Friday, January 31, 2014

Adding multiple users with Chef (bash, template and cookbook_file), with a public key added

Foreword
* This article shows how to add multiple users with a Chef recipe. I used 'template' and cookbook_file in this example.
  This post assumes that readers have already installed and configured the chef-server and clients.
  In terms of security, this article may not be excellent, so use it carefully. If you are in a situation where security is a real issue, use "data bag encryption" for the public or private key.

1. Create the cookbook

root@knife2:/home/young/chef-repo# knife cookbook create useradd


2. Create templates/user.txt.erb

root@knife2:/home/young/chef-repo# vi cookbooks/useradd/templates/default/user.txt.erb 
user1:users_group
user2:users_group
user3:users_group
user4:users_group

3. Create the authorized_keys file.
I used vi to paste the public key. You could use scp or another method.
root@knife2:/home/young/chef-repo# vi cookbooks/useradd/templates/default/authorized_keys
blablabla……..^^

4. Next, write recipes/default.rb
root@knife2:/home/young/chef-repo# vi cookbooks/useradd/recipes/default.rb 

#
# Cookbook Name:: useradd
# Recipe:: default
#
# Copyright 2014, My Future Company
#
# All rights reserved - Do Not Redistribute
#
# Author ohyoungjooung@gmail.com

# Render the user:group list onto the node; the bash resource below consumes and then removes it.
template '/root/users' do
    source 'user.txt.erb'
end

# Copy the shared public key onto the node. Note that cookbook_file resolves its
# source from the cookbook's files/default directory, not templates/default.
cookbook_file "/root/authorized_keys" do
    source "authorized_keys"
    mode 0600
end

bash 'useradding' do
    user "root"
    cwd "/root"
    code <<-EOH
    # Abort the run if the previous command failed. Capture $? first: the
    # original test "[[ $?=="0" ]]" compared one non-empty string and was always true.
    check(){
     status=$?
     if [ "$status" -eq 0 ]
     then
      echo "$1 is successful"
     else
      echo "$1 failed to achieve mission"
      exit 1
     fi
    }
    groupadd users_group
    for i in $(cat users)
    do
    USER=`echo $i | cut -d':' -f1`
    GROUP=`echo $i | cut -d':' -f2`
    # RUN COMMAND OF useradd
    useradd $USER -g $GROUP -m
    check "$USER useradd"
    mkdir /home/$USER/.ssh
    check "$USER mkdir"
    cp authorized_keys /home/$USER/.ssh/
    check "$USER authcp"
    # Tighten ownership and modes so sshd (StrictModes) accepts the key directory.
    chmod 0700 /home/$USER/.ssh
    chown -R $USER:$GROUP /home/$USER/.ssh
    chmod 0600 /home/$USER/.ssh/authorized_keys
    done
    # Remove the staged list and key so they do not linger in /root.
    rm -f /root/users
    rm -f /root/authorized_keys
    EOH
end
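The bash block above runs every converge, shares one authorized_keys between all users, and does not validate the user list. As an added example (not the blog's or the GitHub repo's code), here is an idempotent, validating version of that loop that could replace the heredoc body; it keeps the user:group file format but assumes one key per user under a KEYDIR/<user>.pub layout, and the DRY_RUN switch is my addition for checking what would change.

```shell
#!/bin/sh
# Added example (not the blog's code): an idempotent, validating replacement for
# the 'useradding' bash block. Same users file format (user:group per line), but
# it assumes one key per user in KEYDIR/<user>.pub instead of one shared key.

# Accept only conservative portable names: lowercase, digits, '_' and '-'.
valid_name() {
  printf '%s\n' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# Return 0 if "$1" is user:group with both parts valid, 1 otherwise.
valid_entry() {
  case "$1" in *:*) ;; *) return 1 ;; esac
  valid_name "${1%%:*}" && valid_name "${1#*:}"
}

# Run a privileged command, or only print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Create group and user only when absent; install the user's own key with tight modes.
ensure_user() {
  u=$1; g=$2; key=$3
  getent group "$g" >/dev/null 2>&1 || run groupadd "$g"
  getent passwd "$u" >/dev/null 2>&1 || run useradd -m -g "$g" "$u"
  run install -d -m 0700 -o "$u" -g "$g" "/home/$u/.ssh"
  run install -m 0600 -o "$u" -g "$g" "$key" "/home/$u/.ssh/authorized_keys"
}

# Walk the users file; report and skip bad lines instead of aborting the whole run.
provision() {
  file=$1; keydir=$2; rc=0
  while IFS= read -r line || [ -n "$line" ]; do
    [ -z "$line" ] && continue
    if ! valid_entry "$line"; then
      echo "skipping malformed entry: $line" >&2; rc=1; continue
    fi
    u=${line%%:*}
    if [ ! -f "$keydir/$u.pub" ]; then
      echo "no public key for $u" >&2; rc=1; continue
    fi
    ensure_user "$u" "${line#*:}" "$keydir/$u.pub"
  done < "$file"
  return $rc
}
```

From the bash resource you would ship the per-user key files with cookbook_file and call provision /root/users /root/keys; a non-zero return means at least one entry was skipped.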

5. Upload the useradd cookbook and test it

root@knife2:/home/young/chef-repo# knife cookbook upload useradd
Uploading useradd        [0.1.0]
Uploaded 1 cookbook

# On the chef-client1 node
root@chef-client1:~# chef-client -o useradd

  * bash[useradding] action run[2014-01-30T11:35:55+09:00] INFO: Processing bash[useradding] action run (useradd::default line 14)
[2014-01-30T11:35:55+09:00] INFO: bash[useradding] ran successfully

    - execute "bash"  "/tmp/chef-script20140130-8091-1449qkb"

[2014-01-30T11:35:55+09:00] INFO: Chef Run complete in 0.277210052 seconds
[2014-01-30T11:35:55+09:00] INFO: Running report handlers
[2014-01-30T11:35:55+09:00] INFO: Report handlers complete
Chef Client finished, 2 resources updated

root@chef-client1:~# cat /etc/passwd | grep user
user1:x:1003:1004::/home/user1:/bin/sh
user2:x:1004:1004::/home/user2:/bin/sh
user3:x:1005:1004::/home/user3:/bin/sh
user4:x:1006:1004::/home/user4:/bin/sh
root@chef-client1:~# 


6. Use knife bootstrap on the chef-client2 server. If you have already set up SSH key authentication (private and public key), password authentication won't be necessary.

root@knife2:/home/young/chef-repo# knife bootstrap chef-client2 -r 'recipe[useradd]' -x young --sudo
Bootstrapping Chef on chef-client2
Failed to authenticate young - trying password auth
Enter your password: 
chef-client2 Starting Chef Client, version 11.8.2
chef-client2 resolving cookbooks for run list: ["useradd"]
chef-client2 Synchronizing Cookbooks:
chef-client2   - useradd
chef-client2 Compiling Cookbooks...
chef-client2 Converging 2 resources
chef-client2 Recipe: useradd::default
chef-client2   * template[/tmp/users] action create
chef-client2     - create new file /tmp/users
chef-client2     - update content in file /tmp/users from none to ebcaf0
chef-client2         --- /tmp/users 2014-01-30 11:43:59.452210250 +0900
chef-client2         +++ /tmp/chef-rendered-template20140130-11865-15ixyap 2014-01-30 11:43:59.452210250 +0900
chef-client2         @@ -1 +1,6 @@
chef-client2         +user1:users_group
chef-client2         +user2:users_group
chef-client2         +user3:users_group
chef-client2         +user4:users_group
chef-client2         +
chef-client2 
chef-client2   * bash[useradding] action run
chef-client2     - execute "bash"  "/tmp/chef-script20140130-11865-30nl8s"
chef-client2 
chef-client2 Chef Client finished, 2 resources updated


Conclusion
* This recipe is not sufficient because it does not set passwords.
  But it may be useful for sysadmins who need to add many users to multiple servers in no time.

https://github.com/ohyoungjooung2/useradd
