Creating local users


#1

Hi folks,

What’s the best way to create local users based on the role of the nodes?

Let’s say I need different users created on nodes based on their roles (WEB
Server, DB Server, etc.)

I’m using ‘users Cookbook’ to create users from a database.

Mohammad


#2

I have a base cookbook with a users recipe that I apply to all nodes.

It looks something like this:

    node['base-cookbook']['users'].each do |username, enabled|
      user username do
        action enabled ? :create : :remove
        # <other user options>
      end
    end

Then in your roles or role cookbook you can just use that attribute.

    default['base-cookbook']['users']['user_1'] = true
    default['base-cookbook']['users']['user_2'] = true
    default['base-cookbook']['users']['user_3'] = false

I use a hash instead of an array so you can delete a user and so you don’t
come across any situations where you were expecting to overwrite an array
and instead it was merged.

On Thu, Jul 30, 2015 at 7:15 AM, Mohammad Fattahian <
mfattahian@masterfile.com> wrote:

Hi folks,

What’s the best way to create local users based on the role of the nodes?

Let’s say I need different users created on nodes based on their roles (WEB
Server, DB Server, etc.)

I’m using ‘users Cookbook’ to create users from a database.

Mohammad


Yoshi Spendiff
Ops Engineer
Indochino
Mobile: +1 778 952 2025
Email: yoshi.spendiff@indochino.com


#3

Thanks for your help, but as I said I’m using ‘users cookbook’
(https://github.com/opscode-cookbooks/users)

I’ve created a databag with all users we need on the nodes, but some nodes
do not require all the users created. I’m looking for a way to create
users based on nodes.

Mohammad

From: Yoshi Spendiff [mailto:yoshi.spendiff@indochino.com]
Sent: Thursday, July 30, 2015 11:16 AM
To: chef
Subject: [chef] Re: Creating local users

I have a base cookbook with a users recipe that I apply to all nodes.

It looks something like this:

    node['base-cookbook']['users'].each do |username, enabled|
      user username do
        action enabled ? :create : :remove
        # <other user options>
      end
    end

Then in your roles or role cookbook you can just use that attribute.

    default['base-cookbook']['users']['user_1'] = true
    default['base-cookbook']['users']['user_2'] = true
    default['base-cookbook']['users']['user_3'] = false

I use a hash instead of an array so you can delete a user and so you don’t
come across any situations where you were expecting to overwrite an array
and instead it was merged.



#4

Hi Mohammad,

I suggest you add a default_attribute - a table - in the
different roles for the user that should be created on
machines that these roles are assigned.

And for every machine you should check for every one
of the users in the data bag if this user is in special
role assigned attribute too.

Regards,
Tobias

On 30.07.2015 at 18:05, Mohammad Fattahian wrote:

Thanks for your help, but as I said I’m using ‘users
cookbook’ (https://github.com/opscode-cookbooks/users)

I’ve created a databag with all users we need on the nodes, but some
nodes do not require all the users created. I’m looking for a way to
create users based on nodes.

Mohammad


Tobias Unsleber
Inline Online Internet Dienste GmbH
Kaiserstr. 80
D-76133 Karlsruhe
Tel: +49-721-96682-45, Fax: +49-721-96682-11

HRB 7454, registered office: Karlsruhe, registration court: Karlsruhe
Managing directors: Dr. Andreas Werner, Dr. Armin Zundel
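
One way to implement the check described in #4, as an added example that is not part of the original thread: plain Ruby that decides, per node, which data bag users to create and which to remove. The `allowed` hash, the item fields and the sample users are assumptions constructed for illustration; in a recipe the items would come from the users data bag and the hash from the role's default attributes.

```ruby
# Added example: plain Ruby, no Chef required. Names and data are constructed.
# Models a role-driven allow-list: a data bag user is created on a node only
# if the node's roles list that user; everyone else in the bag is removed.

# Constructed sample of users data bag items.
DATA_BAG_USERS = [
  { 'id' => 'alice', 'groups' => ['sysadmin'] },
  { 'id' => 'bob',   'groups' => ['dba'] },
  { 'id' => 'carol', 'groups' => ['web'], 'action' => 'remove' }, # offboarded
  { 'id' => 'dave',  'groups' => ['web'] }
].freeze

# Constructed role attribute for a web node, in the true/false hash style
# from #2 so that a higher-precedence role can switch a user off.
WEB_ROLE_USERS = {
  'alice' => true, 'dave' => true, 'carol' => true,
  'bob' => false, 'erin' => true
}.freeze

# items:   array of data bag item hashes
# allowed: hypothetical attribute hash merged from the node's roles
def plan_users(items, allowed)
  plan = { create: [], remove: [] }
  items.each do |item|
    name = item['id']
    # Default deny: a user the roles do not mention is not wanted here.
    wanted = allowed.fetch(name, false) == true
    # An item flagged for removal in the data bag wins over any role.
    wanted = false if item['action'].to_s == 'remove'
    plan[wanted ? :create : :remove] << name
  end
  # Users a role enables but the data bag does not define are reported,
  # never created from the role attribute alone.
  enabled = allowed.select { |_, on| on == true }.keys
  plan[:unknown] = enabled - items.map { |i| i['id'] }
  plan
end

puts plan_users(DATA_BAG_USERS, WEB_ROLE_USERS).inspect if __FILE__ == $PROGRAM_NAME
```

Feeding the `:remove` list to the `user` resource with `action :remove` keeps accounts from lingering on nodes whose role no longer lists them.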


#5

You could put your users in different groups, and then use the users
cookbook’s users_manage resource to look for users in a given group and
only create those users on a given node.



#6

https://github.com/poise/poise-service#poise_service_user is an easy way to handle this.

–Noah

On Jul 30, 2015, at 9:31 AM, Fabien Delpierre <fabien.delpierre@gmail.com> wrote:

You could put your users in different groups, and then use the users cookbook’s users_manage resource to look for users in a given group and only create those users on a given node.



#7

I create a users data bag for each role (admittedly, this gets a bit redundant, since some users are in multiple roles) and then set the default['users']['databag'] attribute in the role cookbook.

If you don’t use role cookbooks, you could set the data bag as an override attribute in the role.

I also set the groups based on role with a default['users']['groups'] attribute, so I run my users_manage resource like so:

    include_recipe "users"

    node['users']['groups'].each do |grp|
      users_manage grp do
        data_bag node['users']['data_bag']
        action [ :remove, :create ]
      end
    end

–fitz



#8

I use a role or wrapper recipe that sets a different data bag for different sets of services or environments. It’s particularly useful for “root” SSH keys, if you care to allow chef to manage those. The lack of ability in the “users” cookbook itself to set characteristics, rather than always relying on the shared contents of the “users” data bag, is an old issue.

I’ll also admit that it’s aggravated by the lack of encryption for SSH private keys configured by the “users” cookbook. The general tendency to store passwords and credentials in plaintext that is hardcoded in various cookbooks, including “users”, “rsnapshot”, “postgresql”, “mysql”, “nagios”, “nrpe”, and many others, is a longstanding security problem.

Nico Kadel-Garcia
Lead DevOps Engineer
nkadel@skyhookwireless.com
