A convenient Chef LWRP to manage user accounts and SSH keys. This is not the Opscode users cookbook.
- Website: http://fnichol.github.io/chef-user/
- Opscode Community Site: http://community.opscode.com/cookbooks/user
- Source Code: https://github.com/fnichol/chef-user
Simply include `recipe[user]` in your `run_list` and the `user_account` resource will be available.

To use `recipe[user::data_bag]`, include it in your `run_list` and have a data bag called `"users"` with an item like the following:

```json
{
  "id"       : "hsolo",
  "comment"  : "Han Solo",
  "home"     : "/opt/hoth/hsolo",
  "groups"   : ["admin", "www-data"],
  "ssh_keys" : ["123...", "456..."]
}
```

or a user to be removed:

```json
{
  "id"     : "lando",
  "action" : "remove"
}
```

If you have a username containing a period, use a dash in the data bag item and set a `username` attribute:

```json
{
  "id"       : "luke-skywalker",
  "username" : "luke.skywalker",
  "action"   : ["create", "lock"]
}
```

The data bag recipe will iterate through a list of usernames defined in `node['users']` (by default) and attempt to pull in the user's information from the data bag item. In other words, having:

```ruby
node['users'] = ['hsolo', 'lando', 'luke.skywalker']
```

will set up the `hsolo` user information and not use the `lando` user information.
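The lookup flow just described, as an added example that is not part of the cookbook's own code: a stand-alone Ruby model that resolves each name in `node['users']` against an in-memory copy of the `users` data bag (periods in a username replaced by dashes for the item id, as the `luke-skywalker` item shows) and yields the resource name, action list and attribute hash a `user_account` declaration would receive. The data bag contents are constructed, and the helper names (`item_id_for`, `resolve_user`, `resolve_users`), the pass-through of `groups` as a plain attribute and the fallback to the `create` action when an item has none are assumptions made for illustration.

```ruby
# Added example (not the cookbook's recipe code): resolve node['users'] against
# data bag items the way the user::data_bag recipe is described as doing.

# Constructed data bag items keyed by item id; in a real run these would come
# back from data_bag_item('users', id).
USERS_DATA_BAG = {
  'hsolo' => {
    'id' => 'hsolo', 'comment' => 'Han Solo', 'home' => '/opt/hoth/hsolo',
    'groups' => ['admin', 'www-data'], 'ssh_keys' => ['123...', '456...']
  },
  'lando' => { 'id' => 'lando', 'action' => 'remove' },
  'luke-skywalker' => {
    'id' => 'luke-skywalker', 'username' => 'luke.skywalker',
    'action' => ['create', 'lock']
  }
}.freeze

# Data bag item ids cannot contain periods, so "luke.skywalker" is looked up
# as "luke-skywalker"; the item's own "username" field restores the real name.
def item_id_for(username)
  username.tr('.', '-')
end

# Returns [resource name, actions, attributes] for one username, or nil when
# no data bag item exists (nothing is declared for an unknown user).
def resolve_user(username, bag = USERS_DATA_BAG)
  item = bag[item_id_for(username)]
  return nil if item.nil?

  # "action" may be a single string or an array; default action is create.
  actions = Array(item.fetch('action', 'create')).map(&:to_sym)
  # Everything except the bookkeeping fields becomes a resource attribute
  # (groups is simply carried through here; assumption, not recipe behaviour).
  attrs = item.reject { |k, _| %w[id username action].include?(k) }
  [item.fetch('username', item['id']), actions, attrs]
end

# Resolve a whole user list, skipping names with no data bag item.
def resolve_users(usernames, bag = USERS_DATA_BAG)
  usernames.map { |u| resolve_user(u, bag) }.compact
end

if __FILE__ == $PROGRAM_NAME
  resolve_users(['hsolo', 'lando', 'luke.skywalker', 'nobody']).each do |name, actions, attrs|
    puts "user_account #{name.inspect} action #{actions.inspect} #{attrs.inspect}"
  end
end
```

Running it prints one line per resolved user; `nobody` has no item and is silently skipped, which is the behaviour to watch for when a name in `node['users']` is misspelled.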
Tested on Chef 0.10.8, but newer and older versions should work just fine. File an issue if this isn't the case.
The following platforms have been tested with this cookbook, meaning that the recipes run on these platforms without error:
- ubuntu
- debian
- mac_os_x
There are no external cookbook dependencies.
Depending on the situation and use case there are several ways to install this cookbook. All the methods listed below assume a tagged version release is the target, but omit the tags to get the head of development. A valid Chef repository structure like the Opscode repo is also assumed.
To install this cookbook from the Community Site, use the knife command:
```sh
knife cookbook site install user
```

Berkshelf is a cookbook dependency manager and development workflow assistant. To install Berkshelf:

```sh
cd chef-repo
gem install berkshelf
berks init
```

To use the Community Site version:

```sh
echo "cookbook 'user'" >> Berksfile
berks install
```

Or to reference the Git version:

```sh
repo="fnichol/chef-user"
latest_release=$(curl -s https://api.github.com/repos/$repo/git/refs/tags \
  | ruby -rjson -e '
    j = JSON.parse(STDIN.read);
    puts j.map { |t| t["ref"].split("/").last }.sort.last
  ')
cat >> Berksfile <<END_OF_BERKSFILE
cookbook 'user', :git => 'git://github.com/$repo.git', :branch => '$latest_release'
END_OF_BERKSFILE
berks install
```

Librarian-Chef is a bundler for your Chef cookbooks. To install Librarian-Chef:

```sh
cd chef-repo
gem install librarian
librarian-chef init
```

To use the Opscode platform version:

```sh
echo "cookbook 'user'" >> Cheffile
librarian-chef install
```

Or to reference the Git version:
```sh
repo="fnichol/chef-user"
latest_release=$(curl -s https://api.github.com/repos/$repo/git/refs/tags \
  | ruby -rjson -e '
    j = JSON.parse(STDIN.read);
    puts j.map { |t| t["ref"].split("/").last }.sort.last
  ')
cat >> Cheffile <<END_OF_CHEFFILE
cookbook 'user', :git => 'git://github.com/$repo.git', :ref => '$latest_release'
END_OF_CHEFFILE
librarian-chef install
```

Note that the `git://` transport is neither authenticated nor encrypted; the same repository is also reachable over `https://`, and pinning to a release tag (as above) rather than a branch keeps the installed revision fixed.

The `default` recipe (`recipe[user]`) is a no-op and does nothing beyond making the `user_account` resource available.
The `data_bag` recipe processes a list of users with data drawn from a data bag. The default data bag is `users`, and the list of user accounts to create on this node is set on `node['users']`.
`node['user']['home_root']`: The default parent path of a user's home directory. Each resource can override this value, which varies by platform. Generally speaking, the default value is `"/home"`.

`node['user']['default_shell']`: The default user shell given to a user. Each resource can override this value, which varies by platform. Generally speaking, the default value is `"/bin/bash"`.

`node['user']['home_dir_mode']`: The default Unix permissions applied to a user's home directory. The default is `"2755"`.

`node['user']['manage_home']`: Whether or not to manage the home directory of a user by default. Each resource can override this value. There are 2 valid states:

- `"true"`, `true`, or `"yes"`: will manage the user's home directory.
- `"false"`, `false`, or `"no"`: will not manage the user's home directory.

The default is `true`.

`node['user']['non_unique']`: Whether or not to allow the creation of a user account with a duplicate UID. Each resource can override this value. There are 2 valid states:

- `"true"`, `true`, or `"yes"`: will allow duplicate UIDs.
- `"false"`, `false`, or `"no"`: will not allow duplicate UIDs.

The default is `false`.

`node['user']['create_group']`: Whether or not to create a group with the same name as the user by default. Each resource can override this value. There are 2 valid states:

- `"true"`, `true`, or `"yes"`: will create a group for the user by default.
- `"false"`, `false`, or `"no"`: will not create a group for the user by default.

The default is `true`.

`node['user']['ssh_keygen']`: Whether or not to generate an SSH keypair for the user by default. Each resource can override this value. There are 2 valid states:

- `"true"`, `true`, or `"yes"`: will generate an SSH keypair when the account is created.
- `"false"`, `false`, or `"no"`: will not generate an SSH keypair when the account is created.

The default is `true`.

`node['user']['data_bag_name']`: The name of the data bag containing a group of user account information. The `data_bag` recipe uses it as its database of user accounts. The default is `"users"`.

`node['user']['user_array_node_attr']`: The node attribute containing an array of users to be managed. If a nested hash in the node's attributes is required, then use a `/` between subhashes. For example, if the users' array is stored in `node['system']['accounts']`, then set `node['user']['user_array_node_attr']` to `"system/accounts"`. The default is `"users"`.
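As an added example (not the cookbook's own code), the following Ruby shows how the two attribute conventions described above can be applied to a plain node hash: resolving a `/`-separated `user_array_node_attr` path such as `"system/accounts"` down to the user array, and coercing the `"true"`/`true`/`"yes"` and `"false"`/`false`/`"no"` spellings into real booleans while rejecting any other value instead of silently treating it as false. `SAMPLE_NODE` is constructed, and `attr_bool`, `user_array` and `managed_users` are assumed helper names.

```ruby
# Added example (not the cookbook's code): attribute handling for the
# tri-state boolean attributes and the "/"-separated user array path.

TRUE_VALUES  = ['true', true, 'yes'].freeze
FALSE_VALUES = ['false', false, 'no'].freeze

# Coerce one of the documented spellings into a real boolean. Anything else
# (for example "maybe" or 1) raises, so a typo in an attribute file is caught
# at convergence time rather than quietly disabling home or group management.
def attr_bool(value)
  return true  if TRUE_VALUES.include?(value)
  return false if FALSE_VALUES.include?(value)
  raise ArgumentError, "not a valid boolean attribute value: #{value.inspect}"
end

# Walk a "/"-separated path through nested hashes and return the user array
# found there; a missing or non-array value yields an empty list.
def user_array(node, path)
  list = path.split('/').reduce(node) { |h, k| h.is_a?(Hash) ? h[k] : nil }
  Array(list)
end

# Constructed node attributes: a plain Hash standing in for Chef's node object.
SAMPLE_NODE = {
  'users'  => ['hsolo'],
  'system' => { 'accounts' => ['hsolo', 'lando', 'luke.skywalker'] },
  'user'   => {
    'user_array_node_attr' => 'system/accounts',
    'manage_home'          => 'yes',
    'ssh_keygen'           => 'false'
  }
}.freeze

# The list the data_bag recipe would iterate, honouring user_array_node_attr.
def managed_users(node = SAMPLE_NODE)
  user_array(node, node['user']['user_array_node_attr'])
end

if __FILE__ == $PROGRAM_NAME
  puts "users to manage: #{managed_users.inspect}"
  puts "manage_home?     #{attr_bool(SAMPLE_NODE['user']['manage_home'])}"
  puts "ssh_keygen?      #{attr_bool(SAMPLE_NODE['user']['ssh_keygen'])}"
end
```

With `user_array_node_attr` set to `"system/accounts"`, `node['users']` is ignored and the three names under `node['system']['accounts']` are managed instead.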
Note: in order to use the password attribute, you must have the ruby-shadow gem installed. On Debian/Ubuntu you can get this by installing the "libshadow-ruby1.8" package.
| Action | Description | Default |
|---|---|---|
| create | Create the user, its home directory, .ssh/authorized_keys, and .ssh/{id_dsa,id_dsa.pub}. | Yes |
| remove | Remove the user account. | |
| modify | Modify the user account. | |
| manage | Manage the user account. | |
| lock | Lock the user's password. | |
| unlock | Unlock the user's password. | |
| Attribute | Description | Default Value |
|---|---|---|
| username | Name attribute: The name of the user. | nil |
| comment | Gecos/Comment field. | nil |
| uid | The numeric user id. | nil |
| gid | The primary group id. | nil |
| home | Home directory location. | "#{node['user']['home_root']}/#{username}" |
| shell | The login shell. | node['user']['default_shell'] |
| password | Shadow hash of password. | nil |
| system_user | Whether or not to create a system user. | false |
| manage_home | Whether or not to manage the home directory. | true |
| non_unique | Whether or not to allow the creation of a user account with a duplicate UID. | false |
| create_group | Whether or not to to create a group with the same name as the user. | node['user']['create_group'] |
| ssh_keys | A String or Array of SSH public keys to populate the user's .ssh/authorized_keys file. | [] |
| ssh_keygen | Whether or not to generate an SSH keypair for the user. | node['user']['ssh_keygen'] |
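Added example, not code from the cookbook: normalising the `ssh_keys` attribute, which the table above allows to be either a String or an Array, into the content of `.ssh/authorized_keys`, separating well-formed public key lines from malformed ones so that a broken entry is reported instead of being written into the file. The shape regex, the sample keys (placeholder blobs, not real keys), the expected file modes and the helper names are assumptions for illustration.

```ruby
# Added example (not the cookbook's code): render ssh_keys into
# authorized_keys content and validate each line's shape first.

# Constructed sample input; the base64 parts are placeholders, not real keys.
SAMPLE_KEYS = [
  'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER0000000000000000000000000 hsolo@falcon',
  'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCPLACEHOLDER hsolo@hoth',
  'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER0000000000000000000000000 hsolo@falcon', # duplicate
  'not a key at all'
].freeze

# Conservative shape check for one authorized_keys line: key type, base64
# blob, optional comment. Option prefixes (command=, from=, ...) are
# deliberately not accepted by this check.
KEY_LINE = %r{\A(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521))\s+[A-Za-z0-9+/]+=*(\s+\S.*)?\z}

# Accept a String (possibly multi-line) or an Array, split into lines, drop
# blanks and exact duplicates, then partition into [valid, malformed].
def normalize_keys(ssh_keys)
  lines = Array(ssh_keys).flat_map { |k| k.to_s.split("\n") }
                         .map(&:strip).reject(&:empty?).uniq
  lines.partition { |l| l =~ KEY_LINE }
end

# File content for .ssh/authorized_keys: valid keys only, one per line,
# with a trailing newline.
def authorized_keys_content(ssh_keys)
  valid, _malformed = normalize_keys(ssh_keys)
  valid.map { |l| l + "\n" }.join
end

# Modes to verify after convergence: home 2755 (the cookbook's default
# home_dir_mode), .ssh 0700 and authorized_keys 0600, none of which are
# group- or world-writable, so sshd's StrictModes will honour the file.
EXPECTED_MODES = { 'home' => 0o2755, '.ssh' => 0o700, 'authorized_keys' => 0o600 }.freeze

if __FILE__ == $PROGRAM_NAME
  valid, malformed = normalize_keys(SAMPLE_KEYS)
  puts "#{valid.size} valid key(s); rejected: #{malformed.inspect}"
  print authorized_keys_content(SAMPLE_KEYS)
end
```

On the sample input the duplicate line is collapsed and `not a key at all` is reported as malformed, leaving two lines in the rendered file.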
```ruby
user_account 'hsolo' do
  comment  'Han Solo'
  ssh_keys ['3dc348d9af8027df7b9c...', '2154d3734d609eb5c452...']
  home     '/opt/hoth/hsolo'
end

user_account 'lando' do
  action [:create, :lock]
end

user_account 'obiwan' do
  action :remove
end
```

- Source hosted at GitHub
- Report issues/Questions/Feature requests on GitHub Issues
Pull requests are very welcome! Make sure your patches are well tested. Ideally create a topic branch for every separate change you make.
Author:: Fletcher Nichol (fnichol@nichol.ca)
Copyright 2011, Fletcher Nichol
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
