Puppeting sudoers

 Method #1 – RedHat style, wheel group

  # #includedir does not work on RHEL releases before 5.5, so the wheel group
  # is used there instead of a drop-in file under /etc/sudoers.d.
  # The wheel rule is applied on RedHat only, not on other UNIX systems.
  if $operatingsystem == 'RedHat' {
    augeas { 'sudowheel':
      # Augeas tree path for the target file /etc/sudoers.
      context => '/files/etc/sudoers',
      # Create or update the single "%wheel" spec. The five nodes together
      # correspond to a rule of the form:  %wheel ALL=(ALL) NOPASSWD: ALL
      # Every member of wheel can then run any command as any user without a
      # password prompt, so wheel membership is equivalent to root access.
      changes => [
        'set spec[user = "%wheel"]/user %wheel',
        'set spec[user = "%wheel"]/host_group/host ALL',
        'set spec[user = "%wheel"]/host_group/command ALL',
        'set spec[user = "%wheel"]/host_group/command/runas_user ALL',
        'set spec[user = "%wheel"]/host_group/command/tag NOPASSWD',
      ],
    }
  }
ON EACH USER:
            # Declares one local account. $user, $userhash and the two password
            # age limits are set outside this snippet.
            user { $user:
              ensure           => present,
              comment          => $userhash[$user]['fullname'],
              managehome       => true,
              # Membership in wheel ties the account to the %wheel rule in
              # /etc/sudoers. With the NOPASSWD rule from Method #1, every account
              # declared this way can run any command as root without a password.
              groups           => 'wheel',
              # NOTE(review): the user type takes the password in the encrypted
              # format the system uses; presumably $userhash holds hashes and not
              # clear text. Confirm against the data source.
              password         => $userhash[$user]['password'],
              password_min_age => $password_min_age,
              password_max_age => $password_max_age,
            }

 Method #2 – the UNIX way – creating a file inside /etc/sudoers.d

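  # On RHEL5 the /etc/sudoers.d directory does not exist by default, so it has
  # to be created before a drop-in file can be placed in it.
  # NOTE(review): sudo only reads this directory when /etc/sudoers carries a
  # matching #includedir line. Nothing in this snippet adds one, so confirm
  # that it is present on the target release.
  file { '/etc/sudoers.d':
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    # The mode is a quoted four-digit octal string. A bare 0750 is parsed as a
    # number, and newer Puppet versions reject that for the mode attribute.
    mode   => '0750',
  }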
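  # Drop-in rule file /etc/sudoers.d/svc-system-config-user (the UNIX way).
  # hiera_array merges the users::sudoerusers key across the Hiera hierarchy.
  # The template reads the result as @sudoerusers and writes one full-access
  # NOPASSWD rule per entry, so everyone listed under that key gets
  # passwordless root.
  $sudoerusers = hiera_array('users::sudoerusers')
  file { 'svc-system-config-user':
    ensure  => file,
    path    => '/etc/sudoers.d/svc-system-config-user',
    owner   => 'root',
    group   => 'root',
    # The mode is a quoted four-digit octal string, read-only for root and
    # group root. A bare 440 is parsed as a number, and newer Puppet versions
    # reject that for the mode attribute.
    mode    => '0440',
    content => template('users/svc-system-config-user.erb'),
    # NOTE(review): nothing checks the rendered file before it is installed,
    # and a syntax error in a sudoers drop-in can stop sudo from working at
    # all. Where the file type supports validate_cmd, adding
    #   validate_cmd => '/usr/sbin/visudo -cf %',
    # makes Puppet refuse a broken render. Confirm the visudo path first.
  }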
The template, svc-system-config-user.erb:
<%# Renders one sudoers rule per entry of @sudoerusers, which the manifest fills from the Hiera key users::sudoerusers. -%>
<%# Entries are written verbatim as the user field and are not validated here; presumably they are plain account names, to be confirmed against the Hiera data. -%>
# NOTE: This is puppet managed
<% @sudoerusers.each do |val| -%>
<%= val %> ALL=(ALL) NOPASSWD: ALL
<% end -%>

 Method #3 – Just edit /etc/sudoers

ON EACH USER:
          # Adds or updates one spec for $user directly in /etc/sudoers. The five
          # nodes correspond to a rule of the form:  <user> ALL=(ALL) NOPASSWD: ALL
          # so the account can run any command as any user without a password.
          # NOTE(review): $user is interpolated inside a single-quoted Augeas path
          # expression. Presumably it is always a plain account name; confirm that
          # the caller never passes a value containing quotes or brackets.
          augeas { "sudo${user}":
            context => '/files/etc/sudoers', # target file is /etc/sudoers
            changes => [
              "set spec[user = '${user}']/user ${user}",
              "set spec[user = '${user}']/host_group/host ALL",
              "set spec[user = '${user}']/host_group/command ALL",
              "set spec[user = '${user}']/host_group/command/runas_user ALL",
              "set spec[user = '${user}']/host_group/command/tag NOPASSWD",
            ],
          }
