Ottomata has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/379004 )

Change subject: [WIP] Allow admin module to ensure system user membership in managed groups
......................................................................

[WIP] Allow admin module to ensure system user membership in managed groups

Bug: T174465
Change-Id: I495942b6a65db7058a6272277ada9f0286a4ba9e
---
M modules/admin/README
M modules/admin/data/data.yaml
M modules/admin/manifests/groupmembers.pp
M modules/statistics/manifests/discovery.pp
4 files changed, 32 insertions(+), 3 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/04/379004/1

diff --git a/modules/admin/README b/modules/admin/README
index 89388c9..e3dc476 100644
--- a/modules/admin/README
+++ b/modules/admin/README
@@ -54,6 +54,15 @@
           realname: Foo Bar
           ssh_keys: [ssh-rsa mykeyhash foobar@mac]
 
+- Ensuring a system user is in a group: (see note below about system user 
group membership)
+    groups:
+      mygroup:
+        ensure: present
+        gid: 551
+        members: [foo, bar]
+        system_members: [www-data]
+
+
 # NOTE: To choose the UID for a new user please lookup
 # the existing UID in (labs) LDAP and use that.
 # currently you do this on terbium, example:
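Review bot: two consecutive blank `+` lines are added after the `system_members: [www-data]` example, leaving a double blank line before `# NOTE: To choose the UID`; the other examples in this README block are separated by a single blank line, so drop one of them.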
@@ -256,3 +265,15 @@
 If you try to apply two groupings with the same posix names on a single node 
you see:
 
     Duplicate definition: Admin::Group[$POSIX_NAME] is already defined
+
+
+System user group membership:
+
+Sometimes it is useful to declare that a system user should be in a group with 
other
+human user accounts.  This module will not manage any system users, but it 
does support
+ensuring that system users are in groups that it does manage.  Add system 
users to a group
+by providing a list of system_members in your group declaration.
+
+Your system user *must* already exist by the time the admin module ensures 
group membership.
+If it doesn't, the groupmembers exec will fail.
+
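Review bot: `If it doesn't, the groupmembers exec will fail.` documents a failure mode the caller can only avoid with explicit ordering, and the README should say how. Because the module does not manage the system user, whatever creates it (a package or a `user` resource) has to be applied before the admin group's groupmembers exec; otherwise the exec fails on every Puppet run until the account appears, and since human and system members are written as one joined list, the human members of that group go unmanaged as well. Suggest the README note that the creating resource must be ordered before the group (for example with `before`/`require`), not only that the user must exist.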
diff --git a/modules/admin/data/data.yaml b/modules/admin/data/data.yaml
index 386b3dd..694cc0a 100644
--- a/modules/admin/data/data.yaml
+++ b/modules/admin/data/data.yaml
@@ -252,6 +252,7 @@
               flemmerich, mkroetzsch, akrausetud, filippo, pmiazga, faidon,
               piccardi, fdans, eevans, anomie, demon, ladsgroup, musikanimal, 
joewalsh,
               kaldari, goransm, ema, dsaez, shiladsen, rho]
+    system_members: [analytics-search]
   analytics-admins:
     gid: 732
     description: Admin access to analytics cluster.
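Review bot: `+    system_members: [analytics-search]` grants a system account the same membership as the human user list above it, but the group being modified is not named in this hunk and the commit message only describes the mechanism; the change (or T174465) should state which group `analytics-search` joins and what that membership gives the account access to, so the grant is visible in the review record. Also, per the README note in this change, `analytics-search` must already exist on every node this group is applied to, or the groupmembers exec will fail there.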
diff --git a/modules/admin/manifests/groupmembers.pp 
b/modules/admin/manifests/groupmembers.pp
index 4a3256a..f22bbdc 100644
--- a/modules/admin/manifests/groupmembers.pp
+++ b/modules/admin/manifests/groupmembers.pp
@@ -15,11 +15,16 @@
 
     $gdata = $::admin::data['groups'][$name]
     $members = $gdata['members']
+    $system_members = $gdata['system_members']
 
-    if !empty($members) {
-        $joined_user_list = join($members,',')
+    # This contains all human members, as well as any system account
+    # members of this group.
+    $all_members = concat($members, $system_members)
+
+    if !empty($all_members) {
+        $joined_user_list = join($all_members,',')
     } else {
-        $joined_user_list = $default_member
+        $joined_user_list = join($default_member)
     }
 
     if has_key($gdata, 'posix_name') {
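Review bot: `$system_members = $gdata['system_members']` has no default, but most groups in data.yaml do not define that key, so `$system_members` is undef for them and `concat($members, $system_members)` will either error or append an empty element, producing a joined list with a trailing comma (`foo,bar,`). Give it a default, e.g. `$system_members = pick($gdata['system_members'], [])`, or branch on `has_key($gdata, 'system_members')` as the code already does for `posix_name` below. Separately, `$joined_user_list = join($default_member)` replaces `$joined_user_list = $default_member` with a one-argument `join`: if `$default_member` is a string this fails, and if it is an array the separator should be `','` to match the branch above; either way the change is unrelated to system members and should be explained in the commit message or dropped.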
diff --git a/modules/statistics/manifests/discovery.pp 
b/modules/statistics/manifests/discovery.pp
index 0310483..499fc0d 100644
--- a/modules/statistics/manifests/discovery.pp
+++ b/modules/statistics/manifests/discovery.pp
@@ -12,6 +12,8 @@
     # Path in which the R library will reside
     $rlib_dir = "${dir}/r-library"
 
+
+    # TODO: User the analytics-search user instead.
     $user = 'discovery-stats'
     # Setting group to 'analytics-privatedata-users' so that Discovery's 
Analysts
     # (as members of analytics-privatedata-users) have some privileges, and so
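Review bot: `# TODO: User the analytics-search user instead.` has a typo (`User` should be `Use`), and the hunk adds a second blank line above the comment. The TODO leaves `$user = 'discovery-stats'` unchanged, so this WIP does not yet switch the job to the `analytics-search` account that data.yaml adds to the group; if that switch is the goal, say so in the commit message, or leave this file out of the change until the follow-up that actually makes it.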

-- 
To view, visit https://gerrit.wikimedia.org/r/379004
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I495942b6a65db7058a6272277ada9f0286a4ba9e
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Ottomata <ao...@wikimedia.org>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
