Andrew Bogott has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/98700


Change subject: Added 'adminadd' tool to auto-generate new user entries.
......................................................................

Added 'adminadd' tool to auto-generate new user entries.

This pulls user data from ldap and modifies admins.pp.

Change-Id: Ib2ba8e083c5919690f6da96eb3a0d942c8e05744
---
A manifests/adminadd
M manifests/admins.pp
2 files changed, 145 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/00/98700/1

diff --git a/manifests/adminadd b/manifests/adminadd
new file mode 100755
index 0000000..af4bf7b
--- /dev/null
+++ b/manifests/adminadd
@@ -0,0 +1,141 @@
+#!/usr/bin/python
+
+#####################################################################
+### THIS SCRIPT IS STRANGE!
+###
+###  adminadd is in the puppet repo, but it is not installed by puppet.
+###  Rather, it is run in place (next to Admins.pp) and generates
+###  a proposed patch which adds the specified user to Admins.pp.
+###
+#####################################################################
+
+
+import sys
+sys.path.append('../modules/ldap/files/scripts')
+import traceback
+import ldapsupportlib
+import copy
+import homedirectorymanager
+import os
+from optparse import OptionParser
+
+
+adminManifest = "admins.pp"
+insertFlag = "-- ADMINADD Insertion Point --"
+
+patchTemplate = '''    class %(name)s inherits baseaccount {
+        $username = '%(name)s'
+        $realname = '%(realname)s'
+        $uid      = %(uid)s
+
+        unixaccount { $realname: username => $username, uid => $uid, gid => 
$gid }
+
+        if $manage_home {
+            Ssh_authorized_key { require => Unixaccount[$realname] }
+
+            ssh_authorized_key { '%(mail)s':
+                ensure => present,
+                user   => $username,
+                type   => 'ssh-rsa',
+                key    => '<your production public key goes here>',
+           }
+       }
+    }
+
+'''
+
+try:
+    import ldap
+    import ldap.modlist
+except ImportError:
+    sys.stderr.write("Unable to import LDAP library.\n")
+    sys.exit(1)
+
+
+def main():
+    parser = OptionParser(conflict_handler="resolve")
+    parser.set_usage('adminadd [options] <username> \nexample: adminadd laner')
+
+    ldapSupportLib = ldapsupportlib.LDAPSupportLib()
+    ldapSupportLib.addParserOptions(parser, "user")
+
+    parser.add_option("-m", "--directorymanager", action="store_true", 
dest="directorymanager", help="Use the Directory Manager's credentials, rather 
than your own")
+    (options, args) = parser.parse_args()
+
+    if len(args) != 1:
+        parser.error("addadmin expects exactly one argument, unless using 
--rename.")
+
+    options.authuser = 'user'
+    ldapSupportLib.setBindInfoByOptions(options, parser)
+
+    base = ldapSupportLib.getBase()
+
+    ds = ldapSupportLib.connect()
+
+    # w00t We're in!
+    try:
+        username = args[0]
+        PosixData = ds.search_s("ou=people," + base, ldap.SCOPE_SUBTREE, 
"(&(objectclass=inetOrgPerson)(uid=" + username + "))")
+        if not PosixData:
+            raise ldap.NO_SUCH_OBJECT()
+        dn = PosixData[0][0]
+
+       gid = PosixData[0][1]['gidNumber'][0]
+       uid = PosixData[0][1]['uidNumber'][0]
+        mail = PosixData[0][1]['mail'][0]
+
+        if 'displayName' in PosixData[0][1]:
+           realName = PosixData[0][1]['displayName'][0]
+        else:
+           realName = PosixData[0][1]['givenName'][0]
+
+       patchString = patchTemplate % {'name': args[0],
+                                      'uid': uid,
+                                      'realname': realName,
+                                      'mail': mail}
+       tmpfile = "%s.tmp" % adminManifest
+       f = open(adminManifest)
+       g = open(tmpfile, "w")
+
+       for line in f:
+           if insertFlag in line:
+               g.write(patchString)
+           g.write(line)
+       f.close()
+       g.close()
+
+        os.rename(tmpfile, adminManifest)
+
+       print "Done!"
+       print "To view the change, type 'git diff %s" % adminManifest
+       print "Before committing, be sure to proofread and add your public key."
+
+
+    except ldap.UNWILLING_TO_PERFORM, msg:
+        sys.stderr.write("LDAP was unwilling to create the user. Error was: 
%s\n" % msg[0]["info"])
+        ds.unbind()
+        sys.exit(1)
+    except ldap.NO_SUCH_OBJECT:
+        sys.stderr.write("The user you are trying to modify doesn't exist.\n")
+        ds.unbind()
+        sys.exit(1)
+    except ldap.PROTOCOL_ERROR:
+        sys.stderr.write("There was an LDAP protocol error; see traceback.\n")
+        traceback.print_exc(file=sys.stderr)
+        ds.unbind()
+        sys.exit(1)
+    except Exception:
+        try:
+            sys.stderr.write("There was a general error, this is unexpected; 
see traceback.\n")
+            traceback.print_exc(file=sys.stderr)
+            ds.unbind()
+        except Exception:
+            sys.stderr.write("Also failed to unbind.\n")
+            traceback.print_exc(file=sys.stderr)
+        sys.exit(1)
+
+    ds.unbind()
+    sys.exit(0)
+
+if __name__ == "__main__":
+    main()
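Review bot: The LDAP filter on the `ds.search_s(...)` line is built by string concatenation, `"(&(objectclass=inetOrgPerson)(uid=" + username + "))"`, with `username` taken straight from argv, so a value containing filter metacharacters such as `*`, `(`, `)` or `\` changes the query and can select an entry other than the one named; escape it first, `username = ldap.filter.escape_filter_chars(args[0])`, adding `import ldap.filter` beside the existing `import ldap.modlist`. Separately, the lines from `gid = PosixData[0][1]['gidNumber'][0]` through the three `print` statements appear indented by 7 spaces while the enclosing `try` body uses 8, which Python rejects as an IndentationError unless this is a mail-wrapping artifact worth confirming against the real patch. The temporary file `"%s.tmp" % adminManifest` is left behind if any exception fires after `open(tmpfile, "w")`, so the cleanup in the `except` branches (or a `finally`) should remove it. The `parser.error` message mentions `--rename`, an option this script does not define, and the `UNWILLING_TO_PERFORM` message says "create the user" although the script only reads from LDAP; both strings should describe what the tool actually does.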
diff --git a/manifests/admins.pp b/manifests/admins.pp
index 726ef8a..12e82c9 100644
--- a/manifests/admins.pp
+++ b/manifests/admins.pp
@@ -3151,6 +3151,10 @@
         }
     }
 
+    # -- ADMINADD Insertion Point --
+    # ^ That line is a marker for the 'adminadd' tool.  New accounts are 
inserted
+    # immediately before the insertion point.
+
        # FIXME: not an admin. This is more like a system account.
        class l10nupdate inherits baseaccount {
                $username = "l10nupdate"

-- 

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ib2ba8e083c5919690f6da96eb3a0d942c8e05744
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Andrew Bogott <abog...@wikimedia.org>
