Christopher
2009-Nov-03 23:11 UTC
[Puppet Users] user::virtual and selectively removing users
Hello...

I have an existing puppet infrastructure, part of which manages adding and removing users from our servers. Now I would like to manage users in a way similar to the best practices http://reductivelabs.com/trac/puppet/wiki/PuppetBestPractice#managing-users guide, with different combinations of users on different servers. something like; admins, managers, dba, developers, qa. On different server types like; restricted, database, general, web, mail, etc.

Now my problem is that I currently have every user on every server (for legacy reasons) and need to either add or remove users based on the above classifications.

My test structure looks something like:

    define manage-user (...) {
        # takes name, uid, etc. to create user with local defaults
        # tests for NFS home dirs to manage home or not, etc.
    }

    class all-users {
        # calls @manage-user with name, uid, etc creating a virtual user call
    }

    class admins {
        User { ensure => present }
        realize each admin via Manage-user["username"]
    }

    class dbas {
        realize each admin via Manage-user["username"]
    }

    class managers|devel|qa like above {}

Now the hard part, something like this does not work:

    class dbas::remove {
        # doesn't work
        User { ensure => absent }
        include dbas
    }

    if ( ( $hostname == "foo") or ( $some-fact == "bar") ) {
        # none of these combinations will work
        User { ensure => present }
        include admins
        User { ensure => absent }
        include dbas::remove
        include developers
        etc.
    }

Has anyone run into a similar need or developed a solution for this problem?

p.s. FWIW, PCI compliance sucks

-- 
Christopher McCrory
"The guy that keeps the servers running"
chrismcc@pricegrabber.com
http://www.pricegrabber.com

Let's face it, there's no Hollow Earth, no robots, and no 'mute rays.' And even if there were, waxed paper is no defense. I tried it. Only tinfoil works.

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---
Russ Allbery
2009-Nov-04 01:00 UTC
[Puppet Users] Re: user::virtual and selectively removing users
Christopher <chrismcc@pricegrabber.com> writes:

> I have an existing puppet infrastructure, part of which manages adding
> and removing users from our servers. Now I would like to manage users
> in a way similar to the best practices
> http://reductivelabs.com/trac/puppet/wiki/PuppetBestPractice#managing-users
> guide, with different combinations of users on different servers.
> something like; admins, managers, dba, developers, qa. On different
> server types like; restricted, database, general, web, mail, etc.

> Now my problem is that I currently have every user on every server (for
> legacy reasons) and need to either add or remove users based on the
> above classifications.

If you turn on purging for user resources, any users not explicitly added to that server will be automatically deleted by Puppet unless they're in the UID range for system users.

    resources { user: purge => true }

Then you don't have to generate removal rules for users, just make sure that you have all the users defined that you want.

-- 
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
Christopher
2009-Nov-04 23:20 UTC
[Puppet Users] Re: user::virtual and selectively removing users
Hello...

On Tue, 2009-11-03 at 17:00 -0800, Russ Allbery wrote:
> Christopher <chrismcc@pricegrabber.com> writes:
>
> > I have an existing puppet infrastructure, part of which manages adding
> > and removing users from our servers. Now I would like to manage users
> > in a way similar to the best practices
> > http://reductivelabs.com/trac/puppet/wiki/PuppetBestPractice#managing-users
> > guide, with different combinations of users on different servers.
> > something like; admins, managers, dba, developers, qa. On different
> > server types like; restricted, database, general, web, mail, etc.

<snip>

>
> If you turn on purging for user resources, any users not explicitly added
> to that server will be automatically deleted by Puppet unless they're in
> the UID range for system users.
>
>     resources { user: purge => true }
>
> Then you don't have to generate removal rules for users, just make sure
> that you have all the users defined that you want.
>

W00t!, you da' man!

I've been testing this for the past several hours, works as described.

from the code:

    newparam(:unless_system_user) do
        desc "This keeps system users from being purged. By default, it does not purge users whose UIDs are less than or equal to 500, but you can specify a different UID as the inclusive limit."
    ...
    if current_values[resource.property(:uid)] <= self[:unless_system_user]

From what I remember (and after looking at the RH docs on users), UIDs from 1-499 are for system users, and UIDs from 500 and up are for regular users.

Luke, James, et al.:

Is it a bug that the code uses less than or equal to 500? I would think it should be less than 500 (no equal). I could use

    resources { user: purge => true , unless_system_user => "499" }

, but IMHO, 'less than' in the puppet code would be better.

yes? no? maybe?

-- 
Christopher McCrory
"The guy that keeps the servers running"
chrismcc@pricegrabber.com
http://www.pricegrabber.com

Let's face it, there's no Hollow Earth, no robots, and no 'mute rays.' And even if there were, waxed paper is no defense. I tried it. Only tinfoil works.
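Added example, not part of the original thread and not Puppet's own code: a small Ruby model of the inclusive `unless_system_user` comparison quoted in the message above, run against a constructed account list, showing which undeclared accounts a purge removes with the limit at 500 versus 499. The account names, UIDs and the helper names `purged` and `unmanaged_survivors` are assumptions made for illustration.

```ruby
# Model of the purge decision quoted in the thread (illustration only).
# Account names and UIDs below are constructed sample data.

Account = Struct.new(:name, :uid)

# Constructed passwd-style sample for a Red Hat style host, where
# regular accounts start at UID 500.
LOCAL_ACCOUNTS = [
  Account.new("root", 0),
  Account.new("apache", 48),
  Account.new("nobody", 99),
  Account.new("legacy", 500), # first regular account created on the box
  Account.new("alice", 501),
  Account.new("bob", 502),
].freeze

# Users the catalog declares (realizes) for this node.
MANAGED = %w[alice].freeze

# Mirrors the quoted check: an undeclared account is spared when
# uid <= unless_system_user (an inclusive limit). Returns purged names.
def purged(accounts, managed, unless_system_user)
  accounts.reject { |a| managed.include?(a.name) }
          .reject { |a| a.uid <= unless_system_user }
          .map(&:name)
end

# Regular accounts (uid >= first_regular_uid) that are neither declared
# nor purged, i.e. accounts left on the host outside the catalog.
def unmanaged_survivors(accounts, managed, unless_system_user, first_regular_uid)
  gone = purged(accounts, managed, unless_system_user)
  accounts.select { |a| a.uid >= first_regular_uid }
          .reject { |a| managed.include?(a.name) || gone.include?(a.name) }
          .map(&:name)
end

if __FILE__ == $PROGRAM_NAME
  [500, 499].each do |limit|
    removed = purged(LOCAL_ACCOUNTS, MANAGED, limit)
    left = unmanaged_survivors(LOCAL_ACCOUNTS, MANAGED, limit, 500)
    puts "limit=#{limit} purged=#{removed.inspect} left_unmanaged=#{left.inspect}"
  end
end
```

With the inclusive limit at 500 the UID 500 account is never purged even though no class declares it; with the limit at 499 it is removed along with the other undeclared regular accounts.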
Russ Allbery
2009-Nov-04 23:23 UTC
[Puppet Users] Re: user::virtual and selectively removing users
Christopher <chrismcc@pricegrabber.com> writes:

> From what I remember (and after looking at the RH docs on users), UIDs
> from 1-499 are for system users, and UIDs from 500 and up are for
> regular users.

> Luke, James, et al.:

> Is it a bug that the code uses less than or equal to 500? I would think
> it should be less than 500 (no equal). I could use resources { user:
> purge => true , unless_system_user => "499" } , but IMHO, 'less than'
> in the puppet code would be better.

> yes? no? maybe?

Yup, that looks like a bug to me too.

-- 
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
danielbln
2009-Nov-13 14:38 UTC
[Puppet Users] Re: user::virtual and selectively removing users
Thanks for the purging advice, I faced a similar problem recently.

@Christopher Did you file a bug report yet?

On 5 Nov., 00:23, Russ Allbery <r...@stanford.edu> wrote:
> Christopher <chris...@pricegrabber.com> writes:
> > From what I remember (and after looking at the RH docs on users), UIDs
> > from 1-499 are for system users, and UIDs from 500 and up are for
> > regular users.
> > Luke, James, et al.:
> > Is it a bug that the code uses less than or equal to 500? I would think
> > it should be less than 500 (no equal). I could use resources { user:
> > purge => true , unless_system_user => "499" } , but IMHO, 'less than'
> > in the puppet code would be better.
> > yes? no? maybe?
>
> Yup, that looks like a bug to me too.
>
> --
> Russ Allbery (r...@stanford.edu) <http://www.eyrie.org/~eagle/>