Version information
This version is compatible with:
- Puppet Enterprise >= 2015.3.0 < 2015.4.0
- Puppet >= 4.0.0 < 5.0.0
Start using this module
Add this module to your Puppetfile:
mod 'puppetlabs-accounts', '1.0.0'
Learn more about managing modules with a Puppetfile
accounts
Table of Contents
- Description
- Setup - The basics of getting started with accounts
- Usage - Configuration options and additional functionality
- Reference - An under-the-hood peek at what the module is doing and how
- Limitations - OS compatibility, etc.
- Development - Guide for contributing to the module
Description
The accounts module manages resources related to login and service accounts. This module replaces Puppet Enterprise's built-in pe_accounts module, which was removed from PE 2015.3 and later.
This module works on many UNIX/Linux operating systems. It does not support configuring accounts on Microsoft Windows platforms.
Setup
Beginning with accounts
Declare the accounts class in a Puppet-managed node's manifest:
node default {
  accounts::user { 'dan': }
  accounts::user { 'morgan': }
}
The above example creates accounts, home directories, and groups for Dan and Morgan.
Usage
Declare user accounts
accounts::user { 'bob':
  uid      => 4001,
  gid      => 4001,
  shell    => '/bin/bash',
  password => '!!',
  # sshkeys must be an array, even for a single key
  sshkeys  => ['ssh-rsa AAAA...'],
  locked   => false,
}
Customize the home directory
A simple bashrc and bash_profile rc file is managed by Puppet for each account. These rc files add some simple aliases, update the prompt, add ~/bin to the path, and source the following files (which are not managed by this module) in the following order:
/etc/bashrc
/etc/bashrc.puppet
~/.bashrc.custom
Account holders can customize their shells by managing their bashrc.custom files. In addition, the system administrator can make profile changes that affect all accounts with a bash shell by managing the /etc/bashrc.puppet file.
Lock accounts
Lock accounts by setting the locked parameter of an account to true.
For example:
accounts::user { 'villain':
  comment => 'Bad Person',
  locked  => true
}
The accounts module sets the account to an invalid shell appropriate for the system Puppet is managing and displays the following message if a user tries to access the account:
$ ssh villain@centos56
This account is currently not available.
Connection to 172.16.214.129 closed.
Manage SSH keys
Manage SSH keys with the sshkeys attribute of the accounts::user define. This parameter accepts an array of public key contents as strings.
Example:
accounts::user { 'jeff':
  comment => 'Jeff McCune',
  groups  => [
    'admin',
    'sudonopw',
  ],
  uid     => '1112',
  gid     => '1112',
  sshkeys => [
    'ssh-rsa AAAAB3Nza...== jeff@puppetlabs.com',
    'ssh-dss AAAAB3Nza...== jeff@metamachine.net',
  ],
}
Reference
Define: accounts::user
This resource manages the user, group, .vim/, .ssh/, .bash_profile, .bashrc, homedir, .ssh/authorized_keys files and directories.
bashrc_content
The content to place in the user's ~/.bashrc file. Default: undef
bash_profile_content
The content to place in the user's ~/.bash_profile file. Default: undef
comment
A comment describing or regarding the user. Accepts a string. Defaults to $name.
ensure
Specifies whether the user, its primary group, homedir, and ssh keys should exist. Valid values are 'present' and 'absent'. Note that when a user is created, a group with the same name as the user is also created. Default: 'present'.
gid
Specifies the gid of the user's primary group. Must be specified numerically. Default undef.
groups
Specifies the user's group memberships. Valid values: an array. Default: an empty array.
home
Specifies the path to the user's home directory. Default: /home/$name on Linux and /export/home/$name on Solaris for non-root users, and /root on Linux and / on Solaris for the root user.
home_mode
Manages the user's home directory permission mode. Valid values are in octal notation, specified as a string. Defaults to '0700', which gives the owner full read, write, and execute permissions, while group and other have no permissions.
locked
Whether the account should be locked and the user prevented from logging in. Set to true for users whose login privileges have been revoked. Valid values: true, false. Default: false.
managehome
Whether the user's home directory should be managed by Puppet. In addition to the usual user resource managehome qualities, this attribute also purges the user's homedir if ensure is set to absent and managehome is set to true. Default: true.
membership
Whether specified groups should be considered the complete list (inclusive) or the minimum list (minimum) of groups to which the user belongs. Valid values: 'inclusive', 'minimum'. Default: 'minimum'.
password
The user's password, in whatever encrypted format the local machine requires. Defaults to '!!', which prevents the user from logging in with a password.
shell
Manages the user shell. Default: '/bin/bash'.
sshkeys
An array of SSH public keys associated with the user. These should be complete public key strings that include the type and name of the key, exactly as the key would appear in its id_rsa.pub or id_dsa.pub file. Must be an array. Defaults to an empty array.
uid
Specifies the user's uid number. Must be specified numerically. Default: undef.
Limitations
This module works with Puppet Enterprise 2015.3 and later.
Changes from pe_accounts
The accounts module is designed to take the place of the pe_accounts module that shipped with PE 2015.2 and earlier. Some of the changes include the removal of the base class, improving the validation, and allowing more flexibility for which files should or should not be managed in a user's home directory. For example, the .bashrc and .bash_profile files are not managed by default but allow custom content to be passed in using the bashrc_content and bash_profile_content parameters. The content for these two files as managed by pe_accounts may continue to be used by passing bashrc_content => file('accounts/shell/bashrc') and bash_profile_content => file('accounts/shell/bash_profile') to the accounts::user type.
Development
If you run into an issue with this module, or if you would like to request a feature, please file a ticket.
If you have problems getting this module up and running, please contact Support.
Change log
All notable changes to this project will be documented in this file.
Supported Release 1.0.0
Summary:
This is the initial release of the rewrite of puppetlabs-pe_accounts for a more general usage.
The difference from the pe_accounts module is that the data model is gone, and with it the base class that accepts hashes (i.e., from hiera). Instead, the module is designed around the use of the accounts::user defined resource.
To regain the old hiera behavior, use the create_resources() function in combination with accounts::user; e.g.: create_resources('accounts::user', hiera_hash('accounts::users'))
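The data-driven pattern described above, combined with the locking and SSH key parameters from the Usage section, written out as an added example (not part of the module's own documentation). The user names, uids and key strings are constructed placeholders, and the inline $users hash is an assumption standing in for what hiera_hash('accounts::users') would return.

```puppet
# Constructed sample data. With Hiera this hash would live under the
# key 'accounts::users' and be fetched with hiera_hash('accounts::users').
$users = {
  # Active administrator: key-only login, explicit group list.
  'alice'   => {
    'comment'    => 'Alice Example',
    'uid'        => '4101',
    'gid'        => '4101',
    'groups'     => ['admin'],
    # 'inclusive' treats the groups above as the complete list,
    # so memberships added outside Puppet are not kept.
    'membership' => 'inclusive',
    'sshkeys'    => [
      'ssh-rsa AAAA...placeholder... alice@example.com',
    ],
  },
  # Service account: no SSH keys declared, no password login.
  'deploy'  => {
    'comment' => 'Deployment service account',
    'uid'     => '4102',
    'gid'     => '4102',
  },
  # Revoked user: kept in the catalog but locked, so the module
  # sets an invalid shell instead of leaving the account unmanaged.
  'mallory' => {
    'comment' => 'Login privileges revoked',
    'uid'     => '4103',
    'gid'     => '4103',
    'locked'  => true,
  },
}

# Values applied to every entry that does not override them.
# These restate the documented defaults so the policy is explicit in code:
# '!!' blocks password logins, '0700' keeps home directories owner-only.
$account_defaults = {
  'ensure'    => 'present',
  'shell'     => '/bin/bash',
  'password'  => '!!',
  'home_mode' => '0700',
}

# One accounts::user resource is declared per key of $users.
create_resources('accounts::user', $users, $account_defaults)
```

Keeping revoked users in the data with locked set to true, rather than deleting their entries, keeps the lock enforced on every Puppet run.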
Dependencies
- puppetlabs/stdlib (>= 3.4.0 < 5.0.0)
Copyright (C) 2012 Puppet Labs Inc Puppet Labs can be contacted at: info@puppetlabs.com Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.