After having put no small amount of time into trying to coerce
Puppet into managing some decentralized users, I'm starting to wonder
if it's even possible. I have a network in which some user attributes
vary from node to node, such as UID, GID, and groups. However, short
of a truckload of inheritance (something that obviously doesn't
scale), this doesn't really seem to be something Puppet is capable
of. The inheritance I'm talking about is something like:

    class node1users inherits virt_users {
        # override UIDs/GIDs/groups/etc. specific to node1
    }
    class node2users inherits virt_users {
        # override UIDs/GIDs/groups/etc. specific to node2
    }

As you can see, this gets quite cumbersome as your node count
increases. Certainly, an already centralized directory service like
LDAP is preferred, or at the very least uniform attributes across
nodes. But, when neither is the case, you work with what you've got.
Alas, I think I may have found a somewhat elegant workaround - if it
works. But, testing it is a bit tough at the moment, so I'm hoping
some prying eyes might give it the vote of confidence. If this works,
I'm happy to submit it as a Puppet recipe. My idea is essentially to
have a custom fact that returns either the user's UID/GID on that
particular node, or undef (in which case the next available UID/GID
will be assigned). Consider the following code snippets:

This custom fact will return the user's current UID and pGID, or a
group's GID. Or, it will return undef in the case that the user does
not exist, in which case the user will be assigned the next available
UID/GID:
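
    # One fact per passwd entry: <user>_uid and <user>_pgid.
    # File.foreach closes the file handle once iteration finishes.
    File.foreach("/etc/passwd") do |line|
      gecos = line.split(/:/)
      Facter.add("#{gecos[0]}_uid") do
        setcode { gecos[2] }
      end
      Facter.add("#{gecos[0]}_pgid") do
        setcode { gecos[3] }
      end
    end

    # One fact per group entry: <group>_gid.
    File.foreach("/etc/group") do |line|
      gecos = line.split(/:/)
      Facter.add("#{gecos[0]}_gid") do
        setcode { gecos[2] }
      end
    end
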
I then need a way to look up the custom facts, which take on the form
"jsmith_uid", "jsmith_pgid", and "jsmith_gid". This yields the
following function:
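
    module Puppet::Parser::Functions
      # Return the value of the variable (fact) named by the first
      # argument, resolved through the calling scope, rather than
      # handing back the name itself.
      newfunction(:lookupvar, :type => :rvalue) do |args|
        lookupvar(args[0])
      end
    end
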
Finally, the glue that puts it all together is the user declaration.
The UID and GID are never re-declared in the config; it's always set
to return the value of the custom fact:

    define account ( ensure, groups, shell, comment, provider = directoryservice, unixpw ) {
        ...snip...
        @user { $name:
            ensure   => $ensure,
            uid      => lookupvar("${name}_uid"),
            gid      => lookupvar("${name}_pgid"),
            groups   => $supp_groups,
            comment  => $comment,
            shell    => $user_shell,
            provider => $provider,
            password => $unixpw;
        }
        ...snip...
    }

Is this a viable workaround to inconsistent user attributes in a
cluster? Votes for or against this?
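
Added example, not part of the original post: before letting each node's existing UIDs and GIDs stand, it helps to measure how far the nodes have drifted. This Ruby code parses passwd(5) content from several nodes and reports users whose IDs differ and UIDs that map to different accounts on different nodes, which matters wherever ownership is compared numerically (for example on NFS exports without ID mapping). The node names and passwd contents are constructed samples.

```ruby
# Added example, not code from the original post.
# NODES is constructed sample passwd(5) content; node names are hypothetical.
NODES = {
  "node1" => <<~PASSWD,
    root:x:0:0:root:/root:/bin/bash
    # local comment line
    jsmith:x:1001:1001:John Smith:/home/jsmith:/bin/bash
    backup:x:1002:1002::/var/backup:/bin/sh
  PASSWD
  "node2" => <<~PASSWD,
    root:x:0:0:root:/root:/bin/bash
    jsmith:x:1002:100:John Smith:/home/jsmith:/bin/bash
    broken-line-without-fields
    backup:x:1003:1002::/var/backup:/bin/sh
  PASSWD
}

# Parse passwd(5) text into { name => { uid:, gid: } }, skipping blank,
# comment, and malformed lines instead of producing bogus entries.
def parse_passwd(text)
  text.each_line.with_object({}) do |line, users|
    line = line.strip
    next if line.empty? || line.start_with?("#")
    name, _pw, uid, gid = line.split(":", -1)
    next unless uid.to_s.match?(/\A\d+\z/) && gid.to_s.match?(/\A\d+\z/)
    users[name] = { uid: uid.to_i, gid: gid.to_i }
  end
end

# Users whose UID or primary GID is not identical on every node that has
# them: { name => { node => { uid:, gid: } } }
def attribute_drift(nodes)
  seen = Hash.new { |h, k| h[k] = {} }
  nodes.each { |node, text| parse_passwd(text).each { |n, ids| seen[n][node] = ids } }
  seen.select { |_name, per_node| per_node.values.uniq.size > 1 }
end

# UIDs owned by different account names across nodes: { uid => [names] }
def uid_collisions(nodes)
  owners = Hash.new { |h, k| h[k] = [] }
  nodes.each_value { |text| parse_passwd(text).each { |n, ids| owners[ids[:uid]] |= [n] } }
  owners.select { |_uid, names| names.size > 1 }
end

if __FILE__ == $PROGRAM_NAME
  attribute_drift(NODES).each { |name, per_node| puts "drift #{name}: #{per_node}" }
  uid_collisions(NODES).each { |uid, names| puts "uid #{uid} shared by #{names.join(', ')}" }
end
```

A UID collision such as 1002 in the sample is the case to resolve first, since files written by one account on one node appear owned by a different account on another.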