 6, 2012, 3:37:30 AM
to puppet...@googlegroups.com
Sure. Just a quick disclaimer, there may be better ways of doing this!! But it works for me:

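define groups::addlocalmembers (
    $group,
    $ensure = 'present'
) {
    case $ensure {
        'present': {
            # Add the user only if it exists and is not already a member.
            exec { "add_${name}_to_${group}":
                command => "groupmems -g ${group} -a ${name}",
                # Exec needs a search path for unqualified commands.
                path    => ['/usr/sbin', '/usr/bin', '/sbin', '/bin'],
                onlyif  => [ "id ${name}" ],
                unless  => [ "groups ${name} | grep ' ${group}\\( \\|\$\\)'" ],
                require => Group[$group],
            }
        }

        'absent': {
            # Remove the user only if it is currently a member.
            exec { "remove_${name}_to_${group}":
                command => "groupmems -g ${group} -d ${name}",
                path    => ['/usr/sbin', '/usr/bin', '/sbin', '/bin'],
                onlyif  => [ "groups ${name} | grep ' ${group}\\( \\|\$\\)'" ],
                require => Group[$group],
            }
        }

        default: {
            fail("Unknown ensure value: ${ensure}")
        }
    }
}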

... so essentially I would call it like so:

groups::addlocalmembers { ["mysql", "user1", "user2"]: group => "local_group_here" }

Hope this helps.

- Gonzalo
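
An added example, not part of the original thread: the membership test that the `unless`/`onlyif` guards above perform, written as a literal whole-word comparison instead of a regular expression, with a name check before any value reaches a command line. The function names `valid_name`, `in_group_list` and `is_member` are hypothetical, and the allowed character set is an assumption to adapt to local naming policy.

```sh
#!/bin/sh
# Added example (not from the thread). All function names are hypothetical.

# valid_name <name>
# Accept only conservative account/group names, so a value interpolated into
# an Exec command cannot carry shell or regex metacharacters, and cannot be
# mistaken for an option by groupmems (leading "-").
valid_name() {
    case "$1" in
        ''|-*)             return 1 ;;  # empty, or looks like an option
        *[!A-Za-z0-9_.-]*) return 1 ;;  # anything outside the allowed set
    esac
    return 0
}

# in_group_list "<space-separated group names>" <group>
# Literal, whole-word match: the quoted part of a case pattern is not
# interpreted, so "." in a group name is a dot and not a wildcard.
in_group_list() {
    case " $1 " in
        *" $2 "*) return 0 ;;
    esac
    return 1
}

# is_member <user> <group>
# 0 = user exists and is a member, 1 = not a member or no such user,
# 2 = a name was rejected by valid_name.
is_member() {
    valid_name "$1" && valid_name "$2" || return 2
    list=$(id -nG "$1" 2>/dev/null) || return 1
    in_group_list "$list" "$2"
}

# Usage: is_member mysql local_group_here && echo "already a member"
```

Because `id -nG` resolves through NSS, the same check covers both local accounts and accounts that reside in LDAP.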