Ideas to allow users only on certain servers


Philippe Conway

13 March 2014, 17:52:39
to puppet...@googlegroups.com
So at my organization, we have different departments that should only have access to certain servers.

For example:

Dev Team: Dev Servers
Tech Support: Production Server
Admins: All servers

How Puppet manages our users now, is once you add the user to the user manifest, it adds them to all the servers.

I've tried adding an if/else statement as sort of mentioned here:


But I learned that wasn't best practice.

I've also tried putting users in different classes such as:

users::dev
users::ts
users::admins

However that gets a little redundant... Is there another way to do this through Puppet? Or am I better off using something like Active Directory to authenticate and manage groups?

Any advice is much appreciated. Thanks!

- Philippe

Darin Perusich

13 March 2014, 20:22:38
to puppet...@googlegroups.com

Use LDAP so you have a single source for users and limit access w/groups and ssh allowgroups. Check out OpenDJ if you need a powerful and easy to setup LDAP server.

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/cafd5282-53c2-4d21-a833-6384bbe396c6%40googlegroups.com.

Daniele Sluijters

14 March 2014, 05:24:33
to puppet...@googlegroups.com
Use virtual users.

Instead of declaring your users as 'real', add a @ in front of them. Now they are virtual so they aren't automatically created by Puppet, you need to explicitly realise them, for example based on a tag or group they're a member of.

You can do it along the lines of:
`User <| tag == 'dev' |>` on a development machine and `User <||>` if you want them all.

See:
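As an added example (not code from the thread or from Puppet's own docs), this is one way to lay the idea out so that each server only gets the accounts its role needs; the `$::role` variable, the class names and the user names are assumptions:

```puppet
# Virtual users: declared once, created nowhere until realised.
# Assumes $::role is set per node (e.g. from a fact or an ENC) to
# 'dev' or 'production'; user names and groups are constructed examples.
class users::virtual {
  @user { 'alice':
    ensure => present,
    groups => ['wheel'],
    tag    => ['admins'],   # admins: every server
  }
  @user { 'bob':
    ensure => present,
    tag    => ['dev'],      # dev team: dev servers only
  }
  @user { 'carol':
    ensure => present,
    tag    => ['ts'],       # tech support: production only
  }
}

# Realise only the users whose tag matches this node's role.
class users::realize {
  include users::virtual

  # Admin accounts exist on all servers.
  User <| tag == 'admins' |>

  case $::role {
    'dev':        { User <| tag == 'dev' |> }
    'production': { User <| tag == 'ts' |> }
    default:      { }   # unknown role: no extra accounts
  }
}
```

Because an account only exists on hosts that realised it, a user with no matching tag simply has no login there, which is the least-privilege outcome the original question was after; it pairs naturally with the `sshd` `AllowGroups` restriction Darin mentioned.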

Philippe Conway

14 March 2014, 15:40:27
to puppet...@googlegroups.com
Thanks Darin. LDAP authentication is definitely a possibility in our future.

Philippe Conway

14 March 2014, 15:40:56
to puppet...@googlegroups.com
Thanks Daniele. I have never thought about or heard of virtual users. I'll check out the links you provided. Thanks!