On Thu, Oct 5, 2017 at 10:35 AM, James Perry <jjperr...@gmail.com> wrote:

> I'm using the saz/sudoers as well and it removes, say ERPM10-20, when I
> remove the user from the host, exactly as expected.
>
> What doesn't happen is the user ERPM10-20 isn't removed from the server.
>
> Let me try to see if I can put it another way to make it clearer.
>
> Say I have ERPM01-01, ERPM01-22 and ERPM02-09 defined. Here is a scenario.
>
> Server Mapping:
> ERPM01-01: servera, serverb, serverc
> ERPM01-22: servera, serverc
> ERPM02-09: serverb, serverc
>
> ERPM User mapping to ERPM accounts based on AD credentials to access
> ERPM.
>
> ERPM01-01: Foo
> ERPM01-22: Bar
> ERPM02-09: Baz
>
> So to get access to servera, serverb or serverc, Foo logs into ERPM with
> AD credentials. ERPM's hosting server then handles providing the
> username (ERPM01-01) to the host and the password. Foo never knows the
> password so they can't ever access the account outside of ERPM.
>
> Now Baz was supporting a DB on serverc, but is moved to another team. We
> get a request to remove ERPM02-09 from serverc.
>
> In Foreman we go to the host, pull that class off serverc.  Since Baz is
> still on serverb, we can't set ensure => absent on the Puppet user block in
> class ERPM02-09 as that will lock him out of serverb. When Puppet runs on
> serverc the sudoers module removes the sudoers.d/erpm02-09.conf file.
>
> Unfortunately the user ERPM02-09 is still on the host.
>
> What I wanted to code up would be to iterate through the ERPMXX-YY classes
> to see if any of the classes are absent. If so it then calls a user block
> to do ensure => absent for ERPM02-09 on serverc and servera while serverb
> will still have the user and sudoers definitions.
>
>
If you're managing all the non-system users with puppet, you can use the
resources type with purge, something like

resources { 'user':
  purge => true,
  unless_system_user => true,
}

See https://docs.puppet.com/puppet/latest/types/resources.html


> What I don't know how to do is to find where I can access the Puppet state
> for classes which are absent.
>
>
You can't, at least not safely or reliably. If you can't use the resources
type with purge, the other option would be to have an "ensure" parameter on
the class which propagates down to the underlying user resource and instead
of removing the class, set that parameter to absent.


> I hope this is a better explanation of what I'm trying to do here.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Developers" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-dev+unsubscr...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/
> msgid/puppet-dev/bac6a93f-c2b8-4ad7-b8c4-c8fda5383df3%40googlegroups.com
> <https://groups.google.com/d/msgid/puppet-dev/bac6a93f-c2b8-4ad7-b8c4-c8fda5383df3%40googlegroups.com?utm_medium=email&utm_source=footer>
> .
>
> For more options, visit https://groups.google.com/d/optout.
>

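The two options in the reply, written out as an added example (this is not code from the thread or from the saz/sudoers module): a defined type whose `ensure` parameter flows down to both the `user` resource and the `sudo::conf` fragment, a per-account class that exposes that parameter so Foreman can set it per host instead of removing the class, and the `resources` purge declared in noop mode first. The names `erpm::account`, `erpm02_09` and the sample sudo rule are assumptions; `sudo::conf` is the saz/sudoers defined type the original poster already uses, and the `sudo` class is assumed to be declared elsewhere as in their setup.

```puppet
# Added example, not from the thread. erpm::account, erpm02_09 and the
# sample sudo rule are assumptions; sudo::conf comes from saz/sudoers and
# the sudo class is assumed to be declared elsewhere on the host.

# One reusable definition per ERPM account. Everything it owns follows
# $ensure, so a host can drop the account without the class being removed.
define erpm::account (
  Enum['present', 'absent'] $ensure    = 'present',
  String                    $sudo_rule = 'ALL=(root) ALL',  # constructed sample rule
) {
  user { $title:
    ensure     => $ensure,
    managehome => true,
    shell      => '/bin/bash',
  }

  # saz/sudoers manages a file under /etc/sudoers.d for this name;
  # ensure => absent removes that file again.
  sudo::conf { $title:
    ensure  => $ensure,
    content => "${title} ${sudo_rule}",
  }

  # Create the account before granting sudo; revoke sudo before deleting it.
  if $ensure == 'present' {
    User[$title] -> Sudo::Conf[$title]
  } else {
    Sudo::Conf[$title] -> User[$title]
  }
}

# Per-account class as assigned in Foreman. Instead of pulling the class
# off serverc, override ensure => 'absent' for serverc only; serverb keeps
# the default 'present' and so keeps both the user and the sudoers entry.
class erpm02_09 (
  Enum['present', 'absent'] $ensure = 'present',
) {
  erpm::account { 'ERPM02-09':
    ensure => $ensure,
  }
}

# Alternative from the reply, for a site manifest or base profile: delete
# every non-system user that no catalog resource declares. Keep noop => true
# for the first run so the agent only reports which users it would remove.
resources { 'user':
  purge              => true,
  unless_system_user => true,
  noop               => true,  # drop once the report lists only expected users
}
```

With the class approach, a Puppet run on serverc after the override removes the sudoers fragment and then the ERPM02-09 account, while serverb is untouched; with the purge approach, check the noop report (or `puppet agent --test --noop`) for every user that would be deleted before turning noop off, because `unless_system_user` only spares accounts below the system UID threshold, not any other locally created account Puppet does not manage.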