Puppet Class: admin

Defined in:
modules/admin/manifests/init.pp

Overview

Parameters:

  • groups (Array[String[1]]) (defaults to: [])
  • groups_no_ssh (Array[String[1]]) (defaults to: [])
  • always_groups (Array[String[1]]) (defaults to: ['absent', 'ops', 'wikidev', 'ops-adm-group', 'sre-admins'])
  • managehome (Boolean) (defaults to: false)
  • managelingering (Boolean) (defaults to: false)
  • additional_shells (Array[String]) (defaults to: ['zsh'])


# File 'modules/admin/manifests/init.pp', line 17

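# @summary Manage the host's local accounts and groups from the module's
#   data/data.yaml: declare groups, users (with or without an SSH key) and
#   group memberships, then remove stray accounts with
#   /usr/local/sbin/enforce-users-groups.
#
# @param groups
#   Groups whose members get an account with an SSH key installed. They are
#   appended to always_groups to form the SSH-enabled group set.
# @param groups_no_ssh
#   Groups whose members get an account without an SSH key. A user who is
#   also a member of an SSH-enabled group keeps SSH access.
# @param always_groups
#   Groups included on every host, ahead of `groups`, in the SSH-enabled set.
# @param managehome
#   Not referenced in this class body; presumably consumed by admin::hashuser
#   via lookup — confirm against that define before relying on it.
# @param managelingering
#   When true, create /var/lib/systemd/linger and one linger record per
#   Kerberos-enabled user.
# @param additional_shells
#   Shell packages to install with ensure_packages.
class admin(
    Array[String[1]] $groups            = [],
    Array[String[1]] $groups_no_ssh     = [],
    Array[String[1]] $always_groups     = ['absent', 'ops', 'wikidev', 'ops-adm-group', 'sre-admins'],
    Boolean          $managehome        = false,
    Boolean          $managelingering   = false,
    Array[String]    $additional_shells = ['zsh'],
)
{
    ensure_packages($additional_shells)
    $module_path = get_module_path($module_name)
    $base_data = loadyaml("${module_path}/data/data.yaml")

    $uinfo = $base_data['users']
    $users = $uinfo.keys

    # Fill the all-users group with all active, non-system users.
    # A user without a 'system' key counts as a regular user.
    $real_users = $uinfo.filter |$user, $config| {
        $config['ensure'] == 'present' and (!('system' in $config) or $config['system'] == false)
    }.keys
    $data = deep_merge($base_data, {'groups' => {'all-users' => {'members' => $real_users}}})

    $system_users = $uinfo.filter |$user, $config| { $config['system'] == true }.keys
    $system_groups = $data['groups'].filter |$group, $config| { $config['system'] == true }.keys

    # making sure to include always_groups
    # These are groups containing users with SSH access
    $regular_groups = $always_groups + $groups

    # These are all groups configured
    $all_groups = $regular_groups + $groups_no_ssh + $system_groups

    # Note: the unique_users() custom function eliminates the need for virtual users.

    # List of users with SSH access
    $users_set_ssh = admin::unique_users($regular_groups)

    # List of users without SSH access
    # Note: since a user may be listed among groups in $groups
    # and at the same time groups in $groups_no_ssh,
    # we need to make sure that the two sets don't overlap.
    # SSH access wins: a user in both sets is created once, with a key.
    $users_set_nossh = admin::unique_users($groups_no_ssh).filter |$user| { !($user in $users_set_ssh) }

    # List of Kerberos enabled users
    $users_krb_enabled = admin::kerberos_users().keys.flatten

    # The cleanup script runs privileged from the exec below, so its
    # ownership is pinned to root like the linger directory further down;
    # previously only the mode was managed.
    file { '/usr/local/sbin/enforce-users-groups':
        ensure => file,
        mode   => '0555',
        owner  => 'root',
        group  => 'root',
        source => 'puppet:///modules/admin/enforce-users-groups.sh',
    }

    admin::hashgroup { $all_groups: }

    admin::hashuser { $users_set_ssh:
        ensure_ssh_key => true,
    }

    admin::hashuser { $users_set_nossh:
        ensure_ssh_key => false,
    }

    admin::hashuser { $system_users:
        ensure_ssh_key => false,
    }

    # Memberships must be settled before the cleanup decides who is stray.
    admin::groupmembers { $all_groups:
        before => Exec['enforce-users-groups-cleanup'],
    }

    # Declarative gotcha: non-defined users can get left behind
    # Here we cleanup anyone not in a supplementary group above a certain UID
    # The 'dryrun' invocation acts as the guard: the real run only happens
    # when the dry run reports something to do.
    exec { 'enforce-users-groups-cleanup':
        command   => '/usr/local/sbin/enforce-users-groups',
        unless    => '/usr/local/sbin/enforce-users-groups dryrun',
        logoutput => true,
    }

    # For hosts where we allow user lingering, create the directory to hold linger records
    # Then create an empty file in that directory for each kerberos enabled user account
    if $managelingering {
        file { '/var/lib/systemd/linger':
            ensure => directory,
            mode   => '0555',
            owner  => 'root',
            group  => 'root',
        }
        admin::userlinger { $users_krb_enabled: }
    }
}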