Sorry for the long question.  Running puppet 3.6, so no .each fancy stuff 
in manifests available.

We're in the middle of transitioning from local Linux user accounts to 
LDAP/AD-based accounts using sssd.  Because we haven't (not my call) yet 
switched to use LDAP groups, we're still using local groups.  That is, for 
example, to have sudo privs you must be in the system's local 'sysadmins' 
group.  The sssd module I wrote configures sssd and cleans up (removes) 
local accounts.  This is a key part: After removing a local user, they're 
still a valid user because their POSIX attributes are obtained through sssd.

Using a list generated by a custom facter fact, I can easily remove those 
local accounts that don't belong.  Unfortunately, this is not a one-time 
thing (nor is Puppet, obviously) because we've already found people adding 
local accounts to systems with sssd enabled - so it is going to be an 
ongoing cleanup effort.  The trouble comes when I tell Puppet to remove a 
user account (ensure => absent), it also removes the user from all the 
groups they were in - meaning it takes away effective privileges granted by 
their membership in supplemental groups like 'sysadmins'.  That's the 
expected behavior of ensure=absent, so I'm finding a way to deal with it.

The custom fact also supplies the list of groups each candidate user is a 
member of before they're removed - so I have the information I need.

{
  user1: { groups: ['sysadmins','testgroup'] },
  user2: { groups: ['sysadmins','bowlers'] }
}

Puppet does not permit a resource to be defined twice (once to remove the 
User, once to add the User back to the groups they're supposed to be in), 
and I don't think that the resource type Group supports directly managing 
the members of a group on RHEL systems.  At least, it hasn't worked. 
Puppet just seems to ignore the Group resource.

Augeas looks like the right solution for managing /etc/group in this 
specific situation.  I'm borrowing the idea from duritong[1], but I cannot 
for the life of me get my nested loop to work correctly.  That is, I need 
to iterate over the users, and then iterate over each group for each of 
those users to call users::groups::manage_user.  Instead, what keeps 
happening is that Augeas mashes the array of groups into a single string, 
instead of user::groups::manage_user getting called once for each 
user+group combination.

I understand how to loop over the users, but can't figure out how *then* to go 
through and loop over each group.  I have to supply both a user and a group 
to the augeas call.

I've managed to get around the problem by making facter return a hash like 
so:

{
  user1_sysadmins: { user: user1, group: sysadmins },
  user1_testgroup: { user: user1, group: testgroup },
  user2_sysadmins: { user: user2, group: sysadmins },
  user2_bowlers:   { user: user2, group: bowlers }
}

In the manifest, I call 
create_resources(user::groups::manage_user, my_ugly_hash)

As the name implies, this is very ugly.  It strongly ties the exact format 
of facter's output to what create_resources and the augeas custom resource 
demand (a specifically formatted hash) in a bad way.  Surely there's a 
better way to make this work?

thanks!


[1] 
https://github.com/duritong/puppet-user/blob/9bbd720da1549bf58c7707c1ac109a47e4b4a946/manifests/groups/manage_user.pp

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/4b41f058-3f87-4f34-adf7-a11001eaf742%40googlegroups.com.
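One way to get the nested loop in Puppet 3 without hand-built `user1_sysadmins` keys, as an added example that is neither the poster's code nor duritong's module: a defined type accepts an array of titles, and `regsubst()` maps over an array, so the outer define turns each user's group list into unique `user/group` titles and the inner define splits them back apart. It assumes a structured fact `$::sssd_local_user_groups` shaped like the first hash in the post, and that the sssd module declares `user { $user: ensure => absent }` for the same users in the same catalog.

```puppet
# Added example, not the original poster's or duritong's code.
# Assumed fact: $::sssd_local_user_groups = { user1 => { groups => [...] }, ... }

# One instance per user; $name is the username.
define user::groups::retain ($groups) {
  # ['sysadmins','testgroup'] -> ['user1/sysadmins','user1/testgroup']
  $pairs = regsubst($groups, '^', "${name}/")
  user::groups::retain_member { $pairs: }
}

# One instance per user+group pair. The title carries both values, so
# two users in 'sysadmins' never collide on the same resource title.
define user::groups::retain_member {
  $parts = split($name, '/')
  $user  = $parts[0]
  $group = $parts[1]

  # Both values end up inside an Augeas path expression; refuse anything
  # outside the usual POSIX name charset so an odd local account name
  # cannot change what the expression matches.
  if $user !~ /^[a-z_][a-z0-9_-]*$/ or $group !~ /^[a-z_][a-z0-9_-]*$/ {
    fail("refusing unsafe user/group name: ${name}")
  }

  augeas { "retain_${user}_in_${group}":
    context => '/files/etc/group',
    changes => "set ${group}/user[.='${user}'] ${user}",
    # userdel strips the user from every group, so the re-add must be
    # ordered after the local account removal (assumed to be declared
    # as user { $user: ensure => absent } elsewhere in the catalog).
    require => User[$user],
  }
}

# In the manifest: one call, fed directly with the per-user fact.
create_resources('user::groups::retain', $::sssd_local_user_groups)
```

If puppetlabs-stdlib is available, `prefix($groups, "${name}/")` does the same job as the `regsubst()` line.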