SaltStack user management
In centralized management, user management is an important piece.
Below is my own summary of how Salt handles user management.
1. Adding a single user:
Generate the password hash:
openssl passwd -1 -salt 'linwangyi'
useradd.sls file:
[root@salt51 salt]# cat user/useradd.sls
linwangyi:
  user.present:
    - fullname: linwangyi D
    - shell: /bin/bash
    - password: '$1$linwangy$PMII.NL0igptfGBV0PtxI1'
    - home: /home/linwangyi
    - uid: 501
    - gid: 501
    - groups:
      - linwangyi
    - require:
      - group: linwangyi
  group.present:
    - gid: 501
top.sls file:
[root@salt51 salt]# cat top.sls
base:
  '*':
    - soft_install.nginx
    - soft_install.mysql
    - soft_install.php
    - soft_install.tomcat
    - user.useradd
    - user.users
    - user.userpasswd
    - user.userdel
    - user.addsudo
    - user.addgroup
    - user.delgroup
Result:
Since there are several .sls files, to run just one of them use:
salt '*' state.sls xxx
[root@salt51 salt]# salt '192.168.2.99' state.sls user.useradd
192.168.2.99:
----------
          ID: linwangyi
    Function: group.present
      Result: True
     Comment: Added group linwangyi
     Changes:
----------
(omitted)
              uid:
                  501
              workphone:

Summary
------------
Succeeded: 2
Failed:    0
------------
Total:     2
Other parameters:
For the remaining parameters, see the official documentation: http://www.saltstack.cn/projects/cssug-kb/wiki/Managing_user_with_salt
user.present: ensures that the named account exists with the given attributes. The attributes are:
name: the account name to manage.
uid: the uid; if not set, the next available uid is assigned automatically.
gid: the default group id.
gid_from_name: if set to True, the default group id is set to the gid of the group with the same name as the user.
groups: a list of groups to assign to the user. If a group does not exist on the minion, the state fails. If set to an empty list, the user is removed from every group except the default group.
optional_groups: a list of groups to assign to the user. If a group does not exist on the minion, the state ignores it.
home: the user's home directory.
password: the user's password, already hashed.
enforce_password: when set to False, if the given password differs from the user's current password, the current password is kept unchanged. This option is ignored if password is not set.
shell: the user's login shell. Defaults to the system default shell.
unique: require the UID to be unique; defaults to True.
system: choose a random UID between FIRST_SYSTEM_UID and LAST_SYSTEM_UID.
2. Adding users in batch:
If the users do not need to go into the same group, the group-related entries can be dropped; if the group does not exist yet, add it first:
users.sls file:
[root@salt51 salt]# cat user/users.sls
{% set users = ['jerry','tom','sunday'] %}
{% for user in users %}
{{ user }}:
  user.present:
    - shell: /bin/bash
    - home: /home/{{ user }}
    - password: '$1$linwangy$PMII.NL0igptfGBV0PtxI1'
    - gid: 501
    - groups:
      - linwangyi
    - require:
      - group: linwangyi
{% endfor %}
Result:
[root@salt51 salt]# salt '192.168.2.99' state.sls user.users
192.168.2.99:
----------
          ID: jerry
    Function: user.present
      Result: True
     Comment: New user jerry created
     Changes:
              ----------
              fullname:
(omitted)
Summary
------------
Succeeded: 3
Failed:    0
------------
Total:     3
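As an added example that is not part of the original post, the Python below runs the checks I would want before `state.sls` applies user states like the ones in useradd.sls and users.sls. It takes the users and groups as plain dicts (constructed here to mirror those two files) and flags MD5-crypt password hashes (`openssl passwd -1` produces `$1$` hashes; `openssl passwd -6` produces SHA-512 crypt, which current distributions use), duplicate UIDs, a `gid` that matches no managed group, and a `groups`/`require: group` entry with no matching `group.present` state, which is exactly the case where user.present fails on the minion. The function names and the sample data are my own; nothing here is Salt's API.

```python
# Crypt(3) hash prefixes that user.present's password argument may carry
CRYPT_PREFIXES = {
    "$1$": "md5-crypt (weak)",
    "$5$": "sha256-crypt",
    "$6$": "sha512-crypt",
    "$y$": "yescrypt",
}

# Constructed to mirror the group.present / user.present states in
# useradd.sls and users.sls above; nothing here is read from a minion.
SAMPLE_GROUPS = {"linwangyi": 501}
MD5_HASH = "$1$linwangy$PMII.NL0igptfGBV0PtxI1"
SAMPLE_USERS = [
    {"name": "linwangyi", "uid": 501, "gid": 501, "password": MD5_HASH,
     "groups": ["linwangyi"]},
] + [
    {"name": u, "gid": 501, "password": MD5_HASH, "groups": ["linwangyi"]}
    for u in ["jerry", "tom", "sunday"]
]


def hash_algorithm(password_hash):
    """Name the crypt(3) scheme of a password hash, or None if it is not one."""
    for prefix, name in CRYPT_PREFIXES.items():
        if password_hash.startswith(prefix):
            return name
    return None


def lint_user_states(users, groups):
    """Return findings for a set of user.present states (empty list = clean).

    users:  list of dicts with the keys used in the SLS files
            (name, uid, gid, password, groups)
    groups: dict of group name -> gid taken from the group.present states
    """
    findings = []
    seen_uids = {}
    for user in users:
        name = user["name"]
        algo = hash_algorithm(user.get("password", ""))
        if algo is None:
            findings.append(f"{name}: password is not a crypt(3) hash")
        elif "weak" in algo:
            findings.append(
                f"{name}: password uses {algo}; regenerate it with openssl passwd -6")
        uid = user.get("uid")
        if uid is not None:
            if uid in seen_uids:
                findings.append(f"{name}: uid {uid} already used by {seen_uids[uid]}")
            seen_uids[uid] = name
        gid = user.get("gid")
        if gid is not None and gid not in groups.values():
            findings.append(f"{name}: gid {gid} matches no managed group")
        for group in user.get("groups", []):
            if group not in groups:
                findings.append(f"{name}: group '{group}' has no group.present state, "
                                "user.present would fail on the minion")
    return findings


if __name__ == "__main__":
    for finding in lint_user_states(SAMPLE_USERS, SAMPLE_GROUPS):
        print(finding)
```

Run against the sample data it reports one finding per user, all for the `$1$` hash; the group and UID checks only fire when the definitions disagree with each other.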
3. Modifying users in batch:
Generate the password hash:
[root@salt51 salt]# openssl passwd -1
Password:
Verifying - Password:
$1$h7niwjpG$2nAnRib36QUr2wnfYXC4u0
userpasswd.sls file:
[root@salt51 salt]# cat user/userpasswd.sls
{% set users = ['jerry','tom','sunday'] %}
{% for user in users %}
{{ user }}:
  user.present:
    - shell: /bin/bash
    - password: '$1$h7niwjpG$2nAnRib36QUr2wnfYXC4u0'
{% endfor %}
Result:
[root@salt51 salt]# salt '192.168.2.99' state.sls user.userpasswd
192.168.2.99:
----------
          ID: jerry
    Function: user.present
      Result: True
     Comment: Updated user jerry
     Changes:
              ----------
              passwd:
                  $1$h7niwjpG$2nAnRib36QUr2wnfYXC4u0
----------
(omitted)
------------
Succeeded: 3
Failed:    0
------------
Total:     3
(Note: other user parameters can be changed the same way.)
4. Deleting users in batch:
userdel.sls file:
[root@salt51 salt]# cat user/userdel.sls
{% set users = ['jerry','tom','sunday'] %}
{% for user in users %}
{{ user }}:
  user.absent:
    - purge: True   # also remove the user's files (home directory)
    - force: True   # if the user is currently logged in, the absent state fails; with force set to True the user is removed even while logged in
{% endfor %}
Result:
Check who is logged in (one of the users about to be deleted has a session):
[root@salt51 salt]# salt '192.168.2.99' status.w
192.168.2.99:
(omitted)
    ----------
    - idle:
        18:57
    - jcpu:
        2:20
    - login:
        192.168.2.29
    - pcpu:
        0.03s
    - tty:
        pts/0
    - user:
        sunday
    - what:
        0.03s -bash
[root@salt51 salt]# salt '192.168.2.99' state.sls user.userdel
192.168.2.99:
----------
(omitted)
----------
          ID: sunday
    Function: user.absent
      Result: True
     Comment: Removed user sunday
     Changes:
              ----------
              sunday:
                  removed
Summary
------------
Succeeded: 3
Failed:    0
------------
Total:     3
[root@salt51 salt]# salt '192.168.2.99' status.w
192.168.2.99:
    ----------
    - idle:
        15:51
    - jcpu:
        1:13
    - login:
        -
    - pcpu:
        0.11s
    - tty:
        tty1
    - user:
        root
    - what:
        0.11s -bash
When I checked, the sunday user had already been logged out; note, though, that a user who is still logged in stays in the system and can still operate on it.
5. Adding a sudo user:
addsudo.sls file:
[root@salt51 salt]# cat user/addsudo.sls
/etc/sudoers:
  file.append:
    - text:
      - "OPER_SUPER ALL = KILL,SU,ROOT"
      - "User_Alias OPER_SUPER=linwangyi"
      - "Cmnd_Alias ROOT=/bin/su"
      - "OPER_SUPER ALL =NOPASSWD:ROOT"
Result:
[root@salt51 salt]# salt '192.168.2.99' state.sls user.addsudo
192.168.2.99:
----------
ID: /etc/sudoers
Function: file.append
Result: True
Comment: Appended 4 lines
Changes:
----------
diff:
---
+++
@@ -116,3 +116,7 @@
## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d
+OPER_SUPER ALL = KILL,SU,ROOT
+User_Alias OPER_SUPER=linwangyi
+Cmnd_Alias ROOT=/bin/su
+OPER_SUPER ALL =NOPASSWD:ROOT
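Review bot: the first appended line, `OPER_SUPER ALL = KILL,SU,ROOT`, references the command aliases KILL and SU, but only ROOT is defined among the four appended lines; unless KILL and SU already exist earlier in /etc/sudoers, visudo will reject the file, and because file.append performs no syntax validation a broken sudoers locks everyone out of sudo on the minion. The last line, `OPER_SUPER ALL =NOPASSWD:ROOT`, combined with `Cmnd_Alias ROOT=/bin/su`, lets linwangyi obtain a root shell without entering a password, which the state should say explicitly in a comment. Consider validating with `visudo -cf` before the file replaces the live sudoers, for instance by managing a file under /etc/sudoers.d with file.managed and a check_cmd instead of appending to /etc/sudoers directly.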
Summary
------------
Succeeded: 1
Failed: 0
------------
Total: 1
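The static check I would run before appending rules to /etc/sudoers, as an added example that is not part of the original post (the function names are mine; the four sample lines are copied from addsudo.sls above): it parses alias definitions and user specifications, reports any alias a rule references that is not defined in the managed lines, and reports NOPASSWD grants that resolve to /bin/su or ALL. On these four lines it reports KILL and SU as undefined (they may exist elsewhere in the real file, which this check cannot see) and the passwordless /bin/su grant. It is a pre-check only; `visudo -cf` on the minion remains the authoritative syntax check.

```python
import re

# Alias definition:  Kind_Alias NAME = member, member
ALIAS_RE = re.compile(
    r"^(User_Alias|Cmnd_Alias|Host_Alias|Runas_Alias)\s+(\w+)\s*=\s*(.+)$")
# User specification: who host = [TAG:] command, command
SPEC_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(.+)$")
RUNAS_RE = re.compile(r"^\([^)]*\)\s*")   # leading "(user:group)" runas part

# The lines appended by addsudo.sls (copied from the state above)
SUDOERS_LINES = [
    "OPER_SUPER ALL = KILL,SU,ROOT",
    "User_Alias OPER_SUPER=linwangyi",
    "Cmnd_Alias ROOT=/bin/su",
    "OPER_SUPER ALL =NOPASSWD:ROOT",
]


def parse_sudoers(lines):
    """Split sudoers lines into alias definitions and user specifications.

    Returns (aliases, specs): aliases maps alias name -> list of members,
    specs is a list of (user_or_alias, host, [command tokens]).
    Comments, blank lines, Defaults and #includedir lines are skipped.
    """
    aliases, specs = {}, []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = ALIAS_RE.match(line)
        if m:
            aliases[m.group(2)] = [x.strip() for x in m.group(3).split(",")]
            continue
        m = SPEC_RE.match(line)
        if m:
            specs.append((m.group(1), m.group(2),
                          [c.strip() for c in m.group(3).split(",")]))
    return aliases, specs


def lint_sudoers(lines):
    """Return a list of findings for the given sudoers lines (empty = clean)."""
    aliases, specs = parse_sudoers(lines)
    findings = []
    for who, _host, cmds in specs:
        if who.isupper() and who != "ALL" and who not in aliases:
            findings.append(f"User_Alias {who} is not defined in these lines")
        nopasswd = False  # a NOPASSWD: tag applies to the commands that follow it
        for cmd in cmds:
            cmd = RUNAS_RE.sub("", cmd)
            tags, _, target = cmd.rpartition(":")
            tag_list = [t.strip() for t in tags.split(":")]
            if "NOPASSWD" in tag_list:
                nopasswd = True
            elif "PASSWD" in tag_list:
                nopasswd = False
            if target.isupper() and target != "ALL" and target not in aliases:
                findings.append(f"Cmnd_Alias {target} is not defined in these lines")
            expanded = aliases.get(target, [target])
            if nopasswd and any(c == "ALL" or c.endswith("/su") for c in expanded):
                findings.append(
                    f"{who}: NOPASSWD grant resolves to {expanded} "
                    "(root shell without re-authentication)")
    return findings


if __name__ == "__main__":
    for finding in lint_sudoers(SUDOERS_LINES):
        print(finding)
```

The NOPASSWD flag is sticky across the remaining commands of a specification, which matches how sudoers applies tags; a later PASSWD: tag resets it.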
6. Adding groups:
addgroup.sls file:
[root@salt51 salt]# cat user/addgroup.sls
devgroup:
  group.present:
    - gid: 601
yunwei:
  group.present:
    - gid: 602
Result:
[root@salt51 salt]# salt '192.168.2.99' state.sls user.addgroup
192.168.2.99:
----------
          ID: devgroup
    Function: group.present
(omitted)
----------
          ID: yunwei
    Function: group.present
(omitted)
Summary
------------
Succeeded: 2
Failed:    0
------------
Total:     2
[root@salt51 salt]# salt '192.168.2.99' cmd.run 'grep -E "(devgroup|yunwei)" /etc/group'
192.168.2.99:
devgroup:x:601:
yunwei:x:602:
7. Deleting groups:
delgroup.sls file:
[root@salt51 salt]# cat user/delgroup.sls
{% set groups = ['devgroup','yunwei'] %}
{% for group in groups %}
{{ group }}:
  group.absent
{% endfor %}
Result:
[root@salt51 salt]# salt '192.168.2.99' state.sls user.delgroup
192.168.2.99:
----------
          ID: devgroup
    Function: group.absent
      Result: True
     Comment: Removed group devgroup
     Changes:
              ----------
              devgroup:
----------
          ID: yunwei
    Function: group.absent
      Result: True
     Comment: Removed group yunwei
     Changes:
              ----------
              yunwei:
Summary
------------
Succeeded: 2
Failed:    0
------------
Total:     2
[root@salt51 salt]# salt '192.168.2.99' cmd.run 'grep -E "(devgroup|yunwei)" /etc/group'
192.168.2.99: