I've read Puppet isn't great at handling lots of users, but I've got a
small user base and all my servers are geographically distributed and
hidden behind various firewalls/VPNs, making them unsuitable for
centralised authentication that requires a constant connection (e.g.
LDAP).
We've previously just distributed /etc/passwd and /etc/group files,
but I'm hoping that we could build something better into our new
Puppet deployments. Unfortunately, I'm getting the following error
when I try to add a user to multiple groups. This seems like quite a
simple requirement (aren't they always?) ... so, I'm wondering whether
I just completely misunderstand the use of the '+>' operator, or if
I'm thinking about this the wrong way.
Any help gratefully received!
Thanks,
Bryan
Below code snippet also available at http://pastie.org/556860.
[root@testnode]# puppetd
err: Could not retrieve catalog: Parameter 'groups' is already set on
User[bryan] by user::groupA
________________________________________________________________________
**site.pp**
node testnode {
    include user::groupA
    include user::groupB
}

class user::groupA inherits user::virtual {
    User["bryan"] { groups +> "groupA" }
    User["bob"] { groups +> "groupA" }
    realize(
        Group["groupA"],
        User["bryan"],
        User["bob"],
    )
}

class user::groupB inherits user::virtual {
    User["harry"] { groups +> "groupB" }
    User["bryan"] { groups +> "groupB" }
    realize(
        Group["groupB"],
        User["harry"],
        User["bryan"],
    )
}

class user::virtual {
    @user { "bryan":
        uid => 1001,
        gid => 1001,
    }
    @user { "bob":
        uid => 1002,
        gid => 1002,
    }
    @user { "harry":
        uid => 1003,
        gid => 1003,
    }
}
I was hoping to keep my users organised in neat classes as per the
Best Practices documentation, rather than have to define all the
groups a specific user is in all in a single place. However, as you
point out, it is a valid workaround.
I presume 'ingroups' is just an alias for 'groups'? It's not mentioned
in the Type Reference documentation, but I tried it, and it seems to
display the same functionality as the 'groups' property.
Generally speaking, am I thinking about the '+>' in the right way? If
you can't update and add to properties of virtual resources, then I'm
struggling to find a use for it? Or, do I perhaps need to add
a dependency to ensure that I realize() my virtual resource after I've
changed its properties?
Cheers,
Bryan