Understanding Salt Stack user and group management

The simplest state creates a user named russell with the minion's default settings (home directory, shell, next free uid):
russell:
  user:
    - present
This state creates a group and a user of the same name, adds the user to that group, and uses require so the group is created before the user is:
russell:
  group:
    - present
  user:
    - present
    - groups:
      - russell
    - require:
      - group: russell
The following state handles user and group creation together with password-hash and SSH-key maintenance. Everything account-specific is parameterized through pillar: pillar data is compiled on the master and delivered only to the minions it is targeted at, whereas state files are served to any minion that asks for them, so password hashes and public keys belong in pillar rather than hard-coded in the SLS:
# This state creates user accounts.
#
# It requires a pillar named 'users' with data formatted like:
#
# users:
#
#  tusername:
#    fullname: Test Username
#    uid: 1007
#    gid: 1007
#    groups:
#      - sudo
#      - ops
#    crypt: $password-hash-sha512-preferred
#    pub_ssh_keys:
#      - ssh-rsa list-of-public-keys tusername-sm
#
#  anotheruser: ... snipped ...
#
# 'crypt' holds an already-hashed crypt(3) password (SHA-512, "$6$...", preferred);
# never put a plaintext password here. Supplementary groups listed under 'groups'
# (sudo, ops, ...) are not created by this state: they must already exist on the
# minion or be managed by another state.

# loop over all users presented by pillar:
# create user's group, create user, then add pub keys
{% for username, details in pillar.get('users', {}).items() %}
{{ username }}:

  group:
    - present
    - name: {{ username }}
    - gid: {{ details.get('gid', '') }}

  user:
    - present
    - fullname: "{{ details.get('fullname', '') }}"
    - name: {{ username }}
    - shell: /bin/bash
    - home: /home/{{ username }}
    - uid: {{ details.get('uid', '') }}
    - gid: {{ details.get('gid', '') }}
    {# user.present takes the pre-hashed password as 'password'; there is no 'crypt' argument #}
    {% if 'crypt' in details %}
    - password: {{ details['crypt'] }}
    {% endif %}
    {% if 'groups' in details %}
    - groups:
      {% for group in details.get('groups', []) %}
      - {{ group }}
      {% endfor %}
    {% endif %}
    {# only require the group this state creates; a require on e.g. 'group: sudo'
       fails unless some state with that ID exists #}
    - require:
      - group: {{ username }}

  {% if 'pub_ssh_keys' in details %}
  ssh_auth:
    - present
    - user: {{ username }}
    - names:
    {% for pub_ssh_key in details.get('pub_ssh_keys', []) %}
      - {{ pub_ssh_key }}
    {% endfor %}
    - require:
      - user: {{ username }}
  {% endif %}

{% endfor %}
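Because the state above trusts whatever the users pillar contains, it is worth checking that pillar against the contract in the header comment before it is rendered on every minion. The following Python script is an added example, not code from the original post or from Salt itself. The sample pillar, the PREEXISTING_GROUPS set and the accepted uid range are constructed assumptions; the checks mirror what user.present and ssh_auth.present will actually accept: a crypt(3)-style hash rather than a plaintext password, numeric uid/gid outside the system range, parseable public keys, and supplementary groups that either pre-exist or are created by the loop itself.

```python
"""Sanity-check a Salt 'users' pillar before handing it to the user state.

Added example, not from the original post or from Salt. The checks mirror
what user.present / ssh_auth.present will actually accept: a crypt(3) style
hash, numeric uid/gid outside the system range, and parseable public keys.
"""
import re

USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
# crypt(3) prefixes worth accepting: SHA-512, SHA-256, yescrypt. Anything else
# (plaintext, $1$ MD5, DES) is rejected.
ACCEPTED_HASH_PREFIXES = ("$6$", "$5$", "$y$")
KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
# Assumption: these groups exist on the minion before the state runs (created
# by the OS image or another state); the state only creates each user's own group.
PREEXISTING_GROUPS = {"sudo", "ops", "adm"}


def check_ssh_key(key):
    """Return None if key looks like an authorized_keys line, else a reason."""
    parts = key.split()
    if len(parts) < 2:
        return "expected '<type> <base64> [comment]'"
    ktype, body = parts[0], parts[1]
    if ktype not in KEY_TYPES:
        return f"unsupported key type {ktype!r}"
    if not B64_RE.match(body):
        return "key body is not base64"
    return None


def check_user(username, details, all_usernames, preexisting_groups=PREEXISTING_GROUPS):
    """Return the list of problems for one pillar entry (empty means OK)."""
    problems = []
    if not USERNAME_RE.match(username):
        problems.append(f"invalid username {username!r}")
    for field in ("uid", "gid"):
        value = details.get(field)
        if isinstance(value, bool) or not isinstance(value, int) or not 1000 <= value < 60000:
            problems.append(f"{field} must be an integer in [1000, 60000), got {value!r}")
    crypt_hash = details.get("crypt")
    keys = details.get("pub_ssh_keys", [])
    if crypt_hash is None and not keys:
        problems.append("neither a password hash nor an ssh key: nobody could log in")
    if crypt_hash is not None and (
            not isinstance(crypt_hash, str)
            or not crypt_hash.startswith(ACCEPTED_HASH_PREFIXES)
            or any(c.isspace() for c in crypt_hash)):
        problems.append("'crypt' is not a $6$/$5$/$y$ crypt(3) hash (plaintext or weak MD5?)")
    for key in keys:
        reason = check_ssh_key(key)
        if reason:
            problems.append(f"ssh key {key[:24]!r}...: {reason}")
    # The state only creates each user's own group, so any other supplementary
    # group must already exist on the minion.
    for group in details.get("groups", []):
        if group not in preexisting_groups and group not in all_usernames:
            problems.append(f"supplementary group {group!r} is neither created by this state nor known to pre-exist")
    return problems


def validate_users(users, preexisting_groups=PREEXISTING_GROUPS):
    """Map each username to its problems; also flags uid reuse across users."""
    report = {name: check_user(name, details, set(users), preexisting_groups)
              for name, details in users.items()}
    uid_owner = {}
    for name, details in users.items():
        uid = details.get("uid")
        if uid is None:
            continue
        if uid in uid_owner:
            report[name].append(f"uid {uid} is already used by {uid_owner[uid]!r}")
        else:
            uid_owner[uid] = name
    return report


# Constructed sample pillar (not real accounts, hashes or keys).
SAMPLE_USERS = {
    "tusername": {
        "fullname": "Test Username", "uid": 1007, "gid": 1007,
        "groups": ["sudo", "ops"],
        "crypt": "$6$rounds=656000$Sa1tSa1tSa1tSa1t$" + "x" * 86,
        "pub_ssh_keys": ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGZha2Uga2V5IGJvZHkgZm9yIHRoZSBleGFtcGxl tusername-sm"],
    },
    "badexample": {
        "fullname": "Bad Example", "uid": 1007, "gid": 500,
        "groups": ["docker"],
        "crypt": "hunter2",  # plaintext instead of a hash
        "pub_ssh_keys": ["ssh-rsa not-base64 comment"],
    },
}

if __name__ == "__main__":
    for name, problems in validate_users(SAMPLE_USERS).items():
        print(f"{name}: {'OK' if not problems else ''}")
        for problem in problems:
            print(f"  - {problem}")
```

Run it on the master against the rendered pillar (salt-run pillar.show_pillar, or the YAML file itself) before the state is applied; the "badexample" entry shows the five mistakes the state would otherwise either reject at run time (an unresolvable require on group docker) or silently accept (a plaintext "hash" written straight into /etc/shadow, a colliding uid).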

4 thoughts on “Understanding Salt Stack user and group management”

  1. What should the name of the file be and what pathname should it have? I know these could be almost anything, but a hint would help the novice.

  2. Just curious about the "- crypt:" argument;
    looking at the docs, I can't find it. The most similar one is "- password"...
    Is that still right for 2015.8.8?
