Michael Conigliaro
2009-Feb-11 15:58 UTC
[Puppet Users] basic question about template conditionals
Hello,

I want to use Puppet to manage /etc/access.conf on our managed Linux servers. The problem is that the servers on our network will be accessed by different groups of users, so I will need slightly different configurations for each server. My first impression is that I probably don't want to create completely different access.conf files for each server, so I thought I might try using template conditionals for this. I'm just not sure if what I'm trying to do is possible, or if there's a better way. I've pasted my basic idea below. The part I'm not sure about is the "if $hostname in [server1, server2, server3]" part. I didn't see anything in the documentation about checking if a value exists in an array, but I assume this is possible. Any thoughts?

    #
    # etc/access.conf controls access to this machine #

    # User "root" can only log in locally and from trusted network subnets
    - : root : ALL EXCEPT LOCAL 192.168.0.0/16

    # Tech support users can log in from all sources.
    + : @support : ALL

    <% if $hostname in [server1, server2, server3] %> # group1 can log into this server
    + : @group1 : ALL
    <% end %>

    <% if $hostname in [server4, server5, server6] %> # group2 can log into this server
    + : @group2 : ALL
    <% end %>

    All other users should be denied to get access from all sources.
    - : ALL : ALL

--
Michael Conigliaro
Computer Analyst
Fuss & O'Neill Technologies
www.fandotech.com
Michael Conigliaro
2009-Feb-11 18:36 UTC
[Puppet Users] basic question about template conditionals
Hello,

Sorry if this ends up getting posted twice. I originally sent this about 3 hours ago, and I never saw it get posted, so I'm trying again.

I want to use Puppet to manage /etc/access.conf on our managed Linux servers. The problem is that the servers on our network will be accessed by different groups of users, so I will need slightly different configurations for each server. My first impression is that I probably don't want to create completely different access.conf files for each server, so I thought I might try using template conditionals for this. I'm just not sure if what I'm trying to do is possible, or if there's a better way. I've pasted my basic idea below. The part I'm not sure about is the "if $hostname in [server1, server2, server3]" part. I didn't see anything in the documentation about checking if a value exists in an array, but I assume this is possible. Any thoughts?

    #
    # etc/access.conf controls access to this machine #

    # User "root" can only log in locally and from trusted network subnets
    - : root : ALL EXCEPT LOCAL 192.168.0.0/16

    # Tech support users can log in from all sources.
    + : @support : ALL

    <% if $hostname in [server1, server2, server3] %> # group1 can log into this server
    + : @group1 : ALL
    <% end %>

    <% if $hostname in [server4, server5, server6] %> # group2 can log into this server
    + : @group2 : ALL
    <% end %>

    All other users should be denied to get access from all sources.
    - : ALL : ALL

--
Michael Conigliaro
Computer Analyst
Fuss & O'Neill Technologies
www.fandotech.com
Paul Lathrop
2009-Feb-11 21:42 UTC
[Puppet Users] Re: basic question about template conditionals
Michael,

Templates are ERB, which uses pure ruby. I think what you are doing should work in concept, though I think your syntax is a bit off.

--Paul

On Wed, Feb 11, 2009 at 10:36 AM, Michael Conigliaro <mconigliaro@fandotech.com> wrote:
>
> Hello,
>
> Sorry if this ends up getting posted twice. I originally sent this
> about 3 hours ago, and I never saw it get posted, so I'm trying again.
>
> I want to use Puppet to manage /etc/access.conf on our managed Linux
> servers. The problem is that the servers on our network will be
> accessed by different groups of users, so I will need slightly different
> configurations for each server. My first impression is that I probably
> don't want to create completely different access.conf files for each
> server, so I thought I might try using template conditionals for this.
> I'm just not sure if what I'm trying to do is possible, or if there's a
> better way. I've pasted my basic idea below. The part I'm not sure
> about is the "if $hostname in [server1, server2, server3]" part. I
> didn't see anything in the documentation about checking if a value
> exists in an array, but I assume this is possible. Any thoughts?
>
> #
> # etc/access.conf controls access to this machine #
>
> # User "root" can only log in locally and from trusted network subnets
> - : root : ALL EXCEPT LOCAL 192.168.0.0/16
>
> # Tech support users can log in from all sources.
> + : @support : ALL
>
> <% if $hostname in [server1, server2, server3] %> # group1 can log into this server
> + : @group1 : ALL
> <% end %>
>
> <% if $hostname in [server4, server5, server6] %> # group2 can log into this server
> + : @group2 : ALL
> <% end %>
>
> All other users should be denied to get access from all sources.
> - : ALL : ALL
>
> --
> Michael Conigliaro
> Computer Analyst
> Fuss & O'Neill Technologies
> www.fandotech.com
James Turnbull
2009-Feb-11 22:05 UTC
[Puppet Users] Re: basic question about template conditionals
Michael Conigliaro wrote:
> Hello,
>
> Sorry if this ends up getting posted twice. I originally sent this
> about 3 hours ago, and I never saw it get posted, so I'm trying again.

The list is moderated to new posters to stop spam. I release emails 2-3 times a day, as do Luke and Andrew.

Regards

James Turnbull

--
Author of:
* Pulling Strings with Puppet (http://www.amazon.com/gp/product/1590599780/)
* Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/)
* Hardening Linux (http://www.amazon.com/gp/product/1590594444/)
Steven Nemetz
2009-Feb-12 00:05 UTC
[Puppet Users] Re: basic question about template conditionals
I do a lot of this and usually use regular expressions to handle it.

A couple of examples:

    <% if hostname =~ /server[135]/ %>
    <% if hostname =~ /dns1001|mail2002|web1003/ %>

Steven

-----Original Message-----
From: puppet-users@googlegroups.com [mailto:puppet-users@googlegroups.com] On Behalf Of Michael Conigliaro
Sent: Wednesday, February 11, 2009 7:58 AM
To: puppet-users@googlegroups.com
Subject: [Puppet Users] basic question about template conditionals

    #
    # etc/access.conf controls access to this machine #

    # User "root" can only log in locally and from trusted network subnets
    - : root : ALL EXCEPT LOCAL 192.168.0.0/16

    # Tech support users can log in from all sources.
    + : @support : ALL

    <% if $hostname in [server1, server2, server3] %> # group1 can log into this server
    + : @group1 : ALL
    <% end %>

    <% if $hostname in [server4, server5, server6] %> # group2 can log into this server
    + : @group2 : ALL
    <% end %>

    All other users should be denied to get access from all sources.
    - : ALL : ALL

--
Michael Conigliaro
Computer Analyst
Fuss & O'Neill Technologies
www.fandotech.com
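Added example (not from any poster in this thread): the conditional from the original question as runnable ERB, using exact membership (Array#include?) against constructed host lists and keeping the deny-all rule last, since pam_access applies the first matching rule. It goes slightly beyond the thread by comparing an unanchored hostname pattern with an anchored one over a constructed fleet; GROUP_HOSTS, FLEET, render_access_conf and hosts_matching are names assumed for illustration.

```ruby
require 'erb'

# Constructed host lists, mirroring the server names used in the question.
GROUP_HOSTS = {
  'group1' => %w[server1 server2 server3],
  'group2' => %w[server4 server5 server6],
}.freeze

# Constructed fleet used to compare hostname patterns.
FLEET = %w[server1 server3 server5 server10 server13 testserver1].freeze

# access.conf template. pam_access uses the first rule that matches, so the
# deny-all line must stay last. "-%>" drops the newline after a control tag.
ACCESS_TEMPLATE = <<~'TPL'
  # User "root" can only log in locally and from trusted network subnets
  - : root : ALL EXCEPT LOCAL 192.168.0.0/16
  # Tech support users can log in from all sources.
  + : @support : ALL
  <% GROUP_HOSTS.each do |group, hosts| -%>
  <% if hosts.include?(hostname) -%>
  # <%= group %> can log into this server
  + : @<%= group %> : ALL
  <% end -%>
  <% end -%>
  # All other users are denied access from all sources.
  - : ALL : ALL
TPL

# Render access.conf for one host; only an exact hostname match adds a group.
def render_access_conf(hostname)
  ERB.new(ACCESS_TEMPLATE, trim_mode: '-').result(binding)
end

# Hosts in a fleet on which a pattern-based conditional would evaluate true.
def hosts_matching(pattern, fleet)
  fleet.select { |host| host =~ pattern }
end

if __FILE__ == $PROGRAM_NAME
  puts render_access_conf('server2')
  # =~ succeeds on a substring, so the unanchored pattern selects every
  # host in FLEET; anchoring with \A and \z limits it to the three intended.
  puts "unanchored: #{hosts_matching(/server[135]/, FLEET).join(' ')}"
  puts "anchored:   #{hosts_matching(/\Aserver[135]\z/, FLEET).join(' ')}"
end
```

Inside a Puppet template the hostname fact is already in scope, so only the template body carries over; the wrapper methods exist to make the example run on its own.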
Eric Heydrick
2009-Feb-12 04:14 UTC
[Puppet Users] Re: basic question about template conditionals
Here's how we generate access.conf. We define a type that adds and removes access.conf entries and use this type in the node that we need a particular group to be able to login to.

    class pam {
      $access = "/etc/security/access.conf"

      # Make sure the last line of the file is the deny-all rule
      exec {"prep access.conf":
        command => "echo - : ALL : ALL > $access",
        unless  => "tail -n 1 $access | grep '^\\- : ALL : ALL'",
      }

      define accesslogin($origins = "ALL", $ensure = "present") {
        case $ensure {
          present: {
            # Insert the allow rule just before the final deny-all line
            exec {"$ensure : $name : $origins":
              command => "sed -i '\$i+ : $name : $origins' ${pam::access}",
              # Skip if the '+' rule is already in the file
              unless  => "grep '+ : $name : $origins' ${pam::access}",
              require => Exec["prep access.conf"],
            }
          }
          default: {
            # Any other value of $ensure deletes the allow rule
            exec {"$ensure : $name : $origins":
              command => "sed -i '/+ : $name : $origins/d' ${pam::access}",
              # Run only if the '+' rule is present
              onlyif  => "grep '+ : $name : $origins' ${pam::access}",
              require => Exec["prep access.conf"],
            }
          }
        }
      }

      # defaults
      accesslogin { ["root", "backup"]: ; }
    }

    node 'node1' {
      include pam
      pam::accesslogin { "group1": }
    }

    node 'node2' {
      include pam
      # let the apache user run cron jobs but not login
      pam::accesslogin { "apache":
        origins => "cron",
      }
    }

-Eric
On Wed, 11 Feb 2009, Michael Conigliaro wrote:
>
> Hello,
>
> Sorry if this ends up getting posted twice. I originally sent this
> about 3 hours ago, and I never saw it get posted, so I'm trying again.
>
> I want to use Puppet to manage /etc/access.conf on our managed Linux
> servers. The problem is that the servers on our network will be
> accessed by different groups of users, so I will need slightly different
> configurations for each server. My first impression is that I probably
> don't want to create completely different access.conf files for each
> server, so I thought I might try using template conditionals for this.
> I'm just not sure if what I'm trying to do is possible, or if there's a
> better way. I've pasted my basic idea below. The part I'm not sure
> about is the "if $hostname in [server1, server2, server3]" part. I
> didn't see anything in the documentation about checking if a value
> exists in an array, but I assume this is possible. Any thoughts?
>
> #
> # etc/access.conf controls access to this machine #
>
> # User "root" can only log in locally and from trusted network subnets
> - : root : ALL EXCEPT LOCAL 192.168.0.0/16
>
> # Tech support users can log in from all sources.
> + : @support : ALL
>
> <% if $hostname in [server1, server2, server3] %> # group1 can log into this server
> + : @group1 : ALL
> <% end %>
>
> <% if $hostname in [server4, server5, server6] %> # group2 can log into this server
> + : @group2 : ALL
> <% end %>
>
> All other users should be denied to get access from all sources.
> - : ALL : ALL
>
> --
> Michael Conigliaro
> Computer Analyst
> Fuss & O'Neill Technologies
> www.fandotech.com