
For managing users on different nodes, I use a similar/customized module in Puppet, as seen here:

puppet_users_with_virtual_resources

In the example, there are two roles. If one role has been assigned to a user, an additional role cannot be assigned to that user (because the virtual resource has already been created).

In my case, I have different roles (like sudo, web-dev, mysql) and every role assigns specific groups to the user.

But as already mentioned, I'm only able to assign one single role to the user. If I add another role to the user, the user will still only have one role (because the user with the groups from one role has already been assigned to the user and the resource has been created).

How can I fix this so I can assign unlimited roles to one user?

Why do you need a virtual resource to collect user roles? - Matt Schuchard
Because when I need a user in e.g. webserver and mysql, I would need to create the user for both (not possible because a resource can be specified only once). And with the virtual resource, I can define this user in different "places". Do you have a better idea on how to solve my issue? - Studentus

1 Answer


I usually tackle this by defining virtual users in a centralized place (e.g. profile::users) and storing user/group information in Hiera. Then each place in the code that needs the users can realize them by the corresponding tag. This assumes though that the requisite groups exist on all of the servers that you care about.

Here's a minimal example.

Their data is defined in Hiera:

# common.yaml
---
profile::users::users:
  auser:
    groups: ['webserver', 'mysql']
    tags:   ['users::webserver', 'users::mysql']
  anotheruser:
    groups: ['webserver']
    tags:   ['users::webserver']

They are declared in a common profile:

class profile::users (
  $users,
) {
  $users.each |$username, $info| {
    # The metaparameter is `tag` (singular); it accepts a string or an array.
    @user { $username:
      ensure => present,
      groups => $info['groups'],
      tag    => $info['tags'],
    }
  }
}

They are realized where they are needed:

class role::webserver {
  include profile::base
  include profile::webserver

  User <| tag == 'users::webserver' |>
}

You could also do a lot of that programmatically, e.g. defining tags based on group membership.
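As an added example (not the answer's code, and not from any particular module) that goes one step further than the snippet above: each user carries a list of roles in Hiera instead of a hand-written list of tags; the tags and the union of groups are derived from those roles; and every group any role refers to is declared centrally, so a collected user never lists a group that does not exist on the node. The Hiera key `profile::users::roles`, the role names and their groups are constructed for this example, and the `values`, `map`, `flatten` and `unique` functions assume Puppet 5.5 or later.

```puppet
# Added example, not part of the original answer. Constructed Hiera data
# this class expects (common.yaml):
#
# profile::users::roles:
#   sudo:    { groups: ['wheel'] }
#   web-dev: { groups: ['www-data'] }
#   mysql:   { groups: ['mysql'] }
# profile::users::users:
#   auser:       { roles: ['web-dev', 'mysql'] }
#   anotheruser: { roles: ['sudo'] }

class profile::users (
  Hash[String, Hash] $roles,
  Hash[String, Hash] $users,
) {
  # Declare every group any role refers to. The user type autorequires the
  # groups it is a member of, so groups are always managed before users.
  $all_groups = $roles.values.map |Hash $r| { $r['groups'] }.flatten.unique
  group { $all_groups:
    ensure => present,
  }

  $users.each |String $username, Hash $info| {
    $user_roles = $info['roles']

    # One tag per role: the same virtual user can then be collected by any
    # number of roles, which is what the question asks for.
    $user_tags = $user_roles.map |String $r| { "users::${r}" }

    # Group membership is the union over all of the user's roles.
    $user_groups = $user_roles.map |String $r| { $roles[$r]['groups'] }.flatten.unique

    @user { $username:
      ensure     => present,
      groups     => $user_groups,
      managehome => true,
      tag        => $user_tags,
    }
  }
}

# Each role class realizes only the users carrying its own tag. A user with
# several roles is simply collected by several of these classes.
class role::webserver {
  include profile::users
  User <| tag == 'users::web-dev' |>
}

class role::dbserver {
  include profile::users
  User <| tag == 'users::mysql' |>
}
```

Declaring all groups on every node is a deliberate trade-off: it avoids catalog failures for a user whose roles span nodes (auser above gets the mysql group on the webserver too), at the cost of a few otherwise unused groups. If you would rather not create groups a node never uses, move the group declaration into each role class and restrict it to that role's groups, but then a user with roles from several classes must also be collected where all of its groups exist.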