kosmos/chef
8
3
Fork 0
Code Issues 34 Pull Requests 3 Projects 2 Activity

Update cookbooks and add wordpress cookbook

Browse Source
This commit is contained in:
Greg Karékinian
2016-02-19 18:09:49 +01:00
parent 9ba973e3ac
commit 820b0ab3f8
606 changed files with 22421 additions and 14084 deletions
Download Patch File Download Diff File Expand all files Collapse all files

76
cookbooks/users/CHANGELOG.md
View File

@@ -1,77 +1,81 @@
users Cookbook CHANGELOG
========================
# users Cookbook CHANGELOG
This file is used to list changes made in each version of the users cookbook.
v1.8.2 (2015-03-18)
-------------------
## v2.0.3
- ([@nkadel-skyhook][]) - create .ssh directory only if keys are configured.
- ([@signe][]) - allow force parameter to be specified for users configured to be removed.
- ([@FlorentFlament][]) - adding the ability to manage groups for existing users.
## v2.0.2 (2016-1-25)
- ([@375gnu][]) - validate uid/gid for strings versus numeric
- fix rubocop errors based on https://github.com/bbatsov/rubocop/issues/2608
- fix kitchen configurations for testing
## v2.0.1 (2016-1-8)
- Fixed provider to work on Mac OS X
- funzoneq - add correct default shell for FreeBSD if not provided
- Added kitchen.dokken to speed up platform testing
## v2.0.0 (2015-12-11)
- Removed Chef 10 compatibility code
- Removed the nodes fqdn from the authorized_keys file
- Removed a trailing comma in a readme example
- Added chef standard .gitignore and chefignore files
- Added chef standard .rubocop.yml file and resolved warnings
- Resolved foodcritic warnings
## v1.8.2 (2015-03-18)
- No changes, just republishing 1.8.1
v1.8.1 (2015-03-12)
-------------------
- Add `source_url` and `issues_url` to the metadata.rb so Supermarket can display
appropriate links
## v1.8.1 (2015-03-12)
- Add `source_url` and `issues_url` to the metadata.rb so Supermarket can display appropriate links
v1.8.0 (2015-03-09)
-------------------
## v1.8.0 (2015-03-09)
- Expose LWRP state attributes
- [COOK-4401] - Add unit tests with ChefSpec
- [COOK-4404] - Determine file system and add manage_nfs_home_dirs attribute to disable
managing NFS mounted home directories
- Remove `converge_by` when creating home directory, the directory resource
already handles this
- [COOK-4404] - Determine file system and add manage_nfs_home_dirs attribute to disable managing NFS mounted home directories
- Remove `converge_by` when creating home directory, the directory resource already handles this
- Do not manage home directory if the path does not exist
- Add integration with TravisCI
- "Opscode" to "Chef" replacements
- Retire unsupported Ruby 1.9.3 and add Ruby 2.2 to the Travis integration tests
- Updates for RSpec 3
v1.7.0 (2014-02-14)
-------------------
## v1.7.0 (2014-02-14)
- [COOK-4139] - users_manage resource always notifies
- [COOK-4078] - users cookbook fails in why-run mode for .ssh directory
- [COOK-3959] - Add support for Mac OS X to users cookbook
v1.6.0
------
## v1.6.0
### Bug
- **[COOK-3744](https://tickets.opscode.com/browse/COOK-3744)** - Allow passing an action option via the `data_bag` to the user resource
v1.5.2
------
## v1.5.2
### Bug
- **[COOK-3215](https://tickets.opscode.com/browse/COOK-3215)** - Make `group_id` optional
v1.5.0
------
## v1.5.0
- [COOK-2427] - Mistakenly released instead of sudo :-).
v1.4.0
------
## v1.4.0
- [COOK-2479] - Permit users cookbook to work with chef-solo if edelight/chef-solo-search is installed
- [COOK-2486] - specify precedence when setting node attribute
v1.3.0
------
## v1.3.0
- [COOK-1842] - allow specifying private SSH keys
- [COOK-2021] - Empty default recipe for including users LWRPs
v1.2.0
------
## v1.2.0
- [COOK-1398] - Provider manage.rb ignores username attribute
- [COOK-1582] - ssh_keys should take an array in addition to a string separated by new lines
v1.1.4
------
## v1.1.4
- [COOK-1396] - removed users get recreated
- [COOK-1433] - resolve foodcritic warnings
- [COOK-1583] - set passwords for users
v1.1.2
------
## v1.1.2
- [COOK-1076] - authorized_keys template not found in another cookbook
v1.1.0
------
## v1.1.0
- [COOK-623] - LWRP conversion

2
cookbooks/users/CONTRIBUTING.md Normal file
View File

@@ -0,0 +1,2 @@
Please refer to
https://github.com/chef-cookbooks/community_cookbook_documentation/blob/master/CONTRIBUTING.MD

19
cookbooks/users/MAINTAINERS.md Normal file
View File

@@ -0,0 +1,19 @@
<!-- This is a generated file. Please do not edit directly -->
# Maintainers
This file lists how this cookbook project is maintained. When making changes to the system, this
file tells you who needs to review your patch - you need a simple majority of maintainers
for the relevant subsystems to provide a :+1: on your pull request. Additionally, you need
to not receive a veto from a Lieutenant or the Project Lead.
Check out [How Cookbooks are Maintained](https://github.com/chef-cookbooks/community_cookbook_documentation/blob/master/CONTRIBUTING.MD)
for details on the process and how to become a maintainer or the project lead.
# Project Maintainer
* [Tim Smith](https://github.com/tas50)
# Maintainers
* [Jennifer Davis](https://github.com/sigje)
* [Sean OMeara](https://github.com/someara)
* [Tim Smith](https://github.com/tas50)
* [Thom May](https://github.com/thommay)

255
cookbooks/users/README.md
View File

@@ -1,35 +1,181 @@
users Cookbook
==============
![Build Status](https://travis-ci.org/opscode-cookbooks/users.svg?branch=master)
# users Cookbook
[![Build Status](https://travis-ci.org/chef-cookbooks/users.svg?branch=master)](http://travis-ci.org/chef-cookbooks/users) [![Cookbook Version](https://img.shields.io/cookbook/v/users.svg)](https://supermarket.chef.io/cookbooks/users)
Creates users from a databag search.
Manages OS users from databags.
## Scope
Requirements
------------
### Platforms
- Debian, Ubuntu
- CentOS, Red Hat, Fedora
- FreeBSD
This cookbook is concerned with the management of OS users and groups from databags. It also manages the distribution of ssh keys to a user's home directory.
A data bag populated with user objects must exist. The default data
bag in this recipe is `users`. See USAGE.
## Requirements
A data bag populated with user objects must exist. The default data bag in this recipe is `users`. See USAGE.
Usage
-----
To include just the LWRPs in your cookbook, use:
### Chef
```ruby
include_recipe "users"
- Chef 11+
### Platform Support
The following platforms have been tested with Test Kitchen:
- Debian / Ubuntu and derivatives
- RHEL and derivatives
- Fedora
- FreeBSD / OpenBSD
- Mac OS X
### Cookbook Dependencies
- none
## Usage
To use the resource `users_manage`, make sure to add the dependency on the users cookbook by the following line to your wrapper cookbook's [metadata.rb](https://docs.chef.io/config_rb_metadata.html):
```
depends 'users'
```
or to pin to a specific version of the users cookbook, in this case any version of 2.X:
```
depends 'users', '~> 2'
```
Then in a recipe:
```ruby
users_manage 'GROUPNAME' do
group_id GROUPID
action [:remove, :create]
data_bag 'DATABAG_NAME'
end
```
Example:
```ruby
users_manage 'testgroup' do
group_id 3000
action [:remove, :create]
data_bag 'test_home_dir'
end
```
**Note**: If you do not specify the data_bag, the default will be to look for a databag called users.
## Databag Definition
A sample user object in a users databag would look like:
```json
{
"id": "test_user",
"password": "$1$5cE1rI/9$4p0fomh9U4kAI23qUlZVv/",
"ssh_keys": [
"ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAklOUpkDHrfHY17SbrmTIpNLTGK9Tjom/BWDSU\nGPl+nafzlHDTYW7hdI4yZ5ew18JH4JW9jbhUFrviQzM7xlELEVf4h9lFX5QVkbPppSwg0cda3\nPbv7kOdJ/MTyBlWXFCR+HAo3FXRitBqxiX1nKhXpHAZsMciLq8V6RjsNAQwdsdMFvSlVK/7XA\nt3FaoJoAsncM1Q9x5+3V0Ww68/eIFmb1zuUFljQJKprrX88XypNDvjYNby6vw/Pb0rwert/En\nmZ+AW4OZPnTPI89ZPmVMLuayrD2cE86Z/il8b+gw3r3+1nKatmIkjn2so1d01QraTlMqVSsbx\nNrRFi9wrf+M7Q== chefuser@mylaptop.local",
"ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAklOUpkDHrfHY17SbrmTIpNLTGK9Tjom/BWDSU\nGPl+nafzlHDTYW7hdI4yZ5ew18JH4JW9jbhUFrviQzM7xlELEVf4h9lFX5QVkbPppSwg0cda3\nPbv7kOdJ/MTyBlWXFCR+HAo3FXRitBqxiX1nKhXpHAZsMciLq8V6RjsNAQwdsdMFvSlVK/7XA\nt3FaoJoAsncM1Q9x5+3V0Ww68/eIFmb1zuUFljQJKprrX88XypNDvjYNby6vw/Pb0rwert/En\nmZ+AW4OZPnTPI89ZPmVMLuayrD2cE86Z/il8b+gw3r3+1nKatmIkjn2so1d01QraTlMqVSsbx\nNQCPO0ZZEa1== chefuser@mylaptop.local"
],
"groups": [ "testgroup", "nfsgroup" ],
"uid": 9001,
"shell": "\/bin\/bash",
"comment": "Test User"
}
```
### Databag Key Definitions
* `id`: *String* specifies the username, as well as the data bag object id.
* `password`: *String* specifies the user's password.
* `ssh_keys`: *Array* an array of authorized keys that will be managed by Chef to the user's home directory in .ssh/authorized_keys
* `groups`: *Array* an array of groups that the user will be added to
* `uid`: *Integer* a unique identifier for the user
* `shell`: *String* the user's shell
* `comment`:*String* the [GECOS field](https://en.wikipedia.org/wiki/Gecos_field), generally the User's full name.
Other potential fields:
* `home`: *String* User's home directory. If not assigned, will be set based on platform and username.
* `action`: *String* Supported actions are one's supported by the [user](https://docs.chef.io/resource_user.html#actions) resource. If not specified, the default action is `create`.
* `ssh_private_key`: *String* manages user's private key generally ~/.ssh/id_*
* `ssh_public_key`: *String* manages user's public key generally ~/.ssh/id_*.pub
## Resources Overview
### users_manage
The `users_manage` resource manages users and groups based off of a data bag search and specified action.
#### Examples
Creates the `sysadmin` group and users defined in the `users` databag.
```ruby
users_manage 'sysadmin' do
group_id 2300
action [:remove, :create]
end
```
Removes, then creates the `testgroup` group, and users defined in the `test_home_dir` databag.
```ruby
users_manage 'testgroup' do
group_id 3000
action [:remove, :create]
data_bag 'test_home_dir'
end
```
Removes, then creates the `nfsgroup` group, and users defined in the `test_home_dir` databag and does not manage nfs home directories.
```ruby
users_manage 'nfsgroup' do
group_id 4000
action [:remove, :create]
data_bag 'test_home_dir'
manage_nfs_home_dirs false
end
```
#### Parameters
* `data_bag` *String* is the data bag to search
* `search_group` *String* groups name to search for, defaults to resource name
* `group_name` *String* name of the group to create, defaults to resource name
* `group_id` *Integer* numeric id of the group to create, default is to allow the OS to pick next
* `cookbook` *String* name of the cookbook that the authorized_keys template should be found in
* `manage_nfs_home_dirs` *Boolean* whether to manage nfs home directories.
Otherwise, this cookbook is specific for setting up `sysadmin` group and users with the sysadmins recipe for now.
## Recipe Overview
`sysadmins.rb`: recipe that manages the group sysadmins with group id 2300, and adds users to this group.
To use:
```ruby
include_recipe "users::sysadmins"
```
The recipe is defined as follows:
```ruby
users_manage "sysadmin" do
group_id 2300
action [ :remove, :create ]
end
```
This `users_manage` resource searches the `users` data bag for the `sysadmin` group attribute, and adds those users to a Unix security group `sysadmin`. The only required attribute is group_id, which represents the numeric Unix gid and _must_ be unique. The default action for the resource is `:create`.
The recipe, by default, will also create the sysadmin group. The sysadmin group will be created with GID 2300. This may become an attribute at a later date.
## Data bag Overview
**Reminder** Data bags generally should not be stored in cookbooks, but in a policy repo within your organization. Data bags are useful across cookbooks, not just for a single cookbook.
Use knife to create a data bag for users.
```bash
@@ -38,7 +184,7 @@ $ knife data bag create users
Create a user in the data_bag/users/ directory.
When using an [Omnibus ruby](http://tickets.opscode.com/browse/CHEF-2848), one can specify an optional password hash. This will be used as the user's password.
An optional password hash can be specified that will be used as the user's password.
The hash can be generated with the following command.
@@ -48,14 +194,14 @@ $ openssl passwd -1 "plaintextpassword"
Note: The ssh_keys attribute below can be either a String or an Array. However, we are recommending the use of an Array.
```javascript
```json
{
"id": "bofh",
"ssh_keys": "ssh-rsa AAAAB3Nz...yhCw== bofh",
"ssh_keys": "ssh-rsa AAAAB3Nz...yhCw== bofh"
}
```
```javascript
```json
{
"id": "bofh",
"password": "$1$d...HgH0",
@@ -66,12 +212,7 @@ Note: The ssh_keys attribute below can be either a String or an Array. However,
"groups": [ "sysadmin", "dba", "devops" ],
"uid": 2001,
"shell": "\/bin\/bash",
"comment": "BOFH",
"nagios": {
"pager": "8005551212@txt.att.net",
"email": "bofh@example.com"
},
"openid": "bofh.myopenid.com"
"comment": "BOFH"
}
```
@@ -113,32 +254,23 @@ And then change the action to "remove":
}
```
* Note only user bags with the "action : remove" and a search-able "group" attribute will be purged by the :remove action.
The sysadmins recipe makes use of the `users_manage` Lightweight Resource Provider (LWRP), and looks like this:
```ruby
users_manage "sysadmin" do
group_id 2300
action [ :remove, :create ]
end
```
Note this LWRP searches the `users` data bag for the `sysadmin` group attribute, and adds those users to a Unix security group `sysadmin`. The only required attribute is group_id, which represents the numeric Unix gid and *must* be unique. The default action for the LWRP is `:create` only.
- Note only user bags with the "action : remove" and a search-able "group" attribute will be purged by the :remove action.
- As of v2.0.3 you can use the force parameter within the user data bag object for users with action remove. As per [user docs](https://docs.chef.io/resource_user.html) this may leave the system in an inconsistent state. For example, a user account will be removed even if the user is logged in. A users home directory will be removed, even if that directory is shared by multiple users.
If you have different requirements, for example:
- You want to search a different data bag specific to a role such as
- mail. You may change the data_bag searched.
- data_bag `mail`
* You want to search a different data bag specific to a role such as
mail. You may change the data_bag searched.
- data_bag `mail`
* You want to search for a different group attribute named
`postmaster`. You may change the search_group attribute. This
attribute defaults to the LWRP resource name.
- search_group `postmaster`
* You want to add the users to a security group other than the
lightweight resource name. You may change the group_name attribute.
This attribute also defaults to the LWRP resource name.
- group_name `wheel`
- You want to search for a different group attribute named
- `postmaster`. You may change the search_group attribute. This
- attribute defaults to the LWRP resource name.
- search_group `postmaster`
- You want to add the users to a security group other than the
- lightweight resource name. You may change the group_name attribute.
- This attribute also defaults to the LWRP resource name.
- group_name `wheel`
Putting these requirements together our recipe might look like this:
@@ -150,35 +282,26 @@ users_manage "postmaster" do
end
```
The latest version of knife supports reading data bags from a file and automatically looks in a directory called +data_bags+ in the current directory. The "bag" should be a directory with JSON files of each item. For the above:
Knife supports reading data bags from a file and automatically looks in a directory called +data_bags+ in the current directory. The "bag" should be a directory with JSON files of each item. For the above:
```bash
$ mkdir data_bags/users
$EDITOR data_bags/users/bofh.json
```
Paste the user's public SSH key into the ssh_keys value. Also make sure the uid is unique, and if you're not using bash, that the shell is installed. The default search, and Unix group is sysadmin.
The recipe, by default, will also create the sysadmin group. If you're using the chef sudo cookbook, they'll have sudo access in the default site-cookbooks template. They won't have passwords though, so the sudo cookbook's template needs to be adjusted so the sysadmin group has NOPASSWD.
The sysadmin group will be created with GID 2300. This may become an attribute at a later date.
Paste the user's public SSH key into the ssh_keys value. Also make sure the uid is unique, and if you're not using bash, that the shell is installed.
The Apache cookbook can set up authentication using OpenIDs, which is set up using the openid key here. See the Chef Software 'apache2' cookbook for more information about this.
Chef Solo
---------
## Chef Solo
As of version 1.4.0, this cookbook might work with Chef Solo when using [chef-solo-search by edelight](https://github.com/edelight/chef-solo-search). That cookbook is not a dependency of this one as Chef solo doesn't support dependency resolution using cookbook metadata - all cookbooks must be provided to the node manually when using Chef Solo.
## License & Authors
**Author:** Cookbook Engineering Team ([cookbooks@chef.io](mailto:cookbooks@chef.io))
License & Authors
-----------------
- Author:: Joshua Timberman (<joshua@chef.io>)
- Author:: Seth Chisamore (<schisamo@chef.io>)
```text
Copyright:: 2009-2015, Chef Software, Inc
**Copyright:** 2009-2016, Chef Software, Inc.
```
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

20
cookbooks/users/libraries/helpers.rb
View File

@@ -7,13 +7,11 @@ module Users
#
# @return [String]
def fs_type(mount)
begin
# Doesn't support macosx
stat = Mixlib::ShellOut.new("stat -f -L -c %T #{mount} 2>&1").run_command
stat.stdout.chomp
rescue
'none'
end
# Doesn't support macosx
stat = Mixlib::ShellOut.new("stat -f -L -c %T #{mount} 2>&1").run_command
stat.stdout.chomp
rescue
'none'
end
# Determines if provided mount point is remote.
@@ -22,6 +20,14 @@ module Users
def fs_remote?(mount)
fs_type(mount) == 'nfs' ? true : false
end
# Validates passed id.
#
# @return [Numeric, String]
# handles checking whether uid was specified as a string
def validate_id(id)
id.to_i.to_s == id ? id.to_i : id
end
end
end

41
cookbooks/users/metadata.json
View File

File diff suppressed because one or more lines are too long

140
cookbooks/users/providers/manage.rb
View File

@@ -3,7 +3,7 @@
# Provider:: manage
#
# Copyright 2011, Eric G. Wolfe
# Copyright 2009-2011, Chef Software, Inc.
# Copyright 2009-2015, Chef Software, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -18,92 +18,93 @@
# limitations under the License.
#
use_inline_resources if defined?(use_inline_resources)
use_inline_resources
def whyrun_supported?
true
end
def initialize(*args)
super
@action = :create
end
def chef_solo_search_installed?
klass = ::Search::const_get('Helper')
klass = ::Search.const_get('Helper')
return klass.is_a?(Class)
rescue NameError
return false
end
def search_missing?
Chef::Config[:solo] && !(Chef::Config[:local_mode] || chef_solo_search_installed?)
end
action :remove do
if Chef::Config[:solo] and not chef_solo_search_installed?
Chef::Log.warn("This recipe uses search. Chef Solo does not support search unless you install the chef-solo-search cookbook.")
if search_missing?
Chef::Log.warn('This recipe uses search. Chef Solo does not support search unless you install the chef-solo-search cookbook.')
else
search(new_resource.data_bag, "groups:#{new_resource.search_group} AND action:remove") do |rm_user|
user rm_user['username'] ||= rm_user['id'] do
action :remove
force rm_user['force'] ||= false
end
end
end
end
action :create do
security_group = Array.new
users_groups = {}
users_groups[new_resource.group_name] = []
if Chef::Config[:solo] and not chef_solo_search_installed?
Chef::Log.warn("This recipe uses search. Chef Solo does not support search unless you install the chef-solo-search cookbook.")
if search_missing?
Chef::Log.warn('This recipe uses search. Chef Solo does not support search unless you install the chef-solo-search cookbook.')
else
search(new_resource.data_bag, "groups:#{new_resource.search_group} AND NOT action:remove") do |u|
u['username'] ||= u['id']
security_group << u['username']
u['groups'].each do |g|
users_groups[g] = [] unless users_groups.key?(g)
users_groups[g] << u['username']
end
if node['apache'] and node['apache']['allowed_openids']
if node['apache'] && node['apache']['allowed_openids']
Array(u['openid']).compact.each do |oid|
node.default['apache']['allowed_openids'] << oid unless node['apache']['allowed_openids'].include?(oid)
end
end
# Set home_basedir based on platform_family
# Platform specific checks
# Set home_basedir
# Set shell on FreeBSD
home_basedir = '/home'
case node['platform_family']
when 'mac_os_x'
home_basedir = '/Users'
when 'debian', 'rhel', 'fedora', 'arch', 'suse', 'freebsd'
home_basedir = '/home'
when 'freebsd'
# Check if we need to prepend shell with /usr/local/?
u['shell'] = (!File.exist?(u['shell']) && File.exist?("/usr/local#{u['shell']}") ? "/usr/local#{u['shell']}" : '/bin/sh')
end
# Set home to location in data bag,
# or a reasonable default ($home_basedir/$user).
if u['home']
home_dir = u['home']
else
home_dir = "#{home_basedir}/#{u['username']}"
end
home_dir = (u['home'] ? u['home'] : "#{home_basedir}/#{u['username']}")
# check whether home dir is null
manage_home = (home_dir == '/dev/null' ? false : true)
# The user block will fail if the group does not yet exist.
# See the -g option limitations in man 8 useradd for an explanation.
# This should correct that without breaking functionality.
if u['gid'] and u['gid'].kind_of?(Numeric)
group u['username'] do
gid u['gid']
end
group u['username'] do
gid validate_id(u['gid'])
only_if { u['gid'] && u['gid'].is_a?(Numeric) }
end
# Create user object.
# Do NOT try to manage null home directories.
user u['username'] do
uid u['uid']
if u['gid']
gid u['gid']
end
uid validate_id(u['uid'])
gid validate_id(u['gid']) if u['gid']
shell u['shell']
comment u['comment']
password u['password'] if u['password']
if home_dir == "/dev/null"
supports :manage_home => false
else
supports :manage_home => true
end
supports manage_home: manage_home
home home_dir
action u['action'] if u['action']
end
@@ -112,65 +113,72 @@ action :create do
Chef::Log.debug("Managing home files for #{u['username']}")
directory "#{home_dir}/.ssh" do
owner u['username']
group u['gid'] || u['username']
mode "0700"
owner u['uid'] ? validate_id(u['uid']) : u['username']
group validate_id(u['gid']) if u['gid']
mode '0700'
only_if { u['ssh_keys'] || u['ssh_private_key'] || u['ssh_public_key'] }
end
if u['ssh_keys']
template "#{home_dir}/.ssh/authorized_keys" do
source "authorized_keys.erb"
cookbook new_resource.cookbook
owner u['username']
group u['gid'] || u['username']
mode "0600"
variables :ssh_keys => u['ssh_keys']
end
template "#{home_dir}/.ssh/authorized_keys" do
source 'authorized_keys.erb'
cookbook new_resource.cookbook
owner u['uid'] ? validate_id(u['uid']) : u['username']
group validate_id(u['gid']) if u['gid']
mode '0600'
variables ssh_keys: u['ssh_keys']
only_if { u['ssh_keys'] }
end
if u['ssh_private_key']
key_type = u['ssh_private_key'].include?("BEGIN RSA PRIVATE KEY") ? "rsa" : "dsa"
key_type = u['ssh_private_key'].include?('BEGIN RSA PRIVATE KEY') ? 'rsa' : 'dsa'
template "#{home_dir}/.ssh/id_#{key_type}" do
source "private_key.erb"
source 'private_key.erb'
cookbook new_resource.cookbook
owner u['id']
group u['gid'] || u['id']
mode "0400"
variables :private_key => u['ssh_private_key']
owner u['uid'] ? validate_id(u['uid']) : u['username']
group validate_id(u['gid']) if u['gid']
mode '0400'
variables private_key: u['ssh_private_key']
end
end
if u['ssh_public_key']
key_type = u['ssh_public_key'].include?("ssh-rsa") ? "rsa" : "dsa"
key_type = u['ssh_public_key'].include?('ssh-rsa') ? 'rsa' : 'dsa'
template "#{home_dir}/.ssh/id_#{key_type}.pub" do
source "public_key.pub.erb"
source 'public_key.pub.erb'
cookbook new_resource.cookbook
owner u['id']
group u['gid'] || u['id']
mode "0400"
variables :public_key => u['ssh_public_key']
owner u['uid'] ? validate_id(u['uid']) : u['username']
group validate_id(u['gid']) if u['gid']
mode '0400'
variables public_key: u['ssh_public_key']
end
end
else
Chef::Log.debug("Not managing home files for #{u['username']}")
end
end
# Populating users to appropriates groups
users_groups.each do |g, u|
group g do
members u
append true
action :manage # Do nothing if group doesn't exist
end unless g == new_resource.group_name # Dealing with managed group later
end
end
group new_resource.group_name do
if new_resource.group_id
gid new_resource.group_id
end
members security_group
gid new_resource.group_id if new_resource.group_id
members users_groups[new_resource.group_name]
end
end
private
def manage_home_files?(home_dir, user)
def manage_home_files?(home_dir, _user)
# Don't manage home dir if it's NFS mount
# and manage_nfs_home_dirs is disabled
if home_dir == "/dev/null"
if home_dir == '/dev/null'
false
elsif fs_remote?(home_dir)
new_resource.manage_nfs_home_dirs ? true : false

2
cookbooks/users/recipes/default.rb
View File

@@ -2,7 +2,7 @@
# Cookbook Name:: users
# Recipe:: default
#
# Copyright 2009-2012, Chef Software, Inc.
# Copyright 2009-2015, Chef Software, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.

6
cookbooks/users/recipes/sysadmins.rb
View File

@@ -3,7 +3,7 @@
# Recipe:: sysadmins
#
# Copyright 2011, Eric G. Wolfe
# Copyright 2009-2011, Chef Software, Inc.
# Copyright 2009-2015, Chef Software, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -20,7 +20,7 @@
# Searches data bag "users" for groups attribute "sysadmin".
# Places returned users in Unix group "sysadmin" with GID 2300.
users_manage "sysadmin" do
users_manage 'sysadmin' do
group_id 2300
action [ :remove, :create ]
action [:remove, :create]
end

18
cookbooks/users/resources/manage.rb
View File

@@ -19,6 +19,7 @@
# Data bag user object needs an "action": "remove" tag to actually be removed by the action.
actions :create, :remove
default_action :create
state_attrs :cookbook,
:data_bag,
@@ -31,14 +32,9 @@ state_attrs :cookbook,
# :group_name is the string name of the group to create, defaults to resource name
# :group_id is the numeric id of the group to create, default is to allow the OS to pick next
# :cookbook is the name of the cookbook that the authorized_keys template should be found in
attribute :data_bag, :kind_of => String, :default => "users"
attribute :search_group, :kind_of => String, :name_attribute => true
attribute :group_name, :kind_of => String, :name_attribute => true
attribute :group_id, :kind_of => Integer
attribute :cookbook, :kind_of => String, :default => "users"
attribute :manage_nfs_home_dirs, :kind_of => [TrueClass, FalseClass], :default => true
def initialize(*args)
super
@action = :create
end
attribute :data_bag, kind_of: String, default: 'users'
attribute :search_group, kind_of: String, name_attribute: true
attribute :group_name, kind_of: String, name_attribute: true
attribute :group_id, kind_of: Integer
attribute :cookbook, kind_of: String, default: 'users'
attribute :manage_nfs_home_dirs, kind_of: [TrueClass, FalseClass], default: true

2
cookbooks/users/templates/default/authorized_keys.erb
View File

@@ -1,4 +1,4 @@
# Generated by Chef for <%= node['fqdn'] %>
# Generated by Chef
# Local modifications will be overwritten.
<% Array(@ssh_keys).each do |key| %>