Home / server / Questions / 642013
In Process
Aaron Copley
Asked: 2014-11-05 12:53:42 +0800 CST

How can I use Puppet to Enforce Local Group Membership?

  • 772

Cross posting this from Ask@PuppetLabs. (There simply isn't enough traffic there.)

I've seen a number of examples for adding users to %wheel with Augeas. These are all variations of the same thing; inserting a user node at the end.

What I need to do is also remove users that are added outside of configuration management. For Puppet to manage the group, only users defined in my Puppet class should be present and any others removed.

Seems like exec'ing a simple Sed command would be much easier, but so many people say to try to stay away from exec. Is it such a bad solution in this case?

puppet

2 Answers

  1. Defining wheel users this way causes them to be added, but if you remove jane from the class, she will not be removed from the wheel group on the next Puppet run.

    class wheel {
  augeas { "wheelgroup":
    context => "/files/etc/group/wheel",
    changes => [
      'set user[1] bob',
      'set user[2] jane',
    ]
  }
}

    The only way I have found around this is to purge the wheel group and re-add them each time. 

    class wheel {
  augeas { "wheelgroup":
    context => "/files/etc/group/wheel",
    changes => [
      'rm user',
      'set user[1] bob',
      'set user[2] jane',
    ]
  }
}

    I considered an onlyif to match my defined users to prevent this from running on each Puppet run. However, this is also the only way to remove users added outside of Puppet to ensure that %wheel is managed solely by Puppet.

    This solution also doesn't lend well to parametrization for reuse.

    • 1

  2. It might be possible to use the Group members type to specifically set the members of the group. You may need to use the forcelocal option.

    • 0