Manages OS groups and users using data bags.
This cookbook is based on and compatible with the Users cookbook. However, this implementation has only a single default
recipe and allows creating arbitrary groups and users without resorting to wrapper cookbooks and recipes. It does not use LWRPs with confusing actions.
- Create a group
- Create a user with SSH keys and add it to groups
- Store user data in encrypted data bags
- Ability to create users in specified environments only
- Chef 11+
- Data bags populated with user and group items
- Platforms
  - Ubuntu
  - Debian
  - CentOS
  - RedHat
  - Amazon Linux
- `default['opsline-users']['users_databag_name']` - name of the data bag that will hold users
- `default['opsline-users']['groups_databag_name']` - name of the data bag that will hold groups
- `default['opsline-users']['home_base_directory']` - directory where home directories will be created
This cookbook provides a single default recipe. It will create or remove the groups and users defined in the data bags. Simply add the default recipe to the run list to create the users.
The following resources will be created for each user:
- home directory (if not disabled)
- password in shadow file (if provided)
- `.ssh/authorized_keys` file (if provided)
- RSA or DSA private SSH key (if provided)
- RSA or DSA public SSH key (if provided)
Data bag can be either encrypted or not.
A sample group data bag item:
```json
{
  "id": "sysadmin",
  "action": "create",
  "groupname": "sysadmin",
  "gid": "1000",
  "environments": [
    "production"
  ]
}
```
- `id` - group name, or simply the data bag item name if `groupname` is provided
- `action` - either `create` or `remove` (to create or remove a group respectively)
- `gid` - group ID to be assigned to the group
- `groupname` - if provided, it takes precedence over `id`
- `environments` - array of environments where the group will be created

Setting the `action` field to `remove` will delete the group from the system. Users are not affected.
A sample user data bag item:
```json
{
  "id": "some_user",
  "action": "create",
  "username": "some_user",
  "uid": "1001",
  "gid": "1001",
  "password": "$1$salt$hash",
  "ssh_keys": [
    "ssh-rsa AAAA... comment1",
    "ssh-rsa AAAA... comment2"
  ],
  "ssh_private_key": "-----BEGIN RSA PRIVATE KEY-----\n...\n",
  "ssh_public_key": "ssh-rsa AAAA... comment3",
  "groups": [
    "sysadmin"
  ],
  "environments": [
    "production"
  ],
  "shell": "/bin/bash",
  "home": "/home/some_user",
  "comment": "Some User"
}
```
- `id` - user name, or simply the data bag item name if `username` is provided
- `action` - either `create` or `remove` (to create or remove a user respectively)
- `shell` - shell to be configured for the user
- `comment` - real name or comment
- `username` - if provided, it takes precedence over `id`
- `uid` - user ID for the user
- `gid` - group ID for the primary user group
- `password` - hashed user password that will go into the shadow file
- `ssh_keys` - array of SSH public keys that will be added to the `authorized_keys` file
- `ssh_private_key` - RSA or DSA private key; must be a single-line string (newlines replaced with `\n`)
- `ssh_public_key` - RSA or DSA public key
- `groups` - array of group names that the user will be added to
- `environments` - array of environments where the user will be created
- `home` - home directory (not created if `/dev/null` is provided)

Setting the `action` field to `remove` will delete the user from the system. The home directory with its entire content will also be deleted (along with all SSH keys).
User password hashes can be generated with the following commands.

```sh
# SHA-512 (preferred - command available on Linux)
mkpasswd -m sha-512
# MD5 (when the mkpasswd tool is not available)
openssl passwd -1 "plaintextpassword"
```
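As an added example (not part of the cookbook), a small Ruby check that validates a user item against the fields documented above before it is uploaded with knife, catching the two mistakes most likely to slip through: a misspelled field name and a plaintext value in `password`. The accepted hash prefixes and the OpenSSH key-type list are assumptions.

```ruby
require 'json'

# Added example, not part of the opsline-users cookbook. Field names
# follow the README; the accepted password hash prefixes and the
# key-type list are assumptions.
USER_FIELDS = %w[id action username uid gid password ssh_keys ssh_private_key
                 ssh_public_key groups environments shell home comment].freeze
ACTIONS = %w[create remove].freeze
# crypt(3) prefixes: $1$ MD5 (openssl passwd -1), $5$ SHA-256, $6$ SHA-512 (mkpasswd -m sha-512)
HASH_PREFIX = /\A\$(1|5|6)\$/

def validate_user_item(item)
  errors = []
  unknown = item.keys - USER_FIELDS
  errors << "unknown fields: #{unknown.join(', ')} (typo?)" unless unknown.empty?
  errors << 'missing "id"' unless item['id'].is_a?(String) && !item['id'].empty?
  errors << "action must be one of #{ACTIONS.join('/')}" unless ACTIONS.include?(item['action'])
  if item.key?('password') && item['password'] !~ HASH_PREFIX
    errors << 'password does not look like a crypt hash; store mkpasswd/openssl output, never plaintext'
  end
  Array(item['ssh_keys']).each_with_index do |k, i|
    errors << "ssh_keys[#{i}] is not an OpenSSH public key line" unless k =~ /\Assh-(rsa|dss)\s+\S+/
  end
  if item.key?('ssh_private_key') && item['ssh_private_key'] !~ /\A-----BEGIN .*PRIVATE KEY-----/
    errors << 'ssh_private_key is missing the PEM header'
  end
  %w[groups environments].each do |f|
    next unless item.key?(f)
    ok = item[f].is_a?(Array) && item[f].all? { |s| s.is_a?(String) }
    errors << "#{f} must be an array of strings" unless ok
  end
  errors
end

# Constructed sample: a user item with two defects a reviewer should catch,
# the "git" typo for "gid" and a plaintext password.
BAD_ITEM_JSON = <<~JSON
  { "id": "some_user", "action": "create", "git": "1001",
    "password": "hunter2", "ssh_keys": ["ssh-rsa AAAAB3Nz... comment1"],
    "groups": ["sysadmin"], "environments": ["production"] }
JSON

if $PROGRAM_NAME == __FILE__
  validate_user_item(JSON.parse(BAD_ITEM_JSON)).each { |e| puts "ERROR: #{e}" }
end
```

Run it over each item file before `knife data bag from file`; an empty result means the item matches the documented schema.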
- Author:: Radek Wierzbicki
Copyright 2016, OpsLine, LLC.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.