Gonzalo Servat
2012-Jan-04 06:48 UTC
[Puppet Users] Making a system user member of a Puppet managed group
Hi All,

I have a particular requirement where a Puppet managed group needs to have several members that are either local and not managed by Puppet (e.g. mysql) or they reside in LDAP.

Apart from running an exec call to "groupmems", is there another way to achieve this?

Thanks in advance.

Gonzalo

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
jcbollinger
2012-Jan-04 14:00 UTC
[Puppet Users] Re: Making a system user member of a Puppet managed group
On Jan 4, 12:48 am, Gonzalo Servat <gser...@gmail.com> wrote:
> Hi All,
>
> I have a particular requirement where a Puppet managed group needs to have
> several members that are either local and not managed by Puppet (e.g.
> mysql) or they reside in LDAP.
>
> Apart from running an exec call to "groupmems", is there another way to
> achieve this?

It depends on the Group provider, which usually depends on operating system. If you are using the default Group provider for AIX, OS X, or Windows, then group membership is managed as an attribute of the group instead of the user. In those cases you can manage the group in question and use its 'members' property to achieve your end.

Otherwise, group membership is managed as a property of Users, ergo you cannot manage it (directly) if you do not manage the users in question. Your only options in that case are an Exec or a custom Group provider.

John
Gonzalo Servat
2012-Jan-04 14:06 UTC
Re: [Puppet Users] Re: Making a system user member of a Puppet managed group
On Thu, Jan 5, 2012 at 1:00 AM, jcbollinger <John.Bollinger@stjude.org> wrote:
> It depends on the Group provider, which usually depends on operating
> system. If you are using the default Group provider for AIX, OS X, or
> Windows, then group membership is managed as an attribute of the group
> instead of the user. In those cases you can manage the group in
> question and use its 'members' property to achieve your end.

My group provider is "groupadd" I believe (default for most platforms), as they are all RHEL boxes.

> Otherwise, group membership is managed as a property of Users, ergo
> you cannot manage it (directly) if you do not manage the users in
> question. Your only options in that case are an Exec or a custom
> Group provider.

Ah, ok. That confirms it then. I managed to create a define to do what I want and it seems to work. Happy to share it if anyone is interested in it.

Thanks for your reply!

- Gonzalo
Josh Cooper
2012-Jan-04 17:14 UTC
Re: [Puppet Users] Re: Making a system user member of a Puppet managed group
On Wed, Jan 4, 2012 at 6:00 AM, jcbollinger <John.Bollinger@stjude.org> wrote:
> If you are using the default Group provider for AIX, OS X, or
> Windows, then group membership is managed as an attribute of the group
> instead of the user.

Windows can actually manage 'members' as an attribute of the group, or 'groups' as an attribute of the user.

Josh

--
Josh Cooper
Developer, Puppet Labs
Andreas N
2012-Jan-04 23:50 UTC
Re: [Puppet Users] Re: Making a system user member of a Puppet managed group
On Wednesday, January 4, 2012 3:06:27 PM UTC+1, Gonzalo wrote:
>> Otherwise, group membership is managed as a property of Users, ergo
>> you cannot manage it (directly) if you do not manage the users in
>> question. Your only options in that case are an Exec or a custom
>> Group provider.
>
> Ah, ok. That confirms it then. I managed to create a define to do what I
> want and it seems to work. Happy to share it if anyone is interested in it.

I'd be very interested in your solution, as I am in a similar situation.

Thanks!

Andreas
Gonzalo Servat
2012-Jan-06 08:37 UTC
Re: [Puppet Users] Re: Making a system user member of a Puppet managed group
On Thu, Jan 5, 2012 at 10:50 AM, Andreas N <daff@pseudoterminal.org> wrote:
> On Wednesday, January 4, 2012 3:06:27 PM UTC+1, Gonzalo wrote:
>>> Otherwise, group membership is managed as a property of Users, ergo
>>> you cannot manage it (directly) if you do not manage the users in
>>> question. Your only options in that case are an Exec or a custom
>>> Group provider.
>>
>> Ah, ok. That confirms it then. I managed to create a define to do what I
>> want and it seems to work. Happy to share it if anyone is interested in it.
>
> I'd be very interested in your solution, as I am in a similar situation.

Sure. Just a quick disclaimer, there may be better ways of doing this!! But it works for me:

# Add or remove an existing user (local or LDAP, not managed by Puppet)
# to/from a Puppet-managed group by calling groupmems.
define groups::addlocalmembers ( $group, $ensure = 'present' ) {
  case $ensure {
    'present': {
      exec { "add_${name}_to_${group}":
        command => "groupmems -g ${group} -a ${name}",
        # exec needs a search path for unqualified commands
        # (groupmems lives in /usr/sbin on RHEL)
        path    => ['/bin', '/usr/bin', '/usr/sbin'],
        # run only if the user exists ...
        onlyif  => [ "id ${name}" ],
        # ... and is not already listed as a member of the group
        unless  => [ "groups ${name} | grep ' ${group}\\( \\|\$\\)'" ],
        require => Group[$group],
      }
    }
    'absent': {
      exec { "remove_${name}_to_${group}":
        command => "groupmems -g ${group} -d ${name}",
        path    => ['/bin', '/usr/bin', '/usr/sbin'],
        # run only if the user is currently a member of the group
        onlyif  => [ "groups ${name} | grep ' ${group}\\( \\|\$\\)'" ],
        require => Group[$group],
      }
    }
    default: {
      fail("Unknown ensure value: ${ensure}")
    }
  }
}

... so essentially I would call it like so:

groups::addlocalmembers { ["mysql", "user1", "user2"]: group => "local_group_here" }

Hope this helps.

- Gonzalo
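
Added example (not part of the thread and not Gonzalo's code): the unless/onlyif guard in the define above decides whether group membership gets changed, so this shell sketch runs the same grep pattern over a constructed `groups` output next to a fixed-string, whole-name comparison. The names SAMPLE, guard_regex, guard_exact and check are made up for this example.

```shell
#!/bin/sh
# Constructed sample of `groups <user>` output (not taken from a real host).
SAMPLE='mysql : mysql dev-ops backup'

# Guard as written in the define: basic-regex match on " <group>" followed by
# a space or end of line. The group name is interpreted as a regex.
guard_regex() {  # $1 = groups output, $2 = group name
    printf '%s\n' "$1" | grep -q " $2\( \|\$\)"
}

# Alternative guard: drop the "user : " prefix, put one group per line, then
# compare as a fixed string (-F) that must match the whole line (-x).
guard_exact() {  # $1 = groups output, $2 = group name
    printf '%s\n' "$1" | sed 's/^[^:]*: *//' | tr ' ' '\n' | grep -Fxq -- "$2"
}

# Echo "yes"/"no" for a guard so the results can be compared as strings.
check() {  # $1 = guard function name, $2 = group name
    if "$1" "$SAMPLE" "$2"; then echo yes; else echo no; fi
}

# backup:  real membership
# back:    prefix of a real group name
# dev.ops: differs from dev-ops only by a regex metacharacter
for g in backup back dev.ops; do
    printf '%-8s regex=%s exact=%s\n' "$g" \
        "$(check guard_regex "$g")" "$(check guard_exact "$g")"
done
```

Both guards reject the prefix "back", so the space/end-of-line anchoring in the original pattern does its job. They differ only when the group name contains a regex metacharacter: the regex form reports membership in dev.ops for a user who is only in dev-ops, which would make the 'present' exec skip the add.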