Classifying nodes and assigning user permissions quick start guide
The Puppet Enterprise (PE) console enables you to manage node groups and users. You can create node groups and then assign classes to nodes through those node groups. You can connect with an external directory, such as Active Directory or OpenLDAP, and import users and groups, rather than creating and maintaining users and groups in multiple locations. You can also create user roles, and assign users to those roles. Roles are granted permissions, such as permission to act on node groups. When you assign roles to users or user groups, you are granting users permissions in a more organized way.
In this exercise, you’ll create a new node group, apply rules to the group to define the nodes it includes, and add classes to the group. You’ll also create a new user role and give the role view permissions on your node group. Finally, you’ll create a new local user, and assign a user role to that user. This exercise doesn’t cover connecting with OpenLDAP or Active Directory. For more information about that, see Connecting PE with external directory services.
Note: Roles are deletable by API, not in the console. Therefore, we recommend that you try out these steps on a virtual machine.
Create a new node group
- In the PE console, click Nodes > Classification, then click Add group.
- Specify options for the new node group:
  - Parent name – Select All Nodes.
  - Group name – Enter a name that describes the role of this environment node group, for example, web_app_servers.
  - Environment – Select production.
  - Environment group – Do not select this option.
- Click Add.
Add nodes to the new node group
To add nodes to a node group, you create rules that define which nodes should be included in the group.
- On the Classification page, click the web_app_servers node group to open it.
- On the Rules tab, in the Fact field, type or select osfamily. From the Operator drop-down list, select = (is), and in the Value field, type RedHat or Windows, depending on your agent’s OS. As you type in the rule, the number in the Node matches column changes to indicate how many nodes this rule affects.
- Click Add rule, and then click the commit button.
Add classes to the node group
Now that you’ve created a node group, you’ll add classes to give the matching nodes purpose.
- On your web_app_servers page, click the Classes tab.
- In the Add new class field, on *nix, select apache. If you’re on Windows, select
- Click Add class.
- In the Parameter box, click Parameter name and choose the parameter you’d like to edit. For this example, choose logroot. In the Value field, enter
Note: The grey text that appears as values for some parameters is the default value, which can be either a literal value or a Puppet variable. You can restore this value by selecting Discard changes after you have added the parameter.
- Click Add parameter, and then click the commit button.
You can check these changes by clicking Nodes > Inventory, then clicking one of the nodes from your node group. In the Classification page, you’ll see the apache class with the Source group
Create a new user role
Add a user role so you can manage permissions for groups of users at once.
- In the console, click Access control and then click User Roles.
- For Name, type Web developers, and then for Description, type a description for the Web developers role, such as web developers.
- Click Add role.
Create a new user and add the user to your new role
These steps demonstrate how to create a new local user. See Adding LDAP users to PE for information about adding existing users from your directory service.
- On the Access Control page, click Users.
- In the Full name field, type in a user name.
- In the Login field, type the user’s login information.
- Click Add local user.
Note: When you create new local users, you need to send them a login token, as described in the following section.
- Click User Roles and then click Web developers.
- On the Member users tab, on the User name list, select the new user you created, and then click Add user and click the commit button.
Enable a user to log in
When you create new local users, you need to send them a password reset token so that they can log in for the first time.
- Click the new local user in the Users list. The new user’s page opens.
- On the upper-right of the page, click Generate password reset. A Password reset link message box opens.
- Copy the link provided in the message and send it to the new user. Then you can close the message.
Give your new role access to the node group you created
- From the User roles page, select Web developers, and then click the Permissions tab.
- In the Type box, select Node groups.
- In the Permission box, select View.
- In the Object box, select web_app_servers.
- Click Add permission, and then click the commit button.
Now, you have given members of the Web developers role permission to view the
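To confirm that the role ended up with only the View permission on the one node group, you can review an export of the role objects for anything broader. The following is an added example, not part of the PE documentation; it assumes roles exported as JSON with display_name and permissions (object_type, action, instance) fields, and the node group ID and both sample roles are constructed.

```python
import json

# Placeholder ID for the web_app_servers node group (constructed, not from the page).
WEB_APP_SERVERS_ID = "11111111-2222-4333-8444-555555555555"

# What the exercise intends: View on that one node group and nothing else.
EXPECTED = {("node_groups", "view", WEB_APP_SERVERS_ID)}

# Constructed sample export; field names are assumed to follow RBAC role objects.
ROLES_JSON = """
[
  {"display_name": "Web developers",
   "permissions": [
     {"object_type": "node_groups", "action": "view",
      "instance": "11111111-2222-4333-8444-555555555555"}]},
  {"display_name": "Web developers (drifted)",
   "permissions": [
     {"object_type": "node_groups", "action": "view", "instance": "*"},
     {"object_type": "node_groups", "action": "edit_child_rules",
      "instance": "11111111-2222-4333-8444-555555555555"}]}
]
"""

def audit_role(role, expected=EXPECTED):
    """Return one finding per permission that exceeds the expected set."""
    findings = []
    for perm in role.get("permissions", []):
        triple = (perm["object_type"], perm["action"], perm["instance"])
        if triple in expected:
            continue
        # A wildcard instance grants the action on every node group.
        reason = "wildcard instance" if perm["instance"] == "*" else "not in expected set"
        findings.append(f"{role['display_name']}: {':'.join(triple)} ({reason})")
    return findings

def audit_all(roles_json):
    """Map each role name to its list of findings."""
    return {r["display_name"]: audit_role(r) for r in json.loads(roles_json)}

if __name__ == "__main__":
    for name, findings in audit_all(ROLES_JSON).items():
        print(name, "OK" if not findings else findings)
```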