Paste P2128

all groups access to bastions

Authored by Krenair on Sep 30 2015, 11:28 PM.
diff --git a/manifests/role/bastionhost.pp b/manifests/role/bastionhost.pp
index 8d141d3..915ccd5 100644
--- a/manifests/role/bastionhost.pp
+++ b/manifests/role/bastionhost.pp
@@ -8,6 +8,14 @@ class role::bastionhost::general {
include base::firewall
include role::backup::host
+ class { 'standard': has_admin => false }
+ $admin_module_path = get_module_path('admin')
+ $admin_data = loadyaml("${admin_module_path}/data/data.yaml")
+ class { 'admin':
+ groups => keys($admin_data['groups']),
+ only_ops_sudo => true
+ }
+
backup::set {'home': }
ferm::service { 'ssh':
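Review bot: `groups => keys($admin_data['groups'])` turns every group key in the admin module's data.yaml into a bastion login, so any group added to that file later gains bastion access without anyone touching this role; that implicit grant should be stated next to the line, e.g. `# Every group in admin data.yaml gets a login on bastions; non-ops groups get no privileges (only_ops_sudo).` The `class { 'standard': has_admin => false }` declaration presumably exists so that `standard` does not declare `admin` a second time with a narrower group list; a one-line comment saying so would keep a future reader from "fixing" it back to `include standard`. Whether `keys()` also returns placeholder entries such as an `absent` group cannot be seen from here and is worth confirming against data.yaml. The body of role::bastionhost::general continues outside the hunk.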
diff --git a/manifests/site.pp b/manifests/site.pp
index 74e046c..2ef0409 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -236,7 +236,6 @@ node 'bast1001.wikimedia.org' {
$ganglia_aggregator = true
role bastionhost::general
- include standard
include dsh
}
@@ -246,7 +245,6 @@ node 'bast2001.wikimedia.org' {
interface => 'eth0',
}
role bastionhost::general
- include standard
}
@@ -257,7 +255,6 @@ node 'bast4001.wikimedia.org' {
}
role bastionhost::general
- include standard
include role::ipmi
include role::installserver::tftp-server
@@ -1109,7 +1106,6 @@ node 'hooft.esams.wikimedia.org' {
}
role bastionhost::general
- include standard
include role::installserver::tftp-server
class { 'ganglia::monitor::aggregator':
diff --git a/modules/admin/manifests/hashgroup.pp b/modules/admin/manifests/hashgroup.pp
index 560cd10..0dba0e1 100644
--- a/modules/admin/manifests/hashgroup.pp
+++ b/modules/admin/manifests/hashgroup.pp
@@ -7,9 +7,13 @@
#
# [*phash*]
# Hash that contains valid group data
+#
+# [*only_ops_sudo*]
+# When set to true, only the 'ops' group can have any privileges.
define admin::hashgroup(
$phash={},
+ $only_ops_sudo=false
)
{
@@ -26,9 +30,16 @@ define admin::hashgroup(
$group_name = $name
}
- admin::group { $group_name:
- ensure => $gdata['ensure'],
- gid => $gdata['gid'],
- privileges => $gdata['privileges'],
+ if $only_ops_sudo && $name != 'ops' {
+ admin::group { $group_name:
+ ensure => $gdata['ensure'],
+ gid => $gdata['gid'],
+ }
+ } else {
+ admin::group { $group_name:
+ ensure => $gdata['ensure'],
+ gid => $gdata['gid'],
+ privileges => $gdata['privileges'],
+ }
}
}
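Review bot: The `if $only_ops_sudo && $name != 'ops'` branch drops the whole `privileges` attribute, not only sudo, so the parameter name understates its effect; the doc text at the top of this file ("can have any privileges") matches the code, and the parameter name (here and in the same-named parameter added to `class admin` in init.pp) should say the same, or the comment on the declaration should spell out that all privileges are withheld. The two near-identical `admin::group` declarations can be collapsed by selecting the privileges into a variable first, which also makes the ops exemption a single readable line; provided admin::group's `privileges` parameter has a default, passing `undef` selects it, which is what omitting the attribute does today. Note the exemption compares `$name` while the resource is keyed on `$group_name`, which the line `$group_name = $name` just above suggests can differ in some branch; if they can, confirm the check is on the right one.

```puppet
    # With only_ops_sudo set, every group except 'ops' gets an account but no
    # privileges at all (undef falls back to admin::group's default).
    if $only_ops_sudo and $name != 'ops' {
        $group_privileges = undef
    } else {
        $group_privileges = $gdata['privileges']
    }
    admin::group { $group_name:
        ensure     => $gdata['ensure'],
        gid        => $gdata['gid'],
        privileges => $group_privileges,
    }
```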
diff --git a/modules/admin/manifests/init.pp b/modules/admin/manifests/init.pp
index d38abab..2bc5e9e 100644
--- a/modules/admin/manifests/init.pp
+++ b/modules/admin/manifests/init.pp
@@ -8,10 +8,13 @@
# [*$always_groups*]
# Array of valid groups to always run
#
+# [*$only_ops_sudo*]
+# When set to true, only the 'ops' group can have any privileges.
class admin(
$groups=[],
$always_groups=['absent', 'ops', 'wikidev'],
+ $only_ops_sudo=false
)
{
include sudo
@@ -34,8 +37,9 @@ class admin(
}
admin::hashgroup { $all_groups:
- phash => $data,
- before => Admin::Hashuser[$user_set],
+ phash => $data,
+ before => Admin::Hashuser[$user_set],
+ only_ops_sudo => $only_ops_sudo
}
admin::hashuser { $user_set:
