Puppet: how to create and manage unix users and groups
This last week I spent all effort into learning Puppet. Now I suffer from a mental buffer overflow and little confidence of ever being able to tame this beast. I came across many annotated examples but due to their countless variations I fail to discern between recommended (recent) Puppet style and conventions, and ad hoc "works for me" approaches. I can't stand it because it seems to be about basic level stuff.
So. Using Puppet to manage groups and users, users' primary group equal to their own username, other groups could be lan
for lan logins, wheel
for admins, shell
for users with a shell on arbitrary nodes, mail
for users, daemons
for various daemons. Admin logins will be on all nodes and to make things worse a lan login could be a shell login too.
From what I understand it's okay to define a user multiple times if you make use of virtual definitions that are realised at some point. Sounds fab, so how does that work with multiple groups for a user? Say Bob can use both LAN nodes and node beastie.wan; is his login thebob
then defined two times, in lanusers.pp with groups => ["lan"]
and in shellusers.pp with groups => ["shell"]
? What if Bob wants his lan password to be separate from his shell password?
The code I currently use has no virtual definitions, users are just hard coded single inclusions. At one point I came across an example using virtuals and this is where I got stuck because I don't understand how to expand the code so that Puppet creates a primary group and the required groups I defined first and then joins the user in those groups.
Right. Please cluebat me properly.
Solution 1:
Now I suffer from a mental buffer overflow and little confidence of ever being able to tame this beast.
First: Relax. I've learned that, when you're new to something with a learning curve such as Puppet, it is pretty easy to become overwhelmed and not be able to get much done.
is his login thebob then defined two times, in lanusers.pp with groups => ["lan"] and in shellusers.pp with groups => ["shell"]?
Nope. Virtually define it in one place (maybe users.pp
) with groups => ['shell', 'lan',]
.
On the nodes, realize the users you need. For example, if for node beamin
we want all shell
users:
node beamin {
Account <| groups == 'shell' |>
}
What if Bob wants his lan password to be separate from his shell password?
Then Bob should probably get 2 different accounts with different login names.
Solution 2:
Puppet does not do well with complicated user/group management. You'd be far better off deploying something like LDAP -- as much as I dislike it, it'll work a lot better than trying to beat Puppet into submission.