I feel like this should be way easier than it seems to be. -_-

Let's say I have users alice, bob, carol, ...

Different users get added on different servers.

On all servers, any users *not* selected should be removed.

So far, it seems like virtual resources handle this, and I've
experimented with something like:

    Users::DefineUser <| tag == vm or tag == qa |>
    Users::RemoveUser <| tag != vm and tag != qa |>

where defineUser and removeUser are defines, and there's one for
each user.

Two issues:

1. There's a problem there, in as much as there doesn't seem to be a
way to say "items that do not have any of these tags anywhere in
their tag list at all"; so things with "tag => [ vm, foo ]" will get
caught in the above RemoveUser. Is there a way around that?

2. Here's the other place where I get into trouble: what if on
hostOne, alice should be in the wheel group, and on hostTwo, she
shouldn't?

Thanks for any insight. I'm hoping there's a totally different way
to do what I want.

-Robin

--
http://singinst.org/ : Our last, best hope for a fantastic future.
.i ko na cpedu lo nu stidi vau loi jbopre .i danfu lu na go'i li'u .e
lu go'i li'u .i ji'a go'i lu na'e go'i li'u .e lu go'i na'i li'u .e
lu no'e go'i li'u .e lu to'e go'i li'u .e lu lo mamta be do cu sofybakni li'u

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

Robin Lee Powell
2012-Mar-21 00:51 UTC
Re: [Puppet Users] More complicated user management?
On Tue, Mar 20, 2012 at 01:27:45AM -0700, Robin Lee Powell wrote:
>
> I feel like this should be way easier than it seems to be. -_-
>
> Let's say I have users alice, bob, carol, ...
>
> Different users get added on different servers.
>
> On all servers, any users *not* selected should be removed.
>
> So far, it seems like virtual resources handle this, and I've
> experimented with something like:
>
>     Users::DefineUser <| tag == vm or tag == qa |>
>     Users::RemoveUser <| tag != vm and tag != qa |>
>
> where defineUser and removeUser are defines, and there's one for
> each user.
>
> Two issues:
>
> 1. There's a problem there, in as much as there doesn't seem to be a
> way to say "items that do not have any of these tags anywhere in
> their tag list at all"; so things with "tag => [ vm, foo ]" will get
> caught in the above RemoveUser. Is there a way around that?
>
> 2. Here's the other place where I get into trouble: what if on
> hostOne, alice should be in the wheel group, and on hostTwo, she
> shouldn't?

So I just couldn't make this be sane with virtual resources.

Here's what I did instead:

Each node does something like this:

    $user_types = [ qa, dev, special ]

(often using += )

They all include a class that includes many other user classes, that
then set "ensure" based on user_types.

Here's an example of a simple case:

    class users::devUsers inherits users {
      # One ensure value for every account in this class
      if 'dev' in $user_types {
        $user_ensure = present
      } else {
        $user_ensure = absent
      }

      develUserSetup { "alice":
        uid    => 123,
        ensure => $user_ensure,
      }

      develUserSetup { "bob":
        uid    => 321,
        ensure => $user_ensure,
      }
    }

Here's a more complicated case, where this user is sometimes an
admin and sometimes a regular dev, depending on host:

    class users::carol inherits users {
      if 'staging' in $user_types {
        # Admin on staging hosts
        adminUserSetup { "carol":
          uid    => 1337,
          ensure => present,
        }
      } elsif 'prod' in $user_types or 'dev' in $user_types {
        # Regular developer account on prod and dev hosts
        develUserSetup { "carol":
          uid    => 1337,
          ensure => present,
        }
      } else {
        # Removed everywhere else
        develUserSetup { "carol":
          uid    => 1337,
          ensure => absent,
        }
      }
    }

It's working really well for me.

-Robin
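
Added example, not part of the original post or of Puppet itself: a Python audit that recomputes the ensure/role decision of the two classes above from a node's user_types and compares it with passwd and group snapshots, to catch accounts or wheel memberships that should have been removed. The RULES table, the mapping of adminUserSetup to wheel membership, and the sample file contents are assumptions constructed for illustration.

```python
# Added example: audit a host against the user_types model from the post.
# RULES, the "admin means wheel" mapping and the sample files below are
# assumptions constructed for illustration, not taken from the manifests.

# user -> ordered (role, user_types that grant it); first match wins,
# mirroring the if / elsif / else chain in users::carol.
RULES = {
    "alice": [("devel", {"dev"})],
    "bob":   [("devel", {"dev"})],
    "carol": [("admin", {"staging"}), ("devel", {"prod", "dev"})],
}

def desired_state(user_types):
    """Return {user: role or None}; None corresponds to ensure => absent."""
    types = set(user_types)
    return {user: next((role for role, grants in chain if types & grants), None)
            for user, chain in RULES.items()}

def audit(user_types, passwd_text, group_text, admin_group="wheel"):
    """Compare managed accounts on a host with the state the classes intend."""
    accounts = {l.split(":")[0] for l in passwd_text.splitlines() if l.strip()}
    admins = set()
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[0] == admin_group:
            admins = {m for m in fields[3].split(",") if m}
    findings = []
    for user, role in sorted(desired_state(user_types).items()):
        if role is None and user in accounts:
            findings.append((user, "account should be absent"))
        elif role is not None and user not in accounts:
            findings.append((user, "account missing"))
        if user in admins and role != "admin":
            findings.append((user, "unexpected %s membership" % admin_group))
        elif role == "admin" and user in accounts and user not in admins:
            findings.append((user, "missing %s membership" % admin_group))
    return findings

# Constructed snapshots for a host declared with $user_types = [ qa ].
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:123:123::/home/alice:/bin/bash
carol:x:1337:1337::/home/carol:/bin/bash
"""
SAMPLE_GROUP = "root:x:0:\nwheel:x:10:carol\n"

if __name__ == "__main__":
    for user, problem in audit(["qa"], SAMPLE_PASSWD, SAMPLE_GROUP):
        print(user, problem)
```

Accounts not listed in RULES (root here) are ignored, matching the post's model in which only explicitly declared users are managed.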