Creates system users based on attributes in data bags.
Add
gem 'knife-solo_data_bag'
to your Gemfile.
The default attributes are:
create - indicates which of the users in your data bags should actually be created. The default is the special value '*', which means all. Note: if create is set to an empty array, no users will be created.
default['users']['create'] = '*'
default['users']['accessed_by'] = {}
Each user can be configured to accept ssh access with the private keys of other users (see below). Individual users' 'accessed_by' arrays can be overridden via the 'accessed_by' attribute on a node, which maps users to a list of other users who can access them.
Overriding users' accessed_by attribute:
node['users']['accessed_by'] = {'fred' => ["bob"]}
default['users']['sudo_groups'] = %w(sudo admin)
In the root of your kitchen:
mkdir data_bags
knife solo data bag create users USERNAME
The following command will give you a JSON string that, when wrapped in single quotes, can be re-imported into a data bag:
knife solo data bag show users USERNAME -F json > JSON_FILE
Create a new data bag with data exported via the previous step:
knife solo data bag create users USERNAME --json-file JSON_FILE
An example of the expected data bag structure is as follows:
{
"id": "USER_NAME",
"password": "...",
"home": "...",
"attributes": {
"admin": false
},
"groups": ["fred"],
"public_keys": [
"ssh-rsa ..."
],
"accessed_by": [
"OTHER USER NAME"
],
"files": [
{
"path": "FILE NAME RELATIVE TO USER'S HOME",
"mode": "0644",
"content": "THE FILE CONTENT"
}
],
"directories": [
{
"path": "bin",
"mode": "0770"
}
]
}
id - (required) the user name
password - encoded password (see below)
home - home directory (defaults to "/home/username" or "/root")
attributes:
- admin - when truthy, adds the user to sudoers
groups - a list of extra groups to add the user to
files - install user files. You can specify the following:
- path - (required) the name of the file relative to the user's home,
- mode - file permissions, default: "0644",
- content - (required) the text to put inside the file.
directories - create directories. You can specify the following:
- path - (required) the name of the directory relative to the user's home,
- mode - file permissions, default: "0700".
accessed_by - an array of other users. This user's public keys will be copied to the other users' authorized_keys files, allowing this user to log on as them.
Make an encoded password: This requires the program 'mkpasswd' which, on Debian systems, is part of the 'whois' package.
$ mkpasswd --method=sha-512
root is treated as special:
- no home created/managed,
- no sudo access configured,
- accessed_by is ignored.
Remember to add the chef deploy key to root's public keys.
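A small lint for users data bag items, added here as an example and not part of the cookbook: it checks an item against the structure documented above (required id, path and content fields, octal mode strings, paths relative to home), flags a password that is not an mkpasswd SHA-512 crypt hash, and warns when accessed_by is set on root, where it is ignored. The sample item is constructed for illustration; its password and key are placeholders.

```ruby
require 'json'

# Constructed sample item in the documented data bag structure. The password
# is a placeholder in the form produced by `mkpasswd --method=sha-512`.
SAMPLE_ITEM = JSON.parse(<<~'JSON')
  {
    "id": "fred",
    "password": "$6$saltsalt$PLACEHOLDERHASH",
    "home": "/home/fred",
    "attributes": { "admin": false },
    "groups": ["fred"],
    "public_keys": ["ssh-ed25519 AAAAC3NzaPLACEHOLDER fred@example"],
    "accessed_by": ["bob"],
    "files": [{ "path": ".bashrc", "content": "export EDITOR=vim" }],
    "directories": [{ "path": "bin", "mode": "0770" }]
  }
JSON

# Modes are strings like "0644", as in the data bag example.
MODE_RE = /\A0[0-7]{3}\z/

# Returns the problems found in one users data bag item; an empty list means
# the item matches the documented structure and uses an encoded password.
def lint_user_item(item)
  problems = []
  problems << 'id is required' unless item['id'].is_a?(String) && !item['id'].empty?
  pw = item['password']
  if pw && !pw.start_with?('$6$') # mkpasswd --method=sha-512 output starts with $6$
    problems << 'password must be an SHA-512 crypt hash, not plaintext'
  end
  Array(item['public_keys']).each do |k|
    problems << "public key does not look like an OpenSSH key: #{k[0, 20]}" unless k.start_with?('ssh-', 'ecdsa-')
  end
  Array(item['files']).each_with_index do |f, i|
    problems << "files[#{i}]: path is required" unless f['path']
    problems << "files[#{i}]: content is required" unless f['content']
    problems << "files[#{i}]: path must be relative to home" if f['path'].to_s.start_with?('/')
    problems << "files[#{i}]: bad mode #{f['mode']}" unless (f['mode'] || '0644') =~ MODE_RE
  end
  Array(item['directories']).each_with_index do |d, i|
    problems << "directories[#{i}]: path is required" unless d['path']
    problems << "directories[#{i}]: bad mode #{d['mode']}" unless (d['mode'] || '0700') =~ MODE_RE
  end
  problems << 'root: accessed_by is ignored' if item['id'] == 'root' && item['accessed_by']
  problems
end
```

Run it over each file under data_bags/users before `knife solo data bag create` to catch a plaintext password or a malformed mode before it reaches a node.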