需求:每臺服務器上都創建dev組,專門給開發人員,給特定的開發人員建賬號,並加入dev組;
運維人員也將創建各自的用戶,並加入wheel組,通過sudo來對組裏成員做權限設置。
架構如下:
manfests裏面的文件內容如下:
- 1,init.pp
- class sudo {
- case $::osfamily {
- 'RedHat': {
- include "sudo::conf"
- import 'sudoers.pp'
- }
- default: {
- fail("$::osfamily not yet supported by the 'sudo' module!")
- }
- }
- }
- 2,conf.pp
- class sudo::conf {
- package { "sudo":
- ensure => present,
- }
- # Source the sudoers file from the Puppet Master
- file { "/etc/sudoers":
- ensure => present,
- owner => 'root',
- group => 'root',
- mode => 0440,
- source => "puppet:///modules/sudo/sudoers",
- require => Package["sudo"],
- }
- # Source a new 'su' file for PAM (caution: this may be platform-specific)
- file { "/etc/pam.d/su":
- ensure => present,
- owner => 'root',
- group => 'root',
- mode => 0644,
- source => "puppet:///modules/sudo/pam_su_el6"
- }
- # Clear any config in sudoers.d
- file { "/etc/sudoers.d":
- ensure => directory,
- owner => 'root',
- group => 'root',
- mode => '0750',
- recurse => true,
- purge => true,
- require => Package["sudo"],
- }
- }
- 3,sudoers.pp
- define sudo::sudoers (
- $sudo_sudoers ,
- $sudo_sysadmins ,
- # $admins = split($sudo_sysadmins, ','),
- # $sudoers = split($sudo_sudoers, ','),
- )
- {
- user { [ $sudo_sysadmins ]:
- ensure => present,
- groups => ['wheel'],
- require => Group['wheel'],
- }
- user { [ $sudo_sudoers ]:
- ensure => present,
- groups => ['dev'],
- require => Group['dev'],
- }
- group { "wheel":
- ensure => present,
- }
- group { "dev":
- ensure => present,
- }
- }
files目錄文件內容如下:
- 1,pam_su_el6
- #%PAM-1.0
- # This file is managed by Puppet.
- #
- auth sufficient pam_rootok.so
- # Uncomment the following line to implicitly trust users in the "wheel" group.
- #auth sufficient pam_wheel.so trust use_uid
- # Uncomment the following line to require a user to be in the "wheel" group.
- auth required pam_wheel.so use_uid
- auth include system-auth
- account sufficient pam_succeed_if.so uid = 0 use_uid quiet
- account include system-auth
- password include system-auth
- session include system-auth
- session optional pam_xauth.so
- 2,sudoers
- ## Sudoers allows particular users to run various commands as
- ## the root user, without needing the root password.
- ##
- ## Examples are provided at the bottom of the file for collections
- ## of related commands, which can then be delegated out to particular
- ## users or groups.
- ##
- ## This file must be edited with the 'visudo' command.
- ## Host Aliases
- ## Groups of machines. You may prefer to use hostnames (perhap using
- ## wildcards for entire domains) or IP addresses instead.
- # Host_Alias FILESERVERS = fs1, fs2
- # Host_Alias MAILSERVERS = smtp, smtp2
- ## User Aliases
- ## These aren't often necessary, as you can use regular groups
- ## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
- ## rather than USERALIAS
- # User_Alias ADMINS = jsmith, mikem
- ## Command Aliases
- ## These are groups of related commands...
- ## Networking
- #Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
- ## Installation and management of software
- Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
- ## Services
- #Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig
- ## Updating the locate database
- #Cmnd_Alias LOCATE = /usr/bin/updatedb
- ## Storage
- Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
- ## Delegating permissions
- #Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp
- ## Processes
- #Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
- ## Drivers
- #Cmnd_Alias DRIVERS = /sbin/modprobe
- ## Denied commands for dev
- Cmnd_Alias DEV_DENIED = /bin/su, /usr/sbin/visudo, /bin/chgrp, /usr/sbin/adduser, /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /usr/sbin/passwd, /sbin/shutdown, /sbin/init, /sbin/reboot, /usr/bin/reboot
- # Defaults specification
- #
- # Disable "ssh hostname sudo <cmd>", because it will show the password in clear.
- # You have to run "ssh -t hostname sudo <cmd>".
- #
- Defaults requiretty
- #
- # Refuse to run if unable to disable echo on the tty. This setting should also be
- # changed in order to be able to use sudo without a tty. See requiretty above.
- #
- Defaults !visiblepw
- Defaults env_reset
- Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR \
- LS_COLORS MAIL PS1 PS2 QTDIR USERNAME \
- LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION \
- LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC \
- LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS \
- _XKB_CHARSET XAUTHORITY"
- ## Next comes the main part: which users can run what software on
- ## which machines (the sudoers file can be shared between multiple
- ## systems).
- ## Syntax:
- ##
- ## user MACHINE=COMMANDS
- ##
- ## The COMMANDS section may have other options added to it.
- ##
- ## Allow root to run any commands anywhere
- root ALL=(ALL) ALL
- ## Allows members of the 'sys' group to run networking, software,
- ## service management apps and more.
- # %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
- ## Allows people in group wheel to run all commands
- %wheel ALL=(ALL) ALL
- ## Same thing without a password
- # %wheel ALL=(ALL) NOPASSWD: ALL
- ## Allows members of the users group to mount and unmount the
- ## cdrom as root
- # %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
- ## Allows members of the users group to shutdown this system
- # %users localhost=/sbin/shutdown -h now
- ## Denied DEV_DENIED and STORAGE commands for dev group
- %dev ALL=(ALL) ALL, !DEV_DENIED, !STORAGE
使用方法如下:
- include sudo
- sudo::sudoers { "example":
- sudo_sysadmins => ['test-wheel-1','test-wheel-2'],
- sudo_sudoers => ['test-sudo-1'],
- }
github地址如下:https://github.com/vTNT/puppet-sudo