I'm looking for a way to conditionally add a user to a group, and can't figure out a clean way to do it in Puppet. I have the following recipe:

###### BEGIN RECIPE
class "apache-server" {
    group { "apache":
        gid => 100,
    }
    user { "apache":
        uid => 100,
        gid => 100,
    }
    ...
}

class "site-a" {
    include apache-server
    group { "site-a": }
    ...
}

class "site-b" {
    include apache-server
    group { "site-b": }
    ...
}

node "server00" {
    include site-a
}

node "server01" {
    include site-a
    include site-b
}
###### END RECIPE

I would like the apache user to be added to the relevant group for each "site" class, so that the user would belong to "site-a" on server00 and both "site-a" and "site-b" on server01. But I can't figure out the best way of doing so.

I can't have an apache user element in the "site" classes, because that would be a duplicate definition. I could move the apache user element out of the apache class and into the node definitions, but that would lead to a proliferation of those elements as I add more nodes.

The best way I can see is to write my own "add-user-to-group" function, which I then add to each "site" class. Not a huge deal, but it seems like something Puppet should handle out-of-the-box.

Any ideas?

On Apr 17, 2007, at 4:37 PM, Steve Caldwell wrote:
>
> I'm looking for a way to conditionally add a user to a group, and
> can't figure out a clean way to do it in Puppet.
>
<..snip..>
> I would like the apache user to be added to the relevant group for
> each "site" class, so that the user would belong to "site-a" on
> server00 and both "site-a" and "site-b" on server01. But I can't
> figure out the best way of doing so.
>
> I can't have an apache user element in the "site" classes, because that
> would be a duplicate definition.

You should put this in a definition, and you can easily wrap things up.

define apache_site($apache_user = apache) {
    user { "apache-$name":
        name => "apache",
        groups => $name,
        membership => 'minimum',
        uid => 100,
        gid => 100
    }
    ... other stuff you need on a per site basis ...
}

Then, in your class:

class site-01 {
    apache_site { "site-01": }
}

That is just pseudo-code, but it should get you closer to what you are looking for. The trick is the use of the "name" variable to have the name of the User object be unique, but still work on the same lower level system user. Also, using membership "minimum", to ensure you don't get removed from other groups.

Hope this helps,
Adam

On Apr 18, 2007, at 1:45 PM, Adam Jacob wrote:
> On Apr 17, 2007, at 4:37 PM, Steve Caldwell wrote:
>
>> I'm looking for a way to conditionally add a user to a group, and
>> can't figure out a clean way to do it in Puppet.
>
> You should put this in a definition, and you can easily wrap things
> up.
>
> define apache_site($apache_user = apache) {
>     user { "apache-$name":
>         name => "apache",
>         groups => $name,
>         membership => 'minimum',
>         uid => 100,
>         gid => 100
>     }
>     ... other stuff you need on a per site basis ...
> }
>
> Then, in your class:
>
> class site-01 {
>     apache_site { "site-01": }
> }

I doubt this will work, since Puppet registers resources under both names and titles, so you won't get a conflict in the parser but you will on the client (I think; I know this is the case for files).

I don't think there's a way to compose parameter values at this point, which is essentially what you're looking for. You need some way to add values to an existing parameter, which is currently not possible.

If only one group would ever be added on a given host, then you can do it with overrides, but I expect that's not the case.

--
I have a switch in my apartment... It doesn't do anything. Every once in a while, I turn it on and off. One day I got a call... It was from a woman in France... She said, "Cut it out!" -- Stephen Wright
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com

On Apr 18, 2007, at 4:03 PM, Luke Kanies wrote:
> On Apr 18, 2007, at 1:45 PM, Adam Jacob wrote:
>
> > On Apr 17, 2007, at 4:37 PM, Steve Caldwell wrote:
> >
> >> I'm looking for a way to conditionally add a user to a group, and
> >> can't figure out a clean way to do it in Puppet.
> >
> > You should put this in a definition, and you can easily wrap things
> > up.
>
> I doubt this will work, since Puppet registers resources under both
> names and titles, so you won't get a conflict in the parser but you
> will on the client (I think; I know this is the case for files).
>
> I don't think there's a way to compose parameter values at this
> point, which is essentially what you're looking for. You need some
> way to add values to an existing parameter, which is currently not
> possible.

Luke's right, I get the following error when I try Adam's suggestion:

    err: Could not create apache-site-a: apache already exists with name apache

I guess my original idea of writing an "add-user-to-group" function is my only choice...
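
Added example, not part of any message in this thread: a sketch of the "add-user-to-group" helper the last message falls back on, written as POSIX shell that a Puppet exec could call once per site group. The function names and sample group lists are assumptions; usermod -a -G is the Linux shadow-utils form, where -a does the job of membership "minimum" by appending to the supplementary groups instead of replacing them.

```shell
#!/bin/sh
# Added example (not from the thread): idempotent "add user to group" helper.
# Assumes Linux shadow-utils `usermod`; all function names are hypothetical.

# valid_name NAME: accept only conservative account/group names, so a value
# interpolated from a manifest cannot smuggle in options or shell syntax.
valid_name() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# has_group "LIST" GROUP: exact match against a space-separated group list.
# A substring test would wrongly treat "site-a-staging" as "site-a".
has_group() {
    for g in $1; do
        if [ "$g" = "$2" ]; then return 0; fi
    done
    return 1
}

# plan_add USER GROUP "CURRENT_GROUPS": print the one command required, or
# nothing when the membership already exists. Returns 2 on a rejected name.
plan_add() {
    if ! valid_name "$1" || ! valid_name "$2"; then return 2; fi
    if has_group "$3" "$2"; then return 0; fi
    # -a appends; without it, -G would replace every supplementary group.
    printf 'usermod -a -G %s %s\n' "$2" "$1"
}

# add_user_to_group USER GROUP: apply the plan to the live system (needs root).
add_user_to_group() {
    valid_name "$1" || return 2
    current=$(id -nG "$1") || return 1
    cmd=$(plan_add "$1" "$2" "$current") || return $?
    if [ -n "$cmd" ]; then $cmd; fi
}

# Constructed sample: server01's apache user, so far only in site-a.
plan_add apache site-b "apache site-a"
```

Because plan_add prints nothing when the group is already present, running it repeatedly from each "site" class leaves existing memberships untouched.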