Justin Spies
2011-Nov-15 16:54 UTC
[Puppet Users] Adding users by using 'spaceship' syntax
Hello,

I have set up scripts / modules that allow adding ssh users courtesy of the Puppet Wiki. I have defined my users in a central file called 'sshusers.pp' and am importing that file into my 'nodes.pp' file. One question I am trying to resolve is how to add multiple users without having to specify the user names. Keep in mind that the ssh::auth class from the Puppet wiki defines almost everything virtually, so as I understand, I have to 'realize' those users that are defined.

Here is an example: from /etc/puppet/manifests/sshusers.pp, I define a user:

    users::define_ssh {'jspies': name => 'Justin Spies', email => 'justin@gmail.com', userid => 1001 }
    users::define_ssh {'jdoe': name => 'John Doe', email => 'john@doe.com', userid => 1002 }

In /etc/puppet/manifests/nodes.pp, I then realize the users and call a custom defined code block (users::create) to create the users, create the user home directories, create the SSH keys, and copy the SSH keys to the users' authorized_keys file on the server:

    # Realize all users that are a member of the 'users' group
    User <| group == 'ssh' |> { ensure => present }
    # Actually create the users and their SSH keys
    #users::create{User <| group = 'ssh' |>: ensure => present }
    users::create{['jspies', 'lspies']: ensure => present }

So I'd like to avoid having to type the user titles in the call to users::create. Is there a way to do this using the 'User <| group ='ssh' |>' syntax to select what I want? Or do I need to just define an array in the sshusers.pp file and pass the array to the users::create? I'd like to use dynamic logic rather than having to code and update an array every time we add/remove users.

Thanks!
Stephan
2011-Nov-15 17:27 UTC
[Puppet Users] Re: Adding users by using 'spaceship' syntax
Hi Justin,

> So I'd like to avoid having to type the user titles in the call to
> users::create. Is there a way to do this using the 'User <| group =
> 'ssh' |>' syntax to select what I want?

Unfortunately the spaceship operator can't contain anything other than == and !=, and doesn't accept anything but simple variables. Actually I doubt User <| group == 'ssh' |> will work that well. During past tests I did, it only found the first member of an array. So if you had a user defined like this:

    users::define_ssh {'jspies':
      [...]
      group => ['group1','ssh'],
    }

it wouldn't be realized by User <| group == 'ssh' |>, because ssh is at the second position of the group parameter. Maybe that wasn't discovered yet over at this wiki you mentioned.

> Or do I need to just define an
> array in the sshusers.pp file and pass the array to the users::create?

May I ask what your reason is for not ensuring that users should be present right away? Sounds like you want to add all your new users right away. In this case you don't have to have separate user::define and user::create groups. Would be enough just to have the ensure => present inside the user::define and then include or require it in your node, e.g. your default node.

Hope that helps
Stephan
Justin Spies
2011-Nov-15 19:30 UTC
[Puppet Users] Re: Adding users by using 'spaceship' syntax
Hi Stephan, thanks for the reply. The example I'm following / using is http://projects.puppetlabs.com/projects/puppet/wiki/Module_Ssh_Auth_Patterns

Great question regarding 'why', and it made me think hard about what I'm trying to accomplish.

My reason for not realizing users immediately is because I wanted to define a user in one place (sshusers.pp) and then realize those users on most (but not all) of my servers (let's say there are 20 servers). So the users are defined virtually in sshusers.pp using the users::define_ssh and then they are realized (inside of each node definition) using users::create based on which users go on each server. I would prefer to add users to a group and then in the node definition, specify to the server 'ensure that all users who are a member of group ssh are created'. A better example, perhaps, would be if you think in terms of a DBA group. I only want to add the DBA users, who are in the DBA group, to the database servers.

So for a web server node, I would have 'user::create{ User <| group ='webservers' |>: ensure => present }' and 'user::create{ User <| group == 'dba' |>: ensure => absent }'. That would create the web server admins on the web server, and ensure the DBA users were not there (admittedly, I'm not sure what the results would be if I had one user in both groups). On the DB server, I would just reverse the value of the ensure parameter so that the web server users are not created and the DBA users are created.

I am not stuck on the use of the spaceship syntax, it was just my starting point. I was hoping to just extract an array of users somehow and pass that to the users::create definition. I am also open to suggestions on how to better structure this if I'm going off in some crazy direction. I am new to Puppet and am still getting a grasp on how it works and how to properly code up classes and defines.

Thanks again.
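Added example (not part of the thread and not the wiki module's code): in current Puppet, one way to get the per-role account selection described above is to declare a defined type virtually with tags and collect it by tag in each node, which avoids both listing titles and matching on an array-valued attribute. The users::account define, the users::virtual class, the node names, UIDs and key strings are all hypothetical.

```puppet
# Hypothetical defined type: one login account plus its SSH public key.
# Every name and value below is constructed for illustration.
define users::account (
  $realname,
  $uid,
  $pubkey,
) {
  user { $title:
    ensure     => present,
    comment    => $realname,
    uid        => $uid,
    managehome => true,
  }

  ssh_authorized_key { "${title}@puppet":
    ensure  => present,
    user    => $title,
    type    => 'ssh-rsa',
    key     => $pubkey,            # placeholder, not a real key
    require => User[$title],
  }
}

# Central catalogue of accounts. The leading '@' makes each one virtual:
# it is known to the compiler but applied only where it is realized.
class users::virtual {
  @users::account { 'jspies':
    realname => 'Justin Spies',
    uid      => 1001,
    pubkey   => 'AAAA_PLACEHOLDER_KEY_1',
    tag      => ['webservers', 'dba'],   # member of both roles
  }
  @users::account { 'jdoe':
    realname => 'John Doe',
    uid      => 1002,
    pubkey   => 'AAAA_PLACEHOLDER_KEY_2',
    tag      => 'dba',
  }
}

# A tag search matches when ANY of the resource's tags equals the value,
# so the position of 'dba' in a tag list does not matter.
node 'web01.example.com' {
  include users::virtual
  Users::Account <| tag == 'webservers' |>   # realizes jspies only
}

node 'db01.example.com' {
  include users::virtual
  Users::Account <| tag == 'dba' |>          # realizes jspies and jdoe
}
```

Accounts that are not collected on a node are simply left out of that node's catalog; they are not removed if they already exist there.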
Stephan
2011-Nov-15 23:58 UTC
[Puppet Users] Re: Adding users by using 'spaceship' syntax
Hmm, I see. We went another avenue. We create all users on all systems and then let another instance decide which users to let log in to which machine. RADIUS servers or Kerberos servers are capable of this. But depending on the surroundings this might be overkill.

So I agree that for you the spaceship makes sense. But am afraid won't be of much help. Am still struggling myself to get my head around it, and must admit, am not really overly impressed by it so far. But rule 1 with open source: "contribute nothing, expect nothing"
Justin Spies
2011-Nov-16 14:05 UTC
[Puppet Users] Re: Adding users by using 'spaceship' syntax
RADIUS is something I haven't used for a long time (and my last use was AAA for DSL subscribers, not for Linux), but that is a possibility. The only issue I'll have there is that I am working with internal machines that live in a private 'cloud' network @ the office and a set of private, and customer, servers in the Amazon cloud. I would probably end up, due to security restrictions, setting up RADIUS for our private machines (it could be one for the internal network and one for the Amazon network of our servers only), and then one RADIUS server for each customer, in order to ensure separation. Since we have only two, three, or four servers (typically) for each customer, setting up one more server for authentication seems a bit overkill (for customers). But the user base is mostly the same across all servers, with a few exceptions.

Thanks for your feedback.