Version information
This version is compatible with:
- Puppet Enterprise 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x
- Puppet >= 5.5.0 < 8.0.0
Start using this module
Add this module to your Puppetfile:
mod 'tails-rbac', '0.1.1'
rbac
Table of Contents
- Description
- Setup - The basics of getting started with rbac
- Usage - Configuration options and additional functionality
- Limitations - OS compatibility, etc.
Description
This module allows for role based access control of users. It requires having all your user data in a hash in hiera, along with a hash describing which users have which role. Access to systems can be granted in your profiles based on the appropriate role. The rbac module ensures that only users with the appropriate role have access; any other known user is purged.
Setup
What rbac affects
This module will purge any user in the users hash that has not explicitly been granted access.
Beginning with rbac
You need to have an rbac::users and an rbac::roles entry in your hiera. For example:
rbac::users:
  user1:
    userparams:
      uid: 1001
      shell: /bin/bash
    email: user1@example.org
    sshkeys:
      personal:
        type: ssh-rsa
        key: AAAAACAB...
  user2:
    userparams:
      uid: 1002
      shell: /bin/bash
    email: user2@example.org
    sshkeys:
      personal:
        type: ssh-rsa
        key: AAAA1312...
rbac::roles:
  sysadmins:
    - user1
  webdevs:
    - user1
    - user2
Usage
Start by including rbac:
include ::rbac
Then, in your profiles, you can set which role is to have access to the system:
rbac::user { 'sysadmins': }
This will ensure everyone with the sysadmins role has a user on the system.
You may also want to grant users with a certain role ssh access to a (system) user:
rbac::ssh { 'webdevs-to-www-data':
  user => 'www-data',
  role => 'webdevs',
}
This will add the ssh keys of everyone with the webdevs role to www-data's authorized_keys. Note: it is up to you to ensure www-data's authorized_keys are managed through Puppet with purge_ssh_keys set to true; otherwise, removing a user from the webdevs role may not have the desired result of revoking their access.
Finally, you may grant users membership to a POSIX group based on their role:
rbac::group { 'sysadmins-to-sudo':
  group => 'sudo',
  role  => 'sysadmins',
}
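A profile that ties the Usage steps together, added here as an example rather than code from the tails-rbac module; the class name profile::webserver, the login shell given to www-data and the source network in the key options are assumptions:

```puppet
# Added example (not part of the tails-rbac module): a profile that grants
# access by role and makes the revocation caveat from the Usage section hold.
# The class name and the address range in the key options are assumptions.
class profile::webserver {
  # Users are defined once in hiera (rbac::users / rbac::roles); this class
  # only says which roles get access here. Anyone in rbac::users without a
  # matching role on this system is purged by the rbac class.
  include ::rbac

  # Every user with the sysadmins role gets a local account and their ssh keys.
  rbac::user { 'sysadmins': }

  # ... and membership of the sudo group (no one else stays in it).
  rbac::group { 'sysadmins-to-sudo':
    group => 'sudo',
    role  => 'sysadmins',
  }

  # The shared service user must be managed here with purge_ssh_keys => true:
  # rbac::ssh only adds keys for current role members, so without purging a
  # key would stay in authorized_keys after the user leaves the role.
  # A login shell is needed for ssh logins (assumed; www-data usually has none).
  user { 'www-data':
    ensure         => present,
    shell          => '/bin/bash',
    purge_ssh_keys => true,
  }

  # Web developers may ssh in as www-data, with sshd(8) key options that
  # deny forwarding and limit the source network (RFC 5737 example range).
  rbac::ssh { 'webdevs-to-www-data':
    user    => 'www-data',
    role    => 'webdevs',
    options => [
      'no-port-forwarding',
      'no-agent-forwarding',
      'from="192.0.2.0/24"',
    ],
    require => User['www-data'],
  }
}
```

Removing user2 from the webdevs role in hiera now both drops their key from www-data's authorized_keys (via purge_ssh_keys) and, since they hold no other role here, removes their account through the rbac class.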
Limitations
- Datasources for users and roles other than hiera are not supported.
- Home directories other than /home/username are not supported.
Reference
Table of Contents
Classes
rbac
: A simple RBAC implementation for managing users
Defined types
Public Defined types
rbac::group
: Grants membership of a posix group based on roles.
rbac::ssh
: Grants ssh access based on roles.
rbac::user
: Creates users based on their role
Private Defined types
rbac::sshto
: Grants ssh access based on roles.
Classes
rbac
This class ensures that any user in the provided userlist who has not been granted access on the system through one of this module's defined types is purged from the system.
Examples
include rbac
Parameters
The following parameters are available in the rbac class.
users
Data type: Hash
A hash with user data
roles
Data type: Hash
A hash with roles and lists of users having said role
Defined types
rbac::group
Calling rbac::group will ensure that every user with the given role, as well as any user in the additional_members array, and only these users, will be members of the given group.
Examples
rbac::group { 'foo':
  group => 'foo',
  role  => 'myrole',
}
Parameters
The following parameters are available in the rbac::group defined type.
group
Data type: String
The group that users with the specified role will be members of.
role
Data type: Optional[String]
The role users must have to be a member of the given group.
Default value: undef
additional_members
Data type: Array[String]
Additional users that should be members of the given group but do not have the specified role.
Default value: []
rbac::ssh
Calling rbac::ssh will ensure that the ssh keys of everyone in the rbac::users hash with the appropriate role will be added to the authorized_keys of the given user.
Examples
rbac::ssh { 'foo':
  user => 'bar',
  role => 'myrole',
}
Parameters
The following parameters are available in the rbac::ssh defined type.
user
Data type: String
The user to which ssh access will be granted.
role
Data type: String
The role users must have to have ssh access to the given user.
options
Data type: Array
An array with key options; see sshd(8) for possible values
Default value: []
rbac::user
Calling rbac::user will ensure that every user in the rbac::users hash with the given role will be present on the system and accessible using the provided ssh keys.
Examples
rbac::user { 'myrole': }
Parameters
The following parameters are available in the rbac::user defined type.
role
Data type: String
The role users must have to be present and have access to this system.
Default value: $title
ssh
Data type: Boolean
Whether or not ssh access should be managed by rbac
Default value: true
mailalias
Data type: Boolean
Whether or not mail aliases should be managed by rbac
Default value: true
Dependencies
- puppetlabs-stdlib (>= 5.0.0 <= 8.4.0)
- puppetlabs-sshkeys_core (>= 1.0.0 <= 2.3.0)
- puppetlabs-mailalias_core (>= 1.0.0 <= 1.1.0)
- puppet-groupmembership (>= 1.0.0 <= 2.0.0)