diff --git a/sudoers/files/sudoers b/sudoers/files/sudoers index affc316..1786748 100644 --- a/sudoers/files/sudoers +++ b/sudoers/files/sudoers @@ -1,3 +1,4 @@ +{% from "sudoers/map.jinja" import ad_group_maps with context %} {%- if (not included) %} {%- set sudoers = pillar.get('sudoers', {}) %} {%- if grains['os_family'] == 'Debian' %} @@ -94,6 +95,13 @@ Runas_Alias {{ name }} = {{ ",".join(runas) }} %{{ group }} {{ spec }} {%- endfor %} {%- endfor %} +{%- for unix_group in ad_groups %} + {%- if unix_group in ad_group_maps.keys() %} +%{{ unix_group }} {{ ad_group_maps[unix_group] }} + {%- else %} +%{{ unix_group }} {{ ad_group_maps['default'] }} + {%- endif %} +{%- endfor %} {% if includedir %} ## Read drop-in files from /etc/sudoers.d diff --git a/sudoers/init.sls b/sudoers/init.sls index 922fdf7..8c6be9c 100644 --- a/sudoers/init.sls +++ b/sudoers/init.sls @@ -1,5 +1,8 @@ {% from "sudoers/map.jinja" import sudoers with context %} +# our list of plos core active directory groups +{%- set ad_groups = salt['pillar.get']('group_map:core').keys() %} + sudo: pkg.installed: - name: {{ sudoers.pkg }} @@ -13,5 +16,6 @@ sudo: - source: salt://sudoers/files/sudoers - context: included: False + ad_groups: {{ ad_groups }} - require: - pkg: sudo diff --git a/sudoers/map.jinja b/sudoers/map.jinja index 14023d0..cd97539 100644 --- a/sudoers/map.jinja +++ b/sudoers/map.jinja 
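Review bot: `%{{ unix_group }} {{ ad_group_maps[unix_group] }}` writes pillar-supplied group names into /etc/sudoers with no escaping or validation, and the `else` branch hands every unmapped group the `default` spec, so a name containing a space, `\`, `:` or `=` (common in AD/SSSD-style group names) either fails to parse or is read as a different user/host list than intended. A sudoers file that fails to parse locks sudo out entirely, so this wants a guard: reject names that do not match `^[A-Za-z0-9._-]+$` in the template (or escape them per sudoers rules), and have the `file.managed` state that installs this template verify the rendered result with `- check_cmd: visudo -cf` before it replaces the live file. The loop also makes `ad_groups` a required context variable, which any other render of this template now has to supply. The enclosing `{%- if (not included) %}` block begins outside the hunk, so whether the new loop sits inside it is not visible here.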
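Review bot: `salt['pillar.get']('group_map:core').keys()` has no default, so on a minion whose pillar lacks `group_map:core` the call returns the empty-string default and `.keys()` raises, failing the whole `sudo` state instead of rendering a sudoers file with no AD entries; `{%- set ad_groups = salt['pillar.get']('group_map:core', {}).keys() | list %}` gives the empty-list behaviour and also turns the Python 3 `dict_keys` view into a plain list, which matters once the value is interpolated into YAML further down. Separately, this reads `group_map:core` while map.jinja merges overrides from `group_maps:lookup` (plural); if that is not deliberate, one of the two pillar paths is a typo and the override will silently never apply.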
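Review bot: `ad_groups: {{ ad_groups }}` relies on the Python repr of the key collection being valid YAML: under Python 2 a list renders as `['a', 'b']`, which YAML reads as a flow sequence, but under Python 3 a `dict_keys` view renders as `dict_keys(['a', 'b'])`, which YAML reads as one string, and the template's `for unix_group in ad_groups` would then iterate its characters and emit one bogus `%x` line per character. Pass a serialised list instead, e.g. `ad_groups: {{ ad_groups | list | yaml }}` (or `| json`, whichever filter this Salt version provides), which also carries names containing quotes or other YAML-significant characters through intact.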
@@ -13,3 +13,15 @@ 'config-path': '/usr/local/etc', 'group': 'wheel'}, }, merge=salt['pillar.get']('sudoers:lookup', None)) %} + +# our plos active directory core groups sudoers permissions, filtered by environment +{% set ad_group_maps = salt['grains.filter_by']({ + 'default': { 'default': 'ALL = (root) NOPASSWD: SUPPORT' }, + 'vagrant': { 'default': 'ALL = (ALL:ALL) NOPASSWD: ALL' }, + 'dev': { 'default': 'ALL = (ALL:ALL) NOPASSWD: ALL' }, + 'qa': { 'default': 'ALL = (root) NOPASSWD: SUPPORT', + 'plosqa': 'ALL = (root) NOPASSWD: ALL' }, + }, + grain='environment', + merge=salt['pillar.get']('group_maps:lookup', None)) +%}
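Review bot: `grain='environment'` lets a minion-reported grain decide whether every AD core group gets `ALL = (ALL:ALL) NOPASSWD: ALL` (the `vagrant` and `dev` tiers) or the narrower `SUPPORT` spec; grains are set on the minion side, and Salt's own docs caution that they can be spoofed by the minion, so anyone who can already write `/etc/salt/grains` or the minion config on a host can move it into the permissive tier. If the environment is also known on the master (pillar, or the top-file environment), selecting on that is the safer key, and the existing `merge=salt['pillar.get']('group_maps:lookup', None)` already gives the master a per-host override path. The `SUPPORT` alias used by the `default` and `qa` specs must exist as a `Cmnd_Alias` in the rendered sudoers; its definition is not in this diff, and a missing alias makes visudo reject the file. A comment above the map would also help, since `default` is doing double duty, e.g. `# 'default' is both the tier used when the environment grain is unset or unknown, and the spec for any group with no explicit entry in the tier`.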