puppet-sudo

https://github.com/saz/puppet-sudo

Manage sudo configuration via Puppet

Supported OS

Several OS families and a few specific operating systems are supported by this module:

  • debian osfamily (debian, ubuntu, kali, ...)
  • redhat osfamily (redhat, centos, fedora, ...)
  • suse osfamily (suse, opensuse, ...)
  • solaris osfamily (Solaris, OmniOS, SmartOS, ...)
  • freebsd osfamily
  • openbsd osfamily
  • aix osfamily
  • darwin osfamily
  • gentoo operating system
  • archlinux operating system
  • amazon operating system

Gittip

Support via Gittip

Usage

WARNING

By default this module purges your current sudo configuration: it replaces the sudoers file with the module's own copy (config_file_replace) and removes every file in the sudoers.d directory that is not managed by Puppet (purge), including snippets installed by packages or added by hand.

If this is not what you expect, set purge and/or config_file_replace to false.

Install sudo with default sudoers

Purge current sudo config

    class { 'sudo': }

Purge sudoers.d directory, but leave sudoers file as it is

    class { 'sudo':
      config_file_replace => false,
    }

Leave current sudo config as it is

    class { 'sudo':
      purge               => false,
      config_file_replace => false,
    }

Use LDAP along with sudo

Sudo does not always include LDAP support by default. On Debian and Ubuntu the sudo-ldap package is installed instead of sudo. On Gentoo the Puppet portage module from Gentoo must also be present; if it is not, only a notification is shown.

    class { 'sudo':
      ldap_enable         => true,
    }

Adding sudoers configuration

Using Code

    class { 'sudo': }
    sudo::conf { 'web':
      source => 'puppet:///files/etc/sudoers.d/web',
    }
    sudo::conf { 'admins':
      priority => 10,
      content  => "%admins ALL=(ALL) NOPASSWD: ALL",
    }
    sudo::conf { 'joe':
      priority => 60,
      source   => 'puppet:///files/etc/sudoers.d/users/joe',
    }

Using Hiera

A hiera hash may be used to assemble the sudoers configuration. Hash merging is also enabled, which supports layering the configuration settings.

Examples using:

  • YAML backend
  • an environment called production
  • a /etc/puppet/hiera.yaml hierarchy configuration:

    :hierarchy:
      - "%{environment}"
      - "defaults"

Load module

Using Puppet version 3+

Load the module via Puppet Code or your ENC.

    include sudo

Using Puppet version 2.7+

After installing Hiera:

  • Load the sudo and sudo::configs modules via Puppet Code or your ENC.

    include sudo
    include sudo::configs

Configure Hiera YAML (defaults.yaml)

These defaults will apply to all systems.

    sudo::configs:
        'web':
            'source'    : 'puppet:///files/etc/sudoers.d/web'
        'admins':
            'content'   : "%admins ALL=(ALL) NOPASSWD: ALL"
            'priority'  : 10
        'joe':
            'priority'  : 60
            'source'    : 'puppet:///files/etc/sudoers.d/users/joe'

Configure Hiera YAML (production.yaml)

This will only apply to the production environment. In this example we are:

  • inheriting/preserving the web configuration
  • overriding the admins configuration
  • removing the joe configuration
  • adding the bill template

    sudo::configs:
        'admins':
            'content'   : "%prodadmins ALL=(ALL) NOPASSWD: ALL"
            'priority'  : 10
        'joe':
            'ensure'    : 'absent'
            'source'    : 'puppet:///files/etc/sudoers.d/users/joe'
        'bill':
            'template'  : "mymodule/bill.erb"

If you have Hiera version >= 1.2.0 and enable Hiera Deeper Merging you may conditionally override any setting.

In this example we are:

  • inheriting/preserving the web configuration
  • overriding the admins:content setting
  • inheriting/preserving the admins:priority setting
  • inheriting/preserving the joe:source and joe:priority settings
  • removing the joe configuration
  • adding the bill template

    sudo::configs:
        'admins':
            'content'   : "%prodadmins ALL=(ALL) NOPASSWD: ALL"
        'joe':
            'ensure'    : 'absent'
        'bill':
            'template'  : "mymodule/bill.erb"

Set a custom name for the sudoers file

In some edge cases the automatically generated sudoers file name is not sufficient. For example, when an application ships a sudoers file with a fixed file name, using this class with purge enabled will always delete that file, and adding it through sudo::conf produces a file with the right content but the wrong (priority-prefixed) name. To solve this, use the sudo_file_name option to set the desired file name explicitly.

    sudo::conf { "foreman-proxy":
        ensure          => "present",
        source          => "puppet:///modules/sudo/foreman-proxy",
        sudo_file_name  => "foreman-proxy",
    }

sudo::conf / sudo::configs notes

  • One of content or source must be set.
  • content may also be an array; each element is written as its own line (a newline is appended after each element).
  • When the snippet comes from an ERB template, set template (the template name) instead of content. Hiera data cannot call the template() function, so the module evaluates the named template for you.
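The manifest below is an added example, not code from the puppet-sudo README or the module itself. It ties the class parameters from the Usage section (purge, purge_ignore, config_file_replace) together with the sudo::conf keys listed in these notes (priority, content as an array, template, ensure absent). It assumes, beyond what this page states, that purge_ignore takes a file-name pattern matched against files in config_dir, and that the priority prefix matters because sudo reads sudoers.d in lexical order; the group names, the README file, the DEPLOY alias and the mymodule/dba.erb template are made up for illustration.

```puppet
# Added example; not code from the puppet-sudo project itself.
# Assumptions (not stated on this page): purge_ignore is a file-name
# pattern matched against config_dir, and the priority prefix orders
# snippets because sudo parses sudoers.d in lexical order.
class { 'sudo':
  purge               => true,       # default: remove unmanaged files from config_dir
  purge_ignore        => 'README',   # keep this one (assumed pattern syntax)
  config_file_replace => false,      # leave the distribution's sudoers file alone
}

# Lowest priority number sorts first in sudoers.d.
sudo::conf { 'admins':
  priority => 10,
  content  => '%admins ALL=(ALL) ALL',   # no NOPASSWD: a password is still required
}

# content as an array: each element becomes one line of the snippet.
# Scope the passwordless grant to a Cmnd_Alias rather than ALL.
sudo::conf { 'deploy':
  priority => 20,
  content  => [
    'Cmnd_Alias DEPLOY = /bin/systemctl restart app.service, /bin/systemctl status app.service',
    'deploy ALL=(root) NOPASSWD: DEPLOY',
  ],
}

# Snippet rendered from an ERB template: use the template key, not content.
sudo::conf { 'dba':
  priority => 30,
  template => 'mymodule/dba.erb',   # hypothetical template name
}

# Remove a snippet this module previously created. source is kept because
# one of content or source must be set.
sudo::conf { 'joe':
  ensure => absent,
  source => 'puppet:///files/etc/sudoers.d/users/joe',
}
```

After applying, check the result on the node with `visudo -c`, which parses the main sudoers file and every file it includes and reports syntax errors before they lock administrators out.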

sudo class parameters

Parameter             Type     Default      Description
enable                boolean  true         Set to false to remove or purge all sudoers configs
package               string   OS specific  Package name (for unsupported platforms)
package_ensure        string   present      present, latest, absent, or a specific package version
package_source        string   OS specific  Package source (for unsupported platforms)
purge                 boolean  true         Purge unmanaged files from config_dir
purge_ignore          string   undef        Files excluded from purging in config_dir
config_file           string   OS specific  Path of the sudoers file (for unsupported platforms)
config_file_replace   boolean  true         Replace the sudoers file with the module's config file
includedirsudoers     boolean  OS specific  Add #includedir /etc/sudoers.d to the sudoers file with augeas
config_dir            string   OS specific  Path of the sudoers.d directory (for unsupported platforms)
source                string   OS specific  Source of the sudoers file (for unsupported platforms)
ldap_enable           boolean  false        Add LDAP support

sudo::conf defined type / sudo::configs hash parameters

Parameter        Type    Default      Description
ensure           string  present      present or absent
priority         number  10           File name prefix; orders the snippets, since sudo reads sudoers.d in lexical order
content          string  undef        Content of the configuration snippet (string or array of lines)
source           string  undef        Source of the configuration snippet
template         string  undef        Template of the configuration snippet
sudo_config_dir  string  OS specific  Configuration snippet directory (for unsupported platforms)
sudo_file_name   string  undef        Custom file name for the snippet in the sudoers directory

