Version information
This version is compatible with:
- Puppet Enterprise 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x
- Puppet >= 6.1.0 < 8.0.0
- , , , , , , , , ,
Start using this module
Add this module to your Puppetfile:
mod 'ploperations-account', '2.0.0'
Learn more about managing modules with a PuppetfileDocumentation
Manage user accounts
This module manages user accounts on Linux, FreeBSD, macOS, and Windows. It supports managing overlapping groups of users across many nodes.
It can (optionally) use the ploperations/ssh module to set up SSH keys for each user. (The module must be installed, but it doesn't have to be used.)
Table of Contents
Quick start
Create a centralized class (or classes) to define all of the users that might
be used on any node. Define each user as a virtual account::user
resource,
and each group as a virtual group
:
@group {
'users': uid => 1000;
'admins': uid => 1001;
'puppet': uid => 1002;
}
@account::user { 'luke':
uid => 1000,
group => 'users'
groups => ['admins', 'puppet'],
key => 'AAAAB3NzaC...2RxOBG+CeNcUeiLWPUQ==',
keytype => 'ssh-rsa',
}
@account::user { 'daniel':
uid => 1001,
group => 'users'
groups => ['puppet'],
key => 'AAAAC3NzaC1lZDI1NTE5AAAAII6GXwvVY2ncrtsmOmylMweuOtBSUNS7gZXyjWR37oEL',
keytype => 'ssh-ed25519',
}
To realize users on a particular node, just use a collector in a profile:
class profile::base {
Account::User <| groups == 'admins' |>
}
You can realize multiple overlapping groups:
class profile::access::puppet {
Account::User <| groups == 'admins' |>
Account::User <| groups == 'puppet' |>
}
Note that you do not need to realize the groups directly; account::user
will
do that for you.
Usage
uid
and gid
gotchas
You may leave out the uid
and gid
parameters.
Either always set uid
, or never set uid
. If you set uid
s for some
users but not for others, you will inevitably get uid conflicts when you make
changes. The same is true for groups.
Note that changing a user's uid
will not update the uid
on all of that
user's files. In order to do that, you will need to run something like the
following on each affected node:
# find / -user 1001 -print0 | xargs -0 chown 1034
(1001 is the old uid
and 1034 is the new uid
.)
uid
and gid
are ignored on Windows.
Passwords
Passwords are handled differently on splatnix (Linux, BSD, etc.) and Windows.
On splatnix, the password must be in crypt
format, and on Windows, the
password must be plain text.
For those reasons it's better to put the passwords in hiera rather than pass
them directly to the account::user
resource. Here's an example of a user that
has the password “hunter2” on both Windows an Linux.
account::user:
adam:
windows_password: 'hunter2'
crypted_password: '$1$QQ8nAVHM$QvthrGVnY2BNu1bJmi7u90'
It's better yet to encrypt those values with Hiera eyaml. Using eyaml would result in something like the following:
account::user:
adam:
windows_password: ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCA...ghP+fdY1Wd]
crypted_password: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCA...SqktJ8Sk8=]
Note the accounts must have passwords on Windows. Defining account::user
without a password on Windows will cause that user to be removed.
Predefining home directory files
Some users may have custom configuration they always want in their home
directory. You can use the home_source_module
parameter to accomplish that.
For example, you could add a custom .bashrc
for luke
by 1) adding the
home_source_module
parameter:
home_source_module => 'profile/users`
Then, 2) create a luke
directory with his .bashrc
under the profile::users
class, e.g. site/profile/files/users/luke/.bashrc
.
home_source_module
does nothing on Windows.
Shared accounts
account::user
provides for creating shared accounts, e.g. a deploy
account
that multiple users can SSH into.
In order for this to work, you have to realize the Ssh::Authorized_key
s, for
the shared account. Those resources are created with the tag
${shared_account}-keys
. For example, the shared deploy
account would have
keys with the tag deploy-keys
.
class profile::users {
@account::user { 'gene':
uid => 1002,
group => 'users'
groups => ['admins', 'puppet'],
key => 'AAAAC3NzaC1lZDI1NTE5AAAAIEWkzdlEVmGoAcboiwE16uCuN5dg8xy5mcCPfVnsXMTq',
keytype => 'ssh-ed25519',
shared_accounts => ['deploy'],
}
@group { 'deploy': gid => 2000 }
@account::user { 'deploy':
uid => 2000,
group => 'deploy',
}
}
class profile::deploy {
realize Account::User['deploy']
Ssh::Authorized_key <| tag == "deploy-keys" |>
}
You may specify shared accounts for all users in hiera. These cannot be overidden per user.
account::common_shared_accounts:
- 'shared'
Cygwin
If you're using Cygwin, you must specify cygwin::enable: true
in hiera.
account::grant
and friends
account::grant
is used to add users to groups conditionally. Somewhat
confusingly, it selects the users to add based on group as well. An example
will probably help.
Suppose you have a sysadmin
group that should have administrative access on
all nodes. You might want to give them access to the adm
group as well. You
can do like this:
account::grant::group { 'adm>sysadmin': }
This is particularly useful to grant certain users Administrators access on
only a few Windows nodes. For convenience, you can use
account::grant::administrators
. For example:
@group { ['Administrators', 'puppet-agent-team']: }
account::grant::administrators { 'puppet-agent-team': }
Reference
There are more examples and specific documentation for individual parameters in REFERENCE.md. That file is generated with:
pdk bundle exec puppet strings generate --format markdown
Reference
Table of Contents
Classes
account
: Parameters needed by defined types in this module
Defined types
Public Defined types
account::grant::administrators
: Grant accounts Administrators access on Windowsaccount::grant::group
: Grant accounts access to a specific groupaccount::grant::rdp
: Grant accounts RDP access on Windowsaccount::user
: Manage a user account
Private Defined types
account::user::splatnix
: This is not intended to be used directly. Use account::user instead.account::user::windows
: This is not intended to be used directly. Use account::user instead.
Data types
Account::Date
: A date for the password expiration parameter
Classes
account
There's no need to instantiate this class; it does nothing. It's used for setting parameters in hiera that account::user and friends can access.
Parameters
The following parameters are available in the account
class:
common_shared_accounts
Data type: Array[String[1]]
An array of shared accounts to which all users will have their keys added.
Default value: []
cygwin
Data type: Boolean
Whether or not to use Cygwin on Windows. This defaults to the value of
cygwin::enable
in hiera, which is where you should set it. (It, in turn,
defaults to false
.)
Default value: lookup('cygwin::enable', Boolean, undef, false)
Defined types
account::grant::administrators
This takes all accounts in a specified group, and adds them to the Administrators group. On splatnix this does nothing.
Examples
Give all the sysadmins administrative access
account::grant::administrators { 'sysadmin': }
Parameters
The following parameters are available in the account::grant::administrators
defined type:
to_group
Data type: String[1]
The group to give administrative access to. Generally, you should just use the title.
Default value: $title
account::grant::group
This grants all accounts with access to one group, access to another group.
Examples
Add all sysadmins to the adm group
account::grant::group { 'adm>sysadmin': }
Another way to add all sysadmins to the adm group
account::grant::group { 'give sysadmins adm access':
new_group => 'adm',
to_group => 'sysadmin',
}
Parameters
The following parameters are available in the account::grant::group
defined type:
new_group
Data type: String[1]
The new group. Generally, you should just use the title.
Default value: ('>')[0]
to_group
Data type: String[1]
The group that will get the new access. Generally, you should just use the title.
Default value: ('>')[1]
account::grant::rdp
This takes all accounts in a specified group, and adds them to the Remote Desktop Users group. On splatnix this does nothing.
Examples
Give all users RDP access
account::grant::rdp { 'Users': }
Parameters
The following parameters are available in the account::grant::rdp
defined type:
to_group
Data type: String[1]
The group to give RDP access to. Generally, you should just use the title.
Default value: $title
account::user
Manage a user account
Parameters
The following parameters are available in the account::user
defined type:
ensure
group
groups
comment
shell
home
home_source_module
uid
usekey
key
keytype
expire
password
shared_accounts
ensure
Data type: Enum['present', 'absent']
Whether to ensure the user is present or absent on the node.
Default value: 'present'
group
Data type: Optional[String[1]]
Primary group for the user.
Default value: undef
groups
Data type: Array[String[1]]
Secondary groups for the user. There is no distinction on Windows.
Default value: []
comment
Data type: Optional[String]
Comment field for the user. This is generally the user's name.
Default value: undef
shell
Data type: Stdlib::Unixpath
Full path to the user's preferred shell. This does nothing on Windows.
Default value: '/bin/bash'
home
Data type: Optional[Stdlib::Unixpath]
Full path to the user's home directory. This does nothing on Windows.
Default value: undef
home_source_module
Data type: Optional[String[1]]
A module that contains files to put in the user's home directory, e.g. .bashrc. By default, the home directory is just set up with a .README file that explains how to use this parameter.
The module is expected to have a directory named after the user at the top
level that contains the user's files. For example, pass profile/users
,
then create a site/profile/files/luke/.bashrc
file.
This does nothing on Windows.
Default value: undef
uid
Data type: Optional[Integer[1]]
User id number for the user. This does nothing on Windows.
Default value: undef
usekey
Data type: Boolean
Whether or not to manage SSH keys for the user. If this is false, then keys will not be added or removed.
You can still set up keys externally if $usekey
is false.
This doesn't do anything on Windows; it is effectively always true.
Default value: true
key
Data type: Optional[Ssh::Key::String]
SSH public key. This must not contain the type or the comment — it's just the second part, after ssh-rsa or whatever your keytype is.
Default value: undef
keytype
Data type: Ssh::Key::Type
The type of your SSH key.
Default value: 'ssh-rsa'
expire
Data type: Optional[Account::Date]
When the user account expires in YYYY-MM-DD format.
Default value: undef
password
Data type: Optional[Sensitive]
A password for the user. If this is left undefined, you will simply not be able to use password authentication on splatnix (*nix: Linux, BSD, macOS, and Solaris).
You may specify this in hiera under account::user
parameter. See the
Passwords section in README.md.
Windows requires passwords. If it is not specified here or in hiera, this will remove the user account.
Default value: undef
shared_accounts
Data type: Array[String[1]]
An array of shared accounts to add the user's SSH key to. To activate,
collect the Ssh::Authorized_key
virtual resources in a profile, e.g:
Ssh::Authorized_key <| tag == "${shared_account}-keys" |>
See the Shared accounts section in README.md.
Default value: []
Data types
Account::Date
A date for the password expiration parameter
Alias of
Pattern[/\A\d{4}-\d{2}-\d{2}\z/]
Change log
All notable changes to this project will be documented in this file. The format is based on Keep a Changelog and this project adheres to Semantic Versioning.
2.0.0 (2021-09-18)
Changed
1.1.0 (2021-07-06)
Added
1.0.0 (2019-02-21)
0.9.0 (2019-01-26)
Added
- (INFC-17762) 0.9.0: Support Windows #12 (danielparks)
- Defined types to add groups to users #8 (danielparks)
* This Changelog was automatically generated by github_changelog_generator
Dependencies
- ploperations/bash (>= 0.1 < 2.0.0)
- puppetlabs/stdlib (>= 5.0.0 < 6.0.0)
- ploperations/ssh (>= 0.10.0 < 1.0.0)
- ploperations/zsh (>= 0.1 < 2.0.0)
Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 1. Definitions. "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. "Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License. "Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. "You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License. "Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files. "Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types. "Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below). "Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof. "Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution." "Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work. 2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form. 3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed. 4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions: (a) You must give any other recipients of the Work or Derivative Works a copy of this License; and (b) You must cause any modified files to carry prominent notices stating that You changed the files; and (c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and (d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License. You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License. 5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions. 6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file. 7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License. 8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages. 9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability. END OF TERMS AND CONDITIONS APPENDIX: How to apply the Apache License to your work. To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets "[]" replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a file or class name and description of purpose be included on the same "printed page" as the copyright notice for easier identification within third-party archives. Copyright [yyyy] [name of copyright owner] Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.