User Chef Cookbook
Description
A convenient Chef LWRP to manage user accounts and SSH keys. This is not the Opscode users cookbook.
- Website: http://fnichol.github.io/chef-user/
- Opscode Community Site: http://community.opscode.com/cookbooks/user
- Source Code: https://github.com/fnichol/chef-user
Usage
Simply include this cookbook as a dependency in metadata.rb and the user_account
resource will be available. Example:
# In your_cookbook/metadata.rb
depends 'user'
# In your_cookbook/recipes/default.rb
user_account 'hsolo' do
ssh_keygen true
end
To use recipe[user::data_bag], include it in your run_list and have a
data bag called "users" with an item like the following:
{
"id" : "hsolo",
"comment" : "Han Solo",
"home" : "/opt/hoth/hsolo",
"groups" : ["admin", "www-data"],
"ssh_keys" : ["123...", "456..."]
}
or a user to be removed:
{
"id" : "lando",
"action" : "remove"
}
If you have a username containing a period, use a dash in the data bag item
and set a username attribute:
{
"id" : "luke-skywalker",
"username" : "luke.skywalker",
"action" : ["create", "lock"]
}
The data bag recipe will iterate through a list of usernames defined in
node['users'] (by default) and attempt to pull in the user's information
from the data bag item. In other words, having:
node['users'] = ['hsolo', 'lando', 'luke.skywalker']
will set up the hsolo user information and not use the lando user
information.
Requirements
Chef
Tested on 0.10.8 but newer and older version should work just fine. File an issue if this isn't the case.
Platform
The following platforms have been tested with this cookbook, meaning that the recipes run on these platforms without error:
- ubuntu
- debian
- mac_os_x
Cookbooks
There are no external cookbook dependencies.
Installation
Depending on the situation and use case there are several ways to install this cookbook. All the methods listed below assume a tagged version release is the target, but omit the tags to get the head of development. A valid Chef repository structure like the Opscode repo is also assumed.
From the Community Site
To install this cookbook from the Community Site, use the knife command:
knife cookbook site install user
Using Berkshelf
Berkshelf is a cookbook dependency manager and development workflow assistant. To install Berkshelf:
cd chef-repo
gem install berkshelf
berks init
To use the Community Site version:
echo "cookbook 'user'" >> Berksfile
berks install
Or to reference the Git version:
repo="fnichol/chef-user"
latest_release=$(curl -s https://api.github.com/repos/$repo/git/refs/tags \
| ruby -rjson -e '
j = JSON.parse(STDIN.read);
puts j.map { |t| t["ref"].split("/").last }.sort.last
')
cat >> Berksfile <<END_OF_BERKSFILE
cookbook 'user',
:git => 'git://github.com/$repo.git', :branch => '$latest_release'
END_OF_BERKSFILE
berks install
Using Librarian-Chef
Librarian-Chef is a bundler for your Chef cookbooks. To install Librarian-Chef:
cd chef-repo
gem install librarian
librarian-chef init
To use the Opscode platform version:
echo "cookbook 'user'" >> Cheffile
librarian-chef install
Or to reference the Git version:
repo="fnichol/chef-user"
latest_release=$(curl -s https://api.github.com/repos/$repo/git/refs/tags \
| ruby -rjson -e '
j = JSON.parse(STDIN.read);
puts j.map { |t| t["ref"].split("/").last }.sort.last
')
cat >> Cheffile <<END_OF_CHEFFILE
cookbook 'user',
:git => 'git://github.com/$repo.git', :ref => '$latest_release'
END_OF_CHEFFILE
librarian-chef install
Recipes
default
This recipe is a no-op and does nothing.
data_bag
Processes a list of users with data drawn from a data bag. The default data bag
is users and the list of user accounts to create on this node is set on
node['users'].
Attributes
home_root
The default parent path of a user's home directory. Each resource can override
this value which varies by platform. Generally speaking, the default value is
"/home".
default_shell
The default user shell given to a user. Each resource can override this value
which varies by platform. Generally speaking, the default value is
"/bin/bash".
home_dir_mode
The default Unix permissions applied to a user's home directory.
The default is "2755".
manage_home
Whether of not to manage the home directory of a user by default. Each resource can override this value. The are 2 valid states:
"true",true, or"yes": will manage the user's home directory."false",false, or"no": will not manage the user's home directory.
The default is true.
non_unique
Whether of not to allow the creation of a user account with a duplicate UID. Each resource can override this value. The are 2 valid states:
"true",true, or"yes": will allow duplicate UIDs."false",false, or"no": will not allow duplicate UIDs.
The default is false.
create_group
Whether or not to to create a group with the same name as the user by default. Each resource can override this value. The are 2 valid states:
"true",true, or"yes": will create a group for the user by default."false",false, or"no": will not create a group for the user by default.
The default is true.
ssh_keygen
Whether or not to generate an SSH keypair for the user by default. Each resource can override this value. There are 2 valid states:
"true",true, or"yes": will generate an SSH keypair when the account is created."false",false, or"no": will not generate an SSH keypair when the account is created.
The default is true.
data_bag_name
The data bag name containing a group of user account information. This is used
by the data_bag recipe to use as a database of user accounts.
The default is "users".
user_array_node_attr
The node attributes containing an array of users to be managed. If a nested
hash in the node's attributes is required, then use a / between subhashes.
For example, if the users' array is stored in node['system']['accounts']),
then set node['user']['user_array_node_attr'] to "system/accounts".
The default is "users".
Resources and Providers
user_account
Note: in order to use the password attribute, you must have the
ruby-shadow gem installed. On Debian/Ubuntu you can get
this by installing the "libshadow-ruby1.8" package.
Actions
| Action | Description | Default |
|---|---|---|
| create |
Create the user, its home directory, .ssh/authorized_keys,
and .ssh/{id_rsa,id_rsa.pub}.
|
Yes |
| remove | Remove the user account. | Â |
| modify | Modify the user account. | Â |
| manage | Manage the user account. | Â |
| lock | Lock the user's password. | Â |
| unlock | Unlock the user's password. | Â |
Attributes
| Attribute | Description | Default Value |
|---|---|---|
| username | Name attribute: The name of the user. | nil |
| comment | Gecos/Comment field. | nil |
| uid | The numeric user id. | nil |
| gid | The primary group id. | nil |
| groups | Array of other groups this user should be a member of. | nil |
| home | Home directory location. | "#{node['user']['home_root']}/#{username} |
| shell | The login shell. | node['user']['default_shell'] |
| password | Shadow hash of password. | nil |
| system_user | Whether or not to create a system user. | false |
| manage_home | Whether or not to manage the home directory. | true |
| non_unique | Whether or not to allow the creation of a user account with a duplicate UID. | false |
| create_group | Whether or not to to create a group with the same name as the user. | node['user']['create_group'] |
| ssh_keys |
A String or Array of SSH public keys to populate the
user's .ssh/authorized_keys file.
If the provided String is not a vaild ssh public-key, it will try to retrieve
the public-key from the data_bag specified in ssh_pubkey_data_bag (see below)
|
[] |
| ssh_keygen | Whether or not to generate an SSH keypair for the user. | node['user']['ssh_keygen'] |
| groups | An Array of groups to which to add the user. | [] |
| ssh_pubkey_data_bag |
A String providing the name of the data_bag holding the public keys.
Expected format of the data_bag:
{
"id": "username",
"keys": [
"ssh-ed25519 AAAA...",
"ssh-rsa AAAA..."
]
}
|
'ssh_public_keys' |
Examples
Creating a User Account
user_account 'hsolo' do
comment 'Han Solo'
ssh_keys ['3dc348d9af8027df7b9c...', '2154d3734d609eb5c452...']
home '/opt/hoth/hsolo'
ssh_keypair 'id_rsa' => "-----BEGIN OPENSSH PRIVATE KEY-----\n...",
'id_rsa.pub' => 'ssh-rsa AAAA....'
end
Creating and Locking a User Account
user_account 'lando' do
action [:create, :lock]
end
Removing a User account
user_account 'obiwan' do
action :remove
end
Development
- Source hosted at GitHub
- Report issues/Questions/Feature requests on GitHub Issues
Pull requests are very welcome! Make sure your patches are well tested. Ideally create a topic branch for every separate change you make.
License and Author
Author:: [Fletcher Nichol][fnichol] ([email protected])
Copyright 2011, Fletcher Nichol
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.