Version information
This version is compatible with:
- RedHat, CentOS, OracleLinux, Scientific, Debian, Ubuntu, SmartOS, OmniOS, FreeBSD, OpenBSD, AIX, Darwin, Gentoo, Archlinux, Amazon, Suse
Start using this module
Documentation
puppet-sudo 
https://github.com/saz/puppet-sudo
Manage sudo configuration via Puppet
Supported Puppet versions
- Puppet >= 4
- Last version supporting Puppet 3: v4.2.0
Supported OS
Some family and some specific os are supported by this module
- debian osfamily (debian, ubuntu, kali, ...)
- redhat osfamily (redhat, centos, fedora, ...)
- suse osfamily (suse, opensuse, ...)
- solaris osfamily (Solaris, OmniOS, SmartOS, ...)
- freebsd osfamily
- openbsd osfamily
- aix osfamily
- darwin osfamily
- gentoo operating system
- archlinux operating system
- amazon operating system
Gittip
Usage
WARNING
This module will purge your current sudo config
If this is not what you're expecting, set purge and/or config_file_replace to false
Install sudo with default sudoers
Purge current sudo config
class { 'sudo': }
Purge sudoers.d directory, but leave sudoers file as it is
class { 'sudo':
config_file_replace => false,
}
Leave current sudo config as it is
class { 'sudo':
purge => false,
config_file_replace => false,
}
Use LDAP along with sudo
Sudo do not always include by default the support for LDAP. On Debian and Ubuntu a special package sudo-ldap will be used. On Gentoo there is also the needing to include puppet portage module by Gentoo. If not present, only a notification will be shown.
class { 'sudo':
ldap_enable => true,
}
Adding sudoers configuration
Using Code
class { 'sudo': }
sudo::conf { 'web':
source => 'puppet:///files/etc/sudoers.d/web',
}
sudo::conf { 'admins':
priority => 10,
content => '%admins ALL=(ALL) NOPASSWD: ALL',
}
sudo::conf { 'joe':
priority => 60,
source => 'puppet:///files/etc/sudoers.d/users/joe',
}
Using Hiera
A hiera hash may be used to assemble the sudoers configuration. Hash merging is also enabled, which supports layering the configuration settings.
Examples using:
- YAML backend
- an environment called production
- a /etc/puppet/hiera.yaml hierarchy configuration:
:hierarchy:
- "%{environment}"
- "defaults"
Load module
Load the module via Puppet Code or your ENC.
include sudo
Configure Hiera YAML (defaults.yaml)
These defaults will apply to all systems.
sudo::configs:
'web':
'source' : 'puppet:///files/etc/sudoers.d/web'
'admins':
'content' : '%admins ALL=(ALL) NOPASSWD: ALL'
'priority' : 10
'joe':
'priority' : 60
'source' : 'puppet:///files/etc/sudoers.d/users/joe'
Configure Hiera YAML (production.yaml)
This will only apply to the production environment. In this example we are:
- inheriting/preserving the web configuration
- overriding the admins configuration
- removing the joe configuration
- adding the bill template
lookup_options:
sudo::configs:
merge:
strategy: deep
merge_hash_arrays: true
sudo::configs:
'admins':
'content' : "%prodadmins ALL=(ALL) NOPASSWD: ALL"
'priority' : 10
'joe':
'ensure' : 'absent'
'source' : 'puppet:///files/etc/sudoers.d/users/joe'
'bill':
'template' : "mymodule/bill.erb"
In this example we are:
- inheriting/preserving the web configuration
- overriding the admins:content setting
- inheriting/preserving the admins:priority setting
- inheriting/preserving the joe:source and joe:priority settings
- removing the joe configuration
- adding the bill template
lookup_options:
sudo::configs:
merge:
strategy: deep
merge_hash_arrays: true
sudo::configs:
'admins':
'content' : "%prodadmins ALL=(ALL) NOPASSWD: ALL"
'joe':
'ensure' : 'absent'
'bill':
'template' : "mymodule/bill.erb"
Set a custom name for the sudoers file
In some edge cases, the automatically generated sudoers file name is insufficient. For example, when an application generates a sudoers file with a fixed file name, using this class with the purge option enabled will always delete the custom file and adding it manually will generate a file with the right content, but the wrong name. To solve this, you can use the sudo_file_name option to manually set the desired file name.
sudo::conf { "foreman-proxy":
ensure => "present",
source => "puppet:///modules/sudo/foreman-proxy",
sudo_file_name => "foreman-proxy",
}
sudo::conf / sudo::configs notes
- One of content or source must be set.
- Content may be an array, string will be added with return carriage after each element.
- In order to properly pass a template() use template instead of content, as hiera would run template function otherwise.
sudo class parameters
| Parameter | Type | Default | Description |
|---|---|---|---|
| enable | boolean | true | Set this to remove or purge all sudoers configs |
| package | string | OS specific | Set package name (for unsupported platforms) |
| package_ensure | string | present | latest, absent, or a specific package version |
| package_source | string | OS specific | Set package source (for unsupported platforms) |
| purge | boolean | true | Purge unmanaged files from config_dir |
| purge_ignore | string | undef | Files excluded from purging in config_dir |
| config_file | string | OS specific | Set configfile (for unsupported platforms)_ |
| config_file_replace | boolean | true | Replace config file with module config file |
| includedirsudoers | boolean | OS specific | Add #includedir /etc/sudoers.d with augeas |
| config_dir | string | OS specific | Set configdir (for unsupported platforms)_ |
| content | string | OS specific | Alternate content file location |
| ldap_enable | boolean | false | Add support to LDAP |
| configs | hash | {} | A hash of sudo::conf's |
sudo::conf class / sudo::configs hash parameters
| Parameter | Type | Default | Description |
|---|---|---|---|
| ensure | string | present | present or absent |
| priority | number | 10 | file name prefix |
| content | string | undef | content of configuration snippet |
| source | string | undef | source of configuration snippet |
| template | string | undef | template of configuration snippet |
| sudo_config_dir | string | OS Specific | configuration snippet directory (for unsupported platforms) |
| sudo_file_name | string | undef | custom file name for sudo file in sudoers directory |
Changelog
All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
[6.0.0]
Breaking changes
- Remove sudo::configs, move hiera lookups to init.pp (#228)
Fixed
- Do not ensure package, when it's undefined (#213)
- Fix regex matching rhel 5.1 to 5.4 only (#217)
- Add systemctl commands back to SERVICES alias (#224, #225)
Added
- Add Puppet 6 to travis checks
- Allow usage of sudoreplay (#231)
Changed
- Let $purge_ignore accept an array of strings (#211)
- Update Puppet version requirement to include version 6 (#230, #234)
Removed
- Drop Ruby 2.1 from travis checks
Dependencies
- puppetlabs/stdlib (>=2.6.0 < 7.0.0)
Copyright 2012 Steffen Zieger
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.