puppet user资源
通过下面命令查看帮助信息:
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
|
[root@sh-proxy2 ~]
# puppet describe user
user
====
Manage
users
. This
type
is mostly built to manage system
users
, so it is lacking some features useful
for
managing normal
users
.
This resource
type
uses the prescribed native tools
for
creating
groups
and generally uses POSIX APIs
for
retrieving information
about them. It does not directly modify `
/etc/passwd
` or anything.
**Autorequires:** If Puppet is managing the user's primary group (as
provided
in
the `gid` attribute), the user resource will autorequire
that group. If Puppet is managing any role accounts corresponding to the
user's roles, the user resource will autorequire those role accounts.
Parameters
----------
- **allowdupe**
Whether to allow duplicate UIDs. Defaults to `
false
`.
Valid values are `
true
`, `
false
`, `
yes
`, `no`.
- **attribute_membership**
Whether specified attribute value pairs should be treated as the
**complete list** (`inclusive`) or the **minimum list** (`minimum`) of
attribute
/value
pairs
for
the user. Defaults to `minimum`.
Valid values are `inclusive`, `minimum`.
- **attributes**
Specify AIX attributes
for
the user
in
an array of attribute = value
pairs.
Requires features manages_aix_lam.
- **auth_membership**
Whether specified auths should be considered the **complete list**
(`inclusive`) or the **minimum list** (`minimum`) of auths the user
has. Defaults to `minimum`.
Valid values are `inclusive`, `minimum`.
- **auths**
The auths the user has. Multiple auths should be
specified as an array.
Requires features manages_solaris_rbac.
- **comment**
A description of the user. Generally the user's full name.
- **ensure**
The basic state that the object should be
in
.
Valid values are `present`, `absent`, `role`.
- **expiry**
The expiry
date
for
this user. Must be provided
in
a zero-padded YYYY-MM-DD
format
--- e.g. 2010-02-19.
If you want to
make
sure the user account does never
expire, you can pass the special value `absent`.
Valid values are `absent`. Values can match `/^\d{4}-\d{2}-\d{2}$/`.
Requires features manages_expiry.
- **forcelocal**
Forces the management of
local
accounts when accounts are also
being managed by some other NSS
Valid values are `
true
`, `
false
`, `
yes
`, `no`.
Requires features libuser.
- **gid**
The user's primary group. Can be specified numerically or by name.
This attribute is not supported on Windows systems; use the `
groups
`
attribute instead. (On Windows, designating a primary group is only
meaningful
for
domain accounts,
which
Puppet does not currently manage.)
- **
groups
**
The
groups
to
which
the user belongs. The primary group should
not be listed, and
groups
should be identified by name rather than by
GID. Multiple
groups
should be specified as an array.
- **home**
The home directory of the user. The directory must be created
separately and is not currently checked
for
existence.
- **ia_load_module**
The name of the I&A module to use to manage this user.
Requires features manages_aix_lam.
- **iterations**
This is the number of iterations of a chained computation of the
password
hash
(http:
//en
.wikipedia.org
/wiki/PBKDF2
). This parameter
is used
in
OS X. This field is required
for
managing passwords on OS X
>= 10.8.
Requires features manages_password_salt.
- **key_membership**
Whether specified key
/value
pairs should be considered the
**complete list** (`inclusive`) or the **minimum list** (`minimum`) of
the user's attributes. Defaults to `minimum`.
Valid values are `inclusive`, `minimum`.
- **keys**
Specify user attributes
in
an array of key = value pairs.
Requires features manages_solaris_rbac.
- **managehome**
Whether to manage the home directory when managing the user.
This will create the home directory when `ensure => present`, and
delete the home directory when `ensure => absent`. Defaults to `
false
`.
Valid values are `
true
`, `
false
`, `
yes
`, `no`.
- **membership**
Whether specified
groups
should be considered the **complete list**
(`inclusive`) or the **minimum list** (`minimum`) of
groups
to
which
the user belongs. Defaults to `minimum`.
Valid values are `inclusive`, `minimum`.
- **name**
The user name. While naming limitations vary by operating system,
it is advisable to restrict names to the lowest common denominator,
which
is a maximum of 8 characters beginning with a letter.
Note that Puppet considers user names to be
case
-sensitive, regardless
of the platform's own rules; be sure to always use the same
case
when
referring to a given user.
- **password**
The user's password,
in
whatever encrypted
format
the
local
system requires.
* Most modern Unix-like systems use salted SHA1 password hashes. You can
use
Puppet's built-
in
`sha1`
function
to generate a
hash
from a password.
* Mac OS X 10.5 and 10.6 also use salted SHA1 hashes.
* Mac OS X 10.7 (Lion) uses salted SHA512 hashes. The Puppet Labs
[stdlib][]
module contains a `str2saltedsha512`
function
which
can generate
password
hashes
for
Lion.
* Mac OS X 10.8 and higher use salted SHA512 PBKDF2 hashes. When
managing passwords on these systems the salt and iterations properties
need to be specified as well as the password.
* Windows passwords can only be managed
in
cleartext, as there is no
Windows API
for
setting the password
hash
.
[stdlib]: https:
//github
.com
/puppetlabs/puppetlabs-stdlib/
Be sure to enclose any value that includes a dollar sign ($)
in
single
quotes (') to avoid accidental variable interpolation.
Requires features manages_passwords.
- **password_max_age**
The maximum number of days a password may be used before it must be
changed.
Requires features manages_password_age.
- **password_min_age**
The minimum number of days a password must be used before it may be
changed.
Requires features manages_password_age.
- **profile_membership**
Whether specified roles should be treated as the **complete list**
(`inclusive`) or the **minimum list** (`minimum`) of roles
of
which
the user is a member. Defaults to `minimum`.
Valid values are `inclusive`, `minimum`.
- **profiles**
The profiles the user has. Multiple profiles should be
specified as an array.
Requires features manages_solaris_rbac.
- **project**
The name of the project associated with a user.
Requires features manages_solaris_rbac.
- **purge_ssh_keys**
Whether to purge authorized SSH keys
for
this user
if
they are not
managed
with the `ssh_authorized_key` resource
type
. Allowed values are:
* `
false
` (default) --- don't purge SSH keys
for
this user.
* `
true
` ---
look
for
keys
in
the `.
ssh
/authorized_keys
`
file
in
the
user's
home directory. Purge any keys that aren't managed as
`ssh_authorized_key`
resources.
* An array of
file
paths ---
look
for
keys
in
all of the files listed.
Purge
any keys that aren't managed as `ssh_authorized_key` resources. If any
of
these paths starts with `~` or `%h`, that token will be replaced with
the user's home directory.
Valid values are `
true
`, `
false
`.
- **role_membership**
Whether specified roles should be considered the **complete list**
(`inclusive`) or the **minimum list** (`minimum`) of roles the user
has. Defaults to `minimum`.
Valid values are `inclusive`, `minimum`.
- **roles**
The roles the user has. Multiple roles should be
specified as an array.
Requires features manages_solaris_rbac.
- **salt**
This is the 32 byte salt used to generate the PBKDF2 password used
in
OS X. This field is required
for
managing passwords on OS X >= 10.8.
Requires features manages_password_salt.
- **shell**
The user's login shell. The shell must exist and be
executable.
This attribute cannot be managed on Windows systems.
Requires features manages_shell.
- **system**
Whether the user is a system user, according to the OS's criteria;
on most platforms, a UID
less
than or equal to 500 indicates a system
user. This parameter is only used when the resource is created and will
not affect the UID when the user is present. Defaults to `
false
`.
Valid values are `
true
`, `
false
`, `
yes
`, `no`.
- **uid**
The user ID; must be specified numerically. If no user ID is
specified when creating a new user,
then
one will be chosen
automatically. This will likely result
in
the same user having
different UIDs on different systems,
which
is not recommended. This is
especially noteworthy when managing the same user on both Darwin and
other platforms, since Puppet does UID generation on Darwin, but
the underlying tools
do
so on other platforms.
On Windows, this property is
read
-only and will
return
the user's
security identifier (SID).
Providers
---------
aix, directoryservice, hpuxuseradd, ldap, pw, user_role_add,
useradd
,
windows_adsi
|
user资源
主要用来管理操作系统的账号,如账号的删除、增加、账号uid、gid等管理,shell解释器、宿主目录的设置和账号的密码设置.
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
|
user {
"资源标题"
:
name
ensure
allowdupe
comment
uid
gid
groups
home
managehome
manages_expiry
password
manages_password_max_age
manages_password_min_age
shell
provider
}
|
name:创建的系统账户名,这里建议账户名长度小于8个字符,并以字母开头.
ensure:设置账户的增加或者删除,可以设置的值present为增加,absent为删除.
allowdupe:是否允许系统存在同样账户的uid,设置为false表示不可以设置相同的uid,设置为true表示可以设置相同的uid.默认值为false.
comment:对该账户的描述,通常为账户全名.
uid:系统账户的uid必须设置为数字,如果不设置此属性系统将会默认自动分配.
gid:系统账户的gid可以用数字或者组名字.
groups:指定该系统账户属于哪些组的成员,主组不必在这里列出,多个组用数组列出,如["groupq","group2"]。
home:系统账户的宿主目录。注意:这个目录需要提前通过mkdir系统命令创建.
managehome:管理用户的时候是否管理用户的home目录,可以设置的值是true、false、yes和no,默认值为false。
manage_expiry:管理用户的过期时间.
password:系统账户的密码,具体用什么加密方式由操作系统决定,需要manages_password特性,如果密码里面含有$符号,需要单引号引起来.
manage_password_max_age:设置密码的过期时间,此属性为修改密码的最大时间.
manage_password_min_age:设置密码的过期时间,此属性为修改密码的最小时间.
shell:用户的shell,即系统用户的命令解释器.
provider:系统支持添加用户的指令.redhat(useradd)/freebsd(pw)等等.
示例:
通过下面命令生产加密的密码:
注意:-1 是数字1,不是键盘上的l.
|
1
2
3
4
|
[root@sh-proxy2 ~]
# openssl passwd -1
Password:
Verifying - Password:
$1$8uIp9cmO$vljG2YGQr
/aojG/ts8ZiI
.
|
#使用resource生成系统用户创建的puppet 代码示例,赋值粘贴改改就好了.
|
1
|
[root@sh-proxy2 ~]
# puppet resource user
|
|
1
2
3
4
5
6
7
8
9
10
|
[root@sh-proxy2 ~]
# cat test.pp
user {
'test99'
:
ensure =>
'present'
,
home =>
'/home/test99'
,
password =>
'$1$8uIp9cmO$vljG2YGQr/aojG/ts8ZiI.'
,
password_max_age =>
'99999'
,
password_min_age =>
'0'
,
shell =>
'/bin/bash'
,
uid =>
'577'
,
}
|
注释:创建用户如果含有gid,要先创建用户组再添加用户,和puppet代码的书写顺序也没关系.
示例:
如果含有gid,事先没有创建用户组就会报错,手动添加完用户组在运行puppet代码就正常添加.
|
1
2
3
4
5
6
7
8
9
10
11
|
[root@sh-proxy2 ~]
# cat test.pp
user {
'test100'
:
ensure =>
'present'
,
home =>
'/home/test100'
,
password =>
'$1$8uIp9cmO$vljG2YGQr/aojG/ts8ZiI.'
,
password_max_age =>
'99999'
,
password_min_age =>
'0'
,
shell =>
'/bin/bash'
,
uid =>
'578'
,
gid =>
'578'
,
}
|
报错信息:
|
1
2
3
4
5
|
[root@sh-proxy2 ~]
# puppet apply test.pp
Notice: Compiled catalog
for
sh-proxy2.localdomain
in
environment production
in
0.12 seconds
Error: Could not create user test100: Execution of
'/usr/sbin/useradd -g 578 -d /home/test100 -p $1$8uIp9cmO$vljG2YGQr/aojG/ts8ZiI. -s /bin/bash -u 578 -M test100'
returned 6:
useradd
: group
'578'
does not exist
Error:
/Stage
[main]
/Main/User
[test100]
/ensure
: change from absent to present failed: Could not create user test100: Execution of
'/usr/sbin/useradd -g 578 -d /home/test100 -p $1$8uIp9cmO$vljG2YGQr/aojG/ts8ZiI. -s /bin/bash -u 578 -M test100'
returned 6:
useradd
: group
'578'
does not exist
Notice: Finished catalog run
in
0.03 seconds
|
创建玩group更新成功:
|
1
2
3
4
5
|
[root@sh-proxy2 ~]
# groupadd test100
[root@sh-proxy2 ~]
# puppet apply test.pp
Notice: Compiled catalog
for
sh-proxy2.localdomain
in
environment production
in
0.12 seconds
Notice:
/Stage
[main]
/Main/User
[test100]
/ensure
: created
Notice: Finished catalog run
in
0.07 seconds
|
注意:password属性的值用来设置账户的密码,通常用单引号(''),将加密引起来,因为值包含一些特殊符号,如果("")会导致一些错误发生;
3.8版本的puppet已经不需要手动创建家目录了,创建用户时会主动添加家目录.
本文转自青衫解衣 51CTO博客,原文链接:http://blog.51cto.com/215687833/1972064
