access

Configure /etc/security/access.conf

Version information

  • 4.0.1+forge (latest)
released Aug 10th 2020
This version is compatible with:
  • Puppet Enterprise 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x, 2017.3.x, 2017.2.x, 2016.4.x
  • Puppet >= 4.10.0 < 7.0.0

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'infrabellinuxteam-access', '4.0.1+forge'

Add this module to your Bolt project:

bolt module add infrabellinuxteam-access

Manually install this module globally with Puppet module tool:

puppet module install infrabellinuxteam-access --version 4.0.1+forge

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.

Documentation

infrabellinuxteam/access — version 4.0.1+forge Aug 10th 2020

access

Table of Contents

  1. Module Description
  2. Setup
  3. Usage
  4. Limitations
  5. Development

Module description

Configure entries in access.conf.

Setup

What access affects

By default, the module will purge all unmanaged rules (this includes comments). If you do not want this to happen, set the $purge parameter to false.

Comments are considered as rules, so the resulting file will not have any comments.

Beginning with access

Including the main access class is recommended but is not required.

include access

Rules are generated with accessrule.

accessrule {'400 ALLOW ADMINS':
    permission => '+',
    who        => [
        '@ADMINS'
    ],
    origin     => [
        'ALL'
    ],
}

Usage

If you wish to purge all non-managed access rules, you have to include the access class. Otherwise, including it is optional (but you must set $purge to false to prevent purging of unmanaged rules).

Each accessrule resource must have a name of the form "<number> <description>". The number determines the order in the access.conf file. Lower numbers go first, and pam_access uses the first matching line to decide whether or not to give access.

Comments are always removed, even when $purge is set to false.

Without purging

class {'access':
    purge => false
}

All existing rules are converted to 9999 <hash of the rule>. If your access rules must come before the existing ones, give them a name with a lower number; if they must come after, give them a higher one. It is not possible to insert them in between.

accessrule {'10000 DENY ALL':
    permission => '-',
    who        => [
        'ALL'
    ],
    origin     => [
        'ALL'
    ],
}

With purging

include access

The number in the name of the resource determines the order in which they appear in the file. Between resources with the same number, the order can't be guaranteed. If two resources must be in a specific order, it is recommended to give them a different number.

accessrule {'200 ALLOW ADMINS':
    permission => '+',
    who        => [
        '@Admins'
    ],
    origin     => [
        'jumpserver1',
        'jumpserver2'
    ]
}

accessrule {'999 DENY ALL':
    permission => '-',
    who        => [
        'ALL'
    ],
    origin     => [
        'ALL'
    ],
}
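
To check the effect of rule numbering before applying a catalog, the following added example (not part of the module) models the ordering and first-match behaviour described above. It assumes numeric sorting of the title prefix and space-joined list entries, treats "@name" as a membership the caller supplies, and does not model other pam_access syntax such as EXCEPT or network ranges; the function names and sample hosts are hypothetical.

```python
import re

# Constructed sample mirroring the "With purging" resources above:
# resource title -> (permission, who, origin)
RULES = {
    "999 DENY ALL": ("-", ["ALL"], ["ALL"]),
    "200 ALLOW ADMINS": ("+", ["@Admins"], ["jumpserver1", "jumpserver2"]),
}

def ordered(rules):
    """Return rule tuples sorted by the numeric prefix of the title."""
    def number(title):
        m = re.match(r"(\d+)\s+\S", title)
        if m is None:
            raise ValueError(f"title is not '<number> <description>': {title!r}")
        return int(m.group(1))
    return [rules[t] for t in sorted(rules, key=number)]

def render(rules):
    """access.conf lines in file order (permission:users:origins)."""
    # Assumption: list entries are joined with spaces.
    return [f"{p}:{' '.join(w)}:{' '.join(o)}" for p, w, o in ordered(rules)]

def decide(rules, user, memberships, origin):
    """First matching line decides; no match means access is granted."""
    for perm, who, origins in ordered(rules):
        who_ok = any(
            w in ("ALL", user) or (w.startswith("@") and w[1:] in memberships)
            for w in who
        )
        if who_ok and any(o in ("ALL", origin) for o in origins):
            return perm == "+"
    return True  # pam_access permits the login when no line matches

def ends_with_deny_all(rules):
    """True when the last line in file order is '-:ALL:ALL'."""
    lines = render(rules)
    return bool(lines) and lines[-1] == "-:ALL:ALL"
```

With purge set to false, a permissive pre-existing line kept at 9999 still matches before a 10000 deny-all, so review the unmanaged lines as well as the managed ones.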

Limitations

This module can't handle comments; they are removed if they are encountered, even if you set $purge to false.

The order of rules with the same number is not guaranteed (but usually does not change).

Development

Submit pull requests for new features or bugfixes on our GitHub repository.