puppetlabs/accounts - separate user list and declaration of users


Devminded

20. 9. 2020, 10:31:53
to: Puppet Users
Hi.

We are using the puppetlabs/accounts module to set up user accounts and SSH keys but find it lacking.
We are using Hiera and have divided users up by role, type of machine and region/environment. The issue here is that if a user should exist on multiple groups of machines, but not in others, we have to repeat the entire definition; password, groups, ssh-key, etc. for every "group" of users. Multiple places to change things.
I had expected it to have two concepts:
  • List of account definitions (passwords, ssh-keys, groups, etc)
  • List of accounts to be applied to a target (with the possibility to override properties)

Definitions
accounts::users:
  joe:
    password: '$6......'
    sshkeys:
      - 'ssh-rsa ... j...@corp.com'
  sally:
    password: '$6......'
    sshkeys:
      - 'ssh-rsa ... sa...@corp.com'

Declare/Apply
(hieradata/accounts/DBA.yaml)
accounts::user_list:
  joe:
  sally:

(hieradata/accounts/paymentservice.yaml)
accounts::user_list:
  joe:

Is this possible?
Is it possible using Hiera?
What am I missing?

Henrik Lindberg

21. 9. 2020, 9:56:47
to: puppet...@googlegroups.com
On 2020-09-20 16:31, Devminded wrote:
> Hi.
>
> We are using the *puppetlabs/accounts* module to set up user accounts and
> SSH keys but find it lacking.
> We are using *Hiera* and have divided users up by role, type of machine
> and region/environment. The issue here is that if a user should exist on
> multiple groups of machines, but not in others, we /have to repeat the
> entire definition;/ password, groups, ssh-key, etc. for every "group" of
> users. Multiple places to change things.
> I had expected it to have two concepts:
>
> * List of account definitions (passwords, ssh-keys, groups, etc)
> * List of accounts to be applied to a target (with the possibility to
> override properties)
>
>
> *Definitions*
> accounts::users:
>   joe:
>     password: '$6......'
>     sshkeys:
>       - 'ssh-rsa ... j...@corp.com'
>   sally:
>     password: '$6......'
>     sshkeys:
>       - 'ssh-rsa ... sa...@corp.com'
>
> *Declare/Apply*
> *(*hieradata/accounts/DBA.yaml)
> accounts::user_list:
>   joe:
>   sally:
>
> *(*hieradata/accounts/paymentservice.yaml)
> accounts::user_list:
>   joe:
>
> Is this possible?
> Is it possible using Hiera?
> What am I missing?
>

You could do it by having a unique key per user and then referencing
those in each list. Here is an example:

user::joe:
  name: 'joe'
  password: '$6......'
  sshkeys:
    - 'ssh-rsa ... j...@corp.com'
user::sally:
  name: 'sally'
  password: '$6......'
  sshkeys:
    - 'ssh-rsa ... sa...@corp.com'

# (hieradata/accounts/DBA.yaml)
accounts::user_list:
  - '%{alias("user::joe")}'
  - '%{alias("user::sally")}'

# (hieradata/accounts/paymentservice.yaml)
accounts::user_list:
  - '%{alias("user::joe")}'

When you lookup `accounts::user_list` you will get an array of hashes.
If you instead would prefer one hash with all users where the keys are
names you could do something like this:

accounts::user_list:
  joe: '%{alias("user::joe")}'
  sally: '%{alias("user::sally")}'

Hope that helps.
- henrik


--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/
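
One way to consume the hash form of `accounts::user_list` from the reply above, as an added example that is not part of the thread or the module's own code. It assumes the `accounts::user` defined type from puppetlabs/accounts; the class name `profile::accounts` and its `$overrides` parameter are hypothetical.

```puppet
# Added example. profile::accounts and $overrides are hypothetical names.
class profile::accounts (
  # Per-target attribute overrides, keyed by login, e.g. set in Hiera as
  # profile::accounts::overrides: { joe: { groups: ['dba'] } }
  Hash[String, Hash] $overrides = {},
) {
  # 'hash' merge: a node that matches several hierarchy levels (for example
  # both DBA.yaml and paymentservice.yaml) receives the union of their lists
  # instead of only the highest-priority one.
  $users = lookup('accounts::user_list', Hash[String, Hash], 'hash', {})

  $users.each |String $login, Hash $definition| {
    # A missing key yields undef, which maps to "no overrides".
    $extra = $overrides[$login] ? {
      undef   => {},
      default => $overrides[$login],
    }

    # The resource title already carries the login, so drop the 'name' key
    # from the shared definition, then let the per-target overrides win.
    $attrs = ($definition - 'name') + $extra

    accounts::user { $login:
      * => $attrs,
    }
  }
}
```

If the module's own `accounts` class is also declared and reads `accounts::user_list`, use only one of the two, otherwise each user is declared twice.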
