Puppet: how to create and manage unix users and groups

This last week I spent all my effort on learning Puppet. Now I suffer from a mental buffer overflow and little confidence of ever being able to tame this beast. I came across many annotated examples, but due to their countless variations I fail to discern between recommended (recent) Puppet style and conventions and ad hoc "works for me" approaches. I can't stand it because it seems to be about basic-level stuff.

So. Using Puppet to manage groups and users, users' primary group equal to their own username, other groups could be lan for lan logins, wheel for admins, shell for users with a shell on arbitrary nodes, mail for users, daemons for various daemons. Admin logins will be on all nodes and to make things worse a lan login could be a shell login too.

From what I understand it's okay to define a user multiple times if you make use of virtual definitions that are realised at some point. Sounds fab, so how does that work with multiple groups for a user? Say Bob can use both LAN nodes and node beastie.wan; is his login thebob then defined two times, in lanusers.pp with groups => ["lan"] and in shellusers.pp with groups => ["shell"]? What if Bob wants his lan password to be separate from his shell password?

The code I currently use has no virtual definitions; users are just hard-coded single inclusions. At one point I came across an example using virtuals, and this is where I got stuck, because I don't understand how to expand the code so that Puppet first creates a primary group and the required groups I defined and then joins the user to those groups.

Right. Please cluebat me properly.


Solution 1:

Now I suffer from a mental buffer overflow and little confidence of ever being able to tame this beast.

First: Relax. I've learned that, when you're new to something with a learning curve such as Puppet, it is pretty easy to become overwhelmed and not be able to get much done.

is his login thebob then defined two times, in lanusers.pp with groups => ["lan"] and in shellusers.pp with groups => ["shell"]?

Nope. Virtually define it in one place (maybe users.pp) with groups => ['shell', 'lan',].

On the nodes, realize the users you need. For example, if for node beamin we want all shell users:

node beamin {
    Account <| groups == 'shell' |>
}

What if Bob wants his lan password to be separate from his shell password?

Then Bob should probably get 2 different accounts with different login names.
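As a worked example (added here; not code from either answer or from the original question), one way to lay out what Solution 1 describes: a defined type that creates the per-user primary group and the user, every account and shared group declared virtually in a single class, and each node realizing only what it needs. The module name accounts, the uid/gid values, the node name and the password placeholder are assumptions; the syntax is Puppet 4 or later.

```puppet
# modules/accounts/manifests/account.pp  (hypothetical module layout)
define accounts::account (
  Integer          $uid,
  Array[String]    $groups   = [],
  String           $shell    = '/bin/bash',
  Optional[String] $password = undef,   # crypt(3) hash only, never plaintext
) {
  # Primary group named after the login, with the same numeric id.
  group { $name:
    ensure => present,
    gid    => $uid,
  }
  # The user type autorequires Group[$name] and every group in $groups,
  # so those groups are created before the user is added to them.
  user { $name:
    ensure     => present,
    uid        => $uid,
    gid        => $name,
    groups     => $groups,
    shell      => $shell,
    password   => $password,
    managehome => true,
  }
}

# modules/accounts/manifests/init.pp: declare everything once, virtually.
class accounts {
  @group { 'shell': ensure => present, gid => 2001 }
  @group { 'lan':   ensure => present, gid => 2002 }
  @group { 'wheel': ensure => present, gid => 2003 }

  @accounts::account { 'thebob':
    uid      => 1001,
    groups   => ['shell', 'lan'],
    password => '$6$PLACEHOLDER$replace.with.a.real.hash',  # constructed placeholder
  }
  @accounts::account { 'alice':
    uid    => 1002,
    groups => ['wheel', 'shell'],
  }
}

# manifests/site.pp: each node realizes only what it needs.
node 'beamin' {
  include accounts
  realize(Group['shell'], Group['lan'])
  # Collects every virtual account whose groups list contains 'shell'.
  Accounts::Account <| groups == 'shell' |>
}
```

A node that only wants LAN logins would realize Group['lan'] and collect with groups == 'lan' instead; the account definitions themselves are never repeated.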

Solution 2:

Puppet does not do well with complicated user/group management. You'd be far better off deploying something like LDAP -- as much as I dislike it, it'll work a lot better than trying to beat Puppet into submission.