Creating a config file dynamically based on the group membership of a node
Grant Street
May 19, 2014, 7:39:47 AM5/19/14
to puppet...@googlegroups.com
Hi
First time poster to this forum. I'm in the process of doing a pilot to convert a cfengine v2 install to puppet.
I was wondering if any one had any ideas on the following.
I have machines that can be in any combination (i.e. 0 or more) of 10 groups, and that membership can change. I need to create an access.conf based on the group membership of the node. I would like the file to be dynamically created with any redundant lines removed.
I have had a look at Augeas, but I can't see how to both add lines based on the group as well as remove unwanted and unknown lines. I have also had a look at templates, but I am unsure what that would look like when you have 0-10 insertion points.
Thanks for any tips
Grant
jcbollinger
May 20, 2014, 2:31:59 PM5/20/14
to puppet...@googlegroups.com
A template is probably the way to go. The point to understand there is that you will be templating the entire contents of the file, not just the lines related to the 10 groups. Supposing that you have an array of the names of the wanted groups, then, your template might look like this:
+:root:LOCAL
<% @wanted_groups.each do |g| -%>
+:(<%= g %>):ALL
<% end -%>
-:ALL:ALL
John
Grant Street
May 21, 2014, 4:40:24 AM5/21/14
to puppet...@googlegroups.com
Hi John
Thanks a lot for the guidance; my solution would have been a whole lot more messy.
I was able to massage your example so that I could use a hash to specify the user and origin, like this:

+:root:LOCAL
<% @pam_access.each_pair do |user,origin| -%>
+:<%= user %>:<%= origin %>
<% end -%>
-:ALL:ALL

Now, what is the best way to dynamically create the array/hash? I am doing a hash merge at the moment; is there a better/more Puppet way?
Thanks
Garrett Honeycutt
May 21, 2014, 4:57:40 AM5/21/14
I have a puppet module[1] for PAM that manages access.conf. You can
specify an array in Hiera with the key pam::allowed_users. Currently it
uses a parameterized class which will look up the value in Hiera and
stop on the first match. The code could be changed to allow for the use
of the hiera_array[2] function which would return all instances found in
Hiera. So if your groups are defined at multiple levels of the
hierarchy, you would want that functionality. Here's an example[3] of
how you might add it. I would be happy to work with you on a pull request.
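The thread's three pieces (John's "template the whole file" approach, Grant's user/origin hash, and Garrett's point that group data merged from several sources should be unioned rather than first-match) put together as an added example in plain Ruby, using the same ERB template Puppet's template() would evaluate. This is not code from any of the posters or from the PAM module Garrett links; the group names, users and origins are constructed, and the GROUP_ENTRIES hash stands in for whatever Hiera or an ENC would supply. It also goes one step beyond the thread: a user granted different origins by two groups is rejected instead of letting the last-merged group silently win.

```ruby
require 'erb'

# Grant's template from the thread, with the hash exposed to ERB as an
# instance variable (@pam_access) and rendered with ERB's '-' trim mode so
# the <% ... -%> lines leave no blank lines behind in access.conf.
ACCESS_TEMPLATE = <<~'ERB'
  +:root:LOCAL
  <% @pam_access.each_pair do |user, origin| -%>
  +:<%= user %>:<%= origin %>
  <% end -%>
  -:ALL:ALL
ERB

# Constructed data: the access.conf entries (user => origin) each membership
# group contributes. Group and user names are hypothetical; in Puppet this
# would come from Hiera (e.g. the union returned by hiera_array) or an ENC.
GROUP_ENTRIES = {
  'webservers' => { '(webadmins)' => 'ALL', 'deploy' => '10.0.0.0/8' },
  'dbservers'  => { '(dbadmins)'  => 'ALL', 'deploy' => '10.0.0.0/8' },
  'monitoring' => { 'nagios'      => 'LOCAL' },
  'legacy'     => { 'deploy'      => 'ALL' }, # conflicts with the two above
}.freeze

# Merge the entries of every group the node is in into one user => origin
# hash. Identical entries collapse into a single line (the "redundant lines
# removed" requirement). Two groups granting the same user *different*
# origins is refused rather than resolved by merge order, because "last
# group wins" would widen or narrow access depending on how the node's
# group list happens to be ordered.
def merged_access(groups)
  groups.each_with_object({}) do |group, acc|
    GROUP_ENTRIES.fetch(group, {}).each_pair do |user, origin|
      if acc.key?(user) && acc[user] != origin
        raise ArgumentError,
              "conflicting origin for #{user}: #{acc[user]} vs #{origin} (group #{group})"
      end
      acc[user] = origin
    end
  end
end

# Small holder so the template sees the hash as @pam_access, the way a
# class variable is visible inside a Puppet template() call.
class AccessConfRenderer
  def initialize(pam_access)
    @pam_access = pam_access
  end

  def render
    ERB.new(ACCESS_TEMPLATE, trim_mode: '-').result(binding)
  end
end

# Full pipeline: node's group list -> merged hash -> rendered access.conf text.
def render_access_conf(groups)
  AccessConfRenderer.new(merged_access(groups)).render
end

if __FILE__ == $PROGRAM_NAME
  puts render_access_conf(%w[webservers dbservers monitoring])
end
```

Line order in the template is the policy: pam_access stops at the first matching line, so every `+:` grant has to come before the closing `-:ALL:ALL`, and a node in no group renders to just the root-LOCAL grant and the deny. Reviewing the rendered file in `puppet agent --noop` output before applying it is worthwhile, since an empty or mis-merged hash locks every non-root login out.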