I use a role or wrapper recipe that sets a different data bag for different sets of services or environments. It’s particularly useful for “root” SSH keys, if you care to allow chef to manage those. The lack of ability in the “users” cookbook itself to set characteristics, rather than always relying on the shared contents of the “users” data bag, is an old issue.
I’ll also admit that it’s aggravated by the lack of encryption for SSH private keys configured by the “users” cookbook. The general tendency to store passwords and credentials in plaintext that is hardcoded in various cookboks, including “users”, “rsnapshot”, “postgresql”, “mysql”, “nagios”, “nrpe”, and many others, is a longstanding security problem.
Lead DevOps Engineer
From: Mohammad Fattahian [mailto:email@example.com]
Sent: Thursday, July 30, 2015 12:06 PM
Subject: [chef] RE: Re: Creating local users
Thanks for your help, but as I said I’m using ‘users cookbook’ (https://github.com/opscode-cookbooks/users)
I’ve created a databag with all users we need on the nodes, but some nodes does not require all the users created. I’m looking for a way to create users based nodes.
From: Yoshi Spendiff [mailto:firstname.lastname@example.org:email@example.com]
Sent: Thursday, July 30, 2015 11:16 AM
Subject: [chef] Re: Creating local users
I have a base cookbook with a users recipe that I apply to all nodes.
It looks something like this:
node[‘base-cookbook’][‘users’].each do |username, enabled|
user username do
action enabled ? :create : :remove
Then in your roles or role cookbook you can just use that attribute.
default[‘base-cookbook’][‘users’][‘user_1’] = true
default[‘base-cookbook’][‘users’][‘user_2’] = true
default[‘base-cookbook’][‘users’][‘user_3’] = false
I use a hash instead of an array so you can delete a user and so you don’t come across any situations where you were expecting to overwrite an array and instead it was merged.
On Thu, Jul 30, 2015 at 7:15 AM, Mohammad Fattahian <firstname.lastname@example.org:email@example.com> wrote:
What’s the best way to create local users based on the role of the nodes?
Let say I need different users created on nodes based on their roles (WEB Server, DB Server, etc.)
I’m using ‘users Cookbook’ to create users from a database.
Mobile: +1 778 952 2025