rewrite of the users cookbook
{ | |
"id": "212477770", | |
"comment": "212477770", | |
"home": "/home/212477770", | |
"action": "remove", | |
"shell": "/bin/bash", | |
"ssh_keys": [ | |
"ssh-rsa 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 212477770@SFO1212477770M" | |
], | |
"groups": [ | |
"ic-admins" | |
], | |
"access_to_regions": ["US", "EU", "APAC", "kitchen"] | |
} |
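#
# Cookbook Name:: svops_exportc_usermgmt_linux
# Recipe:: default
#
# Copyright 2016, YOUR_COMPANY_NAME
#
# All rights reserved - Do Not Redistribute
#
# Creates or removes local Linux accounts from the 'users' data bag. For each
# item the recipe: checks the user is allowed into this node's region, fetches
# the user's vault item, manages the account, lays down ~/.ssh/authorized_keys
# and adjusts group membership.
#
# Loading the chef-vault recipe - may not be necessary.
include_recipe 'geip_chef_vault'

users_db_name = 'users'
users_vault_name = 'users_secrets'
home_basedir = '/home'
# Actions that mean the account is going away. Chef's user resource uses
# :remove; 'delete' is also accepted so older data bag items keep working.
removal_actions = %w[remove delete].freeze

db = data_bag(users_db_name)

# Not using the users cookbook because it's a mess of a cookbook.
db.each do |username|
  user = data_bag_item(users_db_name, username)

  # Skip the user if they have not been granted access to this region; they
  # would fail to decrypt the vault anyway. Array() tolerates a missing key.
  next unless Array(user['access_to_regions']).include?(node['region'])

  # A user without access to the region will not/should not have access to the vault.
  user_secrets = get_vault_item(users_vault_name, username)
  # The sample users_secrets item nests both the shadow password and the
  # console_access flag under 'secrets'; default to an empty hash so a
  # vault item without that key does not blow up the run.
  secrets = user_secrets['secrets'] || {}

  removing = removal_actions.include?(user['action'].to_s)

  # Private keys must never travel through a clear-text data bag. Raise before
  # any resource is defined so nothing is partially applied for this user.
  raise "private keys should not be transmitted as clear text for user #{username}" if user['ssh_private_key']
  # user['ssh_public_key'] # not implemented

  # Home is the location in the data bag, or a reasonable default
  # ($home_basedir/$user). Note: `defined?(user['home'])` is always truthy,
  # which is why a plain nil check is used here.
  home_dir = user['home'] || "#{home_basedir}/#{username}"
  # Owner for files under the home dir: the numeric uid from the data bag when
  # present, otherwise the account name (a nil owner would leave the files
  # owned by whoever runs chef-client, normally root).
  file_owner = user['uid'] || username

  # Not currently in use - no edgecase for this (yet)
  # manage_home = (home_dir == '/dev/null' ? false : true)

  # creating or deleting users
  user "managing user per data_bag - #{username} - #{user['action']}" do
    username username
    action user['action']
    ## other parameters on create
    uid user['uid'] if user['uid']
    gid user['gid'] if user['gid']
    shell user['shell'] if user['shell']
    comment user['comment'] if user['comment']
    # Strict boolean check on purpose: only an explicit `true` in the vault
    # grants a password; any other value leaves the account password-less.
    password secrets['linux_shadow_password'] if secrets['linux_shadow_password'] && secrets['console_access'] == true
    salt user['salt'] if user['salt']
    manage_home user['manage_home'] if user['manage_home']
    home user['home'] if user['home']
  end

  # SSH material is only laid down for accounts that are being kept; recreating
  # ~/.ssh for a removed account would leave an authorized_keys file behind.
  directory "#{home_dir}/.ssh" do
    recursive true
    owner file_owner
    group user['gid'] if user['gid']
    mode '0700'
    only_if { !removing && (user['ssh_keys'] || user['ssh_public_key']) }
  end

  template "#{home_dir}/.ssh/authorized_keys" do
    source 'authorized_keys.erb'
    owner file_owner
    group user['gid'] if user['gid']
    mode '0600'
    variables ssh_keys: user['ssh_keys']
    only_if { !removing && user['ssh_keys'] }
  end

  # Group membership is appended so existing members are kept; an account that
  # is being removed is taken out of each listed group instead.
  Array(user['groups']).each do |grp|
    group "managing user for group - #{grp} - #{user['action']}" do
      group_name grp
      members username unless removing
      excluded_members username if removing
      action :manage
      append true
    end
  end
end

# sudo -E /opt/chef/bin/chef-client --local-mode --config /tmp/kitchen/client.rb --log_level auto --force-formatter --no-color --json-attributes /tmp/kitchen/dna.json --chef-zero-port 8889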
{ | |
"id": "212477770", | |
"secrets":{ | |
"linux_shadow_password": "$1$WvaIpOFs$7xf3o6wupY.Vpo1unUI9Y0", | |
"windows_clearpass": "Password123", | |
"console_access": true | |
} | |
} |