Ottomata has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/379004 )
Change subject: [WIP] Allow admin module to ensure system user membership in managed groups ...................................................................... [WIP] Allow admin module to ensure system user membership in managed groups Bug: T174465 Change-Id: I495942b6a65db7058a6272277ada9f0286a4ba9e --- M modules/admin/README M modules/admin/data/data.yaml M modules/admin/manifests/groupmembers.pp M modules/statistics/manifests/discovery.pp 4 files changed, 32 insertions(+), 3 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/04/379004/1 diff --git a/modules/admin/README b/modules/admin/README index 89388c9..e3dc476 100644 --- a/modules/admin/README +++ b/modules/admin/README @@ -54,6 +54,15 @@ realname: Foo Bar ssh_keys: [ssh-rsa mykeyhash foobar@mac] +- Ensuring a system user is in a group: (see note below about system user group membership) + groups: + mygroup: + ensure: present + gid: 551 + members: [foo, bar] + system_members: [www-data] + + # NOTE: To choose the UID for a new user please lookup # the existing UID in (labs) LDAP and use that. # currently you do this on terbium, example: @@ -256,3 +265,15 @@ If you try to apply two groupings with the same posix names on a single node you see: Duplicate definition: Admin::Group[$POSIX_NAME] is already defined + + +System user group membership: + +Sometimes it is useful to declare that a system user should be in a group with other +human user accounts. This module will not manage any system users, but it does support +ensuring that system users are in groups that it does manage. Add system users to a group +by providing a list of system_members in your group declaration. + +Your system user *must* already exist by the time the admin module ensures group membership. +If it doesn't, the groupmembers exec will fail. + diff --git a/modules/admin/data/data.yaml b/modules/admin/data/data.yaml index 386b3dd..694cc0a 100644 --- a/modules/admin/data/data.yaml 
+++ b/modules/admin/data/data.yaml @@ -252,6 +252,7 @@ flemmerich, mkroetzsch, akrausetud, filippo, pmiazga, faidon, piccardi, fdans, eevans, anomie, demon, ladsgroup, musikanimal, joewalsh, kaldari, goransm, ema, dsaez, shiladsen, rho] + system_members: [analytics-search] analytics-admins: gid: 732 description: Admin access to analytics cluster. diff --git a/modules/admin/manifests/groupmembers.pp b/modules/admin/manifests/groupmembers.pp index 4a3256a..f22bbdc 100644 --- a/modules/admin/manifests/groupmembers.pp +++ b/modules/admin/manifests/groupmembers.pp @@ -15,11 +15,16 @@ $gdata = $::admin::data['groups'][$name] $members = $gdata['members'] + $system_members = $gdata['system_members'] - if !empty($members) { - $joined_user_list = join($members,',') + # This contains all human members, as well as any system account + # members of this group. + $all_members = concat($members, $system_members) + + if !empty($all_members) { + $joined_user_list = join($all_members,',') } else { - $joined_user_list = $default_member + $joined_user_list = join($default_member) } if has_key($gdata, 'posix_name') { diff --git a/modules/statistics/manifests/discovery.pp b/modules/statistics/manifests/discovery.pp index 0310483..499fc0d 100644 --- a/modules/statistics/manifests/discovery.pp +++ b/modules/statistics/manifests/discovery.pp 
@@ -12,6 +12,8 @@ # Path in which the R library will reside $rlib_dir = "${dir}/r-library" + + # TODO: User the analytics-search user instead. $user = 'discovery-stats' # Setting group to 'analytics-privatedata-users' so that Discovery's Analysts # (as members of analytics-privatedata-users) have some privileges, and so -- To view, visit https://gerrit.wikimedia.org/r/379004 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I495942b6a65db7058a6272277ada9f0286a4ba9e Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Ottomata <ao...@wikimedia.org> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
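Review bot: in the modules/admin/README hunk at @@ -256,3 +265,15 @@, the new "System user group membership" section states that "the groupmembers exec will fail" when the system user does not yet exist, but it does not say how a caller is expected to order things; since the module explicitly does not manage system users, it would help to spell out that the declaring manifest must make the user resource (or the package that creates it) come before the admin groups, and to name the exec so the failure is recognisable in the agent log.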
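Review bot: the data.yaml hunk at @@ -252,6 +252,7 @@ adds `system_members: [analytics-search]` to a group whose name is outside the visible context but which carries a long list of human members; a system account in that group inherits every file permission the group grants, so a one-line comment in the data referencing T174465 and saying which service runs as analytics-search would make the grant reviewable later, especially since the discovery.pp hunk in this same change still uses `discovery-stats` and only leaves a TODO to switch.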
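Review bot: in the groupmembers.pp hunk at @@ -15,11 +15,16 @@, `$system_members = $gdata['system_members']` is undef for every group that does not declare the new key, and stdlib `concat()` appends a non-array second argument as an element rather than rejecting it, so `$all_members` will end with an empty entry and `$joined_user_list` with a trailing comma for all existing groups; guard it with something like `$system_members = pick($gdata['system_members'], [])` or an explicit `has_key()` check. Separately, the else branch changed from `$joined_user_list = $default_member` to `join($default_member)`: if `$default_member` is a string that call raises in stdlib, and if it is an array the names are concatenated with no separator because no `','` is passed, so either restore the original assignment or use `join($default_member, ',')`.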
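Review bot: in the discovery.pp hunk at @@ -12,6 +12,8 @@, the added comment reads "TODO: User the analytics-search user instead." and should be "Use the analytics-search user instead."; also, since this TODO is the only change to the module, the `system_members` entry added in data.yaml has no consumer yet in this change, which is worth stating in the commit message while it is marked WIP.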