[chef] sudo cookbook and lwrp -- feedback needed

[Bryan Berry < >]

dear chefs,

I have added an lwrp to the sudo cookbook. Msf (Matthieu St. F?),
hailing from lovely Osaka, made some important contributions to it

At its most basic, it wraps around an existing erb template, sets the
proper permissions, and fails noisily _before_ a invalid fragment can
frag your sudo configuration

At the more advanced level, it uses generalized "patterns" of sudo
configurations. read for

This works for me, but as Atomic-penguin says, "A great chef creates
solutions that work for others, not just him/herself." feed back would
be most appreciated

https://github.com/bryanwb/cookbooks/tree/master/sudo

sudo LWRP
=============

This is a fairly complex LWRP for managing sudoers fragment files in
/etc/sudoers.d. It has many different options. Regardless
of which options you use, this lwrp will 1) make sure the permissions
on any sudoers fragment file are correct 2) fail the chef-client run
before trying to place an invalid fragment file in /etc/sudoers.d/ .
#2 ensures that your existing sudoers configuration will not be corrupted.


This LWRP operates in two modes, "template" and "pattern"

The simplest mode is template mode

    sudo "nagios"
      template "nagios_sudoers.erb"
      variables( :cmds => [ "check_init_service",  "check_hpasm" ] )
    end

This generates the file /etc/sudoers.d/nagios

    # this file was generated by chef
    nagios ALL=NOPASSWD: /usr/local/nagios/plugins/check_init_service
    nagios ALL=NOPASSWD: /usr/local/nagios/plugins/check_hpasm


This mode essentially wraps around a the template resource to ensure
the resulting configuration is valid.

The template attribute sources the "nagios_sudoers.erb" file from the
calling cookbook, not the sudo cookbook. The variables attribute works
just like the variables attribute of the template resource.

Pattern mode is more complex. The purpose of pattern mode is to
abstract common "patterns" of sudo use so that the calling cookbook
doesn't have to supply them at all, the current patterns are:

* super - full sudo access, essentially root access
* app - The members of an application group can act as the same user
that the application runs under and manage the application using the
service command
* act_as_all - user/group can execute the supplied commands as any user

These patterns use templates in this cookbook, templates/default/#{pattern}

Example using a pattern

    sudo "tomcat" do
      user "tomcat"
      pattern "app"
    end

This generates the following

     # This file is generated by Chef, all manual changes will be overriden
     %geo     ALL=(geo) NOPASSWD:ALL
     %geo     ALL=(root)  NOPASSWD: /sbin/service geo [a-zA-Z]*


Description of all attributes

* :user -- user to provide sudo privileges to
* :group -- group to provide sudo privileges to
* :service -- specific to the "app" pattern, used when the service to
be manipulated has an different name than the user it runs as
* :cmds -- an array of commands that the user/group can execute using
sudo, must use the full path
* :passwordless -- whether or not a password must be supplied when
invoking sudo
* :pattern -- use a template built into the sudo cookbook, the default
is "act_as_all"
* :template -- a template file in the current cookbook (not the sudo
cookbook), currently must be an erb template
* :variables -- variables to use with the template