Thanks for the info. Here's what I came up with, please punch holes as needed:

Created .../chef-repo/cookbooks/users/recipes/production-systems-access.rb with the following:

# Create users with the attribute production-systems-access=true
search(:users, 'production-systems-access:true') do |u|
  home_dir = "/home/#{u['id']}"

  # Create the user
  user u['id'] do
    uid u['uid']
    gid u['gid']
    shell u['shell']
    comment "Temp Prod User - #{u['comment']}"
    supports :manage_home => true
    home home_dir
    # the ruby_block resource is not defined in this recipe
    notifies :create, "ruby_block[reset group list]", :immediately
  end

  # Create the user's .ssh directory
  directory "#{home_dir}/.ssh" do
    owner u['id']
    group u['gid'] || u['id']
    mode "0700"
  end

  # Deploy the user's ssh public key
  template "#{home_dir}/.ssh/authorized_keys" do
    source "authorized_keys.erb"
    owner u['id']
    group u['gid'] || u['id']
    mode "0600"
    variables :ssh_keys => u['ssh_keys']
  end
end

# Delete users with the attribute production-systems-access=false
search(:users, 'production-systems-access:false') do |u|
  user u['id'] do
    action :remove
    supports :manage_home => false
  end
end

So, when a user needs access to prod systems I set the production-systems-access attribute to true in that user's databag and the account is created. When access is no longer needed it's set to false and the account is deleted (but the homedir isn't touched).

On Nov 29, 2011, at 4:16 PM, Nathen Harvey wrote:
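The following is an added example, not code from the post above or from the Chef users cookbook: a plain-Ruby model of what the recipe's two searches decide for a set of data-bag items, plus a check for accounts that neither search would touch. It assumes constructed sample users (names, UIDs and key material are made up), that a string "true"/"false" in the data bag is treated like the boolean, and an assumed body for authorized_keys.erb, which the post does not show. It goes one step beyond the recipe by filtering the key list down to entries that look like bare public key lines before rendering.

```ruby
require 'erb'

ACCESS_KEY = 'production-systems-access'

# Constructed sample data-bag items (hypothetical users and keys).
SAMPLE_USERS = [
  { 'id' => 'alice', 'uid' => 2001, 'gid' => 'prod', 'shell' => '/bin/bash',
    'comment' => 'Alice', ACCESS_KEY => true,
    'ssh_keys' => ['ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0alice alice@example'] },
  { 'id' => 'bob', 'uid' => 2002, 'gid' => 'prod', 'shell' => '/bin/bash',
    'comment' => 'Bob', ACCESS_KEY => false,
    'ssh_keys' => ['ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBob bob@example'] },
  # Attribute never set: neither search returns this item.
  { 'id' => 'carol', 'uid' => 2003, 'gid' => 'prod', 'shell' => '/bin/bash',
    'comment' => 'Carol', 'ssh_keys' => [] },
  # Attribute set to something other than true/false: also invisible to both searches.
  { 'id' => 'dave', 'uid' => 2004, 'gid' => 'prod', 'shell' => '/bin/bash',
    'comment' => 'Dave', ACCESS_KEY => 'yes', 'ssh_keys' => ['not-a-key garbage'] },
]

# Sort items the way the recipe's two searches would: an item is created only
# when the attribute is true, removed only when it is false, and otherwise
# left alone. Assumption: the strings "true"/"false" behave like the booleans.
def classify_access(items)
  result = { create: [], remove: [], unmanaged: [] }
  items.each do |u|
    case u[ACCESS_KEY]
    when true, 'true'   then result[:create]    << u['id']
    when false, 'false' then result[:remove]    << u['id']
    else                     result[:unmanaged] << u['id']
    end
  end
  result
end

# Accounts already on a host that the recipe would leave in place because
# neither search matches them (attribute absent, malformed, or item deleted).
# `present_on_host` is the list of accounts this recipe created on earlier runs.
def stale_accounts(items, present_on_host)
  c = classify_access(items)
  present_on_host.reject { |name| c[:create].include?(name) || c[:remove].include?(name) }
end

# Only entries that look like a bare public key line are written out.
KEY_LINE = %r{\A(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/=]+( [^\n]*)?\z}

# Assumed body for authorized_keys.erb; it reads @ssh_keys the way a Chef
# template reads its variables.
AUTHORIZED_KEYS_ERB = "<% @ssh_keys.each do |key| %><%= key %>\n<% end %>"

class TemplateContext
  def initialize(ssh_keys)
    @ssh_keys = ssh_keys
  end

  def render(source)
    ERB.new(source).result(binding)
  end
end

# Returns the authorized_keys file content for one user's key list.
def render_authorized_keys(ssh_keys)
  keys = Array(ssh_keys).map(&:strip).select { |k| k.match?(KEY_LINE) }
  TemplateContext.new(keys).render(AUTHORIZED_KEYS_ERB)
end

if __FILE__ == $PROGRAM_NAME
  decision = classify_access(SAMPLE_USERS)
  puts "create:    #{decision[:create].join(', ')}"
  puts "remove:    #{decision[:remove].join(', ')}"
  puts "unmanaged: #{decision[:unmanaged].join(', ')}"
  puts "stale on host: #{stale_accounts(SAMPLE_USERS, %w[alice bob carol erin]).join(', ')}"
  puts render_authorized_keys(SAMPLE_USERS[0]['ssh_keys'])
end
```

Run with `ruby` and no arguments. The `unmanaged` and `stale on host` lines are the part worth watching on a real host: an account whose data-bag item lost the attribute, or whose item was deleted outright, is returned by neither search, so a reconciliation that only acts on explicit true/false values leaves it in place until someone notices.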