Linux-Help/cookbook-sudo_rules
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Initial release 0.1.0

Browse source
This commit is contained in:
Eric Renfro 2015-05-13 00:08:15 -04:00
commit 17c935af1d
6 changed files with 224 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
Berksfile Normal file
View file

@ -0,0 +1,6 @@
source "https://supermarket.chef.io"
metadata
cookbook 'sudo', ">= 2.7.1"

13
CHANGELOG.md Normal file
View file

@ -0,0 +1,13 @@
sudo_rules CHANGELOG
====================
This file is used to list changes made in each version of the sudo_rules cookbook.
0.1.0
-----
- [erenfro] - Initial release of test
- - -
Check the [Markdown Syntax Guide](http://daringfireball.net/projects/markdown/syntax) for help with Markdown.
The [Github Flavored Markdown page](http://github.github.com/github-flavored-markdown/) describes the differences between markdown on github and standard markdown.

95
README.md Normal file
View file

@ -0,0 +1,95 @@
sudo_rules Cookbook
===================
Reads through a special data bag of sudo rules to compile a list of sudoers.d rules to create/remove.
Requirements
------------
#### packages
- sudo
Attributes
----------
TODO: List your cookbook attributes here.
e.g.
#### sudo_rules::default
<table>
<tr>
<th>Key</th>
<th>Type</th>
<th>Description</th>
<th>Default</th>
</tr>
<tr>
<td><tt>['sudo_rules']['data_bag']</tt></td>
<td>String</td>
<td>Name of data bag to use for entries</td>
<td><tt>sudo_rules</tt></td>
</tr>
</table>
Usage
-----
#### sudo_rules::default
Include `sudo_rules` in your node's `run_list`:
```json
{
"name":"my_node",
"run_list": [
"recipe[sudo_rules]"
]
}
```
And provide properly formatted data bag:
```json
{
"id": "Data Bag unique name, default value for name below",
"name": "Name of the sudoers.d file
"hosts": [
"fqdn1",
"fqdn2",
...
],
"action": "create",
"user": "someuser",
"runas": "ALL",
"commands": [
"/usr/sbin/somecommand args",
"/usr/sbin/anothercommand",
...
],
"defaults": [
"env_reset"
]
}
```
Id: Required: Name of Data Bag item, and sudoers.d/Id filename.
Name: Optional: Instead of using Id, you can choose the name of the file for sudoers.d/Name instead.
Hosts: Required: List of hosts to apply this rule to by fqdn, can be wildcard matched.
Action: `create` or `remove`: Default `create`
User: Required: Username or %Groupname to use for the sudo rule.
Runas: Allowed colon-separated list of users for sudoers runas: Default `ALL`
Commands: Required: List of commands (and arguments) this rule adds for the user/group.
Defaults: List of defaults this user has.
Contributing
------------
TODO: (optional) If this is a public cookbook, detail the process for contributing. If this is a private cookbook, remove this section.
e.g.
1. Fork the repository on Github
2. Create a named feature branch (like `add_component_x`)
3. Write your change
4. Write tests for your change (if applicable)
5. Run the tests, ensuring they all pass
6. Submit a Pull Request using Github
License and Authors
-------------------
Authors: TODO: List authors

2
attributes/default.rb Normal file
View file

@ -0,0 +1,2 @@
default["sudo_rules"]["data_bag"] = "sudo_rules"

10
metadata.rb Normal file
View file

@ -0,0 +1,10 @@
name 'sudo_rules'
maintainer 'Linux-Help.org'
maintainer_email 'erenfro@linux-help.org'
license 'All rights reserved'
description 'Configures sudo rules from data bags using the sudo cookbook'
long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
version '0.1.0'
depends 'sudo', '>= 2.7.1'

98
recipes/default.rb Normal file
View file

@ -0,0 +1,98 @@
#
# Cookbook Name:: sudo_rules
# Recipe:: default
#
# Copyright 2015, Linux-Help.org
#
# All rights reserved - Do Not Redistribute
#
include_recipe "sudo"
node.override['authorization']['sudo']['include_sudoers_d'] = true
search_node = node['fqdn']
if Chef::Config[:solo] and nod chef_solo_search_installed?
Chef::Log.warn("This recipe uses search. Chef Solo does not support search unless you install the chef-solo-search cookbook.")
else
search(node['sudo_rules']['data_bag'], "hosts:#{search_node}").each do |rule|
# Name
if rule["name"].kind_of?(String)
rule_name = rule["name"]
else
rule_name = rule["id"]
end
# Action Create/Remove
if rule["action"].kind_of?(String)
if rule["action"] == "create" or rule["action"] == "remove"
rule_action = rule["action"]
else
rule_action = "create"
end
else
rule_action = "create"
end
# Username or Group
if rule['user'].kind_of?(String)
rule_user = rule['user']
else
Chef::Log.warn("data_bag #{rule['id']} has no user entry and is required. Skipped.")
next
end
# Pasword or NoPassword
if rule['nopasswd'].kind_of?(TrueClass)
rule_nopasswd = rule['nopasswd']
else
rule_nopasswd = false
end
# RunAS
if rule['runas'].kind_of?(String)
rule_runas = rule['runas']
else
rule_runas = 'ALL'
end
# Commands
if rule['commands'].kind_of?(Array)
rule_commands = rule['commands']
elsif rule['rules'].kind_of?(String)
rule_commands = [ rule['commands'] ]
else
Chef::Log.warn("data_bag #{rule['id']} has no commands is required. Skipped.")
next
end
# Defaults
if rule['defaults'].kind_of?(Array)
rule_defaults = rule['defaults']
elsif rule['defaults'].kind_of?(String)
rule_defaults = [ rule['defaults'] ]
else
rule_defaults = []
end
sudo rule["id"] do
name rule_name
user rule_user
runas rule_runas
nopasswd rule_nopasswd
commands rule_commands
defaults rule_defaults
end
#puts "ID: #{rule["id"]}"
#puts "Name: #{rule_name}"
#puts "Action: #{rule_action}"
#puts "User: #{rule_user}"
#puts "Runas: #{rule_runas}"
#puts "Nopasswd #{rule_nopasswd}"
#puts "Commands: #{rule_commands}"
#puts "Defaults: #{rule_defaults}"
#puts "--"
end
end