Forge Home

rbac

Role based access control of POSIX users.

314 downloads

168 latest version

5.0 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Version information

  • 0.1.1 (latest)
  • 0.1.0
released Aug 23rd 2023
This version is compatible with:
  • Puppet Enterprise 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x
  • Puppet >= 5.5.0 < 8.0.0
  • ,

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'tails-rbac', '0.1.1'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add tails-rbac
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install tails-rbac --version 0.1.1

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.

Download

Documentation

tails/rbac — version 0.1.1 Aug 23rd 2023

rbac

Table of Contents

  1. Description
  2. Setup - The basics of getting started with rbac
  3. Usage - Configuration options and additional functionality
  4. Limitations - OS compatibility, etc.

Description

This module allows for role based access control of users. It requires having all your user data in a hash in hiera, along with a hash describing which users have which role. Access to systems can be granted in your profiles based on the appropriate role. The rbac module ensures only users with the appropriate role have access, any other known users are purged.

Setup

What rbac affects

This module will purge any user in the users hash that has not explicitly been granted access.

Beginning with rbac

You need to have a rbac::users and a rbac::roles entry in your hiera. For example:

rbac::users:
  user1:
    userparams:
      uid: 1001
      shell: /bin/bash
    email: user1@example.org
    sshkeys:
      personal:
        type: ssh-rsa
        key: AAAAACAB...
  user2:
    userparams:
      uid: 1002
      shell: /bin/bash
    email: user2@example.org
    sshkeys:
      personal:
        type: ssh-rsa
        key: AAAA1312...
rbac::roles:
  sysadmins:
    - user1
  webdevs:
    - user1
    - user2

Usage

Start by including rbac:

include ::rbac

Then, in your profiles, you can set which role is to have access to the system:

  rbac::user { 'sysadmins': }

This will ensure everyone with the sysadmins role has a user on the system.

You may also want to grant users with a certain role ssh access to a (system) user:

  rbac::ssh { 'webdevs-to-www-data':
    user => 'www-data',
    role => 'webdevs',
  }

This will add the ssh keys of everyone with the webdevs role to www-data's authorized_keys. Note: it is up to you to ensure www-data's authorized_keys are managed through puppet with purge_ssh_keys set to true, else removing a user from the webdevs role may not have the desired result of revoking their access.

Finally, you may grant users membership to a POSIX group based on their role:

  rbac::group { 'sysadmins-to-sudo':
    group => 'sudo',
    role  => 'sysadmins',

Limitations

  • Datasources for users and roles other than hiera are not supported.
  • Homedirectories other than /home/username are not supported.