---
layout: default
title: "PE 2.6 » Accounts Module » The pe_accounts Class"
subtitle: "The pe_accounts Class"
canonical: "/pe/latest/accounts_class.html"
---
This class is part of `pe_accounts`, a pre-built Puppet module included with Puppet Enterprise.

The `pe_accounts` class can do any or all of the following:

- Create and manage a set of `pe_accounts::user` resources
- Create and manage a set of shared `group` resources
- Maintain a pair of rules in the `sudoers` file to grant privileges to the `sudo` and `sudonopw` groups
This class is designed for cases where your account data is maintained separately from your Puppet manifests. This usually means one of the following is true:
- The data is being read from a non-Puppet directory service or CMDB, probably with a custom function.
- The data is being maintained manually by a user who does not write Puppet code.
- The data is being generated by an out-of-band process.
If your site's account data will be maintained manually by a sysadmin able to write Puppet code, it will make more sense to maintain it as a normal set of `pe_accounts::user` and `group` resources, although you may still wish to use the `pe_accounts` class to maintain `sudoers` rules.
## Using the Class

To manage users and groups with the `pe_accounts` class, you must prepare a data store and configure the class for that data store when you declare it.
Note: In Puppet Enterprise 1.2, this class was called `accounts`; it was renamed in PE 2 to avoid namespace conflicts. If you are upgrading and wish to continue using the older name, the upgrader can install a wrapper module to enable it. See the chapter on upgrading for more details.
Note: In Puppet Enterprise 2.0 and higher, this class is assigned to the console's default group with no parameters, which will prevent it from being redeclared with any configuration. To use the class, you must:

- Unassign it from the default group in the console
- Create a wrapper module that declares this class with the necessary parameters
- Re-assign the wrapper class to whichever nodes need it
### Examples

To use YAML files as a data store:

```puppet
class {'pe_accounts':
  data_store => yaml,
}
```

To use a Puppet class as a data store (and manage `sudoers` rules):

```puppet
class {'pe_accounts':
  data_store     => namespace,
  data_namespace => 'site::pe_accounts::data',
  manage_sudoers => true,
}
```

To manage `sudoers` rules without managing any users or groups:

```puppet
class {'pe_accounts':
  manage_users   => false,
  manage_groups  => false,
  manage_sudoers => true,
}
```
## Data Sources

Account data can come from one of two sources: a Puppet class that declares three variables, or a set of three YAML files stored in `/etc/puppetlabs/puppet/data`.
### Using a Puppet Class

This option is most useful if you are able to generate or import your user data with a custom function, which may be querying an LDAP directory or some other data source.

The Puppet class containing the data must have a name ending in `::data`. (We recommend `site::pe_accounts::data`.) This class must declare the following variables:

- `$users_hash` should be a hash in which each key is the title of a `pe_accounts::user` resource and each value is a hash containing that resource's attributes and values.
- `$groups_hash` should be a hash in which each key is the title of a `group` resource and each value is a hash containing that resource's attributes and values.
See below for examples of the data formats used in these variables.
When declaring the `pe_accounts` class to use data in a Puppet class, use the following attributes:

```puppet
data_store     => namespace,
data_namespace => {name of class},
```
### Using YAML Files

This option is most useful if your user data is being generated by an out-of-band process or is being maintained by a user who does not write Puppet manifests.

When storing data in YAML, the following valid YAML files must exist in `/etc/puppetlabs/puppet/data`:

- `pe_accounts_users_hash.yaml`, which should contain an anonymous hash in which each key is the title of a `pe_accounts::user` resource and each value is a hash containing that resource's attributes and values.
- `pe_accounts_groups_hash.yaml`, which should contain an anonymous hash in which each key is the title of a `group` resource and each value is a hash containing that resource's attributes and values.
See below for examples of the data formats used in these variables.
When declaring the `pe_accounts` class to use data in YAML files, use the following attribute:

```puppet
data_store => yaml,
```
## Data Formats

This class uses three hashes of data to construct the `pe_accounts::user` and `group` resources it manages.
### The Users Hash

The users hash represents a set of `pe_accounts::user` resources. Each key should be the title of a `pe_accounts::user` resource, and each value should be another hash containing that resource's attributes and values.
In a Puppet data class (`$users_hash`):

```puppet
$users_hash = {
  sysop => {
    locked  => false,
    comment => 'System Operator',
    uid     => '700',
    gid     => '700',
    groups  => ['admin', 'sudonopw'],
    sshkeys => ['ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAwLBhQefRiXHSbVNZYKu2o8VWJjZJ/B4LqICXuxhiiNSCmL8j+5zE/VLPIMeDqNQt8LjKJVOQGZtNutW4OhsLKxdgjzlYnfTsQHp8+JMAOFE3BD1spVnGdmJ33JdMsQ/fjrVMacaHyHK0jW4pHDeUU3kRgaGHtX4TnC0A175BNTH9yJliDvddRzdKR4WtokNzqJU3VPtHaGmJfXEYSfun/wFfc46+hP6u0WcSS7jZ2WElBZ7gNO4u2Z+eJjFWS9rjQ/gNE8HHlvmN0IUuvdpKdBlJjzSiKZR+r/Bo9ujQmGY4cmvlvgmcdajM/X1TqP6p3OuouAk5QSPUlDRV91oEHw== sysop+moduledevkey@puppetlabs.com'],
  },
  villain => {
    locked  => true,
    comment => 'Test Locked Account',
    uid     => '701',
    gid     => '701',
    groups  => ['admin', 'sudonopw'],
    sshkeys => ['ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAwLBhQefRiXHSbVNZYKu2o8VWJjZJ/B4LqICXuxhiiNSCmL8j+5zE/VLPIMeDqNQt8LjKJVOQGZtNutW4OhsLKxdgjzlYnfTsQHp8+JMAOFE3BD1spVnGdmJ33JdMsQ/fjrVMacaHyHK0jW4pHDeUU3kRgaGHtX4TnC0A175BNTH9yJliDvddRzdKR4WtokNzqJU3VPtHaGmJfXEYSfun/wFfc46+hP6u0WcSS7jZ2WElBZ7gNO4u2Z+eJjFWS9rjQ/gNE8HHlvmN0IUuvdpKdBlJjzSiKZR+r/Bo9ujQmGY4cmvlvgmcdajM/X1TqP6p3OuouAk5QSPUlDRV91oEHw== villain+moduledevkey@puppetlabs.com'],
  },
}
```
In `pe_accounts_users_hash.yaml`:

```yaml
---
sysop:
  locked: false
  comment: System Operator
  uid: '700'
  gid: '700'
  groups:
    - admin
    - sudonopw
  sshkeys:
    - ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAwLBhQefRiXHSbVNZYKu2o8VWJjZJ/B4LqICXuxhiiNSCmL8j+5zE/VLPIMeDqNQt8LjKJVOQGZtNutW4OhsLKxdgjzlYnfTsQHp8+JMAOFE3BD1spVnGdmJ33JdMsQ/fjrVMacaHyHK0jW4pHDeUU3kRgaGHtX4TnC0A175BNTH9yJliDvddRzdKR4WtokNzqJU3VPtHaGmJfXEYSfun/wFfc46+hP6u0WcSS7jZ2WElBZ7gNO4u2Z+eJjFWS9rjQ/gNE8HHlvmN0IUuvdpKdBlJjzSiKZR+r/Bo9ujQmGY4cmvlvgmcdajM/X1TqP6p3OuouAk5QSPUlDRV91oEHw== sysop+moduledevkey@puppetlabs.com
villain:
  locked: true
  comment: Test Locked Account
  uid: '701'
  gid: '701'
  groups:
    - admin
    - sudonopw
  sshkeys:
    - ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAwLBhQefRiXHSbVNZYKu2o8VWJjZJ/B4LqICXuxhiiNSCmL8j+5zE/VLPIMeDqNQt8LjKJVOQGZtNutW4OhsLKxdgjzlYnfTsQHp8+JMAOFE3BD1spVnGdmJ33JdMsQ/fjrVMacaHyHK0jW4pHDeUU3kRgaGHtX4TnC0A175BNTH9yJliDvddRzdKR4WtokNzqJU3VPtHaGmJfXEYSfun/wFfc46+hP6u0WcSS7jZ2WElBZ7gNO4u2Z+eJjFWS9rjQ/gNE8HHlvmN0IUuvdpKdBlJjzSiKZR+r/Bo9ujQmGY4cmvlvgmcdajM/X1TqP6p3OuouAk5QSPUlDRV91oEHw== villain+moduledevkey@puppetlabs.com
```
### The Groups Hash

The groups hash represents a set of shared `group` resources. Each key should be the title of a `group` resource, and each value should be another hash containing that resource's attributes and values.
In a Puppet data class (`$groups_hash`):

```puppet
$groups_hash = {
  developer => {
    gid    => 3003,
    ensure => present,
  },
  sudonopw => {
    gid    => 3002,
    ensure => present,
  },
  sudo => {
    gid    => 3001,
    ensure => present,
  },
  admin => {
    gid    => 3000,
    ensure => present,
  },
}
```
In `pe_accounts_groups_hash.yaml`:

```yaml
---
developer:
  gid: "3003"
  ensure: "present"
sudonopw:
  gid: "3002"
  ensure: "present"
sudo:
  gid: "3001"
  ensure: "present"
admin:
  gid: "3000"
  ensure: "present"
```
## Parameters

### `manage_groups`

Specifies whether or not to manage a set of shared groups, which can be used by all `pe_accounts::user` resources. If true, your data store must define these groups in the `$groups_hash` variable or the `pe_accounts_groups_hash.yaml` file. Allowed values are `true` and `false`; defaults to `true`.
### `manage_users`

Specifies whether or not to manage a set of `pe_accounts::user` resources. If true, your data store must define these users in the `$users_hash` variable or the `pe_accounts_users_hash.yaml` file. Allowed values are `true` and `false`; defaults to `true`.
### `manage_sudoers`

Specifies whether or not to add sudo rules to the node's `sudoers` file. If true, the class will add `%sudo` and `%sudonopw` groups to the `sudoers` file and give them full sudo and passwordless sudo privileges respectively. You will need to make sure that the `sudo` and `sudonopw` groups exist in the groups hash, and that your chosen users have those groups in their `groups` arrays. Managing `sudoers` is not supported on Solaris.

Allowed values are `true` and `false`; defaults to `false`.
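As an added example (not part of the module or this page), a Ruby check over the two YAML data files that enforces the requirements above before the data reaches Puppet: it confirms that `sudo` and `sudonopw` are defined when `manage_sudoers` is true, that every group a user is placed in exists in the groups hash, that locked accounts hold no sudo group, and that no uid or gid is reused. The sample data is constructed for the example; the `deploy` user, the `wheel` group and the repeated uid are deliberate errors.

```ruby
require 'yaml'

# Constructed sample data in the shape of pe_accounts_users_hash.yaml and
# pe_accounts_groups_hash.yaml. The 'deploy' user, the undefined 'wheel'
# group and the reused uid 700 are deliberate mistakes for the check to catch.
USERS_YAML = <<~YAML
  sysop:   {locked: false, uid: '700', gid: '700', groups: [admin, sudonopw]}
  deploy:  {locked: false, uid: '702', gid: '702', groups: [admin, wheel]}
  villain: {locked: true,  uid: '700', gid: '701', groups: [sudonopw]}
YAML

GROUPS_YAML = <<~YAML
  admin:    {gid: "3000", ensure: "present"}
  sudonopw: {gid: "3002", ensure: "present"}
YAML

# Returns an array of findings; an empty array means the data is consistent.
def check_accounts_data(users_yaml, groups_yaml, manage_sudoers: false)
  users  = YAML.safe_load(users_yaml)  || {}
  groups = YAML.safe_load(groups_yaml) || {}
  findings = []
  # manage_sudoers => true needs both privileged groups in the groups hash.
  if manage_sudoers
    %w[sudo sudonopw].reject { |g| groups.key?(g) }.each do |g|
      findings << "manage_sudoers is true but group '#{g}' is not in the groups hash"
    end
  end
  users.each do |name, attrs|
    member_of = Array(attrs['groups'])
    # A group named in a user's groups array must exist in the groups hash.
    member_of.reject { |g| groups.key?(g) }.each do |g|
      findings << "user '#{name}' references undefined group '#{g}'"
    end
    # A locked account that keeps a sudo group still holds standing privilege.
    if attrs['locked'] && (member_of & %w[sudo sudonopw]).any?
      findings << "locked user '#{name}' is still a member of a sudo group"
    end
  end
  # A reused numeric id makes two accounts (or groups) the same principal to the kernel.
  users.values.map { |a| a['uid'].to_s }.group_by(&:itself).each do |uid, seen|
    findings << "uid #{uid} is assigned to more than one user" if seen.size > 1
  end
  groups.values.map { |a| a['gid'].to_s }.group_by(&:itself).each do |gid, seen|
    findings << "gid #{gid} is assigned to more than one group" if seen.size > 1
  end
  findings
end
```

Run it against the real files by passing `File.read` of each YAML file instead of the constructed constants; a non-empty result is a reason to reject the change before the next Puppet run.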
### `data_store`

Specifies the data store to use for accounts and groups.

When set to `namespace`, data will be read from the Puppet class specified in the `data_namespace` parameter. When set to `yaml`, data will be read from specially-named YAML files in the `/etc/puppetlabs/puppet/data` directory. (If you have changed your `$confdir`, it will look in `$confdir/data`.) Example YAML files are provided in the `ext/data/` directory of this module.

Allowed values are `yaml` and `namespace`; defaults to `namespace`.
### `data_namespace`

Specifies the Puppet namespace from which to read data. This must be the name of a Puppet class, and must end with `::data` (we recommend using `site::pe_accounts::data`); the class will automatically be declared by the `pe_accounts` class. The class cannot have any parameters, and must declare variables named:

- `$users_hash`
- `$groups_hash`

See the `pe_accounts::data` class included in this module (in `manifests/data.pp`) for an example; see the data formats section for information on each hash's data structure.

Defaults to `pe_accounts::data`.
### Path to the `sudoers` file

Specifies the path to the `sudoers` file on this system. Defaults to `/etc/sudoers`.