[Systems] Puppetization - User Management

Bernie Innocenti bernie at codewiz.org
Sat Mar 6 16:30:28 EST 2010


On Sat, 2010-03-06 at 11:26 -0600, David Farning wrote:
> In my quest to sell the benefits of puppet to bernie and hhardy. I have
> started working on a user management module.  User management is hard
> and many different solutions have been offered.  LDAP seems to be the
> most common solution.  Unfortunately, it does not manage ssh keys.  At
> Sugar Labs, we need to manage ssh keys along with the whicir users.
> 
> My current implementation is that every user is defined in
> users::people such as:
> @useraccount { "someuser":
>         ensure   => "present",
> 
>         uid      => "500",
>         pgroup   => "admin",
>         groups   => ["users"],
> 
>         fullname => "Some User",
>         homefs   => $homefs,
>         shell    => $shell,
> }

Can we fetch the data from ldap instead of duplicating it in puppet?

It's as simple as typing:

  ldapsearch -x uid=dfarning

Adding the appropriate schema, the ssh keys could also live in ldap, but
ssh won't go read them from there.


> Each user has homedir stub which contains:
> 
> .bashrc
> .ssh/
> .ssh/authorized_keys

New homedirs should be created from /etc/skel/ on sunjammer to ensure
that accounts get all the standard goodies.


> This allows us to define user groups such as:
> 
> class users::sysadmins {
>     Useraccount <| pgroup == admin |>
> 
> }
> 
> As a result, adding a single line
> 
> import users::sysadmins
> 
> to an individual node manifest causes:
> 1. Each sysadmin user is automatically created and their stub files
> added to new machines.
> 2. The files in homedir_stub are monitored by puppet.  If a change is
> made to the homedir_stub on the puppet server it is pushed out to all
> puppet managed clients.
> 
> Does this sound sane?

Yes, but do we expect to have many user accounts outside sunjammer?
There should be only very few sysadmins on very few machines.

What I do now to create an account on a server is only slightly more
typing:

 # adduser dfarning
 # addgroup dfarning sudo
 # scp -r sunjammer:/home/dfarning/.ssh/ /home/dfarning/.ssh/
 # chown -R dfarning:dfarning /home/dfarning/.ssh/

It happens only once or twice a month, so I'm not sure it would be worth
the trouble of automating it with puppet.

-- 
   // Bernie Innocenti - http://codewiz.org/
 \X/  Sugar Labs       - http://sugarlabs.org/
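The two approaches in this thread (keep user data in LDAP versus redeclare it in puppet, and ship ssh keys in a homedir stub versus copy .ssh by hand) can be joined: read the record LDAP already has and generate the `@useraccount` declaration from it, and install only validated public keys rather than whatever happens to sit in a `.ssh/` directory. The following is an added example and is not code from this thread or from the Sugar Labs puppet tree. It assumes the `sshPublicKey` attribute of the openssh-lpk schema (the "appropriate schema" mentioned above), a constructed LDIF record standing in for `ldapsearch` output, a constructed gid-to-group-name map, and the parameter names of David's `useraccount` type exactly as quoted; `$homefs` and `$shell` are left as the puppet variables his manifest uses.

```python
"""Added example, not code from the thread or the Sugar Labs Puppet tree:
turn a user's LDAP record (what `ldapsearch -x uid=...` prints) into the
@useraccount virtual resource quoted above, validating the ssh key first."""
import base64
import os
import tempfile

# Constructed, not a real key: the blob is the length-prefixed type string
# OpenSSH puts first, followed by 32 placeholder bytes for the key material.
_FAKE_BLOB = base64.b64encode(
    b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(range(32))).decode()

# Constructed LDIF; sshPublicKey assumes the openssh-lpk schema is loaded.
SAMPLE_LDIF = f"""\
dn: uid=dfarning,ou=People,dc=example,dc=org
uid: dfarning
cn: David Farning
uidNumber: 1001
gidNumber: 1001
sshPublicKey: ssh-ed25519 {_FAKE_BLOB} dfarning@laptop
"""

GROUP_NAMES = {1001: "admin", 100: "users"}  # constructed gid -> pgroup name


def parse_ldif(text):
    """One LDIF entry -> {attribute: [values]}, unfolding continuation lines."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:     # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        if value.startswith(":"):              # 'attr:: <base64 value>'
            value = base64.b64decode(value[1:].strip()).decode()
        entry.setdefault(attr, []).append(value.strip())
    return entry


def validate_pubkey(line):
    """Return (type, comment) for '<type> <base64> [comment]' whose blob really
    encodes the declared type; raise ValueError for anything else."""
    if line.startswith("-----BEGIN"):
        raise ValueError("private key material, refusing to install it")
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    keytype, comment = parts[0], " ".join(parts[2:])
    blob = base64.b64decode(parts[1], validate=True)   # ValueError if not base64
    n = int.from_bytes(blob[:4], "big")                # length of the type string
    embedded = blob[4:4 + n]
    if len(embedded) != n or embedded != keytype.encode():
        raise ValueError(f"blob declares {embedded!r}, line says {keytype}")
    return keytype, comment


def to_puppet(entry):
    """Render the entry in the @useraccount form quoted in the thread."""
    gid = int(entry["gidNumber"][0])
    return (
        f'@useraccount {{ "{entry["uid"][0]}":\n'
        f'        ensure   => "present",\n'
        f'        uid      => "{entry["uidNumber"][0]}",\n'
        f'        pgroup   => "{GROUP_NAMES.get(gid, str(gid))}",\n'
        f'        groups   => ["users"],\n'
        f'        fullname => "{entry["cn"][0]}",\n'
        "        homefs   => $homefs,\n"
        "        shell    => $shell,\n"
        "}\n"
    )


def write_authorized_keys(homedir, key_lines):
    """Install validated keys as <homedir>/.ssh/authorized_keys with the modes
    sshd requires; chown to the owner is left to a root caller. Returns
    (count, dir_mode, file_mode)."""
    keys = [line for line in key_lines if validate_pubkey(line)]
    sshdir = os.path.join(homedir, ".ssh")
    os.makedirs(sshdir, mode=0o700, exist_ok=True)
    os.chmod(sshdir, 0o700)
    path = os.path.join(sshdir, "authorized_keys")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write("".join(k + "\n" for k in keys))
    os.chmod(path, 0o600)
    return (len(keys), os.stat(sshdir).st_mode & 0o777,
            os.stat(path).st_mode & 0o777)


def demo(text=SAMPLE_LDIF):
    entry = parse_ldif(text)
    with tempfile.TemporaryDirectory() as home:
        return to_puppet(entry), write_authorized_keys(home, entry["sshPublicKey"])
```

`demo()` parses the constructed record, prints-ready renders the manifest and installs the key into a throwaway home directory; in real use the directory argument would be the new account's home and the caller would add the `chown` step from the manual procedure above. The point of `validate_pubkey` is that it checks the base64 blob actually starts with the type the line claims, so a pasted private key, a truncated line or a mislabelled key is refused instead of being pushed to every node by puppet.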