hortonworks/puppet-sudo

Name: puppet-sudo

Owner: Hortonworks Inc

Description: Fork of saz/sudo because we have to have custom stuff in /etc/sudoers

Created: 2015-01-20 17:44:45.0

Updated: 2015-01-20 17:47:59.0

Pushed: 2015-01-20 17:47:59.0

Homepage: null

Size: 164

Language: Augeas

README

puppet-sudo

Manage sudo configuration via Puppet

Usage
WARNING

This module will purge your current sudo config

If this is not what you're expecting, set `purge` and/or `config_file_replace` to false.

Install sudo with default sudoers
Purge current sudo config
class { 'sudo': }
Purge sudoers.d directory, but leave sudoers file as it is
class { 'sudo':
  config_file_replace => false,
}
Leave current sudo config as it is
class { 'sudo':
  purge               => false,
  config_file_replace => false,
}
Adding sudoers configuration
Using Code
class { 'sudo': }
sudo::conf { 'web':
  source => 'puppet:///files/etc/sudoers.d/web',
}
sudo::conf { 'admins':
  priority => 10,
  content  => "%admins ALL=(ALL) NOPASSWD: ALL",
}
sudo::conf { 'joe':
  priority => 60,
  source   => 'puppet:///files/etc/sudoers.d/users/joe',
}
Using Hiera

A hiera hash may be used to assemble the sudoers configuration. Hash merging is also enabled, which supports layering the configuration settings.

Examples using:

:hierarchy:
  - "%{environment}"
  - "defaults"
Load module
Using Puppet version 3+

Load the module via Puppet Code or your ENC.

include sudo
Using Puppet version 2.7+

After Installing Hiera:

include sudo
include sudo::configs
Configure Hiera YAML (defaults.yaml)

These defaults will apply to all systems.

sudo::configs:
    'web':
        'source'    : 'puppet:///files/etc/sudoers.d/web'
    'admins':
        'content'   : "%admins ALL=(ALL) NOPASSWD: ALL"
        'priority'  : 10
    'joe':
        'priority'  : 60
        'source'    : 'puppet:///files/etc/sudoers.d/users/joe'
Configure Hiera YAML (production.yaml)

This will only apply to the production environment. In this example we are:

sudo::configs:
    'admins':
        'content'   : "%prodadmins ALL=(ALL) NOPASSWD: ALL"
        'priority'  : 10
    'joe':
        'ensure'    : 'absent'
        'source'    : 'puppet:///files/etc/sudoers.d/users/joe'

If you have Hiera version >= 1.2.0 and enable Hiera Deeper Merging you may conditionally override any setting.

In this example we are:

sudo::configs:
    'admins':
        'content'   : "%prodadmins ALL=(ALL) NOPASSWD: ALL"
    'joe':
        'ensure'    : 'absent'
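
The difference between the two production.yaml variants above, as an added example (not code from this module or from Hiera): a simplified Ruby model of native and deeper hash merging applied to the README's data. The helper names are hypothetical, and the recursive merge is an assumption that only approximates deeper merging for nested hashes.

```ruby
# Data copied from the README's defaults.yaml example.
DEFAULTS = {
  'web'    => { 'source' => 'puppet:///files/etc/sudoers.d/web' },
  'admins' => { 'content' => '%admins ALL=(ALL) NOPASSWD: ALL', 'priority' => 10 },
  'joe'    => { 'priority' => 60, 'source' => 'puppet:///files/etc/sudoers.d/users/joe' }
}.freeze

# production.yaml in its deeper-merge form: only the overridden keys.
PRODUCTION = {
  'admins' => { 'content' => '%prodadmins ALL=(ALL) NOPASSWD: ALL' },
  'joe'    => { 'ensure' => 'absent' }
}.freeze

# Native merge: the higher-priority level replaces a whole top-level entry,
# so every parameter of that entry must be repeated there.
def native_merge(high, low)
  low.merge(high)
end

# Deeper merge (simplified model, hypothetical helper): nested hashes are
# merged key by key, and the higher-priority value wins on conflicts.
def deeper_merge(high, low)
  low.merge(high) do |_key, low_val, high_val|
    both_hashes = low_val.is_a?(Hash) && high_val.is_a?(Hash)
    both_hashes ? deeper_merge(high_val, low_val) : high_val
  end
end

# Parameters an entry lost because the higher level replaced it wholesale.
def dropped_keys(merged, low)
  merged.each_with_object({}) do |(name, params), out|
    missing = low.fetch(name, {}).keys - params.keys
    out[name] = missing unless missing.empty?
  end
end

if __FILE__ == $PROGRAM_NAME
  native = native_merge(PRODUCTION, DEFAULTS)
  deep   = deeper_merge(PRODUCTION, DEFAULTS)
  puts "native merge drops: #{dropped_keys(native, DEFAULTS)}"
  puts "deeper merge drops: #{dropped_keys(deep, DEFAULTS)}"
  deep.each { |name, params| puts "#{name}: #{params}" }
end
```

Running the same comparison on real Hiera data before a rollout shows which group ends up with the `NOPASSWD` grant in each environment and whether an override silently discarded a parameter.
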
Set a custom name for the sudoers file

In some edge cases, the automatically generated sudoers file name is insufficient. For example, when an application generates a sudoers file with a fixed file name, using this class with the purge option enabled will always delete the custom file, and adding it manually will generate a file with the right content but the wrong name. To solve this, use the `sudo_file_name` option to set the desired file name manually.

sudo::conf { "foreman-proxy":
  ensure         => "present",
  source         => "puppet:///modules/sudo/foreman-proxy",
  sudo_file_name => "foreman-proxy",
}

sudo::conf / sudo::configs notes
sudo class parameters

| Parameter | Type | Default | Description |
| :--- | :--- | :--- | :--- |
| enable | boolean | true | Set this to remove or purge all sudoers configs |
| package | string | OS specific | Set package name (for unsupported platforms) |
| package_ensure | string | present | latest, absent, or a specific package version |
| package_source | string | OS specific | Set package source (for unsupported platforms) |
| purge | boolean | true | Purge unmanaged files from config_dir |
| purge_ignore | string | undef | Files excluded from purging in config_dir |
| config_file | string | OS specific | Set config_file (for unsupported platforms) |
| config_file_replace | boolean | true | Replace config file with module config file |
| config_dir | string | OS specific | Set config_dir (for unsupported platforms) |
| source | string | OS specific | Set source (for unsupported platforms) |

sudo::conf class / sudo::configs hash parameters

| Parameter | Type | Default | Description |
| :--- | :--- | :--- | :--- |
| ensure | string | present | present or absent |
| priority | number | 10 | file name prefix |
| content | string | undef | content of configuration snippet |
| source | string | undef | source of configuration snippet |
| sudo_config_dir | string | OS Specific | configuration snippet directory (for unsupported platforms) |
| sudo_file_name | string | undef | custom file name for sudo file in sudoers directory |


This work is supported by the National Institutes of Health's National Center for Advancing Translational Sciences, Grant Number U24TR002306. This work is solely the responsibility of the creators and does not necessarily represent the official views of the National Institutes of Health.