Giuseppe Lavagetto has submitted this change and it was merged.
Change subject: admin: add all-users group
......................................................................
admin: add all-users group
It might sometimes be useful to group all users with a shell in a single
unprivileged group.
Change-Id: I315cb201108470c6b4fbc4c1dc9e3446254194cd
---
M modules/admin/data/data.yaml
A modules/admin/lib/puppet/parser/functions/add_all_users.rb
M modules/admin/manifests/init.pp
3 files changed, 21 insertions(+), 2 deletions(-)
Approvals:
Rush: Looks good to me, but someone else must approve
Giuseppe Lavagetto: Verified; Looks good to me, approved
diff --git a/modules/admin/data/data.yaml b/modules/admin/data/data.yaml
index a13e114..22b0257 100644
--- a/modules/admin/data/data.yaml
+++ b/modules/admin/data/data.yaml
@@ -9,6 +9,11 @@
gid: 500
description: container group for primary user groups.
members: []
+ all-users:
+ description: Global group that includes all users
+ gid: 600
+ members: [] # members get populated automagically
+ privileges: [] # NO privileges to this group!
ops:
gid: 700
description: include everywhere ops folks
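Review bot: The empty privileges list on all-users is protected only by the inline comment "NO privileges to this group!"; nothing here stops a later edit from adding a sudo rule that would then apply to every present user. Consider enforcing it where the group is populated, for example by having add_all_users fail when privileges is non-empty, or by covering it with a spec test. The members: [] placeholder is overwritten at compile time, so the comment could name the function that fills it (add_all_users) instead of saying "automagically".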
@@ -496,7 +501,6 @@
gid: 779
members: [mobrovac]
privileges: ['ALL = NOPASSWD: /usr/bin/puppet agent *']
-
users:
rush:
ensure: present
diff --git a/modules/admin/lib/puppet/parser/functions/add_all_users.rb
b/modules/admin/lib/puppet/parser/functions/add_all_users.rb
new file mode 100644
index 0000000..d044842
--- /dev/null
+++ b/modules/admin/lib/puppet/parser/functions/add_all_users.rb
@@ -0,0 +1,11 @@
+module Puppet::Parser::Functions
+ newfunction(:add_all_users, :type => :rvalue) do |args|
+ myhash = args[0]
+ users = []
+ myhash['users'].each do |name, data|
+ users.push name if data['ensure'] == 'present'
+ end
+ myhash['groups']['all-users']['members'] = users
+ return myhash
+ end
+end
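Review bot: The filter in the each block selects only on data['ensure'] == 'present', while the commit message describes the group as holding "all users with a shell"; either filter on that as well or reword the description so the two agree. In addition, myhash['groups']['all-users'] is dereferenced without a guard, so a data hash that lacks that group fails with a nil error instead of a clear message, and args[0] is modified in place, which changes the caller's hash too. A :doc string and an argument count check on newfunction would also help.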
diff --git a/modules/admin/manifests/init.pp b/modules/admin/manifests/init.pp
index d38abab..a22de06 100644
--- a/modules/admin/manifests/init.pp
+++ b/modules/admin/manifests/init.pp
@@ -17,7 +17,10 @@
include sudo
$module_path = get_module_path($module_name)
- $data = loadyaml("${module_path}/data/data.yaml")
+ $base_data = loadyaml("${module_path}/data/data.yaml")
+ # Fill the all-users group with all active users
+ $data = add_all_users($base_data)
+
$uinfo = $data['users']
$users = keys($uinfo)
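Review bot: $base_data stays in scope after this assignment, and because add_all_users writes into the hash it receives, $base_data and $data are not the distinct before and after copies their names suggest. Either have the function return a copy, or nest the call as add_all_users(loadyaml(...)) so that no second variable is exposed to the rest of the class.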
@@ -27,6 +30,7 @@
#this custom function eliminates the need for virtual users
$user_set = unique_users($data, $all_groups)
+
file { '/usr/local/sbin/enforce-users-groups':
ensure => file,
mode => '0555',
--
To view, visit https://gerrit.wikimedia.org/r/288957
Gerrit-MessageType: merged
Gerrit-Change-Id: I315cb201108470c6b4fbc4c1dc9e3446254194cd
Gerrit-PatchSet: 9
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Giuseppe Lavagetto <[email protected]>
Gerrit-Reviewer: Alex Monk <[email protected]>
Gerrit-Reviewer: Alexandros Kosiaris <[email protected]>
Gerrit-Reviewer: Chasemp <[email protected]>
Gerrit-Reviewer: Dzahn <[email protected]>
Gerrit-Reviewer: Giuseppe Lavagetto <[email protected]>
Gerrit-Reviewer: Rush <[email protected]>
Gerrit-Reviewer: jenkins-bot <>