On 5/21/14, 12:40 AM, Grant Street wrote:
> On Wednesday, May 21, 2014 12:31:59 AM UTC+10, jcbollinger wrote:
> > On Monday, May 19, 2014 2:39:47 AM UTC-5, Grant Street wrote:
> > > Hi
> > >
> > > First time poster to this forum. I'm in the process of doing a
> > > pilot to convert a cfengine v2 install to puppet.
> > >
> > > I was wondering if anyone had any ideas on the following.
> > >
> > > I have machines that can be in any combination (i.e. 0 or more) of
> > > 10 groups, that can change. I need to create an access.conf
> > > based on the group membership of the node.
> > > I would like the file to be dynamically created with any
> > > redundant lines removed.
> > >
> > > I have had a look at Augeas but I can't see how to both add
> > > lines based on the group as well as remove unwanted and unknown
> > > lines.
> > > I have also had a look at templates but am unsure what that would
> > > look like when you have 0-10 insertion points.
> >
> > A template is probably the way to go. The point to understand there
> > is that you will be templating the entire contents of the file, not
> > just the lines related to the 10 groups. Supposing that you have an
> > array of the names of the wanted groups, then, your template might
> > look like this:
> >
> >     +:root:LOCAL
> >     <% @wanted_groups.each do |g| -%>
> >     +:(<%= g %>):ALL
> >     <% end -%>
> >     -:ALL:ALL
> >
> > John
>
> Hi John
>
> Thanks a lot for the guidance. My solution would have been a whole lot
> more messy.
>
> I was able to massage your example so that I could use a hash to specify
> the user and origin like this:
>
>     +:root:LOCAL
>     <% pam_access.each_pair do |user,origin| -%>
>     +:<%= user %>:<%= origin %>
>     <% end -%>
>     -:ALL:ALL
>
> Now what is the best way to dynamically create the array/hash? I am
> doing a hash merge at the moment; is there a better/more puppet way?
>
> Thanks
>
> --
> You received this message because you are subscribed to the Google
> Groups "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to [email protected]
> <mailto:[email protected]>.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/75b1fcd4-4315-40b0-9924-38557eece79d%40googlegroups.com
> <https://groups.google.com/d/msgid/puppet-users/75b1fcd4-4315-40b0-9924-38557eece79d%40googlegroups.com?utm_medium=email&utm_source=footer>.
> For more options, visit https://groups.google.com/d/optout.

Hi Grant,

I have a puppet module[1] for PAM that manages access.conf. You can
specify an array in Hiera with the key pam::allowed_users. Currently it
uses a parameterized class which will look up the value in Hiera and
stop on the first match. The code could be changed to allow for the use
of the hiera_array[2] function which would return all instances found in
Hiera. So if your groups are defined at multiple levels of the
hierarchy, you would want that functionality. Here's an example[3] of
how you might add it. I would be happy to work with you on a pull request.

[1] - https://github.com/ghoneycutt/puppet-module-pam
[2] - http://docs.puppetlabs.com/references/latest/function.html#hieraarray
[3] - https://github.com/ghoneycutt/puppet-module-ssh/blob/master/manifests/init.pp#L534-544

Best regards,
-g

--
Garrett Honeycutt
@learnpuppet
Puppet Training with LearnPuppet.com
Mobile: +1.206.414.8658
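
Added example, not part of the thread and not code from any poster or from the PAM module: a plain-Ruby sketch of the approach discussed above, merging a group list from every hierarchy level (the idea behind hiera_array), dropping duplicates, and rendering John's template with ERB. The hierarchy level names, group names and the name check are assumptions made for illustration.

```ruby
require 'erb'

# John's template from the thread, unchanged; '-%>' needs ERB trim mode '-'.
TEMPLATE = <<~'EOT'
  +:root:LOCAL
  <% @wanted_groups.each do |g| -%>
  +:(<%= g %>):ALL
  <% end -%>
  -:ALL:ALL
EOT

# Constructed sample data standing in for Hiera: one list of groups per
# hierarchy level, most specific first. Level and group names are hypothetical.
HIERARCHY = {
  'node/web01' => ['webadmins', 'dba'],
  'role/web'   => ['webadmins', 'deploy'],
  'common'     => ['sysadmins'],
}

# Same idea as hiera_array: take the key from every level, flatten, dedupe,
# so a group listed at two levels yields one access.conf line, not two.
def merged_groups(levels)
  levels.values.flatten.uniq
end

# access.conf is line- and colon-delimited, so a group name containing ':',
# ')', whitespace or a newline would add or rewrite a rule. \A and \z anchor
# the whole string (unlike ^ and $, which match at embedded newlines).
SAFE_GROUP = /\A[A-Za-z_][A-Za-z0-9_.-]*\z/

def render_access_conf(groups)
  bad = groups.reject { |g| g.is_a?(String) && g.match?(SAFE_GROUP) }
  raise ArgumentError, "unsafe group name(s): #{bad.inspect}" unless bad.empty?

  # Expose the list as @wanted_groups, the name the template expects.
  ctx = Object.new
  ctx.instance_variable_set(:@wanted_groups, groups)
  ERB.new(TEMPLATE, trim_mode: '-').result(ctx.instance_eval { binding })
end

puts render_access_conf(merged_groups(HIERARCHY)) if __FILE__ == $PROGRAM_NAME
```

Because the whole file is templated, a node in none of the groups still gets the root line and the closing `-:ALL:ALL` rule.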
