This post has gone through a few iterations. You can see the full history on the github repo.
One of the great things about a configuration management solution like Salt is the ability to centrally manage local users. Sure LDAP and Kerberos are great, but sometimes it’s better to keep things simple, that’s what I’m doing with Salt. Leveraging Pillars I can define certain users to be added to servers of a given role. Here’s how I do it.
Start by defining your users, separating and targeting by role.:
And define your users:
It should be fairly self-explanatory how this works. Tywin is added to every server. Tyrion is only added to webservers and Cersei is only added to database servers. Robb has been fired and his access to all servers has been revoked.
Now the logic for adding these users.
The first section removes any revoked users, and removed revoked users ssh keys from the root account, as well as their own.
The second section adds any users in the users pillar to the system. It also adds their keys to the root account. This isn’t ideal, but I’ve not found any other way to allow users to edit files over scp. Running
vim scp://root@server//etc/file is very useful, and simply doesn’t work with sudo.
Lastly, hashing passwords and putting that value into the pillar to define it wouldn’t be difficult. But it does make it difficult for users to change their passwords. And with encrypted ssh keys, it seems unnecessary to me. So I push out a final config to allow users to sudo without a password, since no password is defined in the first place.
The file that’s being managed to allow sudo without password is below:
# /srv/salt/users/files/sudoers.d/sudonopasswd %sudo ALL = (ALL) NOPASSWD: ALL