What is the best way to ignore missing groups?

asked 2015-01-30 10:58:35 -0600

Vladimir-csp


I have a simple infrastructure with a couple dozen hosts and plain unix users/groups. Some users are allowed to use some tools, i.e. VirtualBox, so they are included in the vboxusers group. But the problem is: VirtualBox is installed only on a few hosts, therefore the group vboxusers is missing on all other hosts.

I have no intention to clutter hosts with useless groups, so I need to avoid failing group dependencies for users. Back in the days of Puppet 2.x I made a dirty hack by writing a defined class and scripts with complex conditioning. All that stuff allowed me to declare a user with arrays of preferred groups for inclusion and exclusion along with some other parameters, i.e.:

     ingroups => ['group1','group2'],
     exgroups => ['group3','group4'],

So, on every host where john_doe is declared, he would be included in group1, group2 and excluded from group3, group4. Existing non-specified membership would be left untouched, and no action would be taken if everything is already done or if the group is missing on the host. But this required heavy and ugly scripting.

What is the best way of implementing such mechanics today (with hiera and stuff)? I am totally not willing to confine myself to the stock $groups and $membership mechanics of the 'user' type. It is totally inflexible: you either get a rigid membership list or a loose list without the ability to exclude specific groups, and just one and only plusignment ability.

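The reconciliation rules described in the question (include, exclude, leave other memberships alone, skip groups missing on the host, do nothing when already correct) can be written as a small shell sketch. This is an added example, not the asker's original script and not Puppet code; the function names `plan_groups` and `sync_user_groups` are hypothetical, and letting an exclusion win over an inclusion of the same group is an assumption.

```shell
#!/bin/sh
# Added example: supplementary-group reconciliation for one user.
# Lists are single-space separated; plain unix group names (no spaces) assumed.

# in_list NAME "LIST": succeed if NAME is a member of LIST.
in_list() {
    case " $2 " in
        *" $1 "*) return 0 ;;
    esac
    return 1
}

# plan_groups CURRENT INGROUPS EXGROUPS HOSTGROUPS
# Prints "keep" when membership is already correct, otherwise
# "set:<comma list>" with the supplementary groups the user should end up in.
plan_groups() (
    current=$1 want=$2 deny=$3 host=$4 target=
    # Unspecified existing memberships survive; excluded ones are dropped.
    for g in $current; do
        in_list "$g" "$deny" || target="$target $g"
    done
    # Wanted groups are added only if they exist on this host.
    for g in $want; do
        in_list "$g" "$host" || continue    # missing here: skip, not an error
        in_list "$g" "$deny" && continue    # assumption: exclusion wins on conflict
        in_list "$g" "$target" || target="$target $g"
    done
    target=${target# }
    if [ "$target" = "$current" ]; then
        echo keep
    else
        echo "set:$(printf '%s' "$target" | tr ' ' ',')"
    fi
)

# sync_user_groups USER INGROUPS EXGROUPS: apply the plan on a live host (as root).
sync_user_groups() {
    primary=$(id -gn "$1") || return 1
    # usermod -G takes supplementary groups only, so drop the primary group.
    current=$(id -nG "$1" | tr ' ' '\n' | grep -Fvx "$primary" | tr '\n' ' ')
    current=${current% }
    host=$(getent group | cut -d: -f1 | tr '\n' ' ')
    plan=$(plan_groups "$current" "$2" "$3" "$host")
    [ "$plan" = keep ] || usermod -G "${plan#set:}" "$1"
}
```

A plan of `set:` with an empty list removes the user from every supplementary group, which is the intended result when all current memberships are excluded.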