A convenient Chef LWRP to manage user accounts and SSH keys
This project is maintained by fnichol
A convenient Chef LWRP to manage user accounts and SSH keys. This is not the Opscode users cookbook.
Simply include recipe[user]
in your run_list and the user_account
resource will be available.
To use recipe[user::data_bag]
, include it in your run_list and have a
data bag called "users"
with an item like the following:
{
"id" : "hsolo",
"comment" : "Han Solo",
"home" : "/opt/hoth/hsolo",
"groups" : ["admin", "www-data"],
"ssh_keys" : ["123...", "456..."]
}
or a user to be removed:
{
"id" : "lando",
"action" : "remove"
}
If you have a username containing a period, use a dash in the data bag item
and set a username
attribute:
{
"id" : "luke-skywalker",
"username" : "luke.skywalker",
"action" : ["create", "lock"]
}
The data bag recipe will iterate through a list of usernames defined in
node['users']
(by default) and attempt to pull in the user's information
from the data bag item. In other words, having:
node['users'] = ['hsolo', 'lando', 'luke.skywalker']
will set up the hsolo
user information and not use the lando
user
information.
Tested on 0.10.8 but newer and older version should work just fine. File an issue if this isn't the case.
The following platforms have been tested with this cookbook, meaning that the recipes run on these platforms without error:
There are no external cookbook dependencies.
Depending on the situation and use case there are several ways to install this cookbook. All the methods listed below assume a tagged version release is the target, but omit the tags to get the head of development. A valid Chef repository structure like the Opscode repo is also assumed.
To install this cookbook from the Community Site, use the knife command:
knife cookbook site install user
Berkshelf is a cookbook dependency manager and development workflow assistant. To install Berkshelf:
cd chef-repo
gem install berkshelf
berks init
To use the Community Site version:
echo "cookbook 'user'" >> Berksfile
berks install
Or to reference the Git version:
repo="fnichol/chef-user"
latest_release=$(curl -s https://api.github.com/repos/$repo/git/refs/tags \
| ruby -rjson -e '
j = JSON.parse(STDIN.read);
puts j.map { |t| t["ref"].split("/").last }.sort.last
')
cat >> Berksfile <<END_OF_BERKSFILE
cookbook 'user',
:git => 'git://github.com/$repo.git', :branch => '$latest_release'
END_OF_BERKSFILE
berks install
Librarian-Chef is a bundler for your Chef cookbooks. To install Librarian-Chef:
cd chef-repo
gem install librarian
librarian-chef init
To use the Opscode platform version:
echo "cookbook 'user'" >> Cheffile
librarian-chef install
Or to reference the Git version:
repo="fnichol/chef-user"
latest_release=$(curl -s https://api.github.com/repos/$repo/git/refs/tags \
| ruby -rjson -e '
j = JSON.parse(STDIN.read);
puts j.map { |t| t["ref"].split("/").last }.sort.last
')
cat >> Cheffile <<END_OF_CHEFFILE
cookbook 'user',
:git => 'git://github.com/$repo.git', :ref => '$latest_release'
END_OF_CHEFFILE
librarian-chef install
This recipe is a no-op and does nothing.
Processes a list of users with data drawn from a data bag. The default data bag
is users
and the list of user account to create on this node is set on
node['users']
.
The default parent path of a user's home directory. Each resource can override
this value which varies by platform. Generally speaking, the default value is
"/home"
.
The default user shell given to a user. Each resource can override this value
which varies by platform. Generally speaking, the default value is
"/bin/bash"
.
The default Unix permissions applied to a user's home directory.
The default is "2755"
.
Whether of not to manage the home directory of a user by default. Each resource can override this value. The are 2 valid states:
"true"
, true
, or "yes"
: will manage the user's home directory."false"
, false
, or "no"
: will not manage the user's home directory.The default is true
.
Whether of not to allow the creation of a user account with a duplicate UID. Each resource can override this value. The are 2 valid states:
"true"
, true
, or "yes"
: will allow duplicate UIDs."false"
, false
, or "no"
: will not allow duplicate UIDs.The default is false
.
Whether or not to to create a group with the same name as the user by default. Each resource can override this value. The are 2 valid states:
"true"
, true
, or "yes"
: will create a group for the user by default."false"
, false
, or "no"
: will not create a group for the user by default.The default is true
.
Whether or not to generate an SSH keypair for the user by default. Each resource can override this value. There are 2 valid states:
"true"
, true
, or "yes"
: will generate an SSH keypair when the account
is created."false"
, false
, or "no"
: will not generate an SSH keypair when the account
is created.The default is true
.
The data bag name containing a group of user account information. This is used
by the data_bag
recipe to use as a database of user accounts.
The default is "users"
.
The node attributes containing an array of users to be managed. If a nested
hash in the node's attributes is required, then use a /
between subhashes.
For example, if the users' array is stored in node['system']['accounts']
),
then set node['user']['user_array_node_attr']
to "system/accounts"
.
The default is "users"
.
Note: in order to use the password
attribute, you must have the
ruby-shadow gem installed. On Debian/Ubuntu you can get
this by installing the "libshadow-ruby1.8" package.
Action | Description | Default |
---|---|---|
create |
Create the user, its home directory, .ssh/authorized_keys ,
and .ssh/{id_dsa,id_dsa.pub} .
|
Yes |
remove | Remove the user account. | |
modify | Modiy the user account. | |
manage | Manage the user account. | |
lock | Lock the user's password. | |
unlock | Unlock the user's password. |
Attribute | Description | Default Value |
---|---|---|
username | Name attribute: The name of the user. | nil |
comment | Gecos/Comment field. | nil |
uid | The numeric user id. | nil |
gid | The primary group id. | nil |
home | Home directory location. | "#{node['user']['home_root']}/#{username} |
shell | The login shell. | node['user']['default_shell'] |
password | Shadow hash of password. | nil |
system_user | Whether or not to create a system user. | false |
manage_home | Whether or not to manage the home directory. | true |
non_unique | Whether or not to allow the creation of a user account with a duplicate UID. | false |
create_group | Whether or not to to create a group with the same name as the user. | node['user']['create_group'] |
ssh_keys |
A String or Array of SSH public keys to populate the
user's .ssh/authorized_keys file.
|
[] |
ssh_keygen | Whether or not to generate an SSH keypair for the user. | node['user']['ssh_keygen'] |
user_account 'hsolo' do
comment 'Han Solo'
ssh_keys ['3dc348d9af8027df7b9c...', '2154d3734d609eb5c452...']
home '/opt/hoth/hsolo'
end
user_account 'lando' do
action [:create, :lock]
end
user_account 'obiwan' do
action :remove
end
Pull requests are very welcome! Make sure your patches are well tested. Ideally create a topic branch for every separate change you make.
Author:: [Fletcher Nichol]fnichol
Copyright 2011, Fletcher Nichol
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.