Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Install sudo through puppet on Debian-, RedHat- and SUSE-based distributions

README.md

puppet-sudo Build Status

Manage sudo configuration via Puppet

Gittip

Support via Gittip

Usage

WARNING

This module will purge your current sudo config

If this is not what you're expecting, set purge and/or config_file_replace to false

Install sudo with default sudoers

Purge current sudo config

    class { 'sudo': }

Purge sudoers.d directory, but leave sudoers file as it is

    class { 'sudo':
      config_file_replace => false,
    }

Leave current sudo config as it is

    class { 'sudo':
      purge               => false,
      config_file_replace => false,
    }

Adding sudoers configuration

Using Code

    class { 'sudo': }
    sudo::conf { 'web':
      source => 'puppet:///files/etc/sudoers.d/web',
    }
    sudo::conf { 'admins':
      priority => 10,
      content  => "%admins ALL=(ALL) NOPASSWD: ALL",
    }
    sudo::conf { 'joe':
      priority => 60,
      source   => 'puppet:///files/etc/sudoers.d/users/joe',
    }

Using Hiera

A hiera hash may be used to assemble the sudoers configuration. Hash merging is also enabled, which supports layering the configuration settings.

Examples using:

  • YAML backend
  • an environment called production
  • a /etc/puppet/hiera.yaml hierarchy configuration:
:hierarchy:
  - "%{environment}"
  - "defaults"
Load module
Using Puppet version 3+

Load the module via Puppet Code or your ENC.

    include sudo
Using Puppet version 2.7+

After Installing Hiera:

  • Load the sudo and sudo::configs modules via Puppet Code or your ENC.
    include sudo
    include sudo::configs
Configure Hiera YAML (defaults.yaml)

These defaults will apply to all systems.

sudo::configs:
    'web':
        'source'    : 'puppet:///files/etc/sudoers.d/web'
    'admins':
        'content'   : "%admins ALL=(ALL) NOPASSWD: ALL"
        'priority'  : 10
    'joe':
        'priority'  : 60
        'source'    : 'puppet:///files/etc/sudoers.d/users/joe'
Configure Hiera YAML (production.yaml)

This will only apply to the production environment. In this example we are:

  • inheriting/preserving the web configuration
  • overriding the admins configuration
  • removing the joe configuration
sudo::configs:
    'admins':
        'content'   : "%prodadmins ALL=(ALL) NOPASSWD: ALL"
        'priority'  : 10
    'joe':
        'ensure'    : 'absent'
        'source'    : 'puppet:///files/etc/sudoers.d/users/joe'

If you have Hiera version >= 1.2.0 and enable Hiera Deeper Merging you may conditionally override any setting.

In this example we are:

  • inheriting/preserving the web configuration
  • overriding the admins:content setting
  • inheriting/preserving the admins:priority setting
  • inheriting/preserving the joe:source and joe:priority settings
  • removing the joe configuration
sudo::configs:
    'admins':
        'content'   : "%prodadmins ALL=(ALL) NOPASSWD: ALL"
    'joe':
        'ensure'    : 'absent'
Set a custom name for the sudoers file

In some edge cases, the automatically generated sudoers file name is insufficient. For example, when an application generates a sudoers file with a fixed file name, using this class with the purge option enabled will always delete the custom file and adding it manually will generate a file with the right content, but the wrong name. To solve this, you can use the sudo_file_name option to manually set the desired file name.

sudo::conf { "foreman-proxy":
    ensure          => "present",
    source          => "puppet:///modules/sudo/foreman-proxy",
    sudo_file_name  => "foreman-proxy",
}

sudo::conf / sudo::configs notes

  • You can pass template() through content parameter.
  • One of content or source must be set.

sudo class parameters

Parameter Type Default Description
enable boolean true Set this to remove or purge all sudoers configs
package string OS specific Set package name (for unsupported platforms)
package_ensure string present latest, absent, or a specific package version
package_source string OS specific Set package source (for unsupported platforms)
purge boolean true Purge unmanaged files from config_dir
purge_ignore string undef Files excluded from purging in config_dir
config_file string OS specific Set config_file (for unsupported platforms)
config_file_replace boolean true Replace config file with module config file
config_dir string OS specific Set config_dir (for unsupported platforms)
source string OS specific Set source (for unsupported platforms)

sudo::conf class / sudo::configs hash parameters

Parameter Type Default Description
ensure string present present or absent
priority number 10 file name prefix
content string undef content of configuration snippet
source string undef source of configuration snippet
sudo_config_dir string OS Specific configuration snippet directory (for unsupported platforms)
sudo_file_name string undef custom file name for sudo file in sudoers directory
Something went wrong with that request. Please try again.