On 5/21/14, 12:40 AM, Grant Street wrote:
> 
> 
> On Wednesday, May 21, 2014 12:31:59 AM UTC+10, jcbollinger wrote:
> 
> 
> 
>     On Monday, May 19, 2014 2:39:47 AM UTC-5, Grant Street wrote:
> 
>         Hi
> 
>         First time poster to this forum. I'm in the process of doing a
>         pilot to convert a cfengine v2 install to puppet.
> 
>         I was wondering if anyone had any ideas on the following.
> 
>         I have machines that can be in any combination (i.e. 0 or more) of
>         10 groups, that can change. I need to create an access.conf
>         based on the group membership of the node.
>         I would like the file to be dynamically created with any
>         redundant lines removed.
> 
>         I have had a look at Augeas but I can't see how to both add
>         lines based on the group as well as remove unwanted and unknown
>         lines.
>         I have also had a look at templates but am unsure what that would
>         look like when you have 0-10 insertion points.
> 
> 
> 
>     A template is probably the way to go.  The point to understand there
>     is that you will be templating the entire contents of the file, not
>     just the lines related to the 10 groups.  Supposing that you have an
>     array of the names of the wanted groups, then, your template might
>     look like this:
> 
>     +:root:LOCAL
>     <% @wanted_groups.each do |g| -%>
>     +:(<%= g %>):ALL
>     <% end -%>
>     -:ALL:ALL
> 
> 
>     John
> 
>  Hi John
> 
> Thanks a lot for the guidance. My solution would have been a whole lot
> more messy.
> 
> I was able to massage your example so that I could use a hash to specify
> the user and origin like this:
> +:root:LOCAL
> <% @pam_access.each_pair do |user,origin| -%>
> +:<%= user %>:<%= origin %>
> <% end -%>
> -:ALL:ALL
> 
> Now what is the best way to dynamically create the array/hash? I am
> doing a hash merge at the moment. Is there a better/more Puppet way?
> 
> Thanks
> 
>  
> 
> -- 
> You received this message because you are subscribed to the Google
> Groups "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to puppet-users+unsubscr...@googlegroups.com
> <mailto:puppet-users+unsubscr...@googlegroups.com>.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/75b1fcd4-4315-40b0-9924-38557eece79d%40googlegroups.com
> <https://groups.google.com/d/msgid/puppet-users/75b1fcd4-4315-40b0-9924-38557eece79d%40googlegroups.com?utm_medium=email&utm_source=footer>.
> For more options, visit https://groups.google.com/d/optout.

Hi Grant,

I have a puppet module[1] for PAM that manages access.conf. You can
specify an array in Hiera with the key pam::allowed_users. Currently it
uses a parameterized class which will look up the value in Hiera and
stop on the first match. The code could be changed to allow for the use
of the hiera_array[2] function which would return all instances found in
Hiera. So if your groups are defined at multiple levels of the
hierarchy, you would want that functionality. Here's an example[3] of
how you might add it. I would be happy to work with you on a pull request.


[1] - https://github.com/ghoneycutt/puppet-module-pam

[2] - http://docs.puppetlabs.com/references/latest/function.html#hieraarray

[3] -
https://github.com/ghoneycutt/puppet-module-ssh/blob/master/manifests/init.pp#L534-544

Best regards,
-g

-- 
Garrett Honeycutt
@learnpuppet
Puppet Training with LearnPuppet.com
Mobile: +1.206.414.8658
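
The approach discussed in this thread, as an added example that is not part of the original messages or of the puppet-module-pam code: plain Ruby that merges a group list from several hierarchy levels the way an array-merge lookup such as hiera_array does (flattened, unique values), rejects names that could inject extra rules, and renders John's template with the catch-all deny last, since pam_access acts on the first matching rule. The key name wanted_groups, the group names and the helper names are assumptions made for illustration.

```ruby
require 'erb'

# Constructed sample data: three hierarchy levels, most specific first.
# The key 'wanted_groups' and all group names are hypothetical.
HIERARCHY = [
  { 'wanted_groups' => %w[dba sysadmin] },     # node level
  { 'wanted_groups' => %w[webdev sysadmin] },  # role level
  { 'wanted_groups' => %w[sysadmin] }          # common level
].freeze

# Array-merge lookup in the spirit of hiera_array: take the key from every
# level, flatten, and drop duplicates while keeping first-seen order.
def merged_groups(levels, key)
  levels.flat_map { |level| Array(level[key]) }.uniq
end

# Refuse names that could break out of their field or line in access.conf:
# ':' separates fields, and a newline would start a new rule.
def validate_groups(groups)
  bad = groups.reject do |g|
    g.is_a?(String) && g.match?(/\A[A-Za-z0-9_][A-Za-z0-9_.-]*\z/)
  end
  raise ArgumentError, "invalid group name(s): #{bad.inspect}" unless bad.empty?
  groups
end

# The whole file is templated, so lines not produced here disappear on the
# next run. The catch-all deny stays last because the first match wins.
TEMPLATE = <<~ERB_SRC
  +:root:LOCAL
  <% @wanted_groups.each do |g| -%>
  +:(<%= g %>):ALL
  <% end -%>
  -:ALL:ALL
ERB_SRC

def render_access_conf(levels, key = 'wanted_groups')
  scope = Object.new
  scope.instance_variable_set(:@wanted_groups,
                              validate_groups(merged_groups(levels, key)))
  ERB.new(TEMPLATE, trim_mode: '-').result(scope.instance_eval { binding })
end

puts render_access_conf(HIERARCHY) if $PROGRAM_NAME == __FILE__
```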
