Re: [Puppet Users] Re: How to dynamically change sudoers

2017-04-26 Thread James Perry
Thanks. I will look at that as we move forward.  

To your NFS issue, that was one of the design decisions we made. I have 3 
GIT repos (Dev, Stage, Prod). The Stage and Prod are on the same server. On 
dev I have every OS we support connected to it to run through all code 
before we push to Stage.  With Foreman it is easy enough to move a host 
from PROD to Stage and then test the changes. We move hosts to Stage so we 
test across the board. Once all testing details are clean and the team  / 
customer approves, we do a change to push into PROD. 

Our old setup was on a single environment with Puppet 0.25 and a monolithic 
build. We had a lot of admins hacking the code with no version management. 
many with no understanding of puppet or even checking their syntax. 

As for Foreman we chose it to keep the first level admins from actually 
messing with code / configs. They trashed a lot of setups when we let them 
do that on the old config. 

On Wednesday, April 26, 2017 at 11:54:24 AM UTC-4, Rob Nelson wrote:
>
>
> On Wed, Apr 26, 2017 at 10:45 AM James Perry  > wrote:
>
>> Since all of our Puppet code is in a source code repo and requires a 
>> change control to push to PROD, I don;t want to have to manually create a 
>> per host entry, either via the* case* statement or a *node.yaml* file as 
>> that requires a full regression test and verification before it moves to 
>> PROD. 
>>
>> Via Foreman I can add puppet classes for *userX *and *userQ* to a 
>> specific server. As long as *sudo::sudoers::userX *and *sudo::sudoers::userQ 
>> *are defined in the Puppet code, then no change to modify code or custom 
>> hiera yaml files is required. This takes the sudo setups from having to be 
>> done per node in code to a point and click for the team that handles the 
>> tickets for the host definitions in Foreman. 
>>
>
> This is a complete aside to sudo, but I think your controls here do not 
> operate as you expect them to. Foreman, like hiera, is just separating your 
> data from your code, which is great. But changing data in either system can 
> have adverse effects in production. For example, I once changed the value 
> for an nfs exports list from an array to a string. That ... did not go 
> well! If only an integration test had been used to catch that, I could have 
> avoided a small outage and a remediation change. 
>
> Personally, I prefer hiera to foreman or the PE Console classifier because 
> it's integrated with version control of the control repo and into my test 
> setup. But the point is, we use the same controls on data as code because 
> they have similar potentials for impacts in production. You may want to 
> revisit your controls, even if it's just to acknowledge the risk. 
>
>> -- 
> Rob Nelson 
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/7531f867-71b2-4782-b0fe-46c363d806b1%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [Puppet Users] Re: How to dynamically change sudoers

2017-04-26 Thread Rob Nelson
On Wed, Apr 26, 2017 at 10:45 AM James Perry  wrote:

> Since all of our Puppet code is in a source code repo and requires a
> change control to push to PROD, I don;t want to have to manually create a
> per host entry, either via the* case* statement or a *node.yaml* file as
> that requires a full regression test and verification before it moves to
> PROD.
>
> Via Foreman I can add puppet classes for *userX *and *userQ* to a
> specific server. As long as *sudo::sudoers::userX *and *sudo::sudoers::userQ
> *are defined in the Puppet code, then no change to modify code or custom
> hiera yaml files is required. This takes the sudo setups from having to be
> done per node in code to a point and click for the team that handles the
> tickets for the host definitions in Foreman.
>

This is a complete aside to sudo, but I think your controls here do not
operate as you expect them to. Foreman, like hiera, is just separating your
data from your code, which is great. But changing data in either system can
have adverse effects in production. For example, I once changed the value
for an nfs exports list from an array to a string. That ... did not go
well! If only an integration test had been used to catch that, I could have
avoided a small outage and a remediation change.

Personally, I prefer hiera to foreman or the PE Console classifier because
it's integrated with version control of the control repo and into my test
setup. But the point is, we use the same controls on data as code because
they have similar potentials for impacts in production. You may want to
revisit your controls, even if it's just to acknowledge the risk.

> --
Rob Nelson

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAC76iT8QUSLY5aip_j1JG%3D%2BuzDDT6yoVM0oAxQWgDrXjBwt9ng%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.