Michael Conigliaro
2009-Feb-11 15:58 UTC
[Puppet Users] basic question about template conditionals
Hello,

I want to use Puppet to manage /etc/access.conf on our managed Linux servers. The problem is that the servers on our network will be accessed by different groups of users, so I will need slightly different configurations for each server. My first impression is that I probably don't want to create completely different access.conf files for each server, so I thought I might try using template conditionals for this. I'm just not sure if what I'm trying to do is possible, or if there's a better way. I've pasted my basic idea below. The part I'm not sure about is the "if $hostname in [server1, server2, server3]" part. I didn't see anything in the documentation about checking if a value exists in an array, but I assume this is possible. Any thoughts?

#
# etc/access.conf controls access to this machine
#

# User "root" can only log in locally and from trusted network subnets
- : root : ALL EXCEPT LOCAL 192.168.0.0/16

# Tech support users can log in from all sources.
+ : @support : ALL

<% if $hostname in [server1, server2, server3] %>
# group1 can log into this server
+ : @group1 : ALL
<% end %>

<% if $hostname in [server4, server5, server6] %>
# group2 can log into this server
+ : @group2 : ALL
<% end %>

All other users should be denied to get access from all sources.
- : ALL : ALL

--
Michael Conigliaro
Computer Analyst
Fuss & O'Neill Technologies
www.fandotech.com

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---
Michael Conigliaro
2009-Feb-11 18:36 UTC
[Puppet Users] basic question about template conditionals
Hello,

Sorry if this ends up getting posted twice. I originally sent this about 3 hours ago, and I never saw it get posted, so I'm trying again.

I want to use Puppet to manage /etc/access.conf on our managed Linux servers. The problem is that the servers on our network will be accessed by different groups of users, so I will need slightly different configurations for each server. My first impression is that I probably don't want to create completely different access.conf files for each server, so I thought I might try using template conditionals for this. I'm just not sure if what I'm trying to do is possible, or if there's a better way. I've pasted my basic idea below. The part I'm not sure about is the "if $hostname in [server1, server2, server3]" part. I didn't see anything in the documentation about checking if a value exists in an array, but I assume this is possible. Any thoughts?

#
# etc/access.conf controls access to this machine
#

# User "root" can only log in locally and from trusted network subnets
- : root : ALL EXCEPT LOCAL 192.168.0.0/16

# Tech support users can log in from all sources.
+ : @support : ALL

<% if $hostname in [server1, server2, server3] %>
# group1 can log into this server
+ : @group1 : ALL
<% end %>

<% if $hostname in [server4, server5, server6] %>
# group2 can log into this server
+ : @group2 : ALL
<% end %>

All other users should be denied to get access from all sources.
- : ALL : ALL

--
Michael Conigliaro
Computer Analyst
Fuss & O'Neill Technologies
www.fandotech.com
Paul Lathrop
2009-Feb-11 21:42 UTC
[Puppet Users] Re: basic question about template conditionals
Michael,

Templates are ERB, which uses pure ruby. I think what you are doing should work in concept, though I think your syntax is a bit off.

--Paul

On Wed, Feb 11, 2009 at 10:36 AM, Michael Conigliaro <mconigliaro@fandotech.com> wrote:
>
> Hello,
>
> Sorry if this ends up getting posted twice. I originally sent this
> about 3 hours ago, and I never saw it get posted, so I'm trying again.
>
> I want to use Puppet to manage /etc/access.conf on our managed Linux
> servers. The problem is that the servers on our network will be
> accessed by different groups of users, so I will need slightly different
> configurations for each server. My first impression is that I probably
> don't want to create completely different access.conf files for each
> server, so I thought I might try using template conditionals for this.
> I'm just not sure if what I'm trying to do is possible, or if there's a
> better way. I've pasted my basic idea below. The part I'm not sure
> about is the "if $hostname in [server1, server2, server3]" part. I
> didn't see anything in the documentation about checking if a value
> exists in an array, but I assume this is possible. Any thoughts?
>
> #
> # etc/access.conf controls access to this machine
> #
>
> # User "root" can only log in locally and from trusted network subnets
> - : root : ALL EXCEPT LOCAL 192.168.0.0/16
>
> # Tech support users can log in from all sources.
> + : @support : ALL
>
> <% if $hostname in [server1, server2, server3] %>
> # group1 can log into this server
> + : @group1 : ALL
> <% end %>
>
> <% if $hostname in [server4, server5, server6] %>
> # group2 can log into this server
> + : @group2 : ALL
> <% end %>
>
> All other users should be denied to get access from all sources.
> - : ALL : ALL
>
> --
> Michael Conigliaro
> Computer Analyst
> Fuss & O'Neill Technologies
> www.fandotech.com
James Turnbull
2009-Feb-11 22:05 UTC
[Puppet Users] Re: basic question about template conditionals
Michael Conigliaro wrote:
> Hello,
>
> Sorry if this ends up getting posted twice. I originally sent this
> about 3 hours ago, and I never saw it get posted, so I'm trying again.

The list is moderated to new posters to stop spam. I release emails 2-3 times a day, as do Luke and Andrew.

Regards

James Turnbull

--
Author of:
* Pulling Strings with Puppet (http://www.amazon.com/gp/product/1590599780/)
* Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/)
* Hardening Linux (http://www.amazon.com/gp/product/1590594444/)
Steven Nemetz
2009-Feb-12 00:05 UTC
[Puppet Users] Re: basic question about template conditionals
I do a lot of this and usually use regular expressions to handle it.

A couple of examples:

<% if hostname =~ /server[135]/ %>
<% if hostname =~ /dns1001|mail2002|web1003/ %>

Steven

-----Original Message-----
From: puppet-users@googlegroups.com [mailto:puppet-users@googlegroups.com] On Behalf Of Michael Conigliaro
Sent: Wednesday, February 11, 2009 7:58 AM
To: puppet-users@googlegroups.com
Subject: [Puppet Users] basic question about template conditionals

#
# etc/access.conf controls access to this machine
#

# User "root" can only log in locally and from trusted network subnets
- : root : ALL EXCEPT LOCAL 192.168.0.0/16

# Tech support users can log in from all sources.
+ : @support : ALL

<% if $hostname in [server1, server2, server3] %>
# group1 can log into this server
+ : @group1 : ALL
<% end %>

<% if $hostname in [server4, server5, server6] %>
# group2 can log into this server
+ : @group2 : ALL
<% end %>

All other users should be denied to get access from all sources.
- : ALL : ALL

--
Michael Conigliaro
Computer Analyst
Fuss & O'Neill Technologies
www.fandotech.com
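Added example, not code from any poster in this thread: because Puppet templates are ERB and therefore plain Ruby, the membership test asked about is `Array#include?`, and the block also compares an unanchored hostname regex with an anchored one, since either test decides which hosts grant a group login. The GROUP_HOSTS map, the INVENTORY list and the helper names are constructed for illustration.

```ruby
require 'erb'

# Constructed data: which hosts each group may log in to (names from the thread).
GROUP_HOSTS = {
  'group1' => %w[server1 server2 server3],
  'group2' => %w[server4 server5 server6]
}.freeze

# Single-quoted heredoc: the ERB tags reach ERB untouched. "-%>" together with
# trim_mode '-' drops the newline after a control tag, so no blank lines leak.
TEMPLATE = <<~'TPL'
  # access.conf controls access to this machine
  - : root : ALL EXCEPT LOCAL 192.168.0.0/16
  + : @support : ALL
  <% GROUP_HOSTS.each do |group, hosts| -%>
  <% if hosts.include?(hostname) -%>
  + : @<%= group %> : ALL
  <% end -%>
  <% end -%>
  - : ALL : ALL
TPL

# Render for one host; in a Puppet template `hostname` would be the fact,
# here it is the method argument exposed through the binding.
def render_access_conf(hostname)
  ERB.new(TEMPLATE, trim_mode: '-').result(binding)
end

# Groups granted login in the rendered file, in file order.
def allowed_groups(hostname)
  render_access_conf(hostname).scan(/^\+ : @(\w+) : ALL$/).flatten
end

# A regex test must be anchored, or "server1" also matches "server10".
UNANCHORED = /server[135]/
ANCHORED   = /\Aserver[135]\z/
INVENTORY  = %w[server1 server2 server10 server15].freeze # constructed

def hosts_granted(pattern, inventory)
  inventory.select { |host| host.match?(pattern) }
end

if __FILE__ == $PROGRAM_NAME
  puts render_access_conf('server2')
  p hosts_granted(UNANCHORED, INVENTORY)
  p hosts_granted(ANCHORED, INVENTORY)
end
```

The final `- : ALL : ALL` line stays outside every conditional, so a host that matches no group still renders a deny-by-default file.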
Eric Heydrick
2009-Feb-12 04:14 UTC
[Puppet Users] Re: basic question about template conditionals
Here's how we generate access.conf. We define a type that adds and removes access.conf entries and use this type in the node that we need a particular group to be able to login to.

class pam {
  $access = "/etc/security/access.conf"

  exec {"prep access.conf":
    command => "echo - : ALL : ALL > $access",
    unless => "tail -n 1 $access | grep '^\\- : ALL : ALL'",
  }

  define accesslogin($origins = "ALL", $ensure = "present") {
    case $ensure {
      present: {
        exec {"$ensure : $name : $origins":
          command => "sed -i '\$i+ : $name : $origins' ${pam::access}",
          unless => "grep '$perm : $name : $origins' ${pam::access}",
          require => Exec["prep access.conf"],
        }
      }
      default: {
        exec {"$ensure : $name : $origins":
          command => "sed -i '/+ : $name : $origins/d' ${pam::access}",
          onlyif => "grep '$perm : $name : $origins' ${pam::access}",
          require => Exec["prep access.conf"],
        }
      }
    }
  }

  # defaults
  accesslogin { ["root", "backup"]: ; }
}

node 'node1' {
  include pam
  pam::accesslogin { "group1": }
}

node 'node2' {
  include pam
  # let the apache user run cron jobs but not login
  pam::accesslogin { "apache":
    origins => "cron",
  }
}

-Eric

On Wed, 11 Feb 2009, Michael Conigliaro wrote:
>
> Hello,
>
> Sorry if this ends up getting posted twice. I originally sent this
> about 3 hours ago, and I never saw it get posted, so I'm trying again.
>
> I want to use Puppet to manage /etc/access.conf on our managed Linux
> servers. The problem is that the servers on our network will be
> accessed by different groups of users, so I will need slightly different
> configurations for each server. My first impression is that I probably
> don't want to create completely different access.conf files for each
> server, so I thought I might try using template conditionals for this.
> I'm just not sure if what I'm trying to do is possible, or if there's a
> better way. I've pasted my basic idea below. The part I'm not sure
> about is the "if $hostname in [server1, server2, server3]" part. I
> didn't see anything in the documentation about checking if a value
> exists in an array, but I assume this is possible. Any thoughts?
>
> #
> # etc/access.conf controls access to this machine
> #
>
> # User "root" can only log in locally and from trusted network subnets
> - : root : ALL EXCEPT LOCAL 192.168.0.0/16
>
> # Tech support users can log in from all sources.
> + : @support : ALL
>
> <% if $hostname in [server1, server2, server3] %>
> # group1 can log into this server
> + : @group1 : ALL
> <% end %>
>
> <% if $hostname in [server4, server5, server6] %>
> # group2 can log into this server
> + : @group2 : ALL
> <% end %>
>
> All other users should be denied to get access from all sources.
> - : ALL : ALL
>
> --
> Michael Conigliaro
> Computer Analyst
> Fuss & O'Neill Technologies
> www.fandotech.com