6

Best way to deal with temporary state changes?

asked 2013-02-11 12:36:32 -0500

llowder

I've got a situation where I need to have one aspect of the state of the server change periodically, but only temporarily.

The specific case has to do with Likewise rules that control who has the rights to log in to a server, as well as a related set of sudoers rules.

Under normal circumstances, developers are not allowed to log in to production boxes. However, there are times when they need to be granted access and given access to a set of commands they can run using sudo.

When this access is granted, it is for one night only ...

3 Answers

4

answered 2013-02-11 18:55:40 -0500

Stefan

updated 2013-02-11 18:56:03 -0500

That is a really good question and I'm curious what others might answer here. Right now I can only think of three options:

  • disable puppet on the node and make the change by hand. If you monitor your puppet agents you will be notified in case you forget to re-enable puppet again (probably the worst option)
  • if the hiera data is in git you could set the flag and commit the change and then set up an at job that will revert the commit at the specified time
  • if you currently have a simple developer_access yes/no flag you ...

Comments

Option 2 sounds interesting, I'll have to research that. I've not yet had a reason to write a custom function, but I have been looking for one. I ...

llowder ( 2013-02-12 09:08:10 -0500 )
1

I've implemented option 3 of this answer - using a custom function. It was a bit annoying due to Ruby's date/time handling, but it'll work. Will still ...

llowder ( 2013-02-12 14:46:35 -0500 )
1

answered 2013-02-15 10:52:53 -0500

binford2k

Our initial implementation will be to have one of the admins set a flag in our hiera data that will enable the access. We then have to remember to clear this the next morning so that access is revoked.

This doesn't seem to be a bad approach, though I'd make it a timestamp instead. Then your manifest could check to see if that timestamp has expired and automatically revoke permissions.


Comments

I wound up using a flag + 2 date-time strings with a custom function, to give us the greatest flexibility (i.e., enable part of the system while preventing devs from having ...

llowder ( 2013-02-15 10:56:09 -0500 )
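
The time-window check discussed in the answers above (an enable flag plus start and end date-time strings), sketched in plain Ruby so it runs outside Puppet. This is an added example, not llowder's function or any code from the thread; the method names, the 16-hour cap and the sample values are assumptions.

```ruby
require 'time'

# Hypothetical cap: a grant is "for one night only", so refuse longer windows.
MAX_WINDOW_SECONDS = 16 * 3600

# Parse a strict ISO 8601 timestamp that carries an explicit UTC offset.
# Returns nil instead of raising so callers can fail closed.
def parse_strict_time(value)
  return nil unless value.is_a?(String)
  return nil unless value =~ /(Z|[+-]\d\d:\d\d)\z/
  Time.iso8601(value)
rescue ArgumentError
  nil
end

# Decide whether temporary developer access is active at `now`.
# Any missing or malformed input results in "no access".
def dev_access_active?(enabled, not_before, not_after, now = Time.now)
  return false unless enabled == true # assumption: only a real boolean counts
  start  = parse_strict_time(not_before)
  finish = parse_strict_time(not_after)
  return false if start.nil? || finish.nil?
  return false unless finish > start
  return false if finish - start > MAX_WINDOW_SECONDS
  now >= start && now < finish
end

# Constructed sample data, shaped like values an admin might set in hiera.
SAMPLE_GRANT = {
  'enabled'    => true,
  'not_before' => '2013-02-11T18:00:00-05:00',
  'not_after'  => '2013-02-12T06:00:00-05:00'
}.freeze

if __FILE__ == $PROGRAM_NAME
  [
    '2013-02-11T17:59:59-05:00', # before the window
    '2013-02-11T23:30:00-05:00', # during the window
    '2013-02-12T06:00:00-05:00'  # at expiry: already revoked
  ].each do |ts|
    g = SAMPLE_GRANT
    active = dev_access_active?(g['enabled'], g['not_before'], g['not_after'], Time.iso8601(ts))
    puts "#{ts} -> #{active ? 'grant' : 'deny'}"
  end
end
```

Because the window is evaluated on every catalog run, access ends on the first run after the end time even if nobody clears the flag, and a typo in either timestamp denies access rather than leaving it open.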
1

answered 2013-02-11 18:52:03 -0500

ashp

This might not be exactly what you're looking for but it might be possible to do this in mcollective. If you use the puppetral plugin you could execute a small manifest to allow the developers access and then use the puppet plugin to block further puppet runs. When the developers' access expires you would trigger mcollective to unlock puppet and let it reset things to normal.


Comments

This is actually pretty close to my original idea, but I'd be using cron and puppet apply on the master as I don't yet have MCO installed (it ...

llowder ( 2013-02-12 09:06:43 -0500 )

Stats

Asked: 2013-02-11 12:36:32 -0500

Seen: 7,501 times

Last updated: Feb 15 '13