diff --git a/README.md b/README.md
index a3e90f5..b2d7504 100644
--- a/README.md
+++ b/README.md
@@ -1,185 +1,186 @@
# puppet-sudo [![Build Status](https://secure.travis-ci.org/saz/puppet-sudo.png)](http://travis-ci.org/saz/puppet-sudo)
https://github.com/saz/puppet-sudo
Manage sudo configuration via Puppet
### Gittip
[![Support via Gittip](https://rawgithub.com/twolfson/gittip-badge/0.2.0/dist/gittip.png)](https://www.gittip.com/saz/)
## Usage
### WARNING
**This module will purge your current sudo config**
If this is not what you're expecting, set `purge` and/or `config_file_replace` to **false**
### Install sudo with default sudoers
#### Purge current sudo config
```puppet
class { 'sudo': }
```
#### Purge sudoers.d directory, but leave sudoers file as it is
```puppet
class { 'sudo':
config_file_replace => false,
}
```
#### Leave current sudo config as it is
```puppet
class { 'sudo':
purge => false,
config_file_replace => false,
}
```
### Adding sudoers configuration
#### Using Code
```puppet
class { 'sudo': }
sudo::conf { 'web':
source => 'puppet:///files/etc/sudoers.d/web',
}
sudo::conf { 'admins':
priority => 10,
content => "%admins ALL=(ALL) NOPASSWD: ALL",
}
sudo::conf { 'joe':
priority => 60,
source => 'puppet:///files/etc/sudoers.d/users/joe',
}
```
#### Using Hiera
A hiera hash may be used to assemble the sudoers configuration.
Hash merging is also enabled, which supports layering the configuration settings.
Examples using:
- YAML backend
- an environment called __production__
- a __/etc/puppet/hiera.yaml__ hierarchy configuration:
```yaml
:hierarchy:
- "%{environment}"
- "defaults"
```
##### Load module
###### Using Puppet version 3+
Load the module via Puppet Code or your ENC.
```puppet
include sudo
```
###### Using Puppet version 2.7+
After [Installing Hiera](http://docs.puppetlabs.com/hiera/1/installing.html):
- Load the `sudo` and `sudo::configs` modules via Puppet Code or your ENC.
```puppet
include sudo
include sudo::configs
```
##### Configure Hiera YAML __(defaults.yaml)__
These defaults will apply to all systems.
```yaml
sudo::configs:
'web':
'source' : 'puppet:///files/etc/sudoers.d/web'
'admins':
'content' : "%admins ALL=(ALL) NOPASSWD: ALL"
'priority' : 10
'joe':
'priority' : 60
'source' : 'puppet:///files/etc/sudoers.d/users/joe'
```
##### Configure Hiera YAML __(production.yaml)__
This will only apply to the production environment.
In this example we are:
- inheriting/preserving the __web__ configuration
- overriding the __admins__ configuration
- removing the __joe__ configuration
```yaml
sudo::configs:
'admins':
'content' : "%prodadmins ALL=(ALL) NOPASSWD: ALL"
'priority' : 10
'joe':
'ensure' : 'absent'
'source' : 'puppet:///files/etc/sudoers.d/users/joe'
```
If you have Hiera version >= 1.2.0 and enable [Hiera Deeper Merging](http://docs.puppetlabs.com/hiera/1/lookup_types.html#deep-merging-in-hiera--120) you may conditionally override any setting.
In this example we are:
- inheriting/preserving the __web__ configuration
- overriding the __admins:content__ setting
- inheriting/preserving the __admins:priority__ setting
- inheriting/preserving the __joe:source__ and __joe:priority__ settings
- removing the __joe__ configuration
```yaml
sudo::configs:
'admins':
'content' : "%prodadmins ALL=(ALL) NOPASSWD: ALL"
'joe':
'ensure' : 'absent'
```
##### Set a custom name for the sudoers file
In some edge cases, the automatically generated sudoers file name is insufficient. For example, when an application generates a sudoers file with a fixed file name, using this class with the purge option enabled will always delete the custom file and adding it manually will generate a file with the right content, but the wrong name. To solve this, you can use the ```sudo_file_name``` option to manually set the desired file name.
```puppet
sudo::conf { "foreman-proxy":
ensure => "present",
source => "puppet:///modules/sudo/foreman-proxy",
sudo_file_name => "foreman-proxy",
}
```
### sudo::conf / sudo::configs notes
* You can pass template() through content parameter.
* One of content or source must be set.
## sudo class parameters
| Parameter | Type | Default | Description |
| :-------------- | :------ |:----------- | :---------- |
| enable | boolean | true | Set this to remove or purge all sudoers configs |
| package | string | OS specific | Set package name _(for unsupported platforms)_ |
| package_ensure | string | present | latest, absent, or a specific package version |
| package_source | string | OS specific | Set package source _(for unsupported platforms)_ |
| purge | boolean | true | Purge unmanaged files from config_dir |
| purge_ignore | string | undef | Files excluded from purging in config_dir |
| config_file | string | OS specific | Set config_file _(for unsupported platforms)_ |
| config_file_replace | boolean | true | Replace config file with module config file |
+| includedirsudoers | boolean | OS specific | Add #includedir /etc/sudoers.d with augeas |
| config_dir | string | OS specific | Set config_dir _(for unsupported platforms)_ |
| source | string | OS specific | Set source _(for unsupported platforms)_ |
## sudo::conf class / sudo::configs hash parameters
| Parameter | Type | Default | Description |
| :-------------- | :----- |:----------- | :---------- |
| ensure | string | present | present or absent |
| priority | number | 10 | file name prefix |
| content | string | undef | content of configuration snippet |
| source | string | undef | source of configuration snippet |
| sudo_config_dir | string | OS Specific | configuration snippet directory _(for unsupported platforms)_ |
| sudo_file_name | string | undef | custom file name for sudo file in sudoers directory |
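Review bot: The new `includedirsudoers` table row does not state the condition under which it takes effect; per the parameter documentation in manifests/init.pp it only applies when `config_file_replace` is false, and its "OS specific" default is true only on RedHat 5. Suggest making the row say so, e.g. `| includedirsudoers | boolean | true on RedHat 5, else false | Add #includedir /etc/sudoers.d to the sudoers file with augeas (only when config_file_replace is false) |`, and consider adding a short example under "Leave current sudo config as it is" showing `includedirsudoers => true` together with `config_file_replace => false`, since that is the combination a reader of this README would need to keep a hand-maintained sudoers file while still having sudoers.d snippets applied.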
diff --git a/manifests/init.pp b/manifests/init.pp
index e1fc9af..728a764 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -1,162 +1,167 @@
# Class: sudo
#
# This module manages sudo
#
# Parameters:
# [*ensure*]
# Ensure if present or absent.
# Default: present
#
# [*package*]
# Name of the package.
# Only set this, if your platform is not supported or you know,
# what you're doing.
# Default: auto-set, platform specific
#
# [*package_ensure*]
# Allows you to ensure a particular version of a package
# Default: present / lastest for RHEL < 5.5
#
# [*package_source*]
# Where to find the package. Only set this on AIX (required) and
# Solaris (required) or if your platform is not supported or you
# know, what you're doing.
#
# The default for aix is the perzl sudo package. For solaris 10 we
# use the official www.sudo.ws binary package.
#
# Default: AIX: perzl.org
# Solaris: www.sudo.ws
#
# [*package_admin_file*]
# Where to find a Solaris 10 package admin file for
# an unattended installation. We do not supply a default file, so
# this has to be staged separately
#
# Only set this on Solaris 10 (required)
# Default: /var/sadm/install/admin/puppet
#
# [*purge*]
# Whether or not to purge sudoers.d directory
# Default: true
#
# [*purge_ignore*]
# Files to exclude from purging in sudoers.d directory
# Default: undef
#
# [*config_file*]
# Main configuration file.
# Only set this, if your platform is not supported or you know,
# what you're doing.
# Default: auto-set, platform specific
#
# [*config_file_replace*]
# Replace configuration file with that one delivered with this module
# Default: true
#
+# [*includedirsudoers*]
+# Add #includedir /etc/sudoers.d to the end of sudoers, if not config_file_replace
+# Default: true if RedHat 5.x
+#
# [*config_dir*]
# Main configuration directory
# Only set this, if your platform is not supported or you know,
# what you're doing.
# Default: auto-set, platform specific
#
# [*source*]
# Alternate source file location
# Only set this, if your platform is not supported or you know,
# what you're doing.
# Default: auto-set, platform specific
#
# Actions:
# Installs sudo package and checks the state of sudoers file and
# sudoers.d directory.
#
# Requires:
# Nothing
#
# Sample Usage:
# class { 'sudo': }
#
# [Remember: No empty lines between comments and class definition]
class sudo(
$enable = true,
$package = $sudo::params::package,
$package_ensure = $sudo::params::package_ensure,
$package_source = $sudo::params::package_source,
$package_admin_file = $sudo::params::package_admin_file,
$purge = true,
$purge_ignore = undef,
$config_file = $sudo::params::config_file,
$config_file_replace = true,
+ $includedirsudoers = $sudo::params::includedirsudoers,
$config_dir = $sudo::params::config_dir,
$source = $sudo::params::source
) inherits sudo::params {
validate_bool($enable)
case $enable {
true: {
$dir_ensure = 'directory'
$file_ensure = 'present'
}
false: {
$dir_ensure = 'absent'
$file_ensure = 'absent'
}
default: { fail('no $enable is set') }
}
class { 'sudo::package':
package => $package,
package_ensure => $package_ensure,
package_source => $package_source,
package_admin_file => $package_admin_file,
}
file { $config_file:
ensure => $file_ensure,
owner => 'root',
group => $sudo::params::config_file_group,
mode => '0440',
replace => $config_file_replace,
source => $source,
require => Package[$package],
}
file { $config_dir:
ensure => $dir_ensure,
owner => 'root',
group => $sudo::params::config_file_group,
mode => '0550',
recurse => $purge,
purge => $purge,
ignore => $purge_ignore,
require => Package[$package],
}
- if $config_file_replace == false and $::osfamily == 'RedHat' and $::operatingsystemmajrelease == '5' {
+ if $config_file_replace == false and $includedirsudoers {
augeas { 'includedirsudoers':
changes => ['set /files/etc/sudoers/#includedir /etc/sudoers.d'],
incl => $config_file,
lens => 'FixedSudoers.lns',
}
}
# Load the Hiera based sudoer configuration (if enabled and present)
#
# NOTE: We must use 'include' here to avoid circular dependencies with
# sudo::conf
#
# NOTE: There is no way to detect the existence of hiera. This automatic
# functionality is therefore made exclusive to Puppet 3+ (hiera is embedded)
# in order to preserve backwards compatibility.
#
# http://projects.puppetlabs.com/issues/12345
#
if (versioncmp($::puppetversion, '3') != -1) {
include 'sudo::configs'
}
anchor { 'sudo::begin': } ->
Class['sudo::package'] ->
anchor { 'sudo::end': }
}
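Review bot: The new `$includedirsudoers` parameter is used directly in the condition `if $config_file_replace == false and $includedirsudoers` but, unlike `$enable`, is never checked with `validate_bool`; a string value such as `"false"` supplied via Hiera or an ENC would be truthy and cause the augeas change to run on hosts where it was meant to be disabled. Suggest adding `validate_bool($includedirsudoers)` next to `validate_bool($enable)`, and for symmetry `validate_bool($config_file_replace)`, so the comparison cannot silently pass on a non-boolean. The doc comment "Default: true if RedHat 5.x" is consistent with the values set in manifests/params.pp in this change, and the refactor preserves the previous hard-coded RedHat 5 behaviour while letting other platforms opt in.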
diff --git a/manifests/params.pp b/manifests/params.pp
index ba0295f..44efe82 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -1,169 +1,184 @@
-#class sudo::params
+#class sudo::params
#Set the paramters for the sudo module
class sudo::params {
$source_base = "puppet:///modules/${module_name}/"
case $::osfamily {
debian: {
case $::operatingsystem {
'Ubuntu': {
$source = "${source_base}sudoers.ubuntu"
}
default: {
if (0 + $::operatingsystemmajrelease >= 7) {
$source = "${source_base}sudoers.debian"
} else {
$source = "${source_base}sudoers.olddebian"
}
}
}
$package = 'sudo'
$package_ensure = 'present'
$package_source = ''
$package_admin_file = ''
$config_file = '/etc/sudoers'
+ $includedirsudoers = false
$config_dir = '/etc/sudoers.d/'
$config_file_group = 'root'
}
redhat: {
$package = 'sudo'
# rhel 5.0 to 5.4 use sudo 1.6.9 which does not support
# includedir, so we have to make sure sudo 1.7 (comes with rhel
# 5.5) is installed.
$package_ensure = $::operatingsystemrelease ? {
/^5.[01234]/ => 'latest',
default => 'present',
}
$package_source = ''
$package_admin_file = ''
$config_file = '/etc/sudoers'
+ $includedirsudoers = $::operatingsystemmajrelease ? {
+ '5' => true,
+ default => false,
+ }
$config_dir = '/etc/sudoers.d/'
$source = $::operatingsystemrelease ? {
/^5/ => "${source_base}sudoers.rhel5",
/^6/ => "${source_base}sudoers.rhel6",
/^7/ => "${source_base}sudoers.rhel7",
default => "${source_base}sudoers.rhel6",
}
$config_file_group = 'root'
}
suse: {
$package = 'sudo'
$package_ensure = 'present'
$package_source = ''
$package_admin_file = ''
$config_file = '/etc/sudoers'
+ $includedirsudoers = false
$config_dir = '/etc/sudoers.d/'
$source = "${source_base}sudoers.suse"
$config_file_group = 'root'
}
solaris: {
case $::operatingsystem {
'OmniOS': {
$package = 'sudo'
$package_ensure = 'present'
$package_source = ''
$package_admin_file = ''
$config_file = '/etc/sudoers'
+ $includedirsudoers = false
$config_dir = '/etc/sudoers.d/'
$source = "${source_base}sudoers.omnios"
$config_file_group = 'root'
}
default: {
case $::kernelrelease {
'5.11': {
$package = 'pkg://solaris/security/sudo'
$package_ensure = 'present'
$package_source = ''
$package_admin_file = ''
$config_file = '/etc/sudoers'
+ $includedirsudoers = false
$config_dir = '/etc/sudoers.d/'
$source = "${source_base}sudoers.solaris"
$config_file_group = 'root'
}
'5.10': {
$package = 'TCMsudo'
$package_ensure = 'present'
$package_source = "http://www.sudo.ws/sudo/dist/packages/Solaris/10/TCMsudo-1.8.9p5-${::hardwareisa}.pkg.gz"
$package_admin_file = '/var/sadm/install/admin/puppet'
$config_file = '/etc/sudoers'
+ $includedirsudoers = false
$config_dir = '/etc/sudoers.d/'
$source = "${source_base}sudoers.solaris"
$config_file_group = 'root'
}
default: {
fail("Unsupported platform: ${::osfamily}/${::operatingsystem}/${::kernelrelease}")
}
}
}
}
}
freebsd: {
$package = 'security/sudo'
$package_ensure = 'present'
$package_source = ''
$package_admin_file = ''
$config_file = '/usr/local/etc/sudoers'
+ $includedirsudoers = false
$config_dir = '/usr/local/etc/sudoers.d/'
$source = "${source_base}sudoers.freebsd"
$config_file_group = 'wheel'
}
openbsd: {
$package = undef
$package_ensure = 'present'
$package_source = ''
$package_admin_file = ''
$config_file = '/etc/sudoers'
+ $includedirsudoers = false
$config_dir = '/etc/sudoers.d/'
$source = "${source_base}sudoers.openbsd"
$config_file_group = 'wheel'
}
aix: {
$package = 'sudo'
$package_ensure = 'present'
$package_source = 'http://www.sudo.ws/sudo/dist/packages/AIX/5.3/sudo-1.8.9-6.aix53.lam.rpm'
$package_admin_file = ''
$config_file = '/etc/sudoers'
+ $includedirsudoers = false
$config_dir = '/etc/sudoers.d/'
$source = "${source_base}sudoers.aix"
$config_file_group = 'system'
}
default: {
case $::operatingsystem {
gentoo: {
$package = 'sudo'
$package_ensure = 'present'
$config_file = '/etc/sudoers'
+ $includedirsudoers = false
$config_dir = '/etc/sudoers.d/'
$source = "${source_base}sudoers.gentoo"
$config_file_group = 'root'
}
archlinux: {
$package = 'sudo'
$package_ensure = 'present'
$config_file = '/etc/sudoers'
+ $includedirsudoers = false
$config_dir = '/etc/sudoers.d/'
$source = "${source_base}sudoers.archlinux"
$config_file_group = 'root'
}
amazon: {
$package = 'sudo'
$package_ensure = 'present'
$config_file = '/etc/sudoers'
+ $includedirsudoers = false
$config_dir = '/etc/sudoers.d/'
$source = $::operatingsystemrelease ? {
/^5/ => "${source_base}sudoers.rhel5",
/^6/ => "${source_base}sudoers.rhel6",
default => "${source_base}sudoers.rhel6",
}
$config_file_group = 'root'
}
default: {
fail("Unsupported platform: ${::osfamily}/${::operatingsystem}")
}
}
$package_source = ''
$package_admin_file = ''
}
}
}
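Review bot: In the outer `default:` branch, `$includedirsudoers = false` is repeated in each of the gentoo, archlinux and amazon sub-branches, whereas `$package_source` and `$package_admin_file` are set once after the inner case; hoisting `$includedirsudoers = false` to the same place would keep the three branches in step and avoid a missing assignment if another platform is added there later. The amazon branch selects the rhel5 sudoers template for a `/^5/` release but leaves `$includedirsudoers` false, while the redhat branch enables it for major release 5; worth confirming that asymmetry is intentional. The `-#class sudo::params` / `+#class sudo::params` pair at the top of the hunk is a whitespace-only change unrelated to the feature and could be dropped from this commit.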
