The pe_accounts Class

A newer version is available; see the version menu above for details.

This class is part of pe_accounts, a pre-built Puppet module included with Puppet Enterprise.

windows-only NOTE: pe_accounts is not yet supported on Windows nodes.

The pe_accounts class can do any or all of the following:

  • Create and manage a set of pe_accounts::user resources
  • Create and manage a set of shared group resources
  • Maintain a pair of rules in the sudoers file to grant privileges to the sudo and sudonopw groups

This class is designed for cases where your account data is maintained separately from your Puppet manifests. This usually means one of the following is true:

  • The data is being read from a non-Puppet directory service or CMDB, probably with a custom function.
  • The data is being maintained manually by a user who does not write Puppet code.
  • The data is being generated by an out-of-band process.

If your site’s account data will be maintained manually by a sysadmin able to write Puppet code, it will make more sense to maintain it as a normal set of pe_accounts::user and group resources, although you may still wish to use the pe_accounts class to maintain sudoers rules.

To manage users and groups with the pe_accounts class, you must prepare a data store and configure the class for the data store when you declare it.

Note: In Puppet Enterprise 1.2, this class was called accounts; it was renamed in PE 2 to avoid namespace conflicts. If you are upgrading and wish to continue using the older name, the upgrader can install a wrapper module to enable it. See the chapter on upgrading for more details.

Note: In Puppet Enterprise 2.0 and higher, this class is assigned to the console’s default group with no parameters, which will prevent it from being redeclared with any configuration. To use the class, you must:

  • Unassign it from the default group in the console
  • Create a wrapper module that declares this class with the necessary parameters
  • Re-assign the wrapper class to whichever nodes need it

Usage Example

To use YAML files as a data store:

    class {'pe_accounts':
      data_store => yaml,
    }

To use a Puppet class as a data store (and manage sudoers rules):

    class {'pe_accounts':
      data_store     => namespace,
      data_namespace => 'site::pe_accounts::data',
      manage_sudoers => true,
    }

To manage sudoers rules without managing any users or groups:

    class {'pe_accounts':
      manage_users   => false,
      manage_groups  => false,
      manage_sudoers => true,
    }

Data Stores

Account data can come from one of two sources: a Puppet class that declares three variables, or a set of three YAML files stored in /etc/puppetlabs/puppet/data.

Using a Puppet Class as a Data Store

This option is most useful if you are able to generate or import your user data with a custom function, which may be querying from an LDAP directory or some other data source.

The Puppet class containing the data must have a name ending in ::data. (We recommend site::pe_accounts::data.) This class must declare the following variables:

  • $users_hash should be a hash in which each key is the title of a pe_accounts::user resource and each value is a hash containing that resource’s attributes and values.
  • $groups_hash should be a hash in which each key is the title of a group and each value is a hash containing that resource’s attributes and values.

See below for examples of the data formats used in these variables.

When declaring the pe_accounts class to use data in a Puppet class, use the following attributes:

data_store     => namespace,
data_namespace => {name of class},

Using YAML Files as a Data Store

This option is most useful if your user data is being generated by an out-of-band process or is being maintained by a user who does not write Puppet manifests.

When storing data in YAML, the following valid YAML files must exist in /etc/puppetlabs/puppet/data:

  • pe_accounts_users_hash.yaml, which should contain an anonymous hash in which each key is the title of a pe_accounts::user resource and each value is a hash containing that resource’s attributes and values.
  • pe_accounts_groups_hash.yaml, which should contain an anonymous hash in which each key is the title of a group and each value is a hash containing that resource’s attributes and values.

See below for examples of the data formats used in these variables.

When declaring the pe_accounts class to use data in YAML files, use the following attribute:

data_store => yaml,

Data Formats

This class uses three hashes of data to construct the pe_accounts::user and group resources it manages.

The Users Hash

The users hash represents a set of pe_accounts::user resources. Each key should be the title of a pe_accounts::user resource, and each value should be another hash containing that resource’s attributes and values.

Puppet Example
    $users_hash = {
      sysop => {
        locked  => false,
        comment => 'System Operator',
        uid     => '700',
        gid     => '700',
        groups  => ['admin', 'sudonopw'],
        sshkeys => ['ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAwLBhQefRiXHSbVNZYKu2o8VWJjZJ/B4LqICXuxhiiNSCmL8j+5zE/VLPIMeDqNQt8LjKJVOQGZtNutW4OhsLKxdgjzlYnfTsQHp8+JMAOFE3BD1spVnGdmJ33JdMsQ/fjrVMacaHyHK0jW4pHDeUU3kRgaGHtX4TnC0A175BNTH9yJliDvddRzdKR4WtokNzqJU3VPtHaGmJfXEYSfun/wFfc46+hP6u0WcSS7jZ2WElBZ7gNO4u2Z+eJjFWS9rjQ/gNE8HHlvmN0IUuvdpKdBlJjzSiKZR+r/Bo9ujQmGY4cmvlvgmcdajM/X1TqP6p3OuouAk5QSPUlDRV91oEHw== sysop+moduledevkey@puppetlabs.com'],
      },
      villain => {
        locked  => true,
        comment => 'Test Locked Account',
        uid     => '701',
        gid     => '701',
        groups  => ['admin', 'sudonopw'],
        sshkeys => ['ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAwLBhQefRiXHSbVNZYKu2o8VWJjZJ/B4LqICXuxhiiNSCmL8j+5zE/VLPIMeDqNQt8LjKJVOQGZtNutW4OhsLKxdgjzlYnfTsQHp8+JMAOFE3BD1spVnGdmJ33JdMsQ/fjrVMacaHyHK0jW4pHDeUU3kRgaGHtX4TnC0A175BNTH9yJliDvddRzdKR4WtokNzqJU3VPtHaGmJfXEYSfun/wFfc46+hP6u0WcSS7jZ2WElBZ7gNO4u2Z+eJjFWS9rjQ/gNE8HHlvmN0IUuvdpKdBlJjzSiKZR+r/Bo9ujQmGY4cmvlvgmcdajM/X1TqP6p3OuouAk5QSPUlDRV91oEHw== villain+moduledevkey@puppetlabs.com'],
      },
    }
YAML Example
--- 
sysop:
  locked: false
  comment: System Operator
  uid: '700'
  gid: '700'
  groups:
  - admin
  - sudonopw
  sshkeys:
  - ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAwLBhQefRiXHSbVNZYKu2o8VWJjZJ/B4LqICXuxhiiNSCmL8j+5zE/VLPIMeDqNQt8LjKJVOQGZtNutW4OhsLKxdgjzlYnfTsQHp8+JMAOFE3BD1spVnGdmJ33JdMsQ/fjrVMacaHyHK0jW4pHDeUU3kRgaGHtX4TnC0A175BNTH9yJliDvddRzdKR4WtokNzqJU3VPtHaGmJfXEYSfun/wFfc46+hP6u0WcSS7jZ2WElBZ7gNO4u2Z+eJjFWS9rjQ/gNE8HHlvmN0IUuvdpKdBlJjzSiKZR+r/Bo9ujQmGY4cmvlvgmcdajM/X1TqP6p3OuouAk5QSPUlDRV91oEHw== sysop+moduledevkey@puppetlabs.com
villain:
  locked: true
  comment: Test Locked Account
  uid: '701'
  gid: '701'
  groups:
  - admin
  - sudonopw
  sshkeys:
  - ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAwLBhQefRiXHSbVNZYKu2o8VWJjZJ/B4LqICXuxhiiNSCmL8j+5zE/VLPIMeDqNQt8LjKJVOQGZtNutW4OhsLKxdgjzlYnfTsQHp8+JMAOFE3BD1spVnGdmJ33JdMsQ/fjrVMacaHyHK0jW4pHDeUU3kRgaGHtX4TnC0A175BNTH9yJliDvddRzdKR4WtokNzqJU3VPtHaGmJfXEYSfun/wFfc46+hP6u0WcSS7jZ2WElBZ7gNO4u2Z+eJjFWS9rjQ/gNE8HHlvmN0IUuvdpKdBlJjzSiKZR+r/Bo9ujQmGY4cmvlvgmcdajM/X1TqP6p3OuouAk5QSPUlDRV91oEHw== villain+moduledevkey@puppetlabs.com

The Groups Hash

The groups hash represents a set of shared group resources. Each key should be the title of a group resource, and each value should be another hash containing that resource’s attributes and values.

Puppet Example
    $groups_hash = {
      developer => {
        gid    => 3003,
        ensure => present,
      },
      sudonopw => {
        gid    => 3002,
        ensure => present,
      },
      sudo     => {
        gid    => 3001,
        ensure => present,
      },
      admin    => {
        gid    => 3000,
        ensure => present,
      },
    }
YAML Example
---
developer:
 gid: "3003"
 ensure: "present"
sudonopw:
 gid: "3002"
 ensure: "present"
sudo:
 gid: "3001"
 ensure: "present"
admin:
 gid: "3000"
 ensure: "present"

Parameters

manage_groups

Specifies whether or not to manage a set of shared groups, which can be used by all pe_accounts::user resources. If true, your data store must define these groups in the $groups_hash variable or the pe_accounts_groups_hash.yaml file. Allowed values are true and false; defaults to true.

manage_users

Specifies whether or not to manage a set of pe_accounts::user resources. If true, your data store must define these users in the $users_hash variable or the pe_accounts_users_hash.yaml file. Allowed values are true and false; defaults to true.

manage_sudoers

Specifies whether or not to add sudo rules to the node’s sudoers file. If true, the class will add %sudo and %sudonopw groups to the sudoers file and give them full sudo and passwordless sudo privileges respectively. You will need to make sure that the sudo and sudonopw groups exist in the groups hash, and that your chosen users have those groups in their groups arrays. Managing sudoers is not supported on Solaris.

Allowed values are true and false; defaults to false.

data_store

Specifies the data store to use for accounts and groups.

When set to namespace, data will be read from the puppet class specified in the data_namespace parameter. When set to yaml, data will be read from specially-named YAML files in the /etc/puppetlabs/puppet/data directory. (If you have changed your $confdir, it will look in $confdir/data.) Example YAML files are provided in the ext/data/ directory of this module.

Allowed values are yaml and namespace; defaults to namespace.

data_namespace

Specifies the Puppet namespace from which to read data. This must be the name of a Puppet class, and must end with ::data (we recommend using site::pe_accounts::data); the class will automatically be declared by the pe_accounts class. The class cannot have any parameters, and must declare variables named:

  • $users_hash
  • $groups_hash

See the pe_accounts::data class included in this module (in manifests/data.pp) for an example; see the data formats section for information on each hash’s data structure.

Defaults to pe_accounts::data.

sudoers_path

Specifies the path to the sudoers file on this system. Defaults to /etc/sudoers.


↑ Back to top