Puppet user資源介紹(二十二)
puppet user資源
通過下面命令查看幫助信息:
[[email protected] ~]# puppet describe user user ==== Manage users. This type is mostly built to manage system users, so it is lacking some features useful for managing normal users. This resource type uses the prescribed native tools for creating groups and generally uses POSIX APIs for retrieving information about them. It does not directly modify `/etc/passwd` or anything. **Autorequires:** If Puppet is managing the user‘s primary group (as provided in the `gid` attribute), the user resource will autorequire that group. If Puppet is managing any role accounts corresponding to the user‘s roles, the user resource will autorequire those role accounts. Parameters ---------- - **allowdupe** Whether to allow duplicate UIDs. Defaults to `false`. Valid values are `true`, `false`, `yes`, `no`. - **attribute_membership** Whether specified attribute value pairs should be treated as the **complete list** (`inclusive`) or the **minimum list** (`minimum`) of attribute/value pairs for the user. Defaults to `minimum`. Valid values are `inclusive`, `minimum`. - **attributes** Specify AIX attributes for the user in an array of attribute = value pairs. Requires features manages_aix_lam. - **auth_membership** Whether specified auths should be considered the **complete list** (`inclusive`) or the **minimum list** (`minimum`) of auths the user has. Defaults to `minimum`. Valid values are `inclusive`, `minimum`. - **auths** The auths the user has. Multiple auths should be specified as an array. Requires features manages_solaris_rbac. - **comment** A description of the user. Generally the user‘s full name. - **ensure** The basic state that the object should be in. Valid values are `present`, `absent`, `role`. - **expiry** The expiry date for this user. Must be provided in a zero-padded YYYY-MM-DD format --- e.g. 2010-02-19. If you want to make sure the user account does never expire, you can pass the special value `absent`. Valid values are `absent`. Values can match `/^\d{4}-\d{2}-\d{2}$/`. Requires features manages_expiry. - **forcelocal** Forces the management of local accounts when accounts are also being managed by some other NSS Valid values are `true`, `false`, `yes`, `no`. Requires features libuser. - **gid** The user‘s primary group. Can be specified numerically or by name. This attribute is not supported on Windows systems; use the `groups` attribute instead. (On Windows, designating a primary group is only meaningful for domain accounts, which Puppet does not currently manage.) - **groups** The groups to which the user belongs. The primary group should not be listed, and groups should be identified by name rather than by GID. Multiple groups should be specified as an array. - **home** The home directory of the user. The directory must be created separately and is not currently checked for existence. - **ia_load_module** The name of the I&A module to use to manage this user. Requires features manages_aix_lam. - **iterations** This is the number of iterations of a chained computation of the password hash (http://en.wikipedia.org/wiki/PBKDF2). This parameter is used in OS X. This field is required for managing passwords on OS X >= 10.8. Requires features manages_password_salt. - **key_membership** Whether specified key/value pairs should be considered the **complete list** (`inclusive`) or the **minimum list** (`minimum`) of the user‘s attributes. Defaults to `minimum`. Valid values are `inclusive`, `minimum`. - **keys** Specify user attributes in an array of key = value pairs. Requires features manages_solaris_rbac. - **managehome** Whether to manage the home directory when managing the user. This will create the home directory when `ensure => present`, and delete the home directory when `ensure => absent`. Defaults to `false`. Valid values are `true`, `false`, `yes`, `no`. - **membership** Whether specified groups should be considered the **complete list** (`inclusive`) or the **minimum list** (`minimum`) of groups to which the user belongs. Defaults to `minimum`. Valid values are `inclusive`, `minimum`. - **name** The user name. While naming limitations vary by operating system, it is advisable to restrict names to the lowest common denominator, which is a maximum of 8 characters beginning with a letter. Note that Puppet considers user names to be case-sensitive, regardless of the platform‘s own rules; be sure to always use the same case when referring to a given user. - **password** The user‘s password, in whatever encrypted format the local system requires. * Most modern Unix-like systems use salted SHA1 password hashes. You can use Puppet‘s built-in `sha1` function to generate a hash from a password. * Mac OS X 10.5 and 10.6 also use salted SHA1 hashes. * Mac OS X 10.7 (Lion) uses salted SHA512 hashes. The Puppet Labs [stdlib][] module contains a `str2saltedsha512` function which can generate password hashes for Lion. * Mac OS X 10.8 and higher use salted SHA512 PBKDF2 hashes. When managing passwords on these systems the salt and iterations properties need to be specified as well as the password. * Windows passwords can only be managed in cleartext, as there is no Windows API for setting the password hash. [stdlib]: https://github.com/puppetlabs/puppetlabs-stdlib/ Be sure to enclose any value that includes a dollar sign ($) in single quotes (‘) to avoid accidental variable interpolation. Requires features manages_passwords. - **password_max_age** The maximum number of days a password may be used before it must be changed. Requires features manages_password_age. - **password_min_age** The minimum number of days a password must be used before it may be changed. Requires features manages_password_age. - **profile_membership** Whether specified roles should be treated as the **complete list** (`inclusive`) or the **minimum list** (`minimum`) of roles of which the user is a member. Defaults to `minimum`. Valid values are `inclusive`, `minimum`. - **profiles** The profiles the user has. Multiple profiles should be specified as an array. Requires features manages_solaris_rbac. - **project** The name of the project associated with a user. Requires features manages_solaris_rbac. - **purge_ssh_keys** Whether to purge authorized SSH keys for this user if they are not managed with the `ssh_authorized_key` resource type. Allowed values are: * `false` (default) --- don‘t purge SSH keys for this user. * `true` --- look for keys in the `.ssh/authorized_keys` file in the user‘s home directory. Purge any keys that aren‘t managed as `ssh_authorized_key` resources. * An array of file paths --- look for keys in all of the files listed. Purge any keys that aren‘t managed as `ssh_authorized_key` resources. If any of these paths starts with `~` or `%h`, that token will be replaced with the user‘s home directory. Valid values are `true`, `false`. - **role_membership** Whether specified roles should be considered the **complete list** (`inclusive`) or the **minimum list** (`minimum`) of roles the user has. Defaults to `minimum`. Valid values are `inclusive`, `minimum`. - **roles** The roles the user has. Multiple roles should be specified as an array. Requires features manages_solaris_rbac. - **salt** This is the 32 byte salt used to generate the PBKDF2 password used in OS X. This field is required for managing passwords on OS X >= 10.8. Requires features manages_password_salt. - **shell** The user‘s login shell. The shell must exist and be executable. This attribute cannot be managed on Windows systems. Requires features manages_shell. - **system** Whether the user is a system user, according to the OS‘s criteria; on most platforms, a UID less than or equal to 500 indicates a system user. This parameter is only used when the resource is created and will not affect the UID when the user is present. Defaults to `false`. Valid values are `true`, `false`, `yes`, `no`. - **uid** The user ID; must be specified numerically. If no user ID is specified when creating a new user, then one will be chosen automatically. This will likely result in the same user having different UIDs on different systems, which is not recommended. This is especially noteworthy when managing the same user on both Darwin and other platforms, since Puppet does UID generation on Darwin, but the underlying tools do so on other platforms. On Windows, this property is read-only and will return the user‘s security identifier (SID). Providers --------- aix, directoryservice, hpuxuseradd, ldap, pw, user_role_add, useradd, windows_adsi
user資源
主要用來管理操作系統的賬號,如賬號的刪除、增加、賬號uid、gid等管理,shell解釋器、宿主目錄的設置和賬號的密碼設置.
user {"資源標題": name ensure allowdupe comment uid gid groups home managehome manages_expiry password manages_password_max_age manages_password_min_age shell provider }
name:創建的系統賬戶名,這裏建議賬戶名長度小於8個字符,並以字母開頭.
ensure:設置賬戶的增加或者刪除,可以設置的值present為增加,absent為刪除.
allowdupe:是否允許系統存在同樣賬戶的uid,設置為false表示不可以設置相同的uid,設置為true表示可以設置相同的uid.默認值為false.
comment:對該賬戶的描述,通常為賬戶全名.
uid:系統賬戶的uid必須設置為數字,如果不設置此屬性系統將會默認自動分配.
gid:系統賬戶的gid可以用數字或者組名字.
groups:指定該系統賬戶屬於哪些組的成員,主組不必在這裏列出,多個組用數組列出,如["groupq","group2"]。
home:系統賬戶的宿主目錄。註意:這個目錄需要提前通過mkdir系統命令創建.
managehome:管理用戶的時候是否管理用戶的home目錄,可以設置的值是true、false、yes和no,默認值為false。
manage_expiry:管理用戶的過期時間.
password:系統賬戶的密碼,具體用什麽加密方式由操作系統決定,需要manages_password特性,如果密碼裏面含有$符號,需要單引號引起來.
manage_password_max_age:設置密碼的過期時間,此屬性為修改密碼的最大時間.
manage_password_min_age:設置密碼的過期時間,此屬性為修改密碼的最小時間.
shell:用戶的shell,即系統用戶的命令解釋器.
provider:系統支持添加用戶的指令.redhat(useradd)/freebsd(pw)等等.
示例:
通過下面命令生產加密的密碼:
註意:-1 是數字1,不是鍵盤上的l.
[[email protected] ~]# openssl passwd -1 Password: Verifying - Password: $1$8uIp9cmO$vljG2YGQr/aojG/ts8ZiI.
#使用resource生成系統用戶創建的puppet 代碼示例,賦值粘貼改改就好了.
[[email protected] ~]# puppet resource user
[[email protected] ~]# cat test.pp user { ‘test99‘: ensure => ‘present‘, home => ‘/home/test99‘, password => ‘$1$8uIp9cmO$vljG2YGQr/aojG/ts8ZiI.‘, password_max_age => ‘99999‘, password_min_age => ‘0‘, shell => ‘/bin/bash‘, uid => ‘577‘, }
註釋:創建用戶如果含有gid,要先創建用戶組再添加用戶,和puppet代碼的書寫順序也沒關系.
示例:
如果含有gid,事先沒有創建用戶組就會報錯,手動添加完用戶組在運行puppet代碼就正常添加.
[[email protected] ~]# cat test.pp user { ‘test100‘: ensure => ‘present‘, home => ‘/home/test100‘, password => ‘$1$8uIp9cmO$vljG2YGQr/aojG/ts8ZiI.‘, password_max_age => ‘99999‘, password_min_age => ‘0‘, shell => ‘/bin/bash‘, uid => ‘578‘, gid => ‘578‘, }
報錯信息:
[[email protected] ~]# puppet apply test.pp Notice: Compiled catalog for sh-proxy2.localdomain in environment production in 0.12 seconds Error: Could not create user test100: Execution of ‘/usr/sbin/useradd -g 578 -d /home/test100 -p $1$8uIp9cmO$vljG2YGQr/aojG/ts8ZiI. -s /bin/bash -u 578 -M test100‘ returned 6: useradd: group ‘578‘ does not exist Error: /Stage[main]/Main/User[test100]/ensure: change from absent to present failed: Could not create user test100: Execution of ‘/usr/sbin/useradd -g 578 -d /home/test100 -p $1$8uIp9cmO$vljG2YGQr/aojG/ts8ZiI. -s /bin/bash -u 578 -M test100‘ returned 6: useradd: group ‘578‘ does not exist Notice: Finished catalog run in 0.03 seconds
創建玩group更新成功:
[[email protected] ~]# groupadd test100 [[email protected] ~]# puppet apply test.pp Notice: Compiled catalog for sh-proxy2.localdomain in environment production in 0.12 seconds Notice: /Stage[main]/Main/User[test100]/ensure: created Notice: Finished catalog run in 0.07 seconds
註意:password屬性的值用來設置賬戶的密碼,通常用單引號(‘‘),將加密引起來,因為值包含一些特殊符號,如果("")會導致一些錯誤發生;
3.8版本的puppet已經不需要手動創建家目錄了,創建用戶時會主動添加家目錄.
本文出自 “青衫解衣” 博客,請務必保留此出處http://215687833.blog.51cto.com/6724358/1972064
Puppet user資源介紹(二十二)