users-cookbook

Creates system users based on attributes in data bags.

Setup

Add

gem 'knife-solo_data_bag'

to your Gemfile.

Attributes

The default attributes are:

create

create indicates which of the users in your data bags should actually be created. The default is the special value '*', which means all.

Note: if create is set to an empty array, no users will be created.

default['users']['create'] = '*'

accessed_by

default['users']['accessed_by'] = {}

Each user can be configured to accept SSH access with the private keys of other users (see below). Individual users' 'accessed_by' arrays can be overridden via the 'accessed_by' attribute on a node, which maps users to a list of other users who can access them.

Overriding users' accessed_by attribute:

node['users']['accessed_by'] = {'fred' => ["bob"]}

sudo_groups

default['users']['sudo_groups'] = %w(sudo admin)
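As an added example (not the cookbook's own code), the two functions below show how the 'create' and 'accessed_by' node attributes described above could be applied to a list of users data bag items: '*' selects every user, an empty array selects none, and a per-node override replaces a user's own 'accessed_by' list. The function names and the sample items are this example's own assumptions.

```ruby
# Added example, not the cookbook's recipe code. Function names are hypothetical.

# Return the subset of data bag items selected by node['users']['create'].
# '*' selects all; an empty array selects none; otherwise only the ids listed.
def select_users(items, create_attr)
  return items if create_attr == '*'
  wanted = Array(create_attr)
  return [] if wanted.empty?
  items.select { |item| wanted.include?(item['id']) }
end

# Resolve the effective accessed_by list for one user: an entry in
# node['users']['accessed_by'] replaces the data bag value; root ignores it.
def effective_accessed_by(item, overrides)
  return [] if item['id'] == 'root'
  if overrides.key?(item['id'])
    Array(overrides[item['id']])
  else
    Array(item['accessed_by'])
  end
end

# Constructed sample data bag items (not taken from the page).
SAMPLE_ITEMS = [
  { 'id' => 'fred', 'accessed_by' => ['alice'] },
  { 'id' => 'bob',  'accessed_by' => [] },
  { 'id' => 'root', 'accessed_by' => ['fred'] }
].freeze

if __FILE__ == $PROGRAM_NAME
  # Constructed node attributes: create only fred and bob, and let bob into fred.
  node_users = { 'create' => %w[fred bob], 'accessed_by' => { 'fred' => ['bob'] } }
  select_users(SAMPLE_ITEMS, node_users['create']).each do |item|
    puts "#{item['id']}: accessed_by=#{effective_accessed_by(item, node_users['accessed_by']).inspect}"
  end
end
```

Keeping the selection and the override resolution in small pure functions makes the "empty array creates no users" rule easy to check in a unit test before a run touches real accounts.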

Editing User Data

In the root of your kitchen:

Create a data bag

mkdir data_bags
knife solo data bag create users USERNAME

Export data

The following command will give you a JSON string that, when wrapped in single quotes, can be re-imported into a data bag:

knife solo data bag show users USERNAME -F json > JSON_FILE

Import data

Create a new data bag with data exported via the previous step:

knife solo data bag create users USERNAME --json-file JSON_FILE

Data structure

An example of the expected data bag structure is as follows:

{
  "id": "USER_NAME",
  "password": "...",
  "home": "...",
  "attributes": {
    "admin": false
  },
  "groups": ["fred"],
  "public_keys": [
    "ssh-rsa ..."
  ],
  "accessed_by": [
    "OTHER USER NAME"
  ],
  "files": [
    {
      "path": "FILE NAME RELATIVE TO USER'S HOME",
      "mode": "0644",
      "content": "THE FILE CONTENT"
    }
  ],
  "directories": [
    {
      "path": "bin",
      "mode": "0770"
    }
  ]
}
  • id - (required) the user name
  • password - encoded password (see below)
  • home - home directory (defaults to "/home/username" or "/root")
  • attributes:
    • admin - when truthy, adds the user to sudoers
  • groups - a list of extra groups to add the user to
  • files - install user files. You can specify the following:
    • path - (required) the name of the file relative to the user's home
    • mode - file permissions, default: "0644"
    • content - (required) the text to put inside the file
  • directories - create directories. You can specify the following:
    • path - (required) the name of the directory relative to the user's home
    • mode - directory permissions, default: "0700"
  • accessed_by - an array of other users. This user's public keys will be copied to the other users' authorized_keys files, allowing this user to log on as them.

Make an encoded password: this requires the 'mkpasswd' program, which on Debian systems is part of the 'whois' package.

$ mkpasswd --method=sha-512

root

root is treated as special:

  • no home created/managed,
  • no sudo access configured,
  • accessed_by is ignored.

Remember to add the chef deploy key to root's public keys.
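As an added example (not the cookbook's own code), the script below validates a users data bag item against the structure described in "Data structure" and then works out where 'accessed_by' places each user's public keys, following the root rules above. The checks it applies (a plain username, a password that looks like `mkpasswd --method=sha-512` output rather than plaintext, file and directory paths that stay inside the home directory, octal modes, OpenSSH-looking keys) are this example's own choices, and all sample items and hashes are constructed placeholders.

```ruby
# Added example, not the cookbook's recipe code. All names and checks are this example's own.

USERNAME_RE     = /\A[a-z_][a-z0-9_-]{0,31}\z/
CRYPT_SHA512_RE = /\A\$6\$/                       # prefix produced by mkpasswd --method=sha-512
MODE_RE         = /\A0[0-7]{3}\z/
SSH_KEY_RE      = /\A(ssh-(rsa|ed25519)|ecdsa-sha2-nistp\d+) \S+/

# A path is only acceptable if it is relative and cannot climb out of the home directory.
def safe_relative_path?(path)
  return false unless path.is_a?(String) && !path.empty?
  return false if path.start_with?('/')
  path.split('/').none? { |seg| seg == '..' }
end

# Return the list of problems found in one data bag item (empty means it is acceptable).
def validate_user_item(item)
  errors = []
  id = item['id']
  errors << 'id is required and must be a plain username' unless id.is_a?(String) && id =~ USERNAME_RE
  if item.key?('password') && item['password'].to_s !~ CRYPT_SHA512_RE
    errors << 'password must be a SHA-512 crypt hash (mkpasswd --method=sha-512), not plaintext'
  end
  Array(item['files']).each do |f|
    errors << "file #{f['path'].inspect}: path must stay inside the home directory" unless safe_relative_path?(f['path'])
    errors << "file #{f['path'].inspect}: content is required" unless f.key?('content')
    errors << "file #{f['path'].inspect}: bad mode #{f['mode'].inspect}" if f.key?('mode') && f['mode'].to_s !~ MODE_RE
  end
  Array(item['directories']).each do |d|
    errors << "directory #{d['path'].inspect}: path must stay inside the home directory" unless safe_relative_path?(d['path'])
    errors << "directory #{d['path'].inspect}: bad mode #{d['mode'].inspect}" if d.key?('mode') && d['mode'].to_s !~ MODE_RE
  end
  Array(item['public_keys']).each do |k|
    errors << "public key does not look like an OpenSSH key: #{k.inspect}" unless k.to_s =~ SSH_KEY_RE
  end
  errors
end

# Map target user => public keys that end up in that user's authorized_keys.
# A user's keys go to every user named in its accessed_by; root's accessed_by is ignored.
def authorized_keys_plan(items)
  plan = Hash.new { |h, k| h[k] = [] }
  items.each do |item|
    next if item['id'] == 'root'
    Array(item['accessed_by']).each { |target| plan[target].concat(Array(item['public_keys'])) }
  end
  plan
end

# Constructed sample items; the hash and key bodies are placeholders, not real credentials.
SAMPLE_USERS = [
  { 'id' => 'fred', 'password' => '$6$saltsalt$hashhashhash',
    'public_keys' => ['ssh-ed25519 AAAAC3example fred@laptop'], 'accessed_by' => ['bob'],
    'files' => [{ 'path' => '.bashrc', 'mode' => '0644', 'content' => 'export EDITOR=vim' }],
    'directories' => [{ 'path' => 'bin', 'mode' => '0770' }] },
  { 'id' => 'bob', 'public_keys' => ['ssh-rsa AAAAB3example bob@desk'] },
  { 'id' => 'root', 'public_keys' => ['ssh-rsa AAAAB3example chef-deploy'], 'accessed_by' => ['fred'] },
  { 'id' => 'Mallory!', 'password' => 'hunter2',
    'files' => [{ 'path' => '../../etc/cron.d/job', 'content' => '...' }] }
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_USERS.each { |u| puts "#{u['id']}: #{validate_user_item(u).inspect}" }
  puts authorized_keys_plan(SAMPLE_USERS).inspect
end
```

Run against the constructed items, the first three pass, the fourth is rejected for its username, plaintext password and escaping file path, and the plan shows fred's key landing only in bob's authorized_keys (root's 'accessed_by' entry has no effect). Running such a check in CI before `knife solo data bag create` catches a plaintext password or a stray `..` in a path before it reaches a node.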
