How can I use Puppet to Enforce Group Membership?

asked 2014-10-29 14:23:42 -0500

Aaron Copley

updated 2014-10-29 15:58:22 -0500

I've seen a number of examples for adding users to %wheel. These are all variations of the same thing; inserting a user node at the end.

What I need to do is also remove users that are added outside of configuration management. For Puppet to manage the group, only users defined in my Puppet class should be present and any others removed.

Seems like exec'ing a simple Sed command would be much easier, but so many people say to try to stay away from exec.

Of course, I tried referencing the documentation for stock lens 'Group', but the page 404s.


Comments

In case anyone else struggles with this, note that on Linux, Puppet's 'group' type cannot manage group members. The feature request is here: https://tickets.puppetlabs.com/browse/PUP-1298

stefanlasiewski (2015-11-25 14:46:41 -0500)

1 Answer


answered 2014-10-29 15:55:36 -0500

Aaron Copley

Defining wheel users this way causes them to be added, but if you remove jane from the class, she will not be removed from the wheel group on the next Puppet run.

class wheel {
  augeas { "wheelgroup":
    context => "/files/etc/group/wheel",
    changes => [
      'set user[1] bob',
      'set user[2] jane',
    ]
  }
}

The only way I have found around this is to purge the wheel group and re-add them each time.

class wheel {
  augeas { "wheelgroup":
    context => "/files/etc/group/wheel",
    changes => [
      'rm user',
      'set user[1] bob',
      'set user[2] jane',
    ]
  }
}

I considered an onlyif to match my defined users to prevent this from running on each Puppet run. However, this is also the only way to remove users added outside of Puppet to ensure that %wheel is solely managed by Puppet.

If there are better alternatives, I am open to suggestions and will leave this question open.


Comments

I think removing the group and then re-adding is unfortunately the 'best' current way to solve this issue.

smbambling (2014-10-30 09:26:23 -0500)

Is it possible to parametrize this sort of class with an indeterminate number of users? Or leverage Hiera? I'm afraid I don't know how to abstract the data from the code in this case. (Leading me back to using Sed...)

Aaron Copley (2014-10-30 17:08:16 -0500)
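The following is an added example, not code from the question or the answer above. It takes the answer's "purge and re-add" Augeas pattern and addresses the follow-up comment about an indeterminate number of users: the member list becomes a class parameter (so it can come from Hiera), and an `onlyif` stops Puppet from rewriting /etc/group and reporting a change on every run when the group already matches. Anyone added to %wheel by hand is removed on the next run, which is the whole point when the group grants sudo. The class name, parameter names and resource title are my own; it assumes a Puppet agent recent enough for the built-in `join` function (5.5+) and for the `values <MATCH_PATH> != <AN_ARRAY>` onlyif form of the augeas type, so check your version's type reference before relying on it.

```puppet
# Added example (not from the original thread): enforce that a group in
# /etc/group contains exactly $members, in the declared order.
# Assumes Puppet >= 5.5 (built-in join) and an augeas type that supports the
# 'values <path> != <array>' onlyif form.
class exact_group_members (
  # Restrict member names to the usual Linux account-name syntax so a
  # malformed value cannot smuggle extra tokens into the Augeas commands.
  Array[Pattern[/\A[a-z_][a-z0-9_-]*\$?\z/]] $members,
  String[1]                                  $group = 'wheel',
) {
  # One 'set user[N] name' per member; Augeas node indices start at 1.
  $set_members = $members.map |Integer $i, String $name| {
    "set user[${i + 1}] ${name}"
  }

  # Quoted, comma-separated list in the array form the onlyif compares against.
  $quoted   = $members.map |String $name| { "'${name}'" }
  $expected = $quoted.join(', ')

  augeas { "${group}_exact_members":
    context => "/files/etc/group/${group}",
    # Load only /etc/group with the Group lens instead of the whole /files tree.
    lens    => 'Group.lns',
    incl    => '/etc/group',
    # Purge every member node, then re-create them in the declared order.
    changes => ['rm user'] + $set_members,
    # Skip the rewrite unless the live member list differs from what we declare.
    # The comparison is ordered, so it also repairs out-of-order entries.
    onlyif  => "values user != [${expected}]",
  }
}

# Usage, e.g. from site.pp (hypothetical member names):
class { 'exact_group_members':
  group   => 'wheel',
  members => ['bob', 'jane'],
}
```

With automatic parameter lookup the same data can live in Hiera as `exact_group_members::members: ['bob', 'jane']` and `exact_group_members::group: wheel`, with no code change. Declaring `members => []` empties the group entirely, which is usually what you want for an unused privileged group; and because the Augeas commands are derived from the typed parameter, a name that does not match the pattern fails at catalog compilation rather than producing a half-applied /etc/group.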
