cookbook 'ugid-management', '= 1.0.0'
ugid-management (6) Versions 1.0.0 Follow0
Library cookbook to manage user and group ids
cookbook 'ugid-management', '= 1.0.0', :supermarket
knife supermarket install ugid-management
knife supermarket download ugid-management
UGId Management
Description
Library cookbook to manage user and group ids. More specifically, it can
apply and check that all listed uids and gids are synchronized between servers.
Requirements
Cookbooks and gems
Declared in [metadata.rb](metadata.rb) and in [Gemfile](Gemfile).
Platforms
- RHEL Family 7, tested on Centos
Note: it should work on any Linux system but it is only tested on Centos 7.
Usage
Quick Start
Basically, this cookbook need two data bags:
- one for specifying uids and gids (grouped under the name ugid) named ugids
- one to override user creation in packages named packages
You can find example of theses data bags in
[test/data_bags/ugids](test/data_bags/ugids) directory.
ugids
So in ugids, you can find the list of forced ugids. It has a simple format:
{ "id": "ugids", "ugids": { "a_given_username": "its_uid:its_gid", "examble": "123:234", "an_integer_is_also_accepted_for_specifying_both": 234, "if_you_only_want_a_gid": ":234" } }
Each time a Chef resource user or group is used, it got extended with these
uids and gids. If no ugid are defined, an exception is thrown, failing the
Chef run.
packages
The role of packages is to override the user creations performed in
distribution packages (like deb/rpm). Its format is:
{ "id": "packages", "packages": { "package_name": { "username": "username", "user_opts": { "extra_key": "extra_value" }, "group_opts": { "extra_key": "extra_value" } }, "example": { "username": "username_to_create", "user_opts": { "home": "/var/lib/specific_home", "shell": "/sbin/typically-nologin" }, "group_opts": { "append": true } } } }
Warning: if a package does not have an user defined in this package, it is
untouched by Chef. This could lead to uncontrolled users. That is why you can
activate the verification (active in default recipe).
Verification
check recipe uses ugids data bag to verify if each user/group with a
uid/gid greater than 200 (non system-reserved) has the correct uid/gid.
By default, all users/groups must have an ugid defined but it is possible to
deactivate this behavior with node[cookbook_name]['enforce']
attribute. It is also possible to defined a whitelist (like for systemd users)
with node[cookbook_name]['whitelist']
(applicable for both users and groups).
logindefs
This cookbook can also configure /etc/login.defs
with values defined from
attributes.
Test
This cookbook is fully tested through the installation of a working node in
docker.
For more information, see [.kitchen.yml](.kitchen.yml) and [test](test)
directory.
Attributes
Configuration is done by overriding default attributes. All configuration keys
have a default defined in [attributes/default.rb](attributes/default.rb).
Please read it to have a comprehensive view of what and how you can configure
this cookbook behavior.
Recipes
default
Include logindefs, manage_before, manage_after and check (only if
check is activated) in this order.
logindefs
Manage /etc/login.defs
with values defined in attributes.
manage_before and manage_after
Manage users (extending user/group resources with defined ugids) and
packages (creating package user/group before the package to control their
attributes).
The difference between manage_before and manage_after is that
manage_before manages all resources which are executed before in the Chef
run while manage_after managers the resources after. Combining them, like
in default recipe, allows you to manage all resources independently of
their positions in the run list.
check
Check if all users and groups are correctly defined on the system. Raise an
exception and fail the Chef run if it is not the case.
Resources/Providers
None.
Libraries
default
Define all methods needed for user management.
Changelog
Available in [CHANGELOG.md](CHANGELOG.md).
Contributing
Please read carefully [CONTRIBUTING.md](CONTRIBUTING.md) before making a merge
request.
License and Author
- Author:: Samuel Bernard (samuel.bernard@s4m.io)
Copyright (c) 2016 Sam4Mobile Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Dependent cookbooks
This cookbook has no specified dependencies.
Contingent cookbooks
There are no cookbooks that are contingent upon this one.
Changelog
1.0.0
- Initial version, tested on Centos 7
Collaborator Number Metric
1.0.0 failed this metric
Failure: Cookbook has 0 collaborators. A cookbook must have at least 2 collaborators to pass this metric.
Foodcritic Metric
1.0.0 passed this metric
1.0.0 failed this metric
1.0.0 passed this metric