Steffen,
We're successfully using a conjunction of the `users` and `sudo` cookbooks.
In our environment, we assume everyone that we add as a databag user
will be able to log into a server.
Who has sudo - now that's controlled via roles and environments inheritance.
Sample from a role:
default_attributes(
  'authorization' => {
    'sudo' => {
      'users' => ["username_that_needs_sudo"]
    }
  }
)
HTH,
-M
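As an added example (not code from the users or sudo cookbooks, and not from either poster), here is a small Ruby model of the two sudo-selection schemes in this thread: the role-attribute array above and Steffen's idea of a per-user host list in the data bag, both rendered into a sudoers.d fragment only after the usernames have been validated. The 'sudo_hosts' key, the hostnames and the usernames are constructed for the example.

```ruby
# Added example, not code from the users or sudo cookbooks. It models the
# two sudo-selection schemes discussed in this thread and renders a
# sudoers.d fragment, rejecting usernames that could corrupt the file.

# Constructed stand-in for user data bag items with a hypothetical
# 'sudo_hosts' key (Steffen's idea; not a key the users cookbook defines).
USER_ITEMS = [
  { 'id' => 'alice', 'sudo_hosts' => ['web1.example.org', 'db1.example.org'] },
  { 'id' => 'bob',   'sudo_hosts' => ['web1.example.org'] },
  { 'id' => 'carol' }, # no sudo anywhere
]

# Constructed stand-in for the role/environment attributes shown above,
# as they would look before Chef merges them.
ROLE_ATTRS = [
  { 'authorization' => { 'sudo' => { 'users' => ['alice', 'bob'] } } },
  { 'authorization' => { 'sudo' => { 'users' => ['bob', 'dave'] } } },
]

# Conservative username pattern: lowercase POSIX names, 1-32 chars. Anything
# else (whitespace, '=', '(', ...) would be interpreted by sudoers itself.
USERNAME_RE = /\A[a-z_][a-z0-9_-]{0,31}\z/

def valid_username?(name)
  name.is_a?(String) && USERNAME_RE.match?(name)
end

# Scheme A (M's reply): union of the role/environment attribute arrays.
def merged_sudo_users(attr_sets)
  attr_sets.flat_map { |a| a.dig('authorization', 'sudo', 'users') || [] }.uniq
end

# Scheme B (Steffen's idea): users whose data bag item lists this host.
def sudo_users_for_host(items, fqdn)
  items.select { |i| (i['sudo_hosts'] || []).include?(fqdn) }.map { |i| i['id'] }
end

# Render one sudoers.d fragment; fail closed on any invalid name rather than
# writing a file that sudo may reject or interpret differently.
def sudoers_fragment(users, passwordless: false)
  bad = users.reject { |u| valid_username?(u) }
  raise ArgumentError, "refusing to render sudoers: #{bad.inspect}" unless bad.empty?
  tag = passwordless ? 'NOPASSWD: ' : ''
  lines = users.sort.map { |u| "#{u} ALL=(ALL) #{tag}ALL" }
  (['# Managed by Chef; local changes will be overwritten'] + lines).join("\n") + "\n"
end

if $PROGRAM_NAME == __FILE__
  puts sudoers_fragment(merged_sudo_users(ROLE_ATTRS))
  puts sudoers_fragment(sudo_users_for_host(USER_ITEMS, 'web1.example.org'))
end
```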
On Wed, Jan 23, 2013 at 2:57 AM, Steffen Gebert wrote:
> Hi,
>
> as I'm about to introduce Chef at a second organization, I want to do
> one thing right from the beginning: (Linux) User management.
>
> What's your way to do that?
>
> In my first project, we
>
> * use opscode's users cookbook to bring accounts + ssh keys from
> sysadmins to all clients.
>
> * for some cookbooks, we use fnichol's user. IIRC because back then it was
> only possible there to add more than one SSH key, and it looked pretty
> nice (and it still does)
>
> * still lack a clean solution for sudo management. Sysadmins are allowed
> to sudo everywhere, but here and there other users should also be able
> to. Having either a sub-entry in the user's data bag with hostnames of
> the servers with sudo permissions, or a hosts data bag listing all
> sudo-allowed users sounds convenient to me.
>
> * haven't thought about managing users with access to a particular vhost
> (we have the concept that there's a user exampleorg responsible for
> example.org and all people with access should get their SSH key deployed
> into exampleorg's authorized_keys).
>
> Having re-read user and user's README gives me the impression that after
> pretty much thinking this should be possible with opscode's user CB
> (except the sudo thing, which IMHO only works with the additional hosts
> data bag).
>
> So what's your solution? Do you rely only on opscode's user CB? Do you
> know any resources covering this topic and presenting a good solution?
>
> Thanks a lot for your feedback!
>
> Steffen
>
>