Puppet Class: psick::users

Defined in:
manifests/users.pp

Summary

Users management

Overview

This psick manages basic user accounts providing parameter to manage the root user and other ones which accept hashes of resources to be passed to alternative defines used to create users. These hashes are looked up via a merge lookup with – as knockout prefix.

Parameters:

  • root_pw (Optional[String[1]]) (defaults to: undef)

    The root password. If set the root user resource is managed here. Use root_params to customise other attributes of the user type for root.

  • root_params (Hash) (defaults to: {})

    An hash of valid arguments of the user type. If this or root_pw is set, the root user is managed by this class.

  • users_hash (Hash) (defaults to: {})

    An Hash passed to create resources based on the selected module. The keys of this hash have to be compatible with the selected module. The following extra keys can be used:

    - ssh_authorized_keys: An array of keys to add to the users' authorized keys
- openssh_keygen: A boolean, if true a ssh key pair is automatically
  generated for the user.
- sudo_template: The path as used by the template() fucntion of an erb
    template to use to manage the user's sudo file. Nothing is created if
    not defined.
  • module (Enum['psick','accounts','user']) (defaults to: 'psick')

    A string to define which module to use to manage users: ‘user’ to use Puppet native type ‘psick’ to use the define psick::users::managed ‘accounts’ to use accounts::user from puppetlabs-accounts module

  • delete_unmanaged (Boolean) (defaults to: false)

    If true all non system users not managed by Puppet are automatically deleted.

  • skel_dir_source (Optional[String]) (defaults to: undef)

    The source from where to sync files to place on /etc/skel The contents of this directly are copied (when managehome parameter is true) to the home dir of each new user created on the system

  • available_users_hash (Hash) (defaults to: {})
  • available_users_to_add (Array) (defaults to: []) 


30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
 
# File 'manifests/users.pp', line 30

class psick::users (
  Optional[String[1]] $root_pw  = undef,
  Hash $root_params             = {},
  Hash $users_hash              = {},
  Hash $available_users_hash    = {},
  Array $available_users_to_add = [],
  Enum['psick','accounts','user'] $module = 'psick',
  Boolean $delete_unmanaged     = false,
  Optional[String] $skel_dir_source = undef,
) {

  if $skel_dir_source {
    file { '/etc/skel':
      ensure  => directory,
      source  => $skel_dir_source,
      recurse => true,
    }
    File['/etc/skel'] -> User<||>
  }

  if $root_pw or $root_params != {}  {
    user { 'root':
      password => $root_pw,
      *        => $root_params,
    }
  }

  $added_users = $available_users_hash.filter | $username , $key | {
    $username in $available_users_to_add
  }
  $all_users = $added_users + $users_hash
  if $all_users != {} {
    $all_users.each |$u,$rv| {
      $v = delete($rv, ['ssh_authorized_keys','openssh_keygen','sudo_template'])
      # Find home
      if $v['home'] {
        $home_real = $v['home']
      } elsif $u == 'root' {
        $home_real = $::osfamily ? {
          'Solaris' => '/',
          default   => '/root',
        }
      } else {
        $home_real = $::osfamily ? {
          'Solaris' => "/export/home/${u}",
          default   => "/home/${u}",
        }
      }

      case $module {
        'psick': {
          psick::users::managed { $u:
            ensure           => $v['ensure'],
            comment          => $v['comment'],
            gid              => $v['gid'],
            groups           => $v['groups'],
            home             => $home_real,
            password         => $v['password'],
            password_max_age => $v['password_max_age'],
            password_min_age => $v['password_min_age'],
            shell            => $v['shell'],
            uid              => $v['uid'],
            managehome       => $v['managehome'],
            homedir_source   => $v['homedir_source'],
            *                => pick($v['extra_params'],{}),
          }
        }
        'accounts': {
          accounts::user { $u:
            ensure   => $v['ensure'],
            comment  => $v['comment'],
            gid      => $v['gid'],
            groups   => $v['groups'],
            home     => $v['home'],
            password => $v['password'],
            shell    => $v['shell'],
            uid      => $v['uid'],
            sshkeys  => $v['sshkeys'],
            *        => pick_default($v['extra_params'],{}),
          }
        }
        default: {
          user { $u:
            ensure           => $v['ensure'],
            comment          => $v['comment'],
            gid              => $v['gid'],
            groups           => $v['groups'],
            home             => $home_real,
            password         => $v['password'],
            password_max_age => $v['password_max_age'],
            password_min_age => $v['password_min_age'],
            shell            => $v['shell'],
            uid              => $v['uid'],
            managehome       => $v['managehome'],
            *                => pick_default($v['extra_params'],{}),
          }
        }
      }
      if has_key($rv,'ssh_authorized_keys') and $module != 'accounts' {
        $rv['ssh_authorized_keys'].each |$key| {
          $key_array   = split($key, ' ')
          ssh_authorized_key { "${u}_${key}":
            ensure => present,
            user   => $u,
            name   => $key_array[2],
            key    => $key_array[1],
            type   => $key_array[0],
            target => "${home_real}/.ssh/authorized_keys",
          }
        }
      }
      if has_key($rv,'openssh_keygen') {
        $rv['openssh_keygen'].each |$u,$vv| {
          psick::openssh::keygen { $u:
            * => $vv,
          }
        }
      }
      if has_key($rv,'sudo_template') {
        psick::sudo::directive { $u:
          template => $rv['sudo_template'],
        }
      }
    }
  }
  if $delete_unmanaged {
    resources { 'user':
      purge              => true,
      unless_system_user => true,
    }
  }
}