This repository has been archived by the owner on Apr 23, 2019. It is now read-only.

Allow adding "sudo" users that can authenticate via SSH key #79

Open
michiels opened this issue Aug 7, 2014 · 16 comments

@michiels
Member

michiels commented Aug 7, 2014

We want some way to create regular users that have sudo access on the server. Ideally we can pass in a list of users with one or more corresponding SSH keys.

This way we can "share" the server with people so they can do emergency maintenance if necessary.

@berkes
Collaborator

berkes commented Sep 24, 2014

How about using the "users::sysadmins" from https://supermarket.getchef.com/cookbooks/users ?

This has two downsides:

  • It does add an extra task: users of the chef-repo need to maintain a list of users in a directory "data_bags"
  • It requires an additional gem, the chef-solo-search, because this recipe searches in the databags

It has upsides:

  • It is a known and well-documented way to get sysadmins on a chef-managed server. The de facto standard.
  • It keeps the list of users with access out of the node.js and therefore centralized. (this could be considered a downside if you require to manage different users for all your nodes)

Edit: and another downside: somehow the **** data bags don't work/get uploaded with chef-solo. No idea why.

@berkes
Collaborator

berkes commented Oct 10, 2014

Friendly bump. ✋ Can anyone have a look at PR #125, and tell me if that is completely stupid, or the right direction?

@michiels
Member Author

@berkes Sorry did not respond earlier. I think @jvanbaarsen posted some feedback on your PR. As I see it: almost done and shippable :) Thanks for your work so far!

@berkes
Collaborator

berkes commented Oct 15, 2014

No prob. I did not have any chef-time over the weekend and last few days. Might find some time Thursday or Friday evening.

@jvanbaarsen
Contributor

👍

@berkes
Collaborator

berkes commented Oct 17, 2014

I've just updated the PR:

  • licence is not MIT
  • Adding sysadmins is not through a hash, the username is the key.
  • quoting changed to match Hound-CI's suggestions, also on existing code.

jvanbaarsen added a commit that referenced this issue Oct 31, 2014
@ghost

ghost commented Nov 26, 2014

@michiels, @jvanbaarsen I think this one can be closed, since #125 is merged?

@conradwt

Is it recommended that one add the deploy user to the "sysadmins":

 "sysadmins": {
    "<username>": {
      "password": "<hashed password: openssl passwd -1 'plaintextpassword'>",
      "ssh_keys": [
        "ssh-rsa AAA123...xyz== foo",
        "ssh-rsa AAA456...uvw== bar"
      ]
    }
  }
  "ssh_deploy_keys": [
    "<enter the contents of an id_rsa.pub here>"
  ],

Next, should there be a comma before "ssh_deploy_keys" in the above? Lastly, could someone add some comment(s) for setting the "ssh_keys"?

berkes added a commit to berkes/chef-repo that referenced this issue Nov 27, 2014
@berkes
Collaborator

berkes commented Nov 27, 2014

> Next, should there be a comma before "ssh_deploy_keys" in the above?

Yes, this is a bug. PR here #148

> Lastly, could someone add some comment(s) for setting the "ssh_keys"?

Would a wiki-page be enough? Problem with JSON is that it cannot contain comments. :/
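A check for the node JSON discussed in the comments above, as an added example that is not part of the thread or of the chef-repo code: it reports a file that fails to parse (such as the missing comma), rejects `ssh_keys` entries whose key data is not a well-formed blob, and flags `$1$` hashes, the MD5-crypt format that `openssl passwd -1` emits. The names `audit_node` and `key_problem` and all sample data are constructed for illustration.

```ruby
require "json"

# Constructed placeholder blob in SSH public-key wire layout (not a real key).
FAKE_BLOB = [[11].pack("N") + "ssh-ed25519" + [32].pack("N") + "\0" * 32].pack("m0")

# Constructed node file in the shape quoted in the thread, comma included.
SAMPLE_NODE = <<~NODE
  {
    "sysadmins": {
      "alice": {
        "password": "$1$constructed$notARealHashValue000000",
        "ssh_keys": ["ssh-ed25519 #{FAKE_BLOB} alice@laptop", "ssh-rsa AAA123...xyz== foo"]
      }
    },
    "ssh_deploy_keys": []
  }
NODE

# Returns nil for a well-formed public-key line, otherwise the reason.
def key_problem(line)
  type, blob = line.split(" ", 3)
  return "no key data" if blob.nil?
  raw = blob.unpack1("m0") # strict base64, raises ArgumentError on junk
  len = raw.unpack1("N")   # length prefix of the embedded type name
  return "truncated key blob" if len.nil? || raw.bytesize < 4 + len
  raw[4, len] == type ? nil : "declared type does not match key blob"
rescue ArgumentError
  "key data is not valid base64"
end

# Returns a list of findings for one node JSON document.
def audit_node(text)
  findings = []
  JSON.parse(text).fetch("sysadmins", {}).each do |user, attrs|
    hash = attrs["password"].to_s
    findings << "#{user}: MD5-crypt password hash ($1$)" if hash.start_with?("$1$")
    Array(attrs["ssh_keys"]).each do |key|
      why = key_problem(key)
      findings << "#{user}: ssh key rejected (#{why})" if why
    end
  end
  findings
rescue JSON::ParserError => e
  ["invalid JSON: #{e.message.lines.first.strip}"]
end

puts audit_node(SAMPLE_NODE) if $PROGRAM_NAME == __FILE__
```

Run against a node file before provisioning, an empty result means every sysadmin entry parsed and carried structurally valid keys.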

@jvanbaarsen
Contributor

@berkes Maybe we can add something like this to the README?

@berkes
Collaborator

berkes commented Nov 27, 2014

README is fine with me too. I'll cook up a PR tomorrow (friday).

@jvanbaarsen
Contributor

You're the best! Thanks!

@conradwt

@berkes A Wiki page would be great to describe the ins-and-outs of editing this file.

@berkes
Collaborator

berkes commented Nov 28, 2014

@jvanbaarsen I started off in the README, but found that I needed to put waay too many details and notes in there, so I went for a wiki-page: https://github.com/intercity/chef-repo/wiki/sample_host.json-explained#sysadmins

This is WIP, so I did not create a PR with a change to the README to link there.

The information there should cover the questions in this issue, so it can probably be closed.

@conradwt

@jvanbaarsen It's a great start on the Wiki-Page. Also, I would recommend adding a PostgreSQL section which has the following:

  • updated runlist
  • how to set up database owner password

Next, I would add an example of adding a package like Memcached or something similar so the user is clear in the overall syntax.

For example, if one wants to install memcached and imagemagick packages system wide on an Ubuntu system, then one would do the following:

"packages": [ "memcached", "imagemagick" ],

berkes added a commit to berkes/chef-repo that referenced this issue Dec 24, 2014
@berkes
Collaborator

berkes commented Oct 5, 2015

I think this ticket can be closed now, as the PRs are merged in, the feature is implemented. Any additions or changes could go into new issues, not?
