Sorry for the long question. Running puppet 3.6, so no .each fancy stuff
in manifests available.
We're in the middle of transitioning from local Linux user accounts to
LDAP/AD-based accounts using sssd. Because we haven't (not my call) yet
switched to use LDAP groups, we're still using local groups. That is, for
example, to have sudo privs you must be in the system's local 'sysadmins'
group. The sssd module I wrote configures sssd and cleans up (removes)
local accounts. This is a key part: After removing a local user, they're
still a valid user because their POSIX attributes are obtained through sssd.
Using a list generated by a custom facter fact, I can easily remove those
local accounts that don't belong. Unfortunately, this is not a one-time
thing (nor is Puppet, obviously) because we've already found people adding
local accounts to systems with sssd enabled - so it is going to be an
ongoing cleanup effort. The trouble comes when I tell Puppet to remove a
user account (ensure => absent), it also removes the user from all the
groups they were in - meaning it takes away effective privileges granted by
their membership in supplemental groups like 'sysadmins'. That's the
expected behavior of ensure=absent, so I'm finding a way to deal with it.
The custom fact also supplies the list of groups each candidate user is a
member of before they're removed - so I have the information I need.
{
user1: { groups: ['sysadmins','testgroup'] },
user2: { groups: ['sysadmins','bowlers'] }
}
Puppet does not permit a resource to be defined twice (once to remove the
User, once to add the User back to the groups they're supposed to be in),
and I don't think that the resource type Group supports directly managing
the members of a group on RHEL systems. At least, it hasn't worked.
Puppet just seems to ignore the Group resource.
Augeus looks like the right solution for managing /etc/group in this
specific situation. I'm borrowing the idea from duritong[1], but I cannot
for the life of me get my nested loop to work correctly. That is, I need
to iterate over the users, and then iterate over each group for each of
those users to call users::groups::manage_user. Instead, what keeps
happening is that Augeus mashes the array of groups into a single string,
instead of user::groups::manage_user getting called once for each
user+group combination.
I understand how to loop over the users, but can't figure out how *then* go
through and loop over each group. I have to supply both a user and a group
to the augues call.
I've managed to get around the problem by making facter return a hash like
so:
{
user1_sysadmins: { user: user1, group: sysadmins },
user1_testgroup: { user: user1, group: testgroup },
user2_sysadmins: {user: user2, group: sysadmins },
user2_bowlers: { user: user2, group: bowlers }
}
In the manifest, I call
create_resources(user::groups::manage_user, my_ugly_hash)
As the name implies, this is very ugly. It strongly ties the exact format
of facter's output to what create_resources and the augues custom resource
demand (a specifically formatted hash) in a bad way. Surely there's a
better way to make this work?
thanks!
[1]
https://github.com/duritong/puppet-user/blob/9bbd720da1549bf58c7707c1ac109a47e4b4a946/manifests/groups/manage_user.pp
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/4b41f058-3f87-4f34-adf7-a11001eaf742%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
