Puppet series: the sudo module
Requirements: create a dev group on every server, reserved for developers; create accounts for specific developers and add them to the dev group. Operations staff also get their own users, which are added to the wheel group. Permissions for the members of each group are then set through sudo.
The architecture is as follows:
http://blog.51cto.com/attachment/201304/210228339.jpg
The files under manifests are as follows:
1. init.pp

class sudo {
  case $::osfamily {
    'RedHat': {
      include sudo::conf
      # sudo::sudoers lives in manifests/sudoers.pp and is autoloaded by name;
      # this import is kept from the original but is not required (and is deprecated).
      import 'sudoers.pp'
    }
    default: {
      fail("${::osfamily} not yet supported by the 'sudo' module!")
    }
  }
}

2. conf.pp

class sudo::conf {
  package { 'sudo':
    ensure => present,
  }

  # Source the sudoers file from the Puppet Master.
  # A parse error in this file disables sudo for everyone on the host,
  # so check the source with 'visudo -c -f <file>' before committing it.
  file { '/etc/sudoers':
    ensure  => present,
    owner   => 'root',
    group   => 'root',
    mode    => '0440',   # quote modes: an unquoted 0440 is an octal number, not the string "0440"
    source  => 'puppet:///modules/sudo/sudoers',
    require => Package['sudo'],
  }

  # Source a new 'su' file for PAM (caution: this may be platform-specific)
  file { '/etc/pam.d/su':
    ensure => present,
    owner  => 'root',
    group  => 'root',
    mode   => '0644',
    source => 'puppet:///modules/sudo/pam_su_el6',
  }

  # Clear any config in sudoers.d
  file { '/etc/sudoers.d':
    ensure  => directory,
    owner   => 'root',
    group   => 'root',
    mode    => '0750',
    recurse => true,
    purge   => true,
    require => Package['sudo'],
  }
}

3. sudoers.pp

define sudo::sudoers (
  $sudo_sudoers,
  $sudo_sysadmins,
  # $admins  = split($sudo_sysadmins, ','),
  # $sudoers = split($sudo_sudoers, ','),
) {
  # Both parameters are arrays of user names (see the usage example below).
  user { $sudo_sysadmins:
    ensure  => present,
    groups  => ['wheel'],
    require => Group['wheel'],
  }

  user { $sudo_sudoers:
    ensure  => present,
    groups  => ['dev'],
    require => Group['dev'],
  }

  # The groups are declared inside the define, so declare sudo::sudoers
  # only once per node or the Group resources will be duplicated.
  group { 'wheel':
    ensure => present,
  }

  group { 'dev':
    ensure => present,
  }
}
The files under the files directory are as follows:
1. pam_su_el6

#%PAM-1.0
# This file is managed by Puppet.
#
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
auth            required        pam_wheel.so use_uid
auth            include         system-auth
account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
account         include         system-auth
password        include         system-auth
session         include         system-auth
session         optional        pam_xauth.so

2. sudoers

## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
##
## This file must be edited with the 'visudo' command.

## Host Aliases
## Groups of machines. You may prefer to use hostnames (perhaps using
## wildcards for entire domains) or IP addresses instead.
# Host_Alias     FILESERVERS = fs1, fs2
# Host_Alias     MAILSERVERS = smtp, smtp2

## User Aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem

## Command Aliases
## These are groups of related commands...

## Networking
#Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

## Installation and management of software
Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

## Services
#Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig

## Updating the locate database
#Cmnd_Alias LOCATE = /usr/bin/updatedb

## Storage
Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount

## Delegating permissions
#Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp

## Processes
#Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

## Drivers
#Cmnd_Alias DRIVERS = /sbin/modprobe

## Denied commands for dev
Cmnd_Alias DEV_DENIED = /bin/su, /usr/sbin/visudo, /bin/chgrp, /usr/sbin/adduser, /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /usr/sbin/passwd, /sbin/shutdown, /sbin/init, /sbin/reboot, /usr/bin/reboot

# Defaults specification

#
# Disable "ssh hostname sudo <cmd>", because it will show the password in clear.
# You have to run "ssh -t hostname sudo <cmd>".
#
Defaults    requiretty

#
# Refuse to run if unable to disable echo on the tty. This setting should also be
# changed in order to be able to use sudo without a tty. See requiretty above.
#
Defaults   !visiblepw

Defaults    env_reset
Defaults    env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR \
                        LS_COLORS MAIL PS1 PS2 QTDIR USERNAME \
                        LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION \
                        LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC \
                        LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS \
                        _XKB_CHARSET XAUTHORITY"

## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
##      user    MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL

## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL

## Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL

## Allows members of the users group to mount and unmount the
## cdrom as root
# %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

## Allows members of the users group to shutdown this system
# %users  localhost=/sbin/shutdown -h now

## Denied DEV_DENIED and STORAGE commands for dev group.
## Note: sudoers(5) documents that excluding commands from ALL with '!' is
## not a reliable restriction; an explicit list of permitted commands is safer.
%dev    ALL=(ALL)       ALL, !DEV_DENIED, !STORAGE
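The dev rule above grants ALL and then subtracts two aliases. The evaluator below is an added example, not part of the original module: it parses the active Cmnd_Alias and user-spec lines of this sudoers file and applies the last-match rule from sudoers(5), so the effective policy for each group can be reviewed before the file is deployed. It assumes ALL hosts and exact command paths, and ignores Defaults, runas specs, tags and wildcards.

```python
import re

# Constructed excerpt of the page's sudoers: the active Cmnd_Aliases and user specs.
SUDOERS = """
Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
Cmnd_Alias DEV_DENIED = /bin/su, /usr/sbin/visudo, /bin/chgrp, /usr/sbin/adduser, /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /usr/sbin/passwd, /sbin/shutdown, /sbin/init, /sbin/reboot, /usr/bin/reboot
root ALL=(ALL) ALL
%wheel ALL=(ALL) ALL
%dev ALL=(ALL) ALL, !DEV_DENIED, !STORAGE
"""


def parse(text):
    """Parse Cmnd_Alias and user-spec lines; assumes ALL hosts and no Defaults."""
    aliases, specs = {}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("Cmnd_Alias"):
            name, cmds = line[len("Cmnd_Alias"):].split("=", 1)
            aliases[name.strip()] = [c.strip() for c in cmds.split(",")]
        else:
            who, rest = line.split(None, 1)
            # drop the host list and the "(runas)" spec, keep the Cmnd_List
            cmds = re.sub(r"^\([^)]*\)\s*", "", rest.split("=", 1)[1].strip())
            specs.append((who, [c.strip() for c in cmds.split(",")]))
    return aliases, specs


def may_run(policy, user, groups, command):
    """Verdict for one command: True/False from the last matching entry
    (sudoers(5) last-match rule), None when no user spec covers the caller."""
    aliases, specs = policy
    verdict = None
    for who, items in specs:
        if who != user and not (who.startswith("%") and who[1:] in groups):
            continue
        for item in items:
            negated = item.startswith("!")
            name = item.lstrip("!")
            paths = aliases.get(name, [name])  # "ALL" stays a literal keyword
            if "ALL" in paths or command in paths:
                verdict = not negated
    return verdict


POLICY = parse(SUDOERS)
```

Evaluating the constructed policy shows fdisk and su denied for dev while yum is allowed, and also that any command absent from both exclusion aliases is still granted by ALL, which is the limitation sudoers(5) warns about.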
Usage is as follows:

include sudo
sudo::sudoers { 'example':
  sudo_sysadmins => ['test-wheel-1', 'test-wheel-2'],
  sudo_sudoers   => ['test-sudo-1'],
}
GitHub repository: https://github.com/vTNT/puppet-sudo