How can I add/delete temporary users?


#1

I’m using the users cookbook to create users and distribute ssh keys. I’ve now
been tasked with automating the creation/deletion of users who only need
temporary access to servers. For example when a developer is needed to assist
with issues on a production server. For auditing purposes we’re wanting to
drive it via Git -> Chef. I’m thinking I could search for local users within a
UID range, compare that with what Chef expects and delete accounts for those
that shouldn’t be there.

Has anyone solved this or similar scenarios?


#2

We use a databag for each user with a disabled attribute and then lock / unlock the account based on that attribute’s value.

# u is one user data bag item, as returned by search(:users, ...)
user u['id'] do
  if u['disabled'] then
    action :lock
  else
    action :unlock
  end
end


Nathen Harvey

On Tuesday, November 29, 2011 at 4:49 PM, clif@texicans.us wrote:



#3

Thanks for the info. Here’s what I came up with; please punch holes as needed:

Created …/chef-repo/cookbooks/users/recipes/production-systems-access.rb with the following:

# Create users with the attribute production-systems-access=true
search(:users, 'production-systems-access:true') do |u|
  home_dir = "/home/#{u['id']}"

  # Create the user (manage_home creates the home directory)
  user u['id'] do
    uid u['uid']
    gid u['gid']
    shell u['shell']
    comment "Temp Prod User - #{u['comment']}"
    supports :manage_home => true
    home home_dir
    # ruby_block[reset group list] is assumed to be defined elsewhere in the
    # users cookbook (its sysadmins recipe declares one); it is not part of
    # this recipe.
    notifies :create, "ruby_block[reset group list]", :immediately
  end

  # Create the user's ~/.ssh directory
  directory "#{home_dir}/.ssh" do
    owner u['id']
    group u['gid'] || u['id']
    mode "0700"
  end

  # Deploy the user's ssh public key(s)
  template "#{home_dir}/.ssh/authorized_keys" do
    source "authorized_keys.erb"
    owner u['id']
    group u['gid'] || u['id']
    mode "0600"
    variables :ssh_keys => u['ssh_keys']
  end
end

# Delete users with the attribute production-systems-access=false
# (the home directory is left in place)
search(:users, 'production-systems-access:false') do |u|
  user u['id'] do
    action :remove
    supports :manage_home => false
  end
end

So, when a user needs access to prod systems I set the production-systems-access attribute to true in that user’s databag and the account is created. When access is no longer needed it’s set to false and the account is deleted (but the homedir isn’t touched).

On Nov 29, 2011, at 4:16 PM, Nathen Harvey wrote:

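Post #1 proposed comparing local users inside a UID range with what Chef expects, and post #3 drives everything off the production-systems-access attribute. The following is an added example, not code from the thread or from the users cookbook, that combines the two in plain Ruby so it can be run outside Chef: it builds an audit plan from constructed data bag items and constructed /etc/passwd lines, acts only on an assumed temporary UID range (TEMP_UID_RANGE), and reports in-range accounts Chef does not know about instead of deleting them. In a recipe the returned plan would drive user resources like those in post #3.

```ruby
require 'set'
# Constructed inputs: a UID range reserved for temporary accounts (an assumption),
# data bag items shaped like the thread's users cookbook items, and /etc/passwd
# lines standing in for the node's local users.
TEMP_UID_RANGE = (5000..5999)
DATA_BAG_USERS = [
  { 'id' => 'alice', 'uid' => 5001, 'production-systems-access' => true },
  { 'id' => 'bob',   'uid' => 5002, 'production-systems-access' => false },
  { 'id' => 'carol', 'uid' => 5003, 'production-systems-access' => true },
  { 'id' => 'dave',  'uid' => 1002, 'production-systems-access' => true },
].freeze
PASSWD = <<~EOS.freeze
  root:x:0:0:root:/root:/bin/bash
  deploy:x:1001:1001::/home/deploy:/bin/bash
  alice:x:5001:5001:Temp Prod User - alice:/home/alice:/bin/bash
  bob:x:5002:5002:Temp Prod User - bob:/home/bob:/bin/bash
  mallory:x:5004:5004::/home/mallory:/bin/bash
EOS

# Map login name => uid for every passwd entry.
def parse_passwd(text)
  text.each_line.each_with_object({}) do |line, acc|
    name, _pw, uid = line.strip.split(':')
    acc[name] = uid.to_i unless name.nil? || name.empty?
  end
end

# Compare what Chef expects with what the node has. Only UIDs inside the
# temporary range are acted on (data bag items outside it are listed, not
# managed), and in-range accounts with no data bag item are reported rather
# than deleted so an operator can review them.
def reconcile(items, passwd_text, range)
  local = parse_passwd(passwd_text)
  plan = { create: [], remove: [], unexpected: [], out_of_range: [] }
  items.each do |u|
    name = u['id']
    next plan[:out_of_range] << name unless range.cover?(u['uid'])
    if u['production-systems-access']
      plan[:create] << name unless local.key?(name)
    elsif local.key?(name)
      plan[:remove] << name
    end
  end
  known = items.map { |u| u['id'] }.to_set
  local.each do |name, uid|
    plan[:unexpected] << name if range.cover?(uid) && !known.include?(name)
  end
  plan.transform_values(&:sort)
end
```

With the constructed inputs the plan creates carol, removes bob, flags mallory (in range, unknown to Chef) and lists dave as out of range.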