- From: Mike
- Subject: [chef] Re: User management - what's your solution?
- Date: Wed, 23 Jan 2013 16:52:47 -0500

Steffen,

We're successfully using a conjunction of the `users` and `sudo` cookbooks.
In our environment, we assume everyone that we add as a databag user
will be able to log into a server.

Who has sudo - now that's controlled via roles and environments inheritance.

Sample from a role:

    default_attributes(
      'authorization' => {
        'sudo' => {
          'users' => ["username_that_needs_sudo"]
        }
      }
    )

HTH,
-M

On Wed, Jan 23, 2013 at 2:57 AM, Steffen Gebert wrote:
> Hi,
>
> as I'm about to introduce Chef at a second organization, I want to do
> one thing right from the beginning: (Linux) User management.
>
> What's your way to do that?
>
> In my first project, we
>
> * use opscode's users cookbook to bring accounts + ssh keys from
>   sysadmins to all clients.
>
> * for some cookbooks, we use fnichol's user. IIRC because back then only
>   there it was possible to add more than one SSH key and it looked pretty
>   nice (and it still does)
>
> * still lack a clean solution for sudo management. Sysadmins are allowed
>   to sudo everywhere, but here and there other users should also be able
>   to. Having either a sub-entry in the user's data bag with hostnames of
>   the servers with sudo permissions, or a hosts data bag listing all
>   sudo-allowed users sounds convenient to me.
>
> * haven't thought about managing users with access to a particular vhost
>   (we have the concept that there's a user exampleorg responsible for
>   example.org and all people with access should get their SSH key deployed
>   into exampleorg's authorized_keys).
>
> Having re-read user and user's README gives me the impression that after
> pretty much thinking this should be possible with opscode's user CB
> (except the sudo thing, which IMHO only works with the additional hosts
> data bag).
>
> So what's your solution? Do you rely only on opscode's user CB? Do you
> know any resources covering this topic and presenting a good solution?
>
> Thanks a lot for your feedback!
>
> Steffen
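
An added example, not part of the original message or of either cookbook: in the setup described above, a sudo grant is just a username string in role attributes while the accounts themselves live in the users data bag, so a small Ruby check can flag grants that name a missing, removed or keyless account. The role names, usernames and key strings are constructed, and the data bag fields `id`, `ssh_keys` and `action` are assumed to follow the `users` cookbook's item layout.

```ruby
# Audit sudo grants in role attributes against the users data bag.
# All data below is constructed for illustration.

# Data bag items (assumed layout: id, ssh_keys, optional action).
DATA_BAG_USERS = [
  { 'id' => 'alice', 'ssh_keys' => ['ssh-rsa CONSTRUCTED-KEY alice'] },
  { 'id' => 'bob',   'ssh_keys' => [] },
  { 'id' => 'carol', 'ssh_keys' => ['ssh-rsa CONSTRUCTED-KEY carol'],
    'action' => 'remove' }
].freeze

# Role name => the hash that role passes to default_attributes.
ROLE_ATTRIBUTES = {
  'webserver' => { 'authorization' => { 'sudo' => { 'users' => %w[alice bob] } } },
  'database'  => { 'authorization' => { 'sudo' => { 'users' => %w[carol dave] } } },
  'base'      => {} # no sudo grants at all
}.freeze

# Returns [role, user, problem] triples for every questionable grant.
def audit_sudo_grants(roles, bag_items)
  by_id = bag_items.each_with_object({}) { |item, h| h[item['id']] = item }
  findings = []
  roles.each do |role, attrs|
    sudo_users = attrs.dig('authorization', 'sudo', 'users') || []
    sudo_users.each do |name|
      item = by_id[name]
      if item.nil?
        # Typo or stale entry: sudo rights for an account Chef never manages.
        findings << [role, name, 'not in users data bag']
      elsif item['action'] == 'remove'
        # Account is being deprovisioned but the role still grants sudo.
        findings << [role, name, 'marked for removal']
      elsif Array(item['ssh_keys']).empty?
        # Managed account with sudo but no key to log in with.
        findings << [role, name, 'no ssh key']
      end
    end
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  audit_sudo_grants(ROLE_ATTRIBUTES, DATA_BAG_USERS).each do |role, user, problem|
    puts "#{role}: #{user}: #{problem}"
  end
end
```
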