Puppet Class: admin

Defined in:
modules/admin/manifests/init.pp

Overview

Parameters:

  • groups (Any) (defaults to: [])
  • groups_no_ssh (Any) (defaults to: [])
  • always_groups (Any) (defaults to: ['absent', 'ops', 'wikidev', 'ops-adm-group'])


# File 'modules/admin/manifests/init.pp', line 16

# @summary Manages the admin users, groups and SSH-key entitlements of a host.
#
# Membership data comes from this module's data/data.yaml. Users are split
# into three sets (SSH-enabled, SSH-disabled, system) and each set is
# declared through admin::hashuser; every configured group goes through
# admin::hashgroup and admin::groupmembers, and a final exec removes
# accounts that are no longer managed.
#
# @param groups         Groups whose members get an account declared with
#                       ensure_ssh_key => true.
# @param groups_no_ssh  Groups whose members get an account declared with
#                       ensure_ssh_key => false. A user who is also in a
#                       group from $groups or $always_groups keeps SSH
#                       access - see $users_set_nossh below.
# @param always_groups  Groups unconditionally added to $groups.
#
# NOTE(review): all three parameters are untyped (Any); Array[String] would
# reject a stray scalar at catalog compile time - confirm callers pass arrays.
class admin(
    $groups=[],
    $groups_no_ssh=[],
    $always_groups=['absent', 'ops', 'wikidev', 'ops-adm-group'],
)
{
    # The sudo class is pulled in here; its resources live in the sudo module.
    include ::sudo

    # User/group data is read from this module's own data/data.yaml rather
    # than from hiera - presumably so membership changes are code changes
    # that go through review; confirm against the repository workflow.
    $module_path = get_module_path($module_name)
    $base_data = loadyaml("${module_path}/data/data.yaml")
    # Fill the all-users group with all active users
    $data = add_all_users($base_data)

    # Hash of user name => user config, and the plain list of all user names.
    # $users is not referenced below, but as a class variable it is reachable
    # as $admin::users from other classes and templates, so it stays.
    $uinfo = $data['users']
    $users = keys($uinfo)

    # Users and groups flagged system: true in the data file. System users
    # are created below without an SSH key.
    $system_users = $uinfo.filter |$user, $config| { $config['system'] == true }.keys
    $system_groups = $data['groups'].filter |$group, $config| { $config['system'] == true }.keys

    # making sure to include always_groups
    # These are groups containing users with SSH access
    $regular_groups = $always_groups + $groups

    # These are all groups configured
    $all_groups = $regular_groups + $groups_no_ssh + $system_groups

    # Note: the unique_users() custom function eliminates the need for virtual users.

    # List of users with SSH access
    $users_set_ssh = unique_users($data, $regular_groups)

    # List of users without SSH access
    # Note: since a user may be listed among groups in $groups
    # and at the same time groups in $groups_no_ssh,
    # we need to make sure that the two sets don't overlap.
    # Precedence is "SSH wins": a user present in both an SSH group and a
    # no-SSH group is dropped from this set, so membership in any group from
    # $groups or $always_groups grants SSH access regardless of $groups_no_ssh.
    # NOTE(review): $system_users is not excluded from either set; a user
    # flagged system: true that is also a member of a listed group would be
    # declared as admin::hashuser twice (a duplicate-declaration compile
    # error), so the data file must keep those disjoint - confirm.
    $users_set_nossh = unique_users($data, $groups_no_ssh).filter |$user| { !($user in $users_set_ssh) }

    # Cleanup script, installed read/execute only (no write bit) from the
    # module's files directory.
    file { '/usr/local/sbin/enforce-users-groups':
        ensure => file,
        mode   => '0555',
        source => 'puppet:///modules/admin/enforce-users-groups.sh',
    }

    # Every configured group is created before the SSH and no-SSH users.
    # NOTE(review): $system_users is not in this before list; if a system
    # user's group is one of $system_groups, ordering relies on whatever
    # admin::hashuser does internally - confirm.
    admin::hashgroup { $all_groups:
        before => [
            Admin::Hashuser[$users_set_ssh],
            Admin::Hashuser[$users_set_nossh],
        ],
    }

    # Only this set is declared with ensure_ssh_key => true; the two sets
    # below are explicitly declared without.
    admin::hashuser { $users_set_ssh:
        ensure_ssh_key => true,
    }

    admin::hashuser { $users_set_nossh:
        ensure_ssh_key => false,
    }

    admin::hashuser { $system_users:
        ensure_ssh_key => false,
    }

    # Group memberships are applied before the cleanup exec runs, so the
    # cleanup sees the final membership state rather than a partial one.
    admin::groupmembers { $all_groups:
        before => Exec['enforce-users-groups-cleanup'],
    }

    # Ensure ordering of resources: every user exists before any group
    # membership is written.
    Admin::Hashuser<| |> -> Admin::Groupmembers<| |>

    # Declarative gotcha: non-defined users can get left behind
    # Here we cleanup anyone not in a supplementary group above a certain UID
    # The exec runs only when the script's dryrun mode exits non-zero, i.e.
    # when there is something to remove; logoutput => true keeps what was
    # removed in the agent log, which is useful as an audit trail.
    exec { 'enforce-users-groups-cleanup':
        command   => '/usr/local/sbin/enforce-users-groups',
        unless    => '/usr/local/sbin/enforce-users-groups dryrun',
        logoutput => true,
    }
}