Gregory Orange
Aug 20, 2014, 11:45:28 PM
to Puppet Users
How do people manage users? I'm slowly marching toward LDAP (someone
recently suggested FreeIPA, not sure if it's relevant), but trying to
stave it off for the time being. I've read a few blogs and posts on the
topic, but nothing clear comes out - except that if one gets too
complicated, one should move to a proper user management system!
I have a 'util::user' class to create individual users, and a
'users($profile)' class which uses 'util::user' to create sets of users
and groups.
If a group exists for a machine, then users who are assigned to that
group should be in it. Otherwise, they're not put in that group (because
that would give an error). I achieve this in 'users' with this code:

    # Set a variable for each group that exists on machines of this profile.
    case $profile {
      'profile1': {
        $_management = 'management'
        $_dataentry  = 'dataentry'
        $_users_grp  = 'users'
        $_accounts   = 'accounts'
      }
      'profile2': {
        # no group variables set for this profile
      }
      'profile3': {
        $_rel_m = 'releasemasters'
      }
      default: {
        fail("Unsupported users profile ${profile}")
      }
    }

then users are created with e.g.

    util::user { 'username':
      ...
      groups => [$_users_grp, $_rel_m, $_dataentry],
    }

and the util::user class strips out any undefs or blanks.
It all works quite nicely, but I'd like to clean up this last portion of
it with a nicer way of saying "if the group exists (or is defined by
Puppet to exist) on this machine, and the user is to be put in this
group, then put the user in this group on this machine".
Any suggestions?
TIA,
Greg.
PS: I discovered tags the other day, and now use that in 'users' to
instantiate the right users and groups for a machine based on $profile.
Clean and easy to follow.
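
One way to express the rule from the post ("if the group exists on this machine and the user is assigned to it, add the user"), as an added example that is not part of the original message. It assumes Puppet 4 or later, uses the built-in user and group types in place of the poster's 'util::user', and the class name 'users_example', the two hashes and the sample user are hypothetical.

```puppet
# Added example: class name, hash layout and sample user are assumptions.
class users_example (
  String $profile,
) {
  # Groups that exist on machines of each profile (group names from the post).
  $profile_groups = {
    'profile1' => ['management', 'dataentry', 'users', 'accounts'],
    'profile2' => [],
    'profile3' => ['releasemasters'],
  }

  # 'in' against a hash tests its keys, so unknown profiles fail early.
  unless $profile in $profile_groups {
    fail("Unsupported users profile ${profile}")
  }
  $available = $profile_groups[$profile]

  # Declare only the groups this profile provides.
  group { $available:
    ensure => present,
  }

  # Groups each user belongs to wherever those groups exist
  # (constructed sample data).
  $wanted = {
    'username' => ['users', 'releasemasters', 'dataentry'],
  }

  $wanted.each |String $login, Array[String] $groups| {
    # Keep only the groups present on this machine; the result may be empty,
    # so no undef or blank entries ever reach the user resource.
    $member_of = $groups.filter |$g| { $g in $available }

    # The user type autorequires any Puppet-managed groups it lists.
    user { $login:
      ensure => present,
      groups => $member_of,
    }
  }
}
```

With 'profile1' the sample user ends up in 'users' and 'dataentry'; with 'profile3' only in 'releasemasters'.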