Use the virtual resources and hiera to create the environment specific group of users


Sans

Apr 30, 2014, 3:06:18 PM
to puppet...@googlegroups.com
Hi all,

I have a users module, which I don't control but include in my manifest to set up user(s) on my system. This is something I have in one of the .pp files:

class users::productupport {
    @group { 'productsupport':
        gid => '1553',
    }
    @produser { 'jake_s':
        user    => 'jake_s',
        uid     => '5001',
        group   => 'productsupport',
        comment => 'Jake Sully',
        .....
    }
    @produser { 'nina_g':
    ....
}

and in my manifest, I realize that information like this:

sudoers::snippet {
    'productsupport':
    group   => 'productsupport',
    rights  => ['ALL'];
}
Users::Produser <| group == productsupport |>


I have four environments and not all user groups are required in all the environments. How can I do this from hiera? I'm planning to have this in my hiera files:

test.yaml:
user_group:
  - productsupport
  - mondev

stage.yaml:
user_group:
  - productsupport
  - idreport



but then I cannot figure out how I can use user_group to create the group of users. Any help/pointer?
Just one thing to note: changing anything in the users module is not really an option for me, but I'm open to any suggestion(s) if it makes things even better.

Best!


jcbollinger

Apr 30, 2014, 10:23:59 PM
to puppet...@googlegroups.com


On Wednesday, April 30, 2014 10:06:18 AM UTC-5, Sans wrote:
> Hi all,
>
> I have a users module, which I don't control but include in my manifest to set up user(s) on my system. This is something I have in one of the .pp files:
>
> class users::productupport {
>     @group { 'productsupport':
>         gid => '1553',
>     }
>     @produser { 'jake_s':
>         user    => 'jake_s',
>         uid     => '5001',
>         group   => 'productsupport',
>         comment => 'Jake Sully',
>         .....
>     }
>     @produser { 'nina_g':
>     ....
> }



For that to be much use, there needs somewhere to be a class that declares that one and all its siblings.  Maybe it's class 'users':

modules/users/manifests/init.pp:
----
class users {
  include 'users::idreport'
  include 'users::mondev'
  include 'users::productsupport'
  ...
}

 
> and in my manifest, I realize that information like this:
>
> sudoers::snippet {
>     'productsupport':
>     group   => 'productsupport',
>     rights  => ['ALL'];
> }
> Users::Produser <| group == productsupport |>


> I have four environments and not all user groups are required in all the environments. How can I do this from hiera? I'm planning to have this in my hiera files:
>
> test.yaml:
> user_group:
>   - productsupport
>   - mondev
>
> stage.yaml:
> user_group:
>   - productsupport
>   - idreport
>
> but then I cannot figure out how I can use user_group to create the group of users. Any help/pointer?
> Just one thing to note: changing anything in the users module is not really an option for me, but I'm open to any suggestion(s) if it makes things even better.



Put your snippet into a defined type, maybe "mymodule::group", and use the array of group names from hiera to declare the appropriate instances of that type.


somewhere.pp:
----
$my_groups = hiera('user_group')
mymodule::group { $my_groups: }


modules/mymodule/manifests/group.pp:
----
define mymodule::group {
  include 'users'
  sudoers::snippet { $title:
    group => $title,
    rights => ['ALL']
  }
  Users::Produser<| group == $title |>
}


John
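
A fail-closed variant of the define in the post above, added here as an example and not part of the thread or of the users module. Every name in the hiera data receives sudo ALL, so this version refuses names outside a reviewed list and gives an environment with no user_group key no groups at all. The $approved_groups parameter and its values are hypothetical, and member() assumes puppetlabs-stdlib is installed.

```puppet
# somewhere.pp
# hiera() aborts catalog compilation when the key is missing and no default
# is given; the second argument makes an environment without user_group
# declare no groups instead.
$my_groups = hiera('user_group', [])
mymodule::group { $my_groups: }

# modules/mymodule/manifests/group.pp
define mymodule::group (
  # Hypothetical reviewed list of groups that may receive sudo rights.
  $approved_groups = ['productsupport', 'mondev', 'idreport'],
) {
  # member() is provided by puppetlabs-stdlib (assumed to be available).
  # A typo or an unreviewed name in a hiera file stops the run here
  # rather than producing a sudoers entry for it.
  if ! member($approved_groups, $title) {
    fail("mymodule::group: '${title}' is not an approved sudo group")
  }

  include 'users'

  sudoers::snippet { $title:
    group  => $title,
    rights => ['ALL'],
  }

  # Realize only the virtual users whose group matches this instance.
  Users::Produser <| group == $title |>
}
```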

Garrett Honeycutt

Apr 30, 2014, 11:14:19 PM
to puppet...@googlegroups.com
> test.yaml:
> user_group:
> - productsupport
> - mondev
>
> stage.yaml:
> user_group:
> - productsupport
> - idreport
>
>
>
> but then I cannot figure out how I can use user_group to create the
> group of users. Any help/pointer?
> Just one thing to note: changing anything in the users module is not really
> an option for me, but I'm open to any suggestion(s) if it makes things
> even better.
>
> Best!

Hi Sans,

I have code available[1] that does exactly this. You could put a level
in hiera.yaml such as

- environments/%{environment}

and then in each file (environments/stage.yaml and
environments/test.yaml) put the users that should be realized.

Though coding aside, from a sysadmin standpoint why you are doing this
seems quite odd. I would recommend realizing all the users in all
environments, which is effectively what happens when you use a directory
service, and then lock down which users can access the system depending
on the environment. If you go that route, check out my pam module[2].
Instead of describing users in different levels of hiera, you would
describe them all in one level of hiera and at the environment level you
would put what groups are allowed to log in.

[1] - https://github.com/ghoneycutt/puppet-module-common#commonmkuser-define

[2] - https://github.com/ghoneycutt/puppet-module-pam/#allowed_users

BR,
-g

--
Garrett Honeycutt

Sans

May 1, 2014, 4:46:17 PM
to puppet...@googlegroups.com
Thanks guys for the heads up!
I didn't get time to try any of those, which I'll do tonight and report back.