User Management

Hello everyone,

Wondering if I can pick your collective brains…

I have a situation where users are created and deleted on a chef server using a ruby script that would add/remove encrypted databags accordingly. However I’d like a situation where the creation/deletion of users, on windows and linux boxes, is completely automated.

For example, if a user is deleted, the recipe compares the userlist on chef with the members of the sysadmin group on unix to see who is missing. Once that is determined, within the recipe, the user resource is then applied to the unix box according to the now modified userlist.

What do you think?

Thanks Angela

Sent from iCloud

You can easily manage your users by group using users_manage.

What I think you mean is that chef will pick up on changes manually made to a server and mutate the data bags accordingly. Updating data bags from the script seems unnecessary, and creates a situation where there is no source of truth. Is it windows? unix? chef (databags)? ldap/AD? If you're not using ldap, stick to data bags. You are probably creating race conditions and security holes that could end up in a very screwed up state... like 1 box getting rooted, my user deleted or a privileged user created, and then you're fubar. I'm personally more interested in the users that I didn't make that are not service users; those I'd like to know about and probably purge.

If you just mean that if a user that should be there gets deleted and you want it recreated, then that is also provided for you by users_manage out of the box. Every chef run will check that the user exists and perform whatever actions are specified for users of the group provided to users_manage.

All you'll need is a users databag (see examples from the readme) and to put users into a group "users-that-should-exist":

users_manage 'users-that-should-exist' do
  action :create
end

and if you have a list of users you want removed:

users_manage 'delete-these-users' do
  action :remove
end

On Tue, Mar 17, 2015 at 3:46 PM, ANGELA EBIRIM aebirim@icloud.com wrote:

Hi Jake,

Many thanks for this tip. It worked and saved me a lot of bother!

Regards
Sent from iCloud

On Mar 17, 2015, at 03:10 PM, Jake Plimack jake.plimack@gmail.com wrote:

Hi,

Does anyone know how to extract the list of current users on a node?

I’ve been interrogating the OHAI attributes of a node (I’m sure it would be a node attribute) but can’t find it.

Many thanks
Sent from iCloud

On Mar 18, 2015, at 04:50 AM, ANGELA EBIRIM aebirim@icloud.com wrote:

On Wednesday, March 25, 2015 at 8:02 AM, ANGELA EBIRIM wrote:

Ohai fetches the data as etc/passwd, i.e., it should be under node["etc"]["passwd"].

BTW, you can just run ohai on the command line to see all the data it produces. It’s quite a lot but you can scan it to find the data you’re looking for. You can also filter the command line output by passing the path to the attributes you want if you know them, e.g., ohai etc/passwd prints just the passwd data.

HTH,

--
Daniel DeLeo
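As an added example (not code from the thread or from the users cookbook), plain Ruby that does the comparison Angela describes and also flags the unexpected interactive accounts Jake mentions, using the layout Ohai produces under node["etc"]["passwd"]. The account names, the managed list and the uid threshold are constructed assumptions; inside a recipe you would pass node["etc"]["passwd"] and the user names from your data bag.

```ruby
# Added example: audit a node's local accounts against the managed user
# list, using the layout Ohai produces under node["etc"]["passwd"].
# Plain Ruby with constructed sample data; no Chef run or cookbook needed.

# Constructed sample shaped like Ohai's etc/passwd output (uid, gid, shell
# and dir are real Ohai fields; the accounts themselves are made up).
SAMPLE_PASSWD = {
  "root"   => { "uid" => 0,    "gid" => 0,    "shell" => "/bin/bash",         "dir" => "/root" },
  "daemon" => { "uid" => 1,    "gid" => 1,    "shell" => "/usr/sbin/nologin", "dir" => "/usr/sbin" },
  "alice"  => { "uid" => 1001, "gid" => 1001, "shell" => "/bin/bash",         "dir" => "/home/alice" },
  "bob"    => { "uid" => 1002, "gid" => 1002, "shell" => "/bin/bash",         "dir" => "/home/bob" },
  "mysql"  => { "uid" => 1003, "gid" => 1003, "shell" => "/bin/false",        "dir" => "/var/lib/mysql" },
}.freeze

# Users the data bag / users_manage group says should exist (constructed).
MANAGED_USERS = %w[alice carol].freeze

# Shells that mark a service account rather than a person (assumed list).
NOLOGIN_SHELLS = %w[/usr/sbin/nologin /sbin/nologin /bin/false].freeze

# Interactive accounts: non-system uids with a real login shell. This is
# the "users I didn't make that are not service users" set from the thread.
def interactive_accounts(passwd, min_uid: 1000)
  passwd.select do |_name, entry|
    entry["uid"].to_i >= min_uid && !NOLOGIN_SHELLS.include?(entry["shell"])
  end.keys.sort
end

# Returns the two lists a recipe would act on:
#   :unmanaged - interactive accounts not in the managed list (review/purge)
#   :missing   - managed users absent from the node (users_manage recreates)
def audit_users(passwd, managed, min_uid: 1000)
  present = interactive_accounts(passwd, min_uid: min_uid)
  { unmanaged: present - managed, missing: (managed - passwd.keys).sort }
end

if $PROGRAM_NAME == __FILE__
  # In a recipe the first argument would be node["etc"]["passwd"].
  result = audit_users(SAMPLE_PASSWD, MANAGED_USERS)
  puts "unmanaged interactive accounts: #{result[:unmanaged].join(', ')}"
  puts "managed users missing from node: #{result[:missing].join(', ')}"
end
```

With the sample data, bob is reported as unmanaged and carol as missing; mysql is skipped because its shell marks it as a service account.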

Thanks Daniel!
Sent from iCloud

On Mar 25, 2015, at 10:22 AM, Daniel DeLeo dan@kallistec.com wrote:
