
How can I have multiple uses of the same group resource?

asked 2016-12-29 15:28:12 -0500 by OUberLord, updated 2016-12-29 15:28:59 -0500

Background: I am making puppet modules that will handle the Windows server configuration for one of our platforms. One module handles if the server is a web server, and another handles if it's an application server. These modules are intended so that they can both be run if the resulting server should have both layers. A third module has been created for any resources that would be the same for each, and the other modules include it.

The method above has worked great for fixing true collisions where the same thing was run in both of the main modules, as it allows me to just define it once. However, I am hitting a similar problem when it comes to establishing a means of configuring local Administrator group membership.

The web server would need User A and User B as local Administrators. Meanwhile, the application server would only need User A and User C. I previously tried the following method:

For the web module:

group { 'Local Administrators - Web':
  name            => 'Administrators',
  ensure          => present,
  members         => ['DOMAIN\\UserA','DOMAIN\\UserB'],
  auth_membership => false,
}

For the application module:

group { 'Local Administrators - Application':
  name            => 'Administrators',
  ensure          => present,
  members         => ['DOMAIN\\UserA','DOMAIN\\UserC'],
  auth_membership => false,
}

However, this collides, as both groups have the same name. I then tried (as I believe I have in the past) to use a user resource to try and get a domain user, but that does not work:

Manifest:

user {'DOMAIN\\UserA':
  ensure => present,
  groups => 'Administrators',
}

Agent output:

Error: ADSI connection error: failed to parse display name of moniker 'WinNT://DOMAIN/UserA,user'
    HRESULT error code:0x800706ba
      The RPC server is unavailable.
Wrapped exception: failed to parse display name of moniker 'WinNT://DOMAIN/UserA,user'
    HRESULT error code:0x800706ba
      The RPC server is unavailable.
Error: /Stage[main]/Abp_global/User[DOMAIN\UserA]/groups: change from to Administrators failed: ADSI connection error: failed to parse display name of moniker 'WinNT://DOMAIN/UserA,user'
    HRESULT error code:0x800706ba
      The RPC server is unavailable.

So, I'm kind of stuck. The way of being able to define a resource with a unique name (the user resource) doesn't seem to work, based on threads such as this one. The method that does work (the group resource) has collision issues since I'm calling it against the same group (Administrators) 2-3 times.

I feel like I'm reaching a point where I'm going to have to roll my own checking via the Exec resource and PowerShell, but that seems silly for something like this.

Does anyone have any ideas that I am missing?


1 Answer

answered 2016-12-30 12:10:18 -0500 by puser

A couple of ways around this. The first is to create a params.pp file that takes in your parameter that defines a web server versus an application server and sets the group accordingly, like so:

# Puppet conditionals need braces around each branch
if $web_server == true {
  $users = ['DOMAIN\\UserA','DOMAIN\\UserB']
} else {
  $users = ['DOMAIN\\UserA','DOMAIN\\UserC']
}

then in your init.pp you can do:

# It might not just be $users, it might be like $params.users or something; I am doing this from memory
group { 'Local Administrators - Application':
  name            => 'Administrators',
  ensure          => present,
  members         => $users,
  auth_membership => false,
}

You could also define a local hiera database in your manifest like:

module_name/hiera.yaml

---
version: 4
datadir: data
hierarchy:
  - name: "%{::server_type}"
    backend: yaml

Then have a data folder in your manifests folder (pointed to by the datadir field in hiera.yaml above) with a folder whose name keys off of "%{::server_type}"

So in <module_name>/data you would have a web.yaml and an application.yaml file.

web.yaml:

---
# YAML list items need "- " with a space, and YAML single quotes do not
# process backslash escapes, so one backslash gives DOMAIN\UserA (the same
# value the manifest's Puppet-quoted 'DOMAIN\\UserA' produces)
users:
  - 'DOMAIN\UserA'
  - 'DOMAIN\UserB'

application.yaml

---
users:
  - 'DOMAIN\UserA'
  - 'DOMAIN\UserC'

Then just have one group that uses users

group { 'Local Administrators - Application':
  name            => 'Administrators',
  ensure          => present,
  members         => $users,
  auth_membership => false,
}

For the second example you would need to define on the puppet master the variable %{::server_type} and how it gets set.


Comments

I would lean toward defining the users in hiera, and utilizing hiera_hash or hiera_array to bring all of the appropriate users together, and then instantiate them in an appropriate 'users' module

DarylW (2017-01-03 08:47:49 -0500)

I'm starting to dig back into this after the holiday weekend. Your reply (and DarylW's comment) seem to have me on a good path. I've never used hiera before (still relatively new to Puppet in general) so I'm starting to do some reading. Are there any guides you've seen to get started with hiera?

OUberLord (2017-01-03 09:41:41 -0500)

I think your best bet is to find a module that has a hiera database included, once you do that you can mimic the tree structure and functionality for your needs.

puser (2017-01-04 06:45:30 -0500)

I've been doing some reading on Hiera and looking at some other modules, and while I think I'm understanding much of it something still eludes me. How would I combine those two in the event that a server would need to run both the app and web layers? Concat and hiera_array seem like options.

OUberLord (2017-01-04 14:35:53 -0500)

A simple way would be to have a server_name.yaml file that has one or two attributes where one would be web_server = true and the other is app_server = true. Or assign a class to the server on the puppet master that applies one class or two depending on if it is the app / web or both.

puser (2017-01-06 06:54:32 -0500)
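Putting the answer's per-layer lists together with the "both layers on one box" case raised in the comments, the following is an added example (not code from the original thread). It assumes the shared module is called abp_global (the name visible in the agent output above), the layer modules are abp_web and abp_app, and the two role flags come from Hiera or a fact; the account names are constructed sample data. The idea is that exactly one class owns the Administrators group, every layer module merely includes it, and the member list is the union of whichever layers are switched on, so the resource is declared once no matter how many layers a node runs:

```puppet
# abp_global/manifests/local_admins.pp (hypothetical module and class names)
#
# One class owns the local Administrators group. Both layer modules
# `include` it, so it is declared exactly once regardless of how many
# layers a node runs. Role flags and member lists are class parameters,
# so they can be bound from Hiera by automatic parameter lookup
# (abp_global::local_admins::web_server: true in the node's yaml, as the
# comments suggest) instead of being hard-coded here.
class abp_global::local_admins (
  Boolean       $web_server  = false,
  Boolean       $app_server  = false,
  # Per-layer member lists (constructed sample data)
  Array[String] $web_admins  = ['DOMAIN\\UserA', 'DOMAIN\\UserB'],
  Array[String] $app_admins  = ['DOMAIN\\UserA', 'DOMAIN\\UserC'],
  # Accounts that stay in the group whatever the role, e.g. the built-in
  # local Administrator as a break-glass login (assumption: not renamed)
  Array[String] $base_admins = ['Administrator'],
) {
  # Union of the active layers' lists: `+` concatenates arrays and `unique`
  # drops the DOMAIN\UserA that both layers contribute. `unique` is core
  # from Puppet 5.5; on Puppet 4 it comes from puppetlabs-stdlib.
  $wanted = unique(
    $base_admins
    + ($web_server ? { true => $web_admins, default => [] })
    + ($app_server ? { true => $app_admins, default => [] })
  )

  group { 'Administrators':
    ensure          => present,
    members         => $wanted,
    # false keeps the original post's additive behaviour: these members are
    # added and any other existing member is left alone.
    auth_membership => false,
  }
}

# Layer modules contribute nothing to the group directly; `include` is
# idempotent, so a node running both layers still gets one declaration.
class abp_web {
  include abp_global::local_admins
  # ... web-server resources ...
}

class abp_app {
  include abp_global::local_admins
  # ... application-server resources ...
}

# Node classification for a server carrying both layers. A resource-like
# declaration must come before any `include` of the same class; with the two
# flags bound from Hiera this block would reduce to plain includes.
class { 'abp_global::local_admins':
  web_server => true,
  app_server => true,
}
include abp_web
include abp_app
```

Applied to a node with both flags true, the group ends up containing Administrator, DOMAIN\UserA, DOMAIN\UserB and DOMAIN\UserC; with only web_server true, UserC is never added. Note what `auth_membership => false` means for a privileged group: Puppet will add the listed accounts but never remove anyone, so an admin added by hand, or left over from a layer that was later turned off, stays in Administrators. If Puppet is meant to be the authority on who is a local administrator, set `auth_membership => true` and make sure `$base_admins` includes every account that must survive, because the listed members then become the whole group.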
