{"id":23261,"date":"2015-10-18T18:21:52","date_gmt":"2015-10-18T12:51:52","guid":{"rendered":"http:\/\/www.tothenew.com\/blog\/?p=23261"},"modified":"2015-10-19T10:54:11","modified_gmt":"2015-10-19T05:24:11","slug":"user-mangement-using-chef-and-aws-opsworks","status":"publish","type":"post","link":"https:\/\/www.tothenew.com\/blog\/user-mangement-using-chef-and-aws-opsworks\/","title":{"rendered":"User Mangement using CHEF and AWS OpsWorks"},"content":{"rendered":"

CHEF<\/strong> is the most popular configuration management tool in the market these days as CHEF turns infrastructure into code and you can do almost anything using it. Recipes are the heart of CHEF. OpsWorks<\/strong> has been gaining a lot of momentum for last few months, the major factor being its support for CHEF. So,\u00a0in this blog we will be discussing how we can can manage users on multiple machines and their permissions as well. You will see how easy it is to do so and manage all the configurations as well. The recipes I have used can be shared can be used independent of OpsWorks<\/strong> with minimal changes.<\/p>\n

\"download<\/p>\n

USE-CASE<\/h3>\n

I had multiple users on my machines. Whenever there was a new user who joined the firm to give him access on those machines I had to manually go and add the user to that machine. Also, adding the user to a group was necessary so that permissions could be managed at the level of groups. So, I had to think\u00a0of a way out and to manage all this through one click using CHEF and OpsWorks. We will be using a CHEF recipe\u00a0and passing values to those using Opsworks data-bags and deploying the configs using one click deployment in OpsWorks. What OpsWorks does is that it creates a copy of your GitHub repo locally to itself and then executes the recipes when we specify which one to execute. Since, we are using\u00a0data bags in our recipes, we will give input values to them as JSON through OpsWorks.<\/p>\n

GATHERING THE CHEF RECIPES<\/h3>\n

Recipe 1<\/strong>: This is the user creation recipe:<\/h4>\n

[js]<\/p>\n

users = data_bag("user")
\nusers.each do |user|
\n user_data = data_bag_item("user", user)
\n user user_data["id"] do
\n comment user_data["comments"]
\n #uid user_data["uid"]
\n #gid user_data["gid"]
\n home user_data["home"]
\n shell user_data["shell"]
\n password user_data["password"]
\n supports :manage_home => true
\n action :create
\n end<\/p>\n

directory "#{user_data[‘home’]}\/.ssh" do
\n \t mode 0755
\n \t owner user_data["id"]
\n \t action :create
\n end<\/p>\n

file "#{user_data[‘home’]}\/.ssh\/authorized_keys" do
\n \t content user_data["ssh_keys"].join("\\n")
\n \t mode 0600
\n \t owner user_data["id"]
\n \t action :create
\n end
\n\tif user_data["sudo"] == "true"
\n\t\ttemplate "\/etc\/sudoers.d\/#{user_data["id"]}" do
\n \t\tsource "sudoers.erb"
\n \t\tmode "0644"
\n \t\tvariables({
\n \t\t:sudoers_users => user_data["id"]
\n \t\t})
\n\t\tend
\n\tend
\nend<\/p>\n

[\/js]<\/p>\n

The above script will create users based on the JSON values we pass in OpsWorks. It will create a .ssh folder inside the home directory of the user as well and append the ssh-keys inside the authorized_keys file.<\/p>\n

Recipe 2<\/strong>: This will be used to create groups. We will need to pass values to it using OpsWorks:<\/h4>\n

[js]
\ngroups = data_bag("group")
\ngroups.each do |group|
\n group_data = data_bag_item(‘group’, group)
\n group group_data[‘id’] do
\n gid group_data["gid"]
\n members group_data["members"]
\n end
\nend
\n[\/js]<\/p>\n

Recipe 3<\/strong>: Next we would need a script which will help us modify our sudoers file inside sudoers.d:<\/h4>\n

I have just entered some random permissions for the groups:<\/p>\n

[js]
\nline = "%sap ALL= NOPASSWD: \/usr\/sbin\/apache2*
\n%sap ALL= NOPASSWD: \/usr\/local\/bin\/apache2*
\n#%sap ALL= NOPASSWD: \/usr\/local\/bin\/restart-sauce-connect
\n%sap ALL= NOPASSWD: \/usr\/local\/bin\/restart-sauce-connect
\njenkins ALL= NOPASSWD: \/usr\/sbin\/apache2*
\njenkins ALL= NOPASSWD: \/usr\/local\/bin\/restart-sauce-connect
\n"
\nfile = Chef::Util::FileEdit.new(‘\/etc\/sudoers.d\/anyname’)
\nfile.insert_line_if_no_match(\/#{line}\/, line)
\nfile.write_file
\n[\/js]<\/p>\n

Now, just push the recipe to a git repository inside the cookbook user (or any other name of your choice).The structure should be like this:
\nrepo->master-branch->cookbook->recipes->recipe1.rb, recipe2.rb, recipe3.rb<\/p>\n

EXECUTING RECIPES<\/h3>\n

1. Creating a user on servers according to Recipe 1 and giving input to the recipe using OpsWorks.<\/h4>\n

Go to the AWS OpsWorks console. I am assuming that you already have created a stack and added instances to the stack. Remember it supports not all the OS versions so you might want to check the compatibility. From the Dashboard select the stack:
\n\"Edit<\/p>\n

Next, is adding the GitHub repo to your stack settings in order for you to use the recipe we created:
\n\"Stack<\/p>\n

Click on edit inside Stack Settings<\/strong>:
\n\"Stack<\/p>\n

Now, just enter the GitHub repo. details:
\n\"Edit<\/p>\n

Now, go to Deployments<\/strong>:
\n.\"Stack<\/p>\n

You will be taken to the following page:
\n\"Deployments<\/p>\n

Just go ahead and click on Run Command and it should take you to the below page:
\n\"Repeat<\/p>\n

Select Execute Recipes from the drop-down and enter the cookbook name and recipe name as shown in the image.We are using cookbook named “final” and recipe named “createuserwithsudo”. \u00a0When entering them in the Recipes to execute box use “::<\/strong>” (two colons) to separate them.
\nAlso, \u00a0now, click on Advanced which should open a box to input a JSON:
\n\"Repeat<\/p>\n

Sample JSON input:<\/p>\n

[js]
\n{
\n "opsworks": {
\n "data_bags": {
\n "user": {
\n "user1" : {
\n "id" : "user1",
\n "comments" : "some comment",
\n "home" : "\/home\/user1",
\n "shell" : "\/bin\/bash",
\n "sudo" : "false",
\n "password" : "$1$d01YpgzW$Yt64wYX\/uWstYf2lGiZuR0",
\n "ssh_keys" : ["ssh-key-1","ssh-key-2"]
\n },
\n "user2" : {
\n "id" : "user2",
\n "comments" : "some comment",
\n "home" : "\/home\/user2",
\n "shell" : "\/bin\/bash",
\n "sudo" : "true",
\n "password" : "$1$d01YpgzW$Yt64wYX\/uWstYf2lGiZuR0",
\n "ssh_keys" : ["ssh-key-1","ssh-key-2"]
\n },
\n "user3" : {
\n "id" : "user3",
\n "comments" : "some comment",
\n "home" : "\/home\/user3",
\n "shell" : "\/bin\/bash",
\n "sudo" : "true",
\n "password" : "$1$d01YpgzW$Yt64wYX\/uWstYf2lGiZuR0",
\n "ssh_keys" : ["ssh-key-1","ssh-key-2"]
\n }
\n }
\n }
\n }
\n}
\n[\/js]<\/p>\n

You need to replace the user1, 2 and 3 with user-name you want on the server. Also, replace the ssh-keys with the ones associated with the user. The password for the user needs to be generated via open-ssl. CHEF recipe won’t take password in normal text format. Also,
\nsudo<\/strong>==true<\/strong> means user will have root privileges. Next, click on Execute Recipes<\/b>\u00a0after choosing the instances of the stack on which you want the recipe to be executed:
\n\"Repeat<\/p>\n

So, you are done!\u00a0After the recipe is executed, it will show you the results then and there. Also, if you wish to see logs of a previously executed recipe click on the date & time and it should take you to the particular command’s page where you can see logs as well:
\n\"Deployments<\/p>\n

If you make any changes to your recipes in your GitHub, after pushing the changes you need to go to “Run Command”<\/strong> and select Update Cookbooks<\/strong>:
\n\"RunThe user will be created on the specified servers.<\/strong><\/p>\n

2. Now, if you wish to add the newly created user to a group<\/h4>\n

Simply execute the Recipe 2<\/strong>. It will create a group if it does not exist already and then add the users to the group. Execute the recipe as we did before. Enter the cookbook name and recipe name:
\n\"2015-09-30T08:15:10+00:00<\/p>\n

Sample JSON:<\/p>\n

[js]
\n{
\n "opsworks": {
\n "data_bags": {
\n "group": {
\n "admin": {
\n "gid": "3308",
\n "members": ["user1","user2","user3","user4","user5"]
\n }<\/p>\n

}<\/p>\n

}<\/p>\n

}
\n}
\n[\/js]<\/p>\n

3. Handling the file inside sudoers.d to give different permissions.<\/h4>\n

Use\u00a0Recipe 3<\/strong> for this. Just go ahead and run the recipe. I have written some basics commands which can be allowed for a group. You can use this however you like. Remember to update cookbooks in OpsWorks console so that the changes in GitHub repo are reflected here. Just simply execute the recipe as we have done earlier, choose the server and it will append to the file inside sudoers.d<\/p>\n

For example: \/etc\/sudoers.d\/serveralpha<\/p>\n

You need to make changes to the recipe according to your use case and names of files.\u00a0In case you make changes to the recipe make sure you run the Update Cookbooks<\/strong> command as I have shown in step 1.<\/p>\n

This is the basic way of handling users on your servers using CHEF. In my next blog, I shall talk about more use-cases of CHEF.<\/p>\n","protected":false},"excerpt":{"rendered":"

CHEF is the most popular configuration management tool in the market these days as CHEF turns infrastructure into code and you can do almost anything using it. Recipes are the heart of CHEF. OpsWorks has been gaining a lot of momentum for last few months, the major factor being its support for CHEF. So,\u00a0in this […]<\/p>\n","protected":false},"author":174,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"iawp_total_views":18},"categories":[1174,2348,1],"tags":[248,1935,1910,2606,2597,2599,2601,49,260,2598,1343,2607,1779,2600,2605,2603,2602,2604,2596,2595,1170],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/23261"}],"collection":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/users\/174"}],"replies":[{"embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/comments?post=23261"}],"version-history":[{"count":0,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/23261\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/media?parent=23261"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/categories?post=23261"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/tags?post=23261"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}