all groups access to bastions
Authored By
Krenair
Sep 30 2015, 11:47 PM
2015-09-30 23:47:38 (UTC+0)
Size
3 KB
all groups access to bastions
diff --git a/manifests/role/bastionhost.pp b/manifests/role/bastionhost.pp
index 8d141d3..b07b2b5 100644
--- a/manifests/role/bastionhost.pp
+++ b/manifests/role/bastionhost.pp
@@ -8,6 +8,14 @@ class role::bastionhost::general {
include base::firewall
include role::backup::host
+ class { 'standard': has_admin => false }
+ $admin_module_path = get_module_path('admin')
+ $admin_data = loadyaml("${admin_module_path}/data/data.yaml")
+ class { 'admin':
+ groups => keys($admin_data['groups']),
+ sudo_groups => ['ops']
+ }
+
backup::set {'home': }
ferm::service { 'ssh':
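Review bot: The new `class { 'admin': groups => keys($admin_data['groups']), sudo_groups => ['ops'] }` turns every group key present in the admin module's data.yaml into a bastion login, with sudo limited to 'ops', and nothing in the hunk records that this is the intended access policy. A comment above the declaration, e.g. `# Every group in admin's data.yaml gets a login on the bastions; only 'ops' gets sudo`, would make the policy reviewable the next time data.yaml gains a group. keys() also passes through any group whose data entry is not meant to be present (the admin class lists 'absent' among its always-groups), so it is worth confirming those are handled as intended downstream. Declaring 'standard' and 'admin' resource-style here will also clash with any `include standard`/`include admin` that still reaches these hosts earlier in the catalog, though I cannot see from this hunk whether that is the case. role::bastionhost::general continues past the hunk.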
diff --git a/manifests/site.pp b/manifests/site.pp
index 74e046c..2ef0409 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -236,7 +236,6 @@ node 'bast1001.wikimedia.org' {
$ganglia_aggregator = true
role bastionhost::general
- include standard
include dsh
}
@@ -246,7 +245,6 @@ node 'bast2001.wikimedia.org' {
interface => 'eth0',
}
role bastionhost::general
- include standard
}
@@ -257,7 +255,6 @@ node 'bast4001.wikimedia.org' {
}
role bastionhost::general
- include standard
include role::ipmi
include role::installserver::tftp-server
@@ -1109,7 +1106,6 @@ node 'hooft.esams.wikimedia.org' {
}
role bastionhost::general
- include standard
include role::installserver::tftp-server
class { 'ganglia::monitor::aggregator':
diff --git a/modules/admin/manifests/hashgroup.pp b/modules/admin/manifests/hashgroup.pp
index 560cd10..3ee5a9c 100644
--- a/modules/admin/manifests/hashgroup.pp
+++ b/modules/admin/manifests/hashgroup.pp
@@ -7,9 +7,13 @@
#
# [*phash*]
# Hash that contains valid group data
+#
+# [*sudo_groups*]
+# If set, privileges will only be given if the group is in the given array.
define admin::hashgroup(
$phash={},
+ $sudo_groups={}
)
{
@@ -26,9 +30,16 @@ define admin::hashgroup(
$group_name = $name
}
- admin::group { $group_name:
- ensure => $gdata['ensure'],
- gid => $gdata['gid'],
- privileges => $gdata['privileges'],
+ if inline_template("<%= !@sudo_groups || @sudo_groups.include?(@name) %>") == "true" {
+ admin::group { $group_name:
+ ensure => $gdata['ensure'],
+ gid => $gdata['gid'],
+ }
+ } else {
+ admin::group { $group_name:
+ ensure => $gdata['ensure'],
+ gid => $gdata['gid'],
+ privileges => $gdata['privileges'],
+ }
}
}
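Review bot: The new `if inline_template(...) == "true"` branch is inverted relative to the documented intent: the template yields "true" when `sudo_groups` is unset or when the group is listed in it, and that branch declares `admin::group` without `privileges`, while every group not listed falls into the `else` branch and receives its privileges. To match "privileges will only be given if the group is in the given array", swap the two resource bodies or negate the test, e.g. `if inline_template("<%= !@sudo_groups || @sudo_groups.include?(@name) %>") == "false" {` with the bodies left as they are. The `!@sudo_groups` test also relies on an unset parameter arriving in the template as nil; depending on the Puppet version an undef may instead arrive as something truthy, in which case `.include?` is called on it and the template raises, so it may be safer to compare against the Puppet value before entering the template. The define's default `$sudo_groups={}` in the first hunk is a hash while the class in modules/admin/manifests/init.pp defaults it to undef and documents an array; picking one type and default for both would remove the ambiguity.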
diff --git a/modules/admin/manifests/init.pp b/modules/admin/manifests/init.pp
index d38abab..bb3d98c 100644
--- a/modules/admin/manifests/init.pp
+++ b/modules/admin/manifests/init.pp
@@ -8,10 +8,13 @@
# [*$always_groups*]
# Array of valid groups to always run
#
+# [*$sudo_groups*]
+# When set, only specified groups get any privileges.
class admin(
$groups=[],
$always_groups=['absent', 'ops', 'wikidev'],
+ $sudo_groups=undef
)
{
include sudo
@@ -34,8 +37,9 @@ class admin(
}
admin::hashgroup { $all_groups:
- phash => $data,
- before => Admin::Hashuser[$user_set],
+ phash => $data,
+ before => Admin::Hashuser[$user_set],
+ sudo_groups => $sudo_groups
}
admin::hashuser { $user_set:
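Review bot: The new `$sudo_groups=undef` parameter is forwarded to admin::hashgroup, whose own default in modules/admin/manifests/hashgroup.pp is `{}`, and the header comment added in the first hunk does not say what type callers should pass or what the default means. A fuller doc comment would help, e.g. `# [*$sudo_groups*]` / `# Array of group names allowed to receive privileges; undef (the default) leaves every group's privileges as given in its data entry.`, replacing the one-line description. If only an array is ever expected, a check on the value before it reaches the template in admin::hashgroup would also catch a stray hash or string at compile time. The class body continues past the hunk.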
P2128 all groups access to bastions