[COOK-499] sudo cookbook improvements
schisamo committed Apr 19, 2011
1 parent 668a08e commit ae9f896
Showing 6 changed files with 122 additions and 105 deletions.
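--- a/sudo/README.md
+++ b/sudo/README.md
@@ -13,11 +13,15 @@ ATTRIBUTES
 
 The following attributes are set to blank arrays:
 
-node[:authorization][:sudo][:groups]
-node[:authorization][:sudo][:users]
+node['authorization']['sudo']['groups']
+node['authorization']['sudo']['users']
 
 They are passed into the sudoers template which iterates over the values to add sudo permission to the specified users and groups.
 
+If you prefer to use passwordless sudo just set the following attribute to true:
+
+node['authorization']['sudo']['passwordless']
+
 USAGE
 =====
 
@@ -26,7 +30,8 @@ To use this cookbook, set the attributes above on the node via a role or the nod
 "authorization" => {
 "sudo" => {
 "groups" => ["admin", "wheel", "sysadmin"],
-"users" => ["jerry", "greg"]
+"users" => ["jerry", "greg"],
+"passwordless" => true
 }
 }
 
@@ -42,7 +47,8 @@ In JSON (role.json or on the node object):
 "users": [
 "jerry",
 "greg"
-]
+],
+"passwordless": true
 }
 }
 
@@ -52,8 +58,9 @@ LICENSE AND AUTHOR
 ==================
 
 Author:: Adam Jacob <adam@opscode.com>
+Author:: Seth Chisamore <schisamo@opscode.com>
 
-Copyright 2009-2010, Opscode, Inc.
+Copyright 2009-2011, Opscode, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.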
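--- a/sudo/attributes/default.rb
+++ b/sudo/attributes/default.rb
@@ -2,7 +2,7 @@
 # Cookbook Name:: sudo
 # Attribute File:: sudoers
 #
-# Copyright 2008-2009, Opscode, Inc.
+# Copyright 2008-2011, Opscode, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -17,5 +17,6 @@
 # limitations under the License.
 #
 
-default[:authorization][:sudo][:groups] = Array.new
-default[:authorization][:sudo][:users] = Array.new
+default['authorization']['sudo']['groups'] = Array.new
+default['authorization']['sudo']['users'] = Array.new
+default['authorization']['sudo']['passwordless'] = false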
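Review bot: The two rewritten array defaults use `Array.new` where the literal is the idiomatic spelling, `default['authorization']['sudo']['groups'] = []` and `default['authorization']['sudo']['users'] = []`. The new `passwordless` line is the cookbook's only safe default for NOPASSWD and it is a bare boolean, which is what the template's `if @passwordless` test relies on; a one-line comment would keep it that way, e.g. `# keep this a real boolean: the sudoers template tests it with plain Ruby truthiness`.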
174 changes: 88 additions & 86 deletions sudo/metadata.json
@@ -1,102 +1,104 @@
{
"providing": {
},
"attributes": {
"authorization/sudoers/groups": {
"required": "optional",
"calculated": false,
"choice": [

],
"default": "",
"type": "array",
"recipes": [

],
"description": "Groups who are allowed sudo ALL",
"display_name": "Sudo Groups"
},
"authorization": {
"required": "optional",
"calculated": false,
"choice": [
"name": "sudo",
"description": "Installs sudo and configures /etc/sudoers",
"long_description": "",
"maintainer": "Opscode, Inc.",
"maintainer_email": "cookbooks@opscode.com",
"license": "Apache 2.0",
"platforms": {
"redhat": ">= 0.0.0",
"centos": ">= 0.0.0",
"fedora": ">= 0.0.0",
"ubuntu": ">= 0.0.0",
"debian": ">= 0.0.0",
"freebsd": ">= 0.0.0"
},
"dependencies": {
},
"recommendations": {
},
"suggestions": {
},
"conflicting": {
},
"providing": {
},
"replacing": {
},
"attributes": {
"authorization": {
"display_name": "Authorization",
"description": "Hash of Authorization attributes",
"type": "hash",
"choice": [

],
"type": "hash",
"recipes": [

],
"description": "Hash of Authorization attributes",
"display_name": "Authorization"
},
"authorization/sudoers/users": {
"required": "optional",
"calculated": false,
"choice": [

],
"default": "",
"type": "array",
"recipes": [
],
"calculated": false,
"required": "optional",
"recipes": [

],
"description": "Users who are allowed sudo ALL",
"display_name": "Sudo Users"
},
"authorization/sudoers": {
"required": "optional",
"calculated": false,
"choice": [
]
},
"authorization/sudoers": {
"display_name": "Authorization Sudoers",
"description": "Hash of Authorization/Sudoers attributes",
"type": "hash",
"choice": [

],
"type": "hash",
"recipes": [
],
"calculated": false,
"required": "optional",
"recipes": [

],
"description": "Hash of Authorization/Sudoers attributes",
"display_name": "Authorization Sudoers"
}
},
"replacing": {
},
"dependencies": {
},
"groupings": {
},
"recommendations": {
]
},
"platforms": {
"debian": [
"authorization/sudoers/users": {
"display_name": "Sudo Users",
"description": "Users who are allowed sudo ALL",
"type": "array",
"default": "",
"choice": [

],
"fedora": [
"calculated": false,
"required": "optional",
"recipes": [

],
"centos": [
]
},
"authorization/sudoers/groups": {
"display_name": "Sudo Groups",
"description": "Groups who are allowed sudo ALL",
"type": "array",
"default": "",
"choice": [

],
"freebsd": [
"calculated": false,
"required": "optional",
"recipes": [

],
"ubuntu": [
]
},
"authorization/sudoers/passwordless": {
"display_name": "Passwordless Sudo",
"description": "",
"type": "string",
"default": "false",
"choice": [

],
"redhat": [
"calculated": false,
"required": "optional",
"recipes": [

]
},
"license": "Apache 2.0",
"version": "0.9.1",
"maintainer": "Opscode, Inc.",
"suggestions": {
},
"recipes": {
"sudo": "Installs sudo and configures /etc/sudoers"
},
"maintainer_email": "cookbooks@opscode.com",
"name": "sudo",
"conflicting": {
},
"description": "Installs sudo and configures /etc/sudoers",
"long_description": ""
}
}
},
"groupings": {
},
"recipes": {
"sudo": "Installs sudo and configures /etc/sudoers"
},
"version": "1.0.0"
}
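--- a/sudo/metadata.rb
+++ b/sudo/metadata.rb
@@ -2,7 +2,7 @@
 maintainer_email "cookbooks@opscode.com"
 license "Apache 2.0"
 description "Installs sudo and configures /etc/sudoers"
-version "0.9.1"
+version "1.0.0"
 
 recipe "sudo", "Installs sudo and configures /etc/sudoers"
 
@@ -31,3 +31,9 @@
 :description => "Groups who are allowed sudo ALL",
 :type => "array",
 :default => ""
+
+attribute "authorization/sudoers/passwordless",
+ :display_name => "Passwordless Sudo",
+ :description => "",
+ :type => "string",
+ :default => "false"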
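Review bot: The new `authorization/sudoers/passwordless` attribute is declared `:type => "string"` with `:default => "false"`, while attributes/default.rb sets a boolean `false` and the sudoers template emits `NOPASSWD:` for any truthy value; in Ruby the string `"false"` is truthy, so a value supplied in the declared type would silently grant passwordless sudo. Declare it as a boolean if the Chef release in use accepts `:type => "boolean"`, and in any case fill the empty description so the constraint is visible, e.g. `:description => "Grant NOPASSWD sudo to the configured users and groups; must be a true boolean"`. The same path mismatch as the existing entries also applies: the metadata key says `sudoers` while the attribute file and recipe read `node['authorization']['sudo']`, so this declaration documents a key the cookbook never reads.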
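--- a/sudo/recipes/default.rb
+++ b/sudo/recipes/default.rb
@@ -2,7 +2,7 @@
 # Cookbook Name:: sudo
 # Recipe:: default
 #
-# Copyright 2008-2009, Opscode, Inc.
+# Copyright 2008-2011, Opscode, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -27,7 +27,8 @@
 owner "root"
 group "root"
 variables(
-:sudoers_groups => node[:authorization][:sudo][:groups],
-:sudoers_users => node[:authorization][:sudo][:users]
+:sudoers_groups => node['authorization']['sudo']['groups'],
+:sudoers_users => node['authorization']['sudo']['users'],
+:passwordless => node['authorization']['sudo']['passwordless']
 )
 end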
14 changes: 7 additions & 7 deletions sudo/templates/default/sudoers.erb
@@ -1,22 +1,22 @@
#
# /etc/sudoers
#
#
# Generated by Chef for <%= node[:fqdn] %>
#
#

Defaults !lecture,tty_tickets,!fqdn

# User privilege specification
root ALL=(ALL) ALL
root ALL=(ALL) ALL

<% @sudoers_users.each do |user| -%>
<%= user %> ALL=(ALL) ALL
<%= user %> ALL=(ALL) <%= "NOPASSWD:" if @passwordless %>ALL
<% end -%>

# Members of the sysadmin group may gain root privileges
%sysadmin ALL=(ALL) ALL
%sysadmin ALL=(ALL) <%= "NOPASSWD:" if @passwordless %>ALL

<% @sudoers_groups.each do |group| -%>
# Members of the group '<%= group %>' may gain root privileges
%<%= group %> ALL=(ALL) ALL
<% end -%>
%<%= group %> ALL=(ALL) <%= "NOPASSWD:" if @passwordless %>ALL
<% end -%>
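Review bot: The hard-coded `%sysadmin ALL=(ALL) <%= "NOPASSWD:" if @passwordless %>ALL` entry now becomes passwordless together with the configured users and groups, although `sysadmin` is not taken from `@sudoers_groups` and the README describes the flag only in terms of the configured lists; either document that the built-in sysadmin entry follows the flag, or drop the hard-coded line and let callers add `sysadmin` to the groups attribute. The `"NOPASSWD:" if @passwordless` expression is also repeated on three lines; computing it once near the top, `<% nopasswd = @passwordless ? "NOPASSWD:" : "" -%>`, and writing `<%= nopasswd %>ALL` in each place keeps the three entries from drifting apart.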
