
A basic data bag structure is: /data_bags/[data bag name]/[data bag items]

Let's say I want to create a data bag for all the possible admins of all my nodes in a data bag called users, i.e.

/data_bags/users/admin1.json
/data_bags/users/admin2.json
/data_bags/users/admin3.json

Now for node1 I only want to have admin1 and admin3 and for node2 I want to have admin2 and admin3 as my admins.

How can I separate or structure my configuration in a way that I can specify or split my data bags item for each different node?

One idea I have is if we can do something like this.

/data_bags/node1/users/...
/data_bags/node2/users/...

I am a starter in Chef, so if what I want to do is stupid and should be handled another way, then I appreciate any information pointing me in the right direction.

Starx
  • What is the main goal after this? Or to say it another way: how will you use this user information? This sounds like an XY problem of RBAC management more than a structure one. You can still have an attribute on each node telling which admins you wish for each node and fetch data_bag_item by this list. – Tensibai Jan 10 '17 at 13:05

2 Answers


You either need to group by user or by host. We have the following data bag structure (more docs):

{
    "id": "a-srv123-admin",
    ...
    "nodes": {
            "srv123.example.org": {
                    "sudo": "true"
            }
    }
}

More nodes can be added to the node hash. The corresponding recipe then searches for data bag items matching its own node['fqdn']:

users = search('users', "nodes:#{node['fqdn']}")

Of course, if it is more important to you to have it grouped by node, just do it the other way around and simply pick the data bag item matching the fqdn or similar attribute.

StephenKing
  • So the node needs to be separated inside the item itself? Looks disappointing. Thanks for your answer. – Starx Jan 10 '17 at 12:19
  • It's just code and data. You can do it however you like. You can have data bag items per node, per user, or per user per node (i.e. `srv123-johndoe.json`, which contains just some `true` value). OTOH, you can put all that information into a single data bag item. I only illustrated the thing that works for us™ at a somewhat low complexity. – StephenKing Jan 10 '17 at 12:44
  • Hmm, but then I would probably have to use a file reader to search eligible data bag items. Having a solution to [this](http://stackoverflow.com/questions/41568041/how-to-specify-a-data-bag-path-in-knife-rb-configuration-file) would be the best thing, I think, but sadly I haven't found any. – Starx Jan 10 '17 at 12:48
  • I think you're thinking far too complex. Would it be okay for you to have items `users/srv123.example.org` containing the users? Otherwise, I suggest that you edit your question a bit with maybe a desired structure. I'm not getting your point then. – StephenKing Jan 10 '17 at 12:50
  • I don't want to change the question too much, but I updated with one structure I had in mind. – Starx Jan 10 '17 at 12:53
  • Thx. I don't see a reason why you can't do a `knife data bag from file users data_bags/node1/users/johndoe.json` with this. Give it a try, please, I might be wrong. Be warned: It's IMHO against chef conventions, so others might get easily confused. – StephenKing Jan 10 '17 at 13:00
  • It responds with `Response: No data bag 'node1' could be found. Please create this data bag before adding items to it.` – Starx Jan 10 '17 at 13:14
  • This worked for me (after creating the data bag via `knife data bag create test`): `knife data bag from file test data_bags/foo/bar/test.json`. So it should work for your paths, too. – StephenKing Jan 10 '17 at 14:26
  • Thank you for your answer. I will just vote up for now, as I am not sure which solution works for me yet. – Starx Jan 16 '17 at 10:56

The community users cookbook supports this feature. On each server you specify the user group you want managed and the cookbook will search the databag items for matching group memberships.

For an example, take a look at this answer:


Update

The "users" cookbook has an LWRP that defines which group of users should be installed on the server.

users_manage "admins1"

In the data bag you then specify the groups that the user is a member of. So for example "user1" would be included on servers that require the admins1 or admins2 group.

{
  "id": "user1",
  "ssh_keys": [
    "ssh-rsa I AM A DUMMY KEY 1"
  ],
  "groups": [
    "admins1",
    "admins2"
  ],
  "uid": 2001
}

You could of course create a group specific to each server, but that wouldn't scale terribly well. Personally I'd suggest group names based on user roles.

  • admins
  • devops
  • developers
  • deployers
Mark O'Connor
  • I do use that cookbook, I want to control which user is created on which node. – Starx Jan 12 '17 at 09:10
  • @Starx I've updated my answer. The link above has a working example (test kitchen project) – Mark O'Connor Jan 12 '17 at 22:17
  • So, if a server has that group and only then the users will be created? – Starx Jan 13 '17 at 08:08
  • @Starx You run a recipe that creates the group, and then yes, the users associated with that group are created. To fully understand what it's doing I suggest reading the code for the "users_manage" LWRP. You'll discover a Chef search of the "users" data bag: see: https://github.com/chef-cookbooks/users/blob/6a16e047b4a39b5d4c7a73a7e5e1c3313786bb86/providers/manage.rb#L39 – Mark O'Connor Jan 13 '17 at 22:00
  • Thank you for your answer. I will just vote up for now, as I am not sure which solution works for me yet. – Starx Jan 16 '17 at 10:56
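Both answers come down to the same idea: every user is one data bag item, and a node picks the items that name it, either through a "nodes" hash keyed by fqdn (first answer) or through a "groups" array that `users_manage` searches on (second answer). The plain Ruby below is an added illustration of those two selection rules, not code from either answer or from the users cookbook; the item contents and hostnames are constructed, and in a real recipe the filtering would be done server-side by `search('users', ...)` rather than in Ruby.

```ruby
require 'json'

# Constructed sample data bag items, as they would sit in data_bags/users/*.json.
# admin1/admin3 use the per-node "nodes" hash layout from the first answer,
# user1/user2 use the "groups" layout the users cookbook expects (second answer).
ITEMS = JSON.parse(<<~JSON)
  [
    {"id": "admin1", "nodes": {"node1.example.org": {"sudo": "true"}}},
    {"id": "admin3", "nodes": {"node1.example.org": {"sudo": "false"},
                               "node2.example.org": {"sudo": "true"}}},
    {"id": "user1", "groups": ["admins1", "admins2"], "uid": 2001},
    {"id": "user2", "groups": ["admins2"], "uid": 2002}
  ]
JSON

# First answer's rule: an item applies to this node if its "nodes" hash has a
# key equal to the node's fqdn. Returns [[id, sudo?], ...] in item order.
# Caveat: the bag stores sudo as the STRING "true". In Ruby the string "false"
# is truthy, so a bare `if entry['sudo']` would grant sudo to every listed
# admin; compare against the literal string instead.
def admins_for_node(items, fqdn)
  items.select { |i| i.fetch('nodes', {}).key?(fqdn) }
       .map { |i| [i['id'], i['nodes'][fqdn]['sudo'].to_s == 'true'] }
end

# Second answer's rule, what `users_manage "admins1"` does conceptually:
# keep the items whose "groups" array contains the managed group name.
# In a recipe this is the search `search('users', "groups:#{group}")`.
def users_for_group(items, group)
  items.select { |i| Array(i['groups']).include?(group) }.map { |i| i['id'] }
end

if __FILE__ == $PROGRAM_NAME
  %w[node1.example.org node2.example.org].each do |fqdn|
    puts "#{fqdn}: #{admins_for_node(ITEMS, fqdn).inspect}"
  end
  %w[admins1 admins2 deployers].each do |g|
    puts "group #{g}: #{users_for_group(ITEMS, g).inspect}"
  end
end
```

Note that with the per-node layout a user's privilege on node1 (admin3 without sudo) and node2 (admin3 with sudo) can differ inside one item, which is exactly the "grouped by user, not by host" choice the first answer describes.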