Tuesday, November 25, 2014

User management using puppet


When you host applications in a cloud such as AWS, you don't want those hosts to use your company's LDAP, which holds the company's private information, for security reasons, and you don't want to run that directory on hardware you don't own either.

So I had to come up with a new way of managing users in the cloud, and I decided to go with Puppet.
We are going to manage passwordless users, authenticated by an SSH key, through Puppet.
First we define the user with a Puppet defined type (the post calls it a "virtual" user).
Suppose the module is named accounts.
The init.pp file should look something like the following.
# init.pp file
define accounts::virtual ($uid, $realname, $pass, $sshkeytype, $sshkey) {
  include accounts::params

  # Pull in values from accounts::params
  $homepath = $accounts::params::homepath
  $shell    = $accounts::params::shell

  # Create the user. $pass is written to /etc/shadow as-is, so it must be
  # a password hash or a lock marker such as '!' or '*', never cleartext.
  user { $title:
    ensure     => 'present',
    uid        => $uid,
    gid        => $title,
    shell      => $shell,
    home       => "${homepath}/${title}",
    comment    => $realname,
    password   => $pass,
    managehome => true,
    require    => Group[$title],
  }

  # Create a matching group with the same numeric id as the user.
  # ensure => present is required, otherwise Puppet will not create a
  # missing group and the user resource above fails on its dependency.
  group { $title:
    ensure => present,
    gid    => $uid,
  }

  # Ensure the home directory exists with the right permissions
  file { "${homepath}/${title}":
    ensure  => directory,
    owner   => $title,
    group   => $title,
    mode    => '0700',
    require => [ User[$title], Group[$title] ],
  }

  # Ensure the .ssh directory exists with the right permissions
  file { "${homepath}/${title}/.ssh":
    ensure  => directory,
    owner   => $title,
    group   => $title,
    mode    => '0700',
    require => File["${homepath}/${title}"],
  }

  # Ensure the .bashrc file exists with the right permissions
  file { "${homepath}/${title}/.bashrc":
    ensure  => present,
    mode    => '0644',
    owner   => $title,
    group   => $title,
    source  => 'puppet:///modules/accounts/.bashrc',
    require => File["${homepath}/${title}"],
  }

  # Ensure the .bash_profile file exists with the right permissions
  file { "${homepath}/${title}/.bash_profile":
    ensure  => present,
    mode    => '0644',
    owner   => $title,
    group   => $title,
    source  => 'puppet:///modules/accounts/.bash_profile',
    require => File["${homepath}/${title}"],
  }

  # Ensure the .bash_logout file exists with the right permissions
  file { "${homepath}/${title}/.bash_logout":
    ensure  => present,
    mode    => '0644',
    owner   => $title,
    group   => $title,
    source  => 'puppet:///modules/accounts/.bash_logout',
    require => File["${homepath}/${title}"],
  }

  # Add the user's SSH key (skipped when no key is given).
  # type accepts 'rsa' as an alias; Puppet writes it as ssh-rsa in authorized_keys.
  if $sshkey != '' {
    ssh_authorized_key { $title:
      ensure => present,
      name   => $title,
      user   => $title,
      type   => $sshkeytype,
      key    => $sshkey,
    }
  }
}
In the manifest above, the .bashrc, .bash_logout and .bash_profile resources are optional; drop them if you don't want Puppet to manage those files. If you keep them, the source files must exist under the module's files directory (puppet:///modules/accounts/.bashrc maps to modules/accounts/files/.bashrc on the master).
Next, to add users to the node named agent, create a file named agent.pp inside the manifests directory and declare each required user there (this instantiates the accounts::virtual define for that user; the post calls it realizing the user).
# agent.pp file
class accounts::agent {
  accounts::virtual { 'keshab':
    uid        => 501,
    realname   => 'Keshab Budhathoky',
    pass       => '',
    sshkeytype => 'rsa',
    sshkey     => 'AAAAB3NzaC1yc2EAAAABIwAAAQEAukGeSEZJSn5GqN17oEkU95MPa+5KInJNx018LK3eeNDWhaixBJKEp9leFYZjATEMpPODt3L5whgcNuh4sNyRAQm0kEPhjtUC8n/dJK8ZJcfTVDK3gymhvzbe4LZpFOw+6l4AM8uhSzilk8Nq9bDhvmyOTGyR1NfPLjKnP9o9LWfSowRNMlU60SvLukQhqLkcqQX2ojKds+u0jT7LLZyFRjGeju6RQNHIMCX3ZVMHRfsFYIpSJuNttZAY8MBhk93ccgwCALQ0F+icQQ+jgyL3OeQ9Q7FNI/oOzUtJRNktgOZc9IqiBg6pJcIOrEWiS2iGweAQHJSgNIy/Miq234sgdf24tw34dew==',
  }
}
One caveat on pass => '': Puppet writes that value straight into the password field of /etc/shadow, so the field ends up empty. An empty field is not the same as a locked account; PAM configurations that allow nullok will accept a local login with no password at all. If the account is meant to be reachable only with the SSH key, pass a locked value such as '!' or '*' instead, and keep PermitEmptyPasswords at its default of no in sshd_config.
Then add the accounts::agent class to the node agent.
# nodes.pp file
node 'agent.example.com' { class { 'accounts::agent': } }
Run the Puppet agent on the client:
# puppet agent --test
You can add the --noop option for a dry run and --verbose for detailed output on the console.
Once the agent run succeeds, you should see the user in /etc/passwd, the home directory created at /home/keshab, and the RSA public key in /home/keshab/.ssh/authorized_keys.
When all of the above has worked, you should be able to log in from any other host without a password, provided you hold the matching private key.
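The manual checks just described (passwd entry, home directory, authorized_keys) can be scripted so the same verification runs after every agent run. The following is an added example, not code from the original post: a POSIX sh function that confirms the account exists with the expected home, that its password field is locked rather than empty, that the home and .ssh directories are mode 0700 (and owned by the user when run on the live host), and that the expected public key is installed. The default paths (/etc/passwd, /etc/shadow, /home as the home root) are assumptions that match the post's layout; the optional arguments let you point it at copied files to check a snapshot offline.

```shell
#!/bin/sh
# verify_account.sh: post-run check for a key-only account created by the
# accounts::virtual define. Added example, not code from the original post.
# Paths default to the live host (needs root to read /etc/shadow); pass copies
# of passwd/shadow and a home root to check a snapshot offline instead.
#
# Usage: verify_account USER KEYTYPE KEY [PASSWD] [SHADOW] [HOMEROOT]
#   KEYTYPE is the authorized_keys spelling: ssh-rsa for type => 'rsa'.
# Prints "FAIL: <reason>" and returns 1 on the first problem, 0 when all good.
verify_account() {
  user=$1
  keytype=$2
  key=$3
  passwd=${4:-/etc/passwd}
  shadow=${5:-/etc/shadow}
  homeroot=${6:-/home}        # must match accounts::params::homepath
  home="$homeroot/$user"

  # 1. The account exists and its home is where the define put it.
  entry=$(grep "^$user:" "$passwd") \
    || { echo "FAIL: $user not found in $passwd"; return 1; }
  [ "$(printf '%s\n' "$entry" | cut -d: -f6)" = "$home" ] \
    || { echo "FAIL: home of $user is not $home"; return 1; }

  # 2. The password field is locked: neither empty nor a usable hash.
  #    pass => '' in the manifest leaves it empty, which PAM's nullok
  #    treats as "no password required" for local login.
  [ -r "$shadow" ] || { echo "FAIL: cannot read $shadow (run as root)"; return 1; }
  hash=$(grep "^$user:" "$shadow" | cut -d: -f2)
  case "$hash" in
    '')        echo "FAIL: empty password field for $user"; return 1 ;;
    '!'*|'*'*) ;;   # locked: only the SSH key can get in
    *)         echo "FAIL: $user has a usable password hash"; return 1 ;;
  esac

  # 3. Home and .ssh are mode 0700 (and owned by the user on the live host).
  for d in "$home" "$home/.ssh"; do
    perm=$(ls -ld "$d" 2>/dev/null | cut -c1-10)
    [ "$perm" = "drwx------" ] \
      || { echo "FAIL: $d missing or not mode 0700 (got '$perm')"; return 1; }
    if [ "$passwd" = /etc/passwd ]; then
      owner=$(ls -ld "$d" | awk '{print $3}')
      [ "$owner" = "$user" ] || { echo "FAIL: $d is owned by $owner"; return 1; }
    fi
  done

  # 4. The expected public key is installed (fixed-string match, so the
  #    base64 blob is not interpreted as a pattern).
  grep -qF -- "$keytype $key" "$home/.ssh/authorized_keys" 2>/dev/null \
    || { echo "FAIL: key not present in $home/.ssh/authorized_keys"; return 1; }

  echo "OK: $user is a locked, key-only account"
  return 0
}

# Live use as root on the agent, with KEY set to the sshkey value from agent.pp:
# verify_account keshab ssh-rsa "$KEY"
```

Run it right after puppet agent --test; a non-zero exit is the signal to look at the agent log. The password-field check is the one the post's own instructions do not cover, and it is the one that distinguishes "no password set" from "password login disabled".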
