David Reagan
2013-Apr-26 20:08 UTC
[Puppet Users] Help me with a local Linux account management module
I'm pretty much brand new to Puppet. I've read the tutorials on Puppet Labs, and most of Pro Puppet. But there's still a lot I don't get. So I figured I'd learn by doing.

My current goal is to write a user account wrapper. It would be for local Linux accounts only, and only on Ubuntu for now.

I'm not just using the user type because I want to manage ssh authorized keys as well.

I did find https://github.com/dcsobral/puppet-users, and a few others. But I'm not fond of the use of csv files, and it seems like a simple enough module to learn with.

Wrapping user and ssh_authorized_key is simple, just pass in the information. But I do have a couple of questions I couldn't find answers to in the docs, here, or Google.

*Questions*:

- What happens when a group listed in the user type does not exist on the server?
- How do I figure out what hash to use for the password when creating a new user?
- Do I just copy the hash directly into the password property? No need to tell Puppet what kind of hash it is?
- ssh_authorized_key: name has to be unique. So how do I add a key to more than one user?
- I'd like to simply pass in an array of links(?) to pub key files to my wrapper instead of the actual ssh key. How would I tell Puppet to split the contents at the spaces so I can get the key, type, and name properties out of it?

Future plans would be to manage shell configuration as well. But for now, all I need is what I've described above.

Oh, when implementing this, does making a /etc/puppet/manifests/accounts/username.pp file per user, then including that file on the nodes that need that user, raise any "bad idea" flags for you?

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscribe@googlegroups.com. To post to this group, send email to puppet-users@googlegroups.com. Visit this group at http://groups.google.com/group/puppet-users?hl=en. For more options, visit https://groups.google.com/groups/opt_out.
Ashley Penney
2013-Apr-26 21:31 UTC
Re: [Puppet Users] Help me with a local Linux account management module
On Fri, Apr 26, 2013 at 4:08 PM, David Reagan <jerrac@gmail.com> wrote:

> What happens when a group listed in the user type does not exist on the server?

Generally speaking you shouldn't let that happen! The user resource will fail because it wants the group to exist first. Create a group{} resource and in the user{} resource add something like require => Group['users'], or whatever, so that this doesn't happen.

> How do I figure out what hash to use for the password when creating a new user?

There's several ways to handle this. Generally the way it's done is via a "custom function" that executes on the puppetmaster and injects the results of that run into the catalog for the client. This way you can use a hash generator. Something like https://github.com/kwilczynski/puppet-functions/blob/master/lib/puppet/parser/functions/random_password.rb

> Do I just copy the hash directly into the password property? No need to tell Puppet what kind of hash it is?

It basically takes the contents of password and shovels it into the appropriate /etc/shadow column.

> ssh_authorized_key: name has to be unique. So how do I add a key to more than one user?

You'd want to structure this as a kind of custom_user{} define that was able to take keys as a parameter, and those can be an array or hash of info. This way you're basically listing all the keys per user rather than trying to assign keys to multiple users.

Because you'll have custom_user{ 'blah': } you'll be able to refer to the blah as $name in the define, and then you can make your ssh_authorized_key names like:

ssh_authorized_key { "${name}-key": }

so that they have unique names. I'll leave the rest of this up to your imagination, as you'd need a unique -key bit per key you pass in. That's one reason I suggested the keys param be a hash, so that you can have a name and then a value and use that to build up the name cleanly.

> I'd like to simply pass in an array of links(?) to pub key files to my wrapper instead of the actual ssh key. How would I tell Puppet to split the contents at the spaces so I can get the key, type, and name properties out of it?

This stuff is tricky with the language as it stands. The way I've solved this (and seen others solve this) in the past is that rather than trying to pass in arrays you build a hash in hiera for your users and then pass the entire hash to create_resources('mycustomusersdefine', hashname) to have it create a call to the define for each element of the hash. If you google create_resources you should find some examples.

> Oh, when implementing this, does making a /etc/puppet/manifests/accounts/username.pp file per user, then including that file on the nodes that need that user, raise any "bad idea" flags for you?

It does, but only because even at this early stage you should start thinking "is this how to do a task, or the data the task needs?" If it's data you should be thinking of 'hiera' and how you can use that to separate your data from your manifests.

Good luck!
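The two password answers above turn on one detail worth making concrete: Puppet writes the value of the user resource's password property verbatim into the /etc/shadow field, and it is the `$id$` prefix of that value, not anything Puppet knows, that tells the host's crypt(3) which algorithm produced it (`$1$` MD5, `$5$` SHA-256, `$6$` SHA-512). A plaintext string dropped there is treated as a bogus DES hash, so the account becomes unusable while the secret still sits in the catalog and in /etc/shadow. The Ruby below is an added example, not code from the thread or from Puppet: it generates a SHA-512 crypt hash with a fresh random salt through Ruby's String#crypt (which calls the system crypt(3); this assumes a host whose crypt supports `$6$`, as glibc does), classifies a candidate value by its prefix so a manifest or custom function can refuse anything that is not a modern salted hash, and verifies a plaintext against a hash the way login does. The function names and the sample hash string are constructed for illustration, not taken from a real system.

```ruby
require 'securerandom'

# crypt(3) algorithm ids. The id in the stored value, not Puppet, selects the
# algorithm; a value with no $id$ prefix is read as legacy DES or garbage.
SHADOW_ALGORITHMS = { '1' => 'md5', '5' => 'sha256', '6' => 'sha512' }.freeze
SALT_CHARS = [*'a'..'z', *'A'..'Z', *'0'..'9', '.', '/'].freeze

# Constructed sample: structurally a SHA-512 crypt string (86-char digest),
# not the hash of any real password.
SAMPLE_SHA512_HASH = '$6$saltsalt$' + 'A' * 86

# Classify a candidate value for user { password => ... }. Returns the algorithm
# name, or raises if the string would land in /etc/shadow as something other
# than an MD5/SHA-256/SHA-512 crypt hash (plaintext, DES, unknown id, '!' or '*').
def shadow_hash_algorithm(value)
  m = /\A\$(?<id>[156])\$(?:rounds=\d+\$)?(?<salt>[.\/0-9A-Za-z]{1,16})\$(?<hash>[.\/0-9A-Za-z]+)\z/.match(value.to_s)
  raise ArgumentError, "not a recognised $id$salt$hash value: #{value.inspect}" unless m
  SHADOW_ALGORITHMS[m[:id]]
end

# Produce a SHA-512 crypt hash with a 16-character random salt via crypt(3).
# This is what you would paste into the password property (or have a custom
# function return) instead of copying a hash out of some other host's shadow file.
def generate_shadow_hash(plaintext)
  salt = Array.new(16) { SALT_CHARS[SecureRandom.random_number(SALT_CHARS.size)] }.join
  plaintext.crypt("$6$#{salt}$")
end

# Check a plaintext against an existing hash by re-running crypt(3) with the
# hash's own $id$salt$ setting, which is what login/PAM does.
def verify_shadow_hash(plaintext, hash)
  setting = hash.to_s[/\A\$\d\$(?:rounds=\d+\$)?[.\/0-9A-Za-z]+\$/]
  return false if setting.nil?
  plaintext.crypt(setting) == hash
end

if __FILE__ == $PROGRAM_NAME
  h = generate_shadow_hash('s3cret')
  puts "generated #{shadow_hash_algorithm(h)} hash: #{h}"
  puts "verify correct password: #{verify_shadow_hash('s3cret', h)}"
  puts "verify wrong password:   #{verify_shadow_hash('wrong', h)}"
end
```

Run the classifier on whatever ends up in the password property before it reaches the catalog; the one case it cannot catch is a hash copied from a host whose crypt(3) knows an algorithm the target does not, which is the practical answer to "how do I tell what hash the server will know how to use": check the id list of the target's libc, which on any current glibc includes `$6$`.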
David Reagan
2013-May-08 20:57 UTC
Re: [Puppet Users] Help me with a local Linux account management module
> There's several ways to handle this. Generally the way it's done is via a "custom function" that executes on the puppetmaster and injects the results of that run into the catalog for the client. This way you can use a hash generator. Something like https://github.com/kwilczynski/puppet-functions/blob/master/lib/puppet/parser/functions/random_password.rb

I meant, how do I tell what hash the server will know how to use? I suppose it shouldn't matter much. I'll just copy the hash out of the /etc/shadow file. If I get more than 10 users I'll want to figure out how to use LDAP anyway.

I hadn't realized the ssh_authorized_key name wasn't limited to what's in the user's .pub file. So making those unique shouldn't be too hard.

> This stuff is tricky with the language as it stands. The way I've solved this (and seen others solve this) in the past is that rather than trying to pass in arrays you build a hash in hiera for your users and then pass the entire hash to create_resources('mycustomusersdefine', hashname) to have it create a call to the define for each element of the hash. If you google create_resources you should find some examples.

Haven't googled it yet. But it seems a bit more complicated than what I want. I just want to read the .pub file, grab the type and key, then use that to create an ssh_authorized_key. That way, when someone adds or changes their .pub file, it's as simple as uploading the pub file to the puppetmaster and we're done. Thus avoiding potential mistakes that could occur if I (or they) formatted the key into json or yaml.

I would think I could do something like that with Ruby. But I'm not sure how to integrate that into my module...

--David Reagan
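David's question above (read a .pub file, pull out type, key and name, and plug the Ruby into the module) and Ashley's earlier answer (feed a hash to create_resources and give each ssh_authorized_key a title built from the user name) can be served by one custom parser function. The Ruby below is an added example, not code from the thread or from Puppet: it parses OpenSSH public key lines, checks the declared type against the names ssh_authorized_key accepts, base64-decodes the key and confirms the algorithm name embedded in the blob matches the declared type (so a truncated or hand-edited key fails at catalog compile time rather than silently never matching at login), and returns the hash shape create_resources('ssh_authorized_key', ...) expects, with titles of the form <user>-<comment> so two users can carry the same key without colliding on the unique name. The function name parse_pubkeys, its path under lib/puppet/parser/functions/ in the module, and the sample key (a placeholder blob built inline, not a real key) are assumptions made for the example.

```ruby
require 'base64'

# Algorithm names ssh_authorized_key's type property accepts.
PUBKEY_TYPES = %w[ssh-rsa ssh-dss ssh-ed25519
                  ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521].freeze

# Parse one OpenSSH public key line ("<type> <base64 blob> [comment]").
# Returns nil for blank or comment lines, a hash of the three fields otherwise,
# and raises ArgumentError for anything malformed or internally inconsistent.
def parse_pubkey_line(line)
  stripped = line.strip
  return nil if stripped.empty? || stripped.start_with?('#')
  type, key, comment = stripped.split(/\s+/, 3)
  raise ArgumentError, "unknown key type #{type.inspect}" unless PUBKEY_TYPES.include?(type)
  raise ArgumentError, 'missing key material' if key.nil?
  blob = begin
    Base64.strict_decode64(key)
  rescue ArgumentError
    raise ArgumentError, 'key material is not valid base64'
  end
  # Wire format: 4-byte big-endian length, then the algorithm name. If it does
  # not match the declared type the line has been edited or truncated.
  len = blob[0, 4].to_s.unpack1('N')
  if len.nil? || blob[4, len] != type
    raise ArgumentError, "key blob does not match declared type #{type}"
  end
  { 'type' => type, 'key' => key, 'comment' => comment }
end

# Turn the contents of <user>.pub into the hash create_resources() wants:
#   { 'alice-alice@laptop' => { 'user' => 'alice', 'type' => ..., 'key' => ... }, ... }
# The title carries the user name, so the same key under two users is two
# distinct ssh_authorized_key resources.
def pubkeys_to_resources(user, pub_contents)
  resources = {}
  pub_contents.each_line.with_index(1) do |line, n|
    parsed = parse_pubkey_line(line)
    next if parsed.nil?
    label = (parsed['comment'] || "key#{n}").gsub(/[^A-Za-z0-9_.@-]/, '_')
    title = "#{user}-#{label}"
    raise ArgumentError, "duplicate key label #{title}" if resources.key?(title)
    resources[title] = { 'user' => user, 'type' => parsed['type'], 'key' => parsed['key'] }
  end
  resources
end

# Registration as a Puppet 3 parser function (hypothetical name; this file would
# live at <module>/lib/puppet/parser/functions/parse_pubkeys.rb). Guarded so the
# file also runs stand-alone without Puppet loaded.
if defined?(Puppet::Parser::Functions)
  Puppet::Parser::Functions.newfunction(:parse_pubkeys, :type => :rvalue,
      :doc => 'parse_pubkeys(user, pub_file_contents): hash for create_resources') do |args|
    pubkeys_to_resources(args[0], args[1])
  end
end

# Constructed sample input: a well-formed ed25519 blob (length-prefixed type
# name plus 32 placeholder bytes), not a real key.
SAMPLE_BLOB = Base64.strict_encode64([11].pack('N') + 'ssh-ed25519' + [32].pack('N') + ("\x42" * 32))
SAMPLE_PUB = <<~PUB
  ssh-ed25519 #{SAMPLE_BLOB} alice@laptop
  # comment lines and blank lines are skipped

  ssh-ed25519 #{SAMPLE_BLOB} alice@desktop
PUB

if __FILE__ == $PROGRAM_NAME
  pubkeys_to_resources('alice', SAMPLE_PUB).each { |title, attrs| puts "#{title}: #{attrs['type']}" }
end
```

In the define, assuming the .pub files are kept on the master under a directory of your choosing, the call would look like `$keys = parse_pubkeys($name, file("/etc/puppet/keys/${name}.pub"))` followed by `create_resources('ssh_authorized_key', $keys)`; Puppet 3's `file()` reads from the master at compile time, so nobody has to transcribe key text into YAML and the type/blob check runs before the catalog ships.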
David Reagan
2013-May-08 21:45 UTC
Re: [Puppet Users] Help me with a local Linux account management module
So, I just mocked up what I'm thinking of doing. How do I deal with loops? From what I can tell, Puppet doesn't let you loop through arrays.

See https://gist.github.com/jerrac/5543893 for a very very very rough draft of what I'm imagining this could look like.

How would you deal with multiple authorized keys, and only adding groups that exist on the server already?

--David Reagan