User management - what's your solution?

Chef Infra (archive)
1

Hi,

as I’m about to introduce Chef at a second organization, I want to do
one thing right from the beginning: (Linux) User management.

What’s your way to do that?

In my first project, we

  • use opscode’s users cookbook to bring accounts + ssh keys from
    sysadmins to all clients.

  • for some cookbooks, we use fnichol’s user. IIRC because back then only
    there it was possible to add more than one SSH key and it looked pretty
    nice (and it still does)

  • still lack a clean solution for sudo management. Sysadmins are allowed
    to sudo everywhere, but here and there other users should also be able
    to. Having either a sub-entry in the user’s data bag with hostnames of
    the servers with sudo permissions, or a hosts data bag listing all
    sudo-allowed users sounds convenient to me.

  • haven’t thought about managing users with access to a particular vhost
    (we have the concept that there’s a user exampleorg responsible for
    example.org and all people with access should get their SSH key deployed
    into exampleorg’s authorized_keys).

Having re-read user and user’s README gives me the impression that after
pretty much thinking this should be possible with opscode’s user CB
(except the sudo thing, which IMHO only works with the additional hosts
data bag).

So what’s your solution? Do you rely only on opscode’s user CB? Do you
know any resources covering this topic and presenting a good solution?

Thanks a lot for your feedback!

Steffen

2

Steffen,

We're successfully using a conjunction of the users and sudo cookbooks.

In our environment, we assume everyone that we add as a databag user
will be able to log into a server.

Who has sudo - now that's controlled via roles and environments inheritance.

Sample from a role:

default_attributes(
'authorization' => {
'sudo' => {
'users' => ["username_that_needs_sudo"]
}
}
)

HTH,
-M

On Wed, Jan 23, 2013 at 2:57 AM, Steffen Gebert st+gmane@st-g.de wrote:

Hi,

as I'm about to introduce Chef at a second organization, I want to do
one thing right from the beginning: (Linux) User management.

What's your way to do that?

In my first project, we

  • use opscode's users cookbook to bring accounts + ssh keys from
    sysadmins to all clients.

  • for some cookbooks, we use fnichol's user. IIRC because back then only
    there it was possible to add more than one SSH key and it looked pretty
    nice (and it still does)

  • still lack a clean solution for sudo management. Sysadmins are allowed
    to sudo everywhere, but here and there other users should also be able
    to. Having either a sub-entry in the user's data bag with hostnames of
    the servers with sudo permissions, or a hosts data bag listing all
    sudo-allowed users sounds convenient to me.

  • haven't thought about managing users with access to a particular vhost
    (we have the concept that there's a user exampleorg responsible for
    example.org and all people with access should get their SSH key deployed
    into exampleorg's authorized_keys).

Having re-read user and user's README gives me the impression that after
pretty much thinking this should be possible with opscode's user CB
(except the sudo thing, which IMHO only works with the additional hosts
data bag).

So what's your solution? Do you rely only on opscode's user CB? Do you
know any resources covering this topic and presenting a good solution?

Thanks a lot for your feedback!

Steffen

3

We recently enhanced the users cookbook to report changes in users on the
system (report handler), lock the passwords of all accounts (for NIST
Moderate compliance), disable old accounts and restrict particular users to
subsets of environments.

As has already been mentioned, the sudo cookbook has so far not given us
much grief and is extendible with the '/etc/sudoers.d' functionality on our
platform.

I hope to bubble some of these additions back up to the community Users
cookbook, barring any major incompatibilities.

Cheers,

AJ

On 24 January 2013 10:52, Mike miketheman@gmail.com wrote:

Steffen,

We're successfully using a conjunction of the users and sudo cookbooks.

In our environment, we assume everyone that we add as a databag user
will be able to log into a server.

Who has sudo - now that's controlled via roles and environments
inheritance.

Sample from a role:

default_attributes(
'authorization' => {
'sudo' => {
'users' => ["username_that_needs_sudo"]
}
}
)

HTH,
-M

On Wed, Jan 23, 2013 at 2:57 AM, Steffen Gebert st+gmane@st-g.de wrote:

Hi,

as I'm about to introduce Chef at a second organization, I want to do
one thing right from the beginning: (Linux) User management.

What's your way to do that?

In my first project, we

  • use opscode's users cookbook to bring accounts + ssh keys from
    sysadmins to all clients.

  • for some cookbooks, we use fnichol's user. IIRC because back then only
    there it was possible to add more than one SSH key and it looked pretty
    nice (and it still does)

  • still lack a clean solution for sudo management. Sysadmins are allowed
    to sudo everywhere, but here and there other users should also be able
    to. Having either a sub-entry in the user's data bag with hostnames of
    the servers with sudo permissions, or a hosts data bag listing all
    sudo-allowed users sounds convenient to me.

  • haven't thought about managing users with access to a particular vhost
    (we have the concept that there's a user exampleorg responsible for
    example.org and all people with access should get their SSH key deployed
    into exampleorg's authorized_keys).

Having re-read user and user's README gives me the impression that after
pretty much thinking this should be possible with opscode's user CB
(except the sudo thing, which IMHO only works with the additional hosts
data bag).

So what's your solution? Do you rely only on opscode's user CB? Do you
know any resources covering this topic and presenting a good solution?

Thanks a lot for your feedback!

Steffen