How to generate customized sudoers files in puppet depending on the environment they're deployed to?

Posted by gozu on Server Fault See other posts from Server Fault or by gozu
Published on 2012-12-04T17:51:30Z Indexed on 2012/12/06 5:07 UTC
Read the original article Hit count: 546

the sysadmins are present in the sudoers files of all environments, but other sudoers are not. Different environments all have slightly different sudoers. Most of the time, 90% of users are the same, and 10% vary so we cannot have only one sudoers file for everything.

Right now, we are using puppet with 10 different files with names like sudoers.production1, sudoers.production2, sudoers.production3, sudoers.testing1, sudoers.staging1 and so forth.

Puppet then picks the file to deploy based on the server's $domain (ex: dbserver.staging1.acme.com) or $hardwaremodel. It works fine but it's a nightmare to maintain so many files.

I'd like to autogenerate sudoers files based on the server's domain and have only one big file with all the sudoers permissions for all users and all environments. Something that looks like:

User_Alias ADMINS = abe, bob, carol, dave

case $domain {
 "staging1.acme.com" {
    #add dev1,dev2,tester1,tester2 to sudoers file 
  }
 "testing2.acme.com" {
    #add tester1, tester3, tester4 to sudoers file
  }    

What's the best way to go about this? Suggestions for alternatives are welcome. I'd appreciate any tips.

Update 1:

For security reasons, we'd rather not concatenate a bunch of files from a folder located on a puppet client in case someone puts a file in there (maliciously or not) and either breaks the combined file or inserts something in it.

Most importantly, for usability, we'd like to keep the number of sudoers related files (fragment or complete) on puppet server to either 3 (prod/stage/test) or preferably 1 file. this file would (somehow) generate sudoers files on the puppet server and send one customized file to each puppet client.

The purpose of this would be only searching for a username in a single file and removing it quicker than doing it on 11 files. When adding a user to a bunch of environments, it won't be as quick, but only one file would need to be opened and looked at, greatly reducing the chances of an omission.

our Sudo version is 1.6.9p8 so we can't use /sudoers.d folder, only a sudoers file.

© Server Fault or respective owner

Related posts about linux

Related posts about puppet