Configure and manage sudo and sudoers files
Copyright (c) 2020 UL HPC Team <[email protected]>
| Project Page | Sources | Documentation | Issues |
Manage sudo configuration via Puppet.
This module implements the following elements:

- Puppet classes:
    - `sudo`
    - `sudo::common`
    - `sudo::common::debian`
    - `sudo::common::redhat`
    - `sudo::params`
- Puppet definitions:
    - `sudo::alias::command`
    - `sudo::alias::host`
    - `sudo::alias::user`
    - `sudo::conf`
    - `sudo::defaults::spec`
    - `sudo::directive`
All these components are configured through a set of variables you will find in `manifests/params.pp`.
Note: the various operations that can be conducted from this repository are piloted from a `Rakefile` and assume you have a running Ruby installation. See `docs/contributing.md` for more details on the steps you shall follow to have this `Rakefile` working properly.
See `metadata.json`. In particular, this module depends on
`sudo` is the main class defined in this module. Use it as follows:

```puppet
include 'sudo'
```

See also `tests/init.pp`.
The definition `sudo::directive` provides a simple way to write parts of the sudo configuration. With a sudo version >= 1.7.2 (the release that introduced `#includedir`, so each directive lands in its own file), the directive content is validated with `visudo` before it is installed, and the file is removed if its syntax is not correct. This check matters: a single malformed fragment under `/etc/sudoers.d` makes sudo refuse every invocation on the host until it is fixed.

This definition accepts the following parameters:

- `$ensure`: defaults to `'present'`, can be `'absent'` (BEWARE: it will remove the associated file)
- `$content`: specify the contents of the directive as a string
- `$source`: copy a file as the content of the directive
Example:

```puppet
sudo::directive {'admin_users':
  content => "%admin ALL=(ALL) ALL\n",
}
sudo::directive {'vagrant':
  content => "%vagrant ALL=(ALL) NOPASSWD: ALL\n"
}
```

On recent versions of sudo, this typically creates a new file `/etc/sudoers.d/admin_users` (or `/etc/sudoers.d/vagrant`). Note that the second directive grants every member of the `vagrant` group unrestricted, passwordless root: acceptable on a disposable Vagrant box, not on a production host.

See also `tests/directive.pp`.
The definition `sudo::alias::command` defines a command alias in the sudoers files (directive `Cmnd_Alias`). These are groups of related commands that user specifications can then refer to by name.

This definition accepts the following parameters:

- `$ensure`: defaults to `'present'`, can be `'absent'`
- `$commandlist`: list of commands to add in the definition of the alias (the example below passes it under the key `cmdlist`; `manifests/alias/command.pp` is authoritative for the parameter name actually declared)
Example:

```puppet
sudo::alias::command{ 'NETWORK':
  cmdlist => [ '/sbin/route', '/sbin/ifconfig', '/bin/ping', '/sbin/dhclient', '/sbin/iptables' ]
}
```

This will create the following entry in the sudoers files:

```
## Networking
Cmnd_Alias NETWORK = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /sbin/iptables
```

Commands in a `Cmnd_Alias` must be fully qualified paths, and an entry without an argument restriction grants every invocation of that program (here, for instance, rewriting the whole firewall with `/sbin/iptables`).

See also `tests/alias/command.pp`.
The definition `sudo::alias::user` defines a user alias in the sudoers files (directive `User_Alias`). These aren't often necessary, as you can use regular groups (i.e. from files, LDAP, NIS, etc.) in this file: just use `%groupname` rather than a `User_Alias`.

This definition accepts the following parameters:

- `$ensure`: defaults to `'present'`, can be `'absent'`
- `$userlist`: list of users to add in the definition of the alias
Example:

```puppet
sudo::alias::user{ 'ADMINS':
  userlist => [ 'jsmith', 'mikem' ]
}
```

This will create the following entry in the sudoers files:

```
User_Alias ADMINS = jsmith, mikem
```

See also `tests/alias/user.pp`.
The definition `sudo::defaults::spec` defines a `Defaults` specification.

This definition accepts the following parameters:

- `$ensure`: defaults to `'present'`, can be `'absent'`
- `$content`: specify the contents of the directive as a string
- `$source`: copy a file as the content of the directive
Example:

```puppet
sudo::defaults::spec { 'env_keep':
  content => "
Defaults env_reset
Defaults env_keep = \"COLORS DISPLAY HOSTNAME LS_COLORS\"
Defaults env_keep += \"MAIL PS1 PS2 USERNAME LANG LC_ADDRESS LC_CTYPE\"
Defaults env_keep += \"LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES\"
Defaults env_keep += \"LC_TIME LC_ALL LANGUAGE\"\n",
}
```

This will create the following entry in the sudoers files:

```
Defaults env_reset
Defaults env_keep = "COLORS DISPLAY HOSTNAME LS_COLORS"
Defaults env_keep += "MAIL PS1 PS2 USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults env_keep += "LC_TIME LC_ALL LANGUAGE"
```

See also `tests/defaults/spec.pp`.
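As an added example (written for this page, not code from the ULHPC puppet-sudo module): a small Python auditor for the entries that `sudo::directive`, `sudo::alias::command`, `sudo::alias::user` and `sudo::defaults::spec` produce. It parses `Defaults env_keep`, alias and user-specification lines, expands aliases, and flags the grants a reviewer would question; `visudo -cf` stays the syntax oracle, as it is for the module itself. The input is constructed from the examples on this page plus one extra `env_keep` line (PYTHONPATH) that is not on the page; the `RISKY_ENV` list and the severities are this example's own choices.

```python
# Added example (not part of the ULHPC puppet-sudo module): audit what the sudoers
# entries written by sudo::directive, sudo::alias::* and sudo::defaults::spec grant.
import os, re, shutil, subprocess, tempfile
from collections import namedtuple

# Constructed input: the entries the examples on this page generate, concatenated the
# way sudo reads /etc/sudoers.d/*, plus one deliberately risky env_keep line.
SAMPLE_SUDOERS = """\
Defaults env_reset
Defaults env_keep = "COLORS DISPLAY HOSTNAME LS_COLORS"
Defaults env_keep += "MAIL PS1 PS2 USERNAME LANG LC_ADDRESS LC_CTYPE"
# constructed, not from the page: PYTHONPATH is kept only to trigger the env_keep check
Defaults env_keep += "LC_TIME PYTHONPATH"
## Networking
Cmnd_Alias NETWORK = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /sbin/iptables
User_Alias ADMINS = jsmith, mikem
%admin ALL=(ALL) ALL
%vagrant ALL=(ALL) NOPASSWD: ALL
ADMINS ALL=(root) NOPASSWD: NETWORK
"""

ALIAS_RE = re.compile(r"^(Cmnd|User|Host|Runas)_Alias\s+(\w+)\s*=\s*(.+)$")
SPEC_RE = re.compile(r"^(?P<user>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*"
                     r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$")
TAG_RE = re.compile(r"^((?:NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|"
                    r"LOG_INPUT|NOLOG_INPUT|LOG_OUTPUT|NOLOG_OUTPUT):\s*)+")
ENV_RE = re.compile(r'^Defaults\s+env_keep\s*(\+?=)\s*"([^"]*)"')
# Example's own list: variables that let the caller change what a privileged command loads.
RISKY_ENV = {"PATH", "LD_PRELOAD", "LD_LIBRARY_PATH", "PYTHONPATH", "PERL5LIB", "BASH_ENV", "ENV", "IFS"}

Spec = namedtuple("Spec", "line_no user hosts runas tags commands")
Finding = namedtuple("Finding", "line_no severity message")
Sudoers = namedtuple("Sudoers", "aliases env_keep specs")  # aliases: kind -> {name: [members]}


def parse(text):
    """Parse sudoers text into aliases, the effective env_keep list and user specs."""
    s = Sudoers({}, {}, [])
    for n, raw in enumerate(text.splitlines(), 1):
        if raw.lstrip().startswith(("#include", "@include")):
            continue  # included files are not followed by this auditor
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment (quoted '#' / '#uid' not handled)
        if not line:
            continue
        if line.startswith("Defaults"):
            m = ENV_RE.match(line)
            if m:
                if m.group(1) == "=":  # '=' replaces the list, '+=' appends to it
                    s.env_keep.clear()
                s.env_keep.update({v: n for v in m.group(2).split()})
            continue
        m = ALIAS_RE.match(line)
        if m:
            kind, name, members = m.groups()
            s.aliases.setdefault(kind, {})[name] = [x.strip() for x in members.split(",")]
            continue
        m = SPEC_RE.match(line)
        if not m:
            raise ValueError(f"line {n}: cannot parse {line!r}")
        rest, tags = m.group("rest"), []
        t = TAG_RE.match(rest)
        if t:
            tags = [x.strip() for x in t.group(0).split(":") if x.strip()]
            rest = rest[t.end():]
        s.specs.append(Spec(n, m.group("user"), m.group("hosts"), m.group("runas") or "root",
                            tags, [c.strip() for c in rest.split(",")]))
    return s


def expand(s, kind, item):
    """Recursively replace an alias name of the given kind by its members."""
    table = s.aliases.get(kind, {})
    if item not in table:
        return [item]
    return [x for member in table[item] for x in expand(s, kind, member)]


def audit(text):
    """Return policy findings for a sudoers text, ordered by line number."""
    s = parse(text)
    findings = [Finding(n, "MEDIUM", f"env_keep preserves {v}, which can redirect what a privileged command runs")
                for v, n in s.env_keep.items() if v in RISKY_ENV]
    for sp in s.specs:
        who, nopw = ",".join(expand(s, "User", sp.user)), "NOPASSWD" in sp.tags
        for cmd in (c for item in sp.commands for c in expand(s, "Cmnd", item)):
            if cmd.startswith("!"):
                continue  # a negated entry excludes commands, it grants nothing
            prog = cmd.split()[0]
            if prog == "ALL":
                findings.append(Finding(sp.line_no, "HIGH" if nopw else "MEDIUM",
                                        f"{who} may run any command as ({sp.runas})" + (" without a password" if nopw else "")))
            elif prog != "sudoedit" and not prog.startswith("/"):
                findings.append(Finding(sp.line_no, "HIGH", f"{who}: {prog!r} is not a fully qualified path; undefined Cmnd_Alias?"))
    return sorted(findings, key=lambda f: f.line_no)


def visudo_check(text):
    """Syntax-check with `visudo -cf` (the module's own check); None when visudo is absent."""
    visudo = shutil.which("visudo")
    if visudo is None:
        return None
    with tempfile.NamedTemporaryFile("w", suffix=".sudoers", delete=False) as fh:
        fh.write(text)
    try:
        return subprocess.run([visudo, "-cf", fh.name], capture_output=True).returncode == 0
    finally:
        os.unlink(fh.name)
```

Import it and call `audit(SAMPLE_SUDOERS)`: the `%vagrant` rule is reported as HIGH (any command, no password), `%admin` and the kept PYTHONPATH as MEDIUM, while the `ADMINS`/`NETWORK` rule produces no finding because every command is a fully qualified path. `visudo_check` returns None when visudo is not installed; some visudo versions also reject a file that is not root-owned with mode 0440, so read a False result together with visudo's own message rather than as proof of a syntax error.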
You can of course configure the sudo module in your `Puppetfile` to make it available with Librarian puppet or r10k by adding the following entry:

```ruby
# Modules from the Puppet Forge
mod "ULHPC-sudo"
```

or, if you prefer to work on the git version:

```ruby
mod "ULHPC-sudo",
    :git => 'https://github.com/ULHPC/puppet-sudo',
    :ref => 'production'
```
You can submit bugs, issues and feature requests using the ULHPC-sudo Puppet Module Tracker.

If you want to contribute to the code, you should be aware of the way this module is organized. These elements are detailed in `docs/contributing.md`.

You are more than welcome to contribute to its development by sending a pull request.
The best way to test this module in a non-intrusive way is to rely on Vagrant. The `Vagrantfile` at the root of the repository pilots the provisioning of various Vagrant boxes available on Vagrant Cloud that you can use to test this module. See `docs/vagrant.md` for more details.
Read the Docs (aka RTFD) hosts documentation for the open source community, and the ULHPC-sudo Puppet module has its documentation (see the `docs/` directory) hosted on readthedocs. See `docs/rtfd.md` for more details.
This project and the sources proposed within this repository are released under the terms of the GPL-3.0 licence.