Version information
This version is compatible with:
- Puppet Enterprise 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x
- Puppet >= 6.1.0 < 8.0.0
- , , , , , , , , ,
Start using this module
Add this module to your Puppetfile:
mod 'ploperations-account', '2.1.0'Learn more about managing modules with a PuppetfileDocumentation
Manage user accounts
This module manages user accounts on Linux, FreeBSD, macOS, and Windows. It supports managing overlapping groups of users across many nodes.
It can (optionally) use the ploperations/ssh module to set up SSH keys for each user. (The module must be installed, but it doesn't have to be used.)
Table of Contents
Quick start
Create a centralized class (or classes) to define all of the users that might
be used on any node. Define each user as a virtual account::user resource,
and each group as a virtual group:
@group {
'users': uid => 1000;
'admins': uid => 1001;
'puppet': uid => 1002;
}
@account::user { 'luke':
uid => 1000,
group => 'users'
groups => ['admins', 'puppet'],
key => 'AAAAB3NzaC...2RxOBG+CeNcUeiLWPUQ==',
keytype => 'ssh-rsa',
}
@account::user { 'daniel':
uid => 1001,
group => 'users'
groups => ['puppet'],
key => 'AAAAC3NzaC1lZDI1NTE5AAAAII6GXwvVY2ncrtsmOmylMweuOtBSUNS7gZXyjWR37oEL',
keytype => 'ssh-ed25519',
}
To realize users on a particular node, just use a collector in a profile:
class profile::base {
Account::User <| groups == 'admins' |>
}
You can realize multiple overlapping groups:
class profile::access::puppet {
Account::User <| groups == 'admins' |>
Account::User <| groups == 'puppet' |>
}
Note that you do not need to realize the groups directly; account::user will
do that for you.
Usage
uid and gid gotchas
You may leave out the uid and gid parameters.
Either always set uid, or never set uid. If you set uids for some
users but not for others, you will inevitably get uid conflicts when you make
changes. The same is true for groups.
Note that changing a user's uid will not update the uid on all of that
user's files. In order to do that, you will need to run something like the
following on each affected node:
# find / -user 1001 -print0 | xargs -0 chown 1034
(1001 is the old uid and 1034 is the new uid.)
uid and gid are ignored on Windows.
Passwords
Passwords are handled differently on splatnix (Linux, BSD, etc.) and Windows.
On splatnix, the password must be in crypt format, and on Windows, the
password must be plain text.
For those reasons it's better to put the passwords in hiera rather than pass
them directly to the account::user resource. Here's an example of a user that
has the password “hunter2” on both Windows an Linux.
account::user:
adam:
windows_password: 'hunter2'
crypted_password: '$1$QQ8nAVHM$QvthrGVnY2BNu1bJmi7u90'
It's better yet to encrypt those values with Hiera eyaml. Using eyaml would result in something like the following:
account::user:
adam:
windows_password: ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCA...ghP+fdY1Wd]
crypted_password: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCA...SqktJ8Sk8=]
Note the accounts must have passwords on Windows. Defining account::user
without a password on Windows will cause that user to be removed.
Predefining home directory files
Some users may have custom configuration they always want in their home
directory. You can use the home_source_module parameter to accomplish that.
For example, you could add a custom .bashrc for luke by 1) adding the
home_source_module parameter:
home_source_module => 'profile/users`
Then, 2) create a luke directory with his .bashrc under the profile::users
class, e.g. site/profile/files/users/luke/.bashrc.
home_source_module does nothing on Windows.
Shared accounts
account::user provides for creating shared accounts, e.g. a deploy account
that multiple users can SSH into.
In order for this to work, you have to realize the Ssh::Authorized_keys, for
the shared account. Those resources are created with the tag
${shared_account}-keys. For example, the shared deploy account would have
keys with the tag deploy-keys.
class profile::users {
@account::user { 'gene':
uid => 1002,
group => 'users'
groups => ['admins', 'puppet'],
key => 'AAAAC3NzaC1lZDI1NTE5AAAAIEWkzdlEVmGoAcboiwE16uCuN5dg8xy5mcCPfVnsXMTq',
keytype => 'ssh-ed25519',
shared_accounts => ['deploy'],
}
@group { 'deploy': gid => 2000 }
@account::user { 'deploy':
uid => 2000,
group => 'deploy',
}
}
class profile::deploy {
realize Account::User['deploy']
Ssh::Authorized_key <| tag == "deploy-keys" |>
}
You may specify shared accounts for all users in hiera. These cannot be overidden per user.
account::common_shared_accounts:
- 'shared'
Cygwin
If you're using Cygwin, you must specify cygwin::enable: true in hiera.
account::grant and friends
account::grant is used to add users to groups conditionally. Somewhat
confusingly, it selects the users to add based on group as well. An example
will probably help.
Suppose you have a sysadmin group that should have administrative access on
all nodes. You might want to give them access to the adm group as well. You
can do like this:
account::grant::group { 'adm>sysadmin': }
This is particularly useful to grant certain users Administrators access on
only a few Windows nodes. For convenience, you can use
account::grant::administrators. For example:
@group { ['Administrators', 'puppet-agent-team']: }
account::grant::administrators { 'puppet-agent-team': }
Reference
There are more examples and specific documentation for individual parameters in REFERENCE.md. That file is generated with:
pdk bundle exec puppet strings generate --format markdown
Reference
Table of Contents
Classes
account: Parameters needed by defined types in this module
Defined types
Public Defined types
account::grant::administrators: Grant accounts Administrators access on Windowsaccount::grant::group: Grant accounts access to a specific groupaccount::grant::rdp: Grant accounts RDP access on Windowsaccount::user: Manage a user account
Private Defined types
account::user::splatnix: This is not intended to be used directly. Use account::user instead.account::user::windows: This is not intended to be used directly. Use account::user instead.
Data types
Account::Date: A date for the password expiration parameter
Classes
account
There's no need to instantiate this class; it does nothing. It's used for setting parameters in hiera that account::user and friends can access.
Parameters
The following parameters are available in the account class:
common_shared_accounts
Data type: Array[String[1]]
An array of shared accounts to which all users will have their keys added.
Default value: []
cygwin
Data type: Boolean
Whether or not to use Cygwin on Windows. This defaults to the value of
cygwin::enable in hiera, which is where you should set it. (It, in turn,
defaults to false.)
Default value: lookup('cygwin::enable', Boolean, undef, false)
Defined types
account::grant::administrators
This takes all accounts in a specified group, and adds them to the Administrators group. On splatnix this does nothing.
Examples
Give all the sysadmins administrative access
account::grant::administrators { 'sysadmin': }
Parameters
The following parameters are available in the account::grant::administrators defined type:
to_group
Data type: String[1]
The group to give administrative access to. Generally, you should just use the title.
Default value: $title
account::grant::group
This grants all accounts with access to one group, access to another group.
Examples
Add all sysadmins to the adm group
account::grant::group { 'adm>sysadmin': }
Another way to add all sysadmins to the adm group
account::grant::group { 'give sysadmins adm access':
new_group => 'adm',
to_group => 'sysadmin',
}
Parameters
The following parameters are available in the account::grant::group defined type:
new_group
Data type: String[1]
The new group. Generally, you should just use the title.
Default value: ('>')[0]
to_group
Data type: String[1]
The group that will get the new access. Generally, you should just use the title.
Default value: ('>')[1]
account::grant::rdp
This takes all accounts in a specified group, and adds them to the Remote Desktop Users group. On splatnix this does nothing.
Examples
Give all users RDP access
account::grant::rdp { 'Users': }
Parameters
The following parameters are available in the account::grant::rdp defined type:
to_group
Data type: String[1]
The group to give RDP access to. Generally, you should just use the title.
Default value: $title
account::user
Manage a user account
Parameters
The following parameters are available in the account::user defined type:
ensuregroupgroupscommentshellhomehome_source_moduleuidusekeykeykeytypeexpirepasswordshared_accounts
ensure
Data type: Enum['present', 'absent']
Whether to ensure the user is present or absent on the node.
Default value: 'present'
group
Data type: Optional[String[1]]
Primary group for the user.
Default value: undef
groups
Data type: Array[String[1]]
Secondary groups for the user. There is no distinction on Windows.
Default value: []
comment
Data type: Optional[String]
Comment field for the user. This is generally the user's name.
Default value: undef
shell
Data type: Stdlib::Unixpath
Full path to the user's preferred shell. This does nothing on Windows.
Default value: '/bin/bash'
home
Data type: Optional[Stdlib::Unixpath]
Full path to the user's home directory. This does nothing on Windows.
Default value: undef
home_source_module
Data type: Optional[String[1]]
A module that contains files to put in the user's home directory, e.g. .bashrc. By default, the home directory is just set up with a .README file that explains how to use this parameter.
The module is expected to have a directory named after the user at the top
level that contains the user's files. For example, pass profile/users,
then create a site/profile/files/luke/.bashrc file.
This does nothing on Windows.
Default value: undef
uid
Data type: Optional[Integer[1]]
User id number for the user. This does nothing on Windows.
Default value: undef
usekey
Data type: Boolean
Whether or not to manage SSH keys for the user. If this is false, then keys will not be added or removed.
You can still set up keys externally if $usekey is false.
This doesn't do anything on Windows; it is effectively always true.
Default value: true
key
Data type: Optional[Ssh::Key::String]
SSH public key. This must not contain the type or the comment — it's just the second part, after ssh-rsa or whatever your keytype is.
Default value: undef
keytype
Data type: Ssh::Key::Type
The type of your SSH key.
Default value: 'ssh-rsa'
expire
Data type: Optional[Account::Date]
When the user account expires in YYYY-MM-DD format.
Default value: undef
password
Data type: Optional[Sensitive]
A password for the user. If this is left undefined, you will simply not be able to use password authentication on splatnix (*nix: Linux, BSD, macOS, and Solaris).
You may specify this in hiera under account::user parameter. See the
Passwords section in README.md.
Windows requires passwords. If it is not specified here or in hiera, this will remove the user account.
Default value: undef
shared_accounts
Data type: Array[String[1]]
An array of shared accounts to add the user's SSH key to. To activate,
collect the Ssh::Authorized_key virtual resources in a profile, e.g:
Ssh::Authorized_key <| tag == "${shared_account}-keys" |>
See the Shared accounts section in README.md.
Default value: []
Data types
Account::Date
A date for the password expiration parameter
Alias of
Pattern[/\A\d{4}-\d{2}-\d{2}\z/]
Change log
All notable changes to this project will be documented in this file. The format is based on Keep a Changelog and this project adheres to Semantic Versioning.
2.1.0 (2023-04-04)
Added
2.0.0 (2021-09-18)
Changed
1.1.0 (2021-07-06)
Added
1.0.0 (2019-02-21)
0.9.0 (2019-01-26)
Added
- (INFC-17762) 0.9.0: Support Windows #12 (danielparks)
- Defined types to add groups to users #8 (danielparks)
* This Changelog was automatically generated by github_changelog_generator
Dependencies
- ploperations/bash (>= 0.1 < 2.0.0)
- puppetlabs/stdlib (>= 5.0.0 < 6.0.0)
- ploperations/ssh (>= 0.10.0 < 1.0.0)
- ploperations/zsh (>= 0.1 < 2.0.0)
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright [yyyy] [name of copyright owner]
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.