Puppet users - Feb 2009 - basic question about template conditionals

Hello,

I want to use Puppet to manage /etc/access.conf on our managed Linux
servers.  The problem is that the servers on our network will be
accessed by different groups of users, so I will need slightly different
configurations for each server.  My first impression is that I probably
don''t want to create completely different access.conf files for each
server, so I thought I might try using template conditionals for this.
I''m just not sure if what I''m trying to do is possible, or if
there''s a
better way.  I''ve pasted my basic idea below.  The part I''m
not sure
about is the "if $hostname in [server1, server2, server3]" part.  I
didn''t see anything in the documentation about checking if a value
exists in an array, but I assume this is possible.  Any thoughts?

#
# etc/access.conf controls access to this machine
#

# User "root" can only log in locally and from trusted network subnets
- : root : ALL EXCEPT LOCAL 192.168.0.0/16

# Tech support users can log in from all sources.
+ : @support : ALL

<% if $hostname in [server1, server2, server3] %>
# group1 can log into this server
+ : @group1 : ALL
<% end %>

<% if $hostname in [server4, server5, server6] %>
# group2 can log into this server
+ : @group2 : ALL
<% end %>

All other users should be denied to get access from all sources.
- : ALL : ALL

--
Michael Conigliaro
Computer Analyst
Fuss & O''Neill Technologies
www.fandotech.com
 


--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---

Hello,

Sorry if this ends up getting posted twice.  I originally sent this
about 3 hours ago, and I never saw it get posted, so I''m trying again.

I want to use Puppet to manage /etc/access.conf on our managed Linux
servers.  The problem is that the servers on our network will be
accessed by different groups of users, so I will need slightly different
configurations for each server.  My first impression is that I probably
don''t want to create completely different access.conf files for each
server, so I thought I might try using template conditionals for this.
I''m just not sure if what I''m trying to do is possible, or if
there''s a
better way.  I''ve pasted my basic idea below.  The part I''m
not sure
about is the "if $hostname in [server1, server2, server3]" part.  I
didn''t see anything in the documentation about checking if a value
exists in an array, but I assume this is possible.  Any thoughts?

#
# etc/access.conf controls access to this machine #

# User "root" can only log in locally and from trusted network subnets
- : root : ALL EXCEPT LOCAL 192.168.0.0/16

# Tech support users can log in from all sources.
+ : @support : ALL

<% if $hostname in [server1, server2, server3] %> # group1 can log into
this server
+ : @group1 : ALL
<% end %>

<% if $hostname in [server4, server5, server6] %> # group2 can log into
this server
+ : @group2 : ALL
<% end %>

All other users should be denied to get access from all sources.
- : ALL : ALL

--
Michael Conigliaro
Computer Analyst
Fuss & O''Neill Technologies
www.fandotech.com
 


--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---

Michael,

Templates are ERB, which uses pure ruby. I think what you are doing
should work in concept, thought I think your syntax is a bit off.

--Paul

On Wed, Feb 11, 2009 at 10:36 AM, Michael Conigliaro
<mconigliaro@fandotech.com> wrote:
>
> Hello,
>
> Sorry if this ends up getting posted twice.  I originally sent this
> about 3 hours ago, and I never saw it get posted, so I''m trying
again.
>
> I want to use Puppet to manage /etc/access.conf on our managed Linux
> servers.  The problem is that the servers on our network will be
> accessed by different groups of users, so I will need slightly different
> configurations for each server.  My first impression is that I probably
> don''t want to create completely different access.conf files for
each
> server, so I thought I might try using template conditionals for this.
> I''m just not sure if what I''m trying to do is possible,
or if there''s a
> better way.  I''ve pasted my basic idea below.  The part
I''m not sure
> about is the "if $hostname in [server1, server2, server3]" part. 
I
> didn''t see anything in the documentation about checking if a value
> exists in an array, but I assume this is possible.  Any thoughts?
>
> #
> # etc/access.conf controls access to this machine #
>
> # User "root" can only log in locally and from trusted network
subnets
> - : root : ALL EXCEPT LOCAL 192.168.0.0/16
>
> # Tech support users can log in from all sources.
> + : @support : ALL
>
> <% if $hostname in [server1, server2, server3] %> # group1 can log
into
> this server
> + : @group1 : ALL
> <% end %>
>
> <% if $hostname in [server4, server5, server6] %> # group2 can log
into
> this server
> + : @group2 : ALL
> <% end %>
>
> All other users should be denied to get access from all sources.
> - : ALL : ALL
>
> --
> Michael Conigliaro
> Computer Analyst
> Fuss & O''Neill Technologies
> www.fandotech.com
>
>
>
> >
>
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---

Michael Conigliaro wrote:
> Hello,
> 
> Sorry if this ends up getting posted twice.  I originally sent this
> about 3 hours ago, and I never saw it get posted, so I''m trying
again.
The list is moderated to new posters to stop spam.  I release emails 2-3
times a day as does Luke and Andrew.

Regards

James Turnbull

-- 
Author of:
* Pulling Strings with Puppet
(http://www.amazon.com/gp/product/1590599780/)
* Pro Nagios 2.0
(http://www.amazon.com/gp/product/1590596099/)
* Hardening Linux
(http://www.amazon.com/gp/product/1590594444/)

I do a lot of this and usually use regular expression to handle it

A couple examples:

<% if hostname =~ /server[135]/ %>
<% if hostname =~ /dns1001|mail2002|web1003/ %>

Steven

-----Original Message-----
From: puppet-users@googlegroups.com
[mailto:puppet-users@googlegroups.com] On Behalf Of Michael Conigliaro
Sent: Wednesday, February 11, 2009 7:58 AM
To: puppet-users@googlegroups.com
Subject: [Puppet Users] basic question about template conditionals

#
# etc/access.conf controls access to this machine
#

# User "root" can only log in locally and from trusted network subnets
- : root : ALL EXCEPT LOCAL 192.168.0.0/16

# Tech support users can log in from all sources.
+ : @support : ALL

<% if $hostname in [server1, server2, server3] %>
# group1 can log into this server
+ : @group1 : ALL
<% end %>

<% if $hostname in [server4, server5, server6] %>
# group2 can log into this server
+ : @group2 : ALL
<% end %>

All other users should be denied to get access from all sources.
- : ALL : ALL

--
Michael Conigliaro
Computer Analyst
Fuss & O''Neill Technologies
www.fandotech.com
 


--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---

Here''s how we generate access.conf. We define a type that adds and
removes
access.conf entries and use this type in the node that we need a 
particular group to be able to login to.

class pam { 

  $access = "/etc/security/access.conf"

  exec {"prep access.conf":
    command => "echo - : ALL : ALL > $access",
    unless  => "tail -n 1 $access | grep ''^\\- : ALL :
ALL''",
  }

  define accesslogin($origins = "ALL", $ensure = "present")
{
    case $ensure {
      present: {
        exec {"$ensure : $name : $origins":
          command => "sed -i ''\$i+ : $name : $origins''
${pam::access}",
            unless  => "grep ''$perm : $name :
$origins'' ${pam::access}",
            require => Exec["prep access.conf"],
        }
      }
      default: {
        exec {"$ensure : $name : $origins":
          command => "sed -i ''/+ : $name : $origins/d''
${pam::access}",
          onlyif  => "grep ''$perm : $name : $origins''
${pam::access}",
          require => Exec["prep access.conf"],
        }
      }
    }
  }

  # defaults
  accesslogin { ["root", "backup"]: ; }

}

node ''node1'' { 
  include pam

  pam::accesslogin { "group1": }
}

node ''node2'' { 
  include pam
 
  # let the apache user run cron jobs but not login
  pam::accesslogin { "apache": 
    origins => "cron",
  }
}
  
-Eric

On Wed, 11 Feb 2009, Michael Conigliaro wrote:
> 
> Hello,
> 
> Sorry if this ends up getting posted twice.  I originally sent this
> about 3 hours ago, and I never saw it get posted, so I''m trying
again.
> 
> I want to use Puppet to manage /etc/access.conf on our managed Linux
> servers.  The problem is that the servers on our network will be
> accessed by different groups of users, so I will need slightly different
> configurations for each server.  My first impression is that I probably
> don''t want to create completely different access.conf files for
each
> server, so I thought I might try using template conditionals for this.
> I''m just not sure if what I''m trying to do is possible,
or if there''s a
> better way.  I''ve pasted my basic idea below.  The part
I''m not sure
> about is the "if $hostname in [server1, server2, server3]" part. 
I
> didn''t see anything in the documentation about checking if a value
> exists in an array, but I assume this is possible.  Any thoughts?
> 
> #
> # etc/access.conf controls access to this machine #
> 
> # User "root" can only log in locally and from trusted network
subnets
> - : root : ALL EXCEPT LOCAL 192.168.0.0/16
> 
> # Tech support users can log in from all sources.
> + : @support : ALL
> 
> <% if $hostname in [server1, server2, server3] %> # group1 can log
into
> this server
> + : @group1 : ALL
> <% end %>
> 
> <% if $hostname in [server4, server5, server6] %> # group2 can log
into
> this server
> + : @group2 : ALL
> <% end %>
> 
> All other users should be denied to get access from all sources.
> - : ALL : ALL
> 
> --
> Michael Conigliaro
> Computer Analyst
> Fuss & O''Neill Technologies
> www.fandotech.com
>  
> 
> 
> > 
> 
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---