From 1dae1acf4ea80595e2322a864ce1df3a917019e6 Mon Sep 17 00:00:00 2001
From: Andrew Teixeira
Date: Wed, 19 Aug 2020 17:05:05 -0400
Subject: [PATCH] * Add the ability to manage the user and group for nrpe * Update REFERENCE.md using `puppet strings`
---
 REFERENCE.md | 45 +++++++++++++++++++
 manifests/config.pp | 30 +++++++++++--
 manifests/init.pp | 15 +++++++
 manifests/params.pp | 14 ++++++
 spec/classes/nrpe_spec.rb | 92 +++++++++++++++++++++++++++++++++++++++
 5 files changed, 193 insertions(+), 3 deletions(-)
diff --git a/REFERENCE.md b/REFERENCE.md
index c9fcdbd..0461bcf 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -108,6 +108,11 @@ The following parameters are available in the `nrpe` class:
 * [`ssl_log_client_cert`](#-nrpe--ssl_log_client_cert)
 * [`ssl_log_client_cert_details`](#-nrpe--ssl_log_client_cert_details)
 * [`manage_pid_dir`](#-nrpe--manage_pid_dir)
+* [`manage_group`](#-nrpe--manage_group)
+* [`manage_user`](#-nrpe--manage_user)
+* [`user_comment`](#-nrpe--user_comment)
+* [`user_home_dir`](#-nrpe--user_home_dir)
+* [`user_shell`](#-nrpe--user_shell)
 * [`config`](#-nrpe--config)
 * [`include_dir`](#-nrpe--include_dir)
 * [`provider`](#-nrpe--provider)
@@ -394,6 +399,46 @@ Whether to manage the directory where the PID file should exist.
 Default value: `false`
+##### `manage_group`
+
+Data type: `Boolean`
+
+Whether to manage the group nrpe uses.
+
+Default value: `false`
+
+##### `manage_user`
+
+Data type: `Boolean`
+
+Whether to manage the user nrpe uses.
+
+Default value: `false`
+
+##### `user_comment`
+
+Data type: `Optional[String]`
+
+An optional string to use for the user's GECOS field.
+
+Default value: `undef`
+
+##### `user_home_dir`
+
+Data type: `Stdlib::Absolutepath`
+
+The absolute path to the home directory to use for the user.
+
+Default value: `$nrpe::params::user_home_dir`
+
+##### `user_shell`
+
+Data type: `Stdlib::Absolutepath`
+
+The absolute path to the shell to use for the user.
+
+Default value: `$nrpe::params::user_shell`
+
 ##### `config`
 Data type: `Stdlib::Absolutepath`
diff --git a/manifests/config.pp b/manifests/config.pp
index 8e1d582..caf335c 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -2,10 +2,34 @@
 #
 # @api private
 class nrpe::config {
- unless $nrpe::supplementary_groups.empty {
+ if $nrpe::manage_group {
+ group { $nrpe::nrpe_group:
+ ensure => 'present',
+ system => true,
+ }
+ $group_req = Group[$nrpe::nrpe_group]
+ } else {
+ $group_req = undef
+ }
+
+ if $nrpe::manage_user {
 user { $nrpe::nrpe_user:
- gid => $nrpe::nrpe_group,
- groups => $nrpe::supplementary_groups,
+ ensure => 'present',
+ before => Service[$nrpe::service_name],
+ comment => $nrpe::user_comment,
+ gid => $nrpe::nrpe_group,
+ groups => $nrpe::supplementary_groups,
+ home => $nrpe::user_home_dir,
+ require => $group_req,
+ shell => $nrpe::user_shell,
+ system => true,
+ }
+ } else {
+ unless $nrpe::supplementary_groups.empty {
+ user { $nrpe::nrpe_user:
+ gid => $nrpe::nrpe_group,
+ groups => $nrpe::supplementary_groups,
+ }
 }
 }
diff --git a/manifests/init.pp b/manifests/init.pp
index 03eaaf5..c56a645 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
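Review bot: In the `manage_user` branch of the config.pp hunk, `groups => $nrpe::supplementary_groups` is applied with Puppet's default `membership => minimum`, so any supplementary groups the account already has stay in place even though the module now claims to manage the user. For an account that runs checks requested over the network, I would either document that or offer an opt-in for `membership => 'inclusive'` so the declared group list is authoritative. A short comment above the branch would also help, e.g. `# Managed account: system user with the configured home and shell, created before the service starts.` The explicit `require => $group_req` looks redundant, since the user type should autorequire a managed primary group, but it is harmless. The class body continues outside the hunk.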
@@ -91,6 +91,16 @@
 # Whether to log details of client SSL certificates.
 # @param manage_pid_dir
 # Whether to manage the directory where the PID file should exist.
+# @param manage_group
+# Whether to manage the group nrpe uses.
+# @param manage_user
+# Whether to manage the user nrpe uses.
+# @param user_comment
+# An optional string to use for the user's GECOS field.
+# @param user_home_dir
+# The absolute path to the home directory to use for the user.
+# @param user_shell
+# The absolute path to the shell to use for the user.
 # @param config
 # **Private** You should not need to override this parameter.
 # @param include_dir
@@ -139,6 +149,11 @@
 Array[String[1]] $supplementary_groups = [],
 Boolean $manage_pid_dir = false,
 Integer[0] $listen_queue_size = $nrpe::params::listen_queue_size,
+ Boolean $manage_user = false,
+ Boolean $manage_group = false,
+ Optional[String] $user_comment = undef,
+ Stdlib::Absolutepath $user_home_dir = $nrpe::params::user_home_dir,
+ Stdlib::Absolutepath $user_shell = $nrpe::params::user_shell,
 # Private parameters. You shouldn't need to override these.
 Stdlib::Absolutepath $config = $nrpe::params::nrpe_config,
diff --git a/manifests/params.pp b/manifests/params.pp
index 83f70e8..8ba8ad6 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -28,6 +28,8 @@
 'nagios-nrpe-server',
 'monitoring-plugins',
 ]
+ $user_home_dir = '/var/lib/nagios'
+ $user_shell = '/bin/false'
 }
 'Solaris': {
 $libdir = '/opt/csw/libexec/nagios-plugins'
@@ -42,6 +44,8 @@
 'nrpe',
 'nagios_plugins',
 ]
+ $user_home_dir = '/var/lib/nagios'
+ $user_shell = '/bin/false'
 }
 'RedHat': {
 $libdir = fact('os.architecture') ? {
@@ -59,6 +63,8 @@
 'nrpe',
 'nagios-plugins-all',
 ]
+ $user_home_dir = '/var/run/nrpe'
+ $user_shell = '/sbin/nologin'
 }
 'FreeBSD': {
 $libdir = '/usr/local/libexec/nagios'
@@ -73,6 +79,8 @@
 'nrpe3',
 'nagios-plugins',
 ]
+ $user_home_dir = '/var/spool/nagios'
+ $user_shell = '/sbin/nologin'
 }
 'OpenBSD': {
 $libdir = '/usr/local/libexec/nagios'
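Review bot: `Optional[String] $user_comment` in the init.pp parameter hunk accepts an empty string and values containing `:` or a newline, which a passwd GECOS field cannot hold, so a bad value would only surface when the user resource is applied. A tighter type such as `Optional[Pattern[/\A[^:\n]+\z/]] $user_comment = undef,` would reject it at compile time. Separately, `$user_shell` accepts any absolute path, and this account runs a daemon that executes checks on behalf of remote hosts. The `@param user_shell` text in the first init.pp hunk could therefore read `# The absolute path to the shell to use for the user; keep this a non-login shell unless interactive access is needed.` The parameter list starts and ends outside the hunk.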
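Review bot: The `$user_shell = '/bin/false'` defaults in the Debian and Solaris hunks of params.pp, and again in the OpenBSD and Suse hunks further down, should be confirmed against what each platform ships. On OpenBSD in particular `false` may live under `/usr/bin`, and Puppet's user provider may refuse a shell path that does not exist. With `manage_user => true` these values, together with `$user_home_dir`, also overwrite the home and shell of an account the package may already have created, so they should match the packaged account or the parameter docs should say they replace it. A one-line comment per family, e.g. `# matches the account created by the OS package`, would record where each value came from. The enclosing case statement starts and ends outside these hunks.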
@@ -87,6 +95,8 @@
 'nrpe',
 'monitoring-plugins',
 ]
+ $user_home_dir = '/var/lib/nagios'
+ $user_shell = '/bin/false'
 }
 'Suse': {
 $libdir = '/usr/lib/nagios/plugins'
@@ -115,6 +125,8 @@
 ]
 }
 }
+ $user_home_dir = '/var/lib/nagios'
+ $user_shell = '/bin/false'
 }
 'Gentoo': {
 $libdir = fact('os.architecture') ? {
@@ -132,6 +144,8 @@
 'net-analyzer/nrpe',
 'net-analyzer/nagios-plugins',
 ]
+ $user_home_dir = '/dev/null'
+ $user_shell = '/sbin/nologin'
 }
 default: { }
diff --git a/spec/classes/nrpe_spec.rb b/spec/classes/nrpe_spec.rb
index 22ca420..534c983 100644
--- a/spec/classes/nrpe_spec.rb
+++ b/spec/classes/nrpe_spec.rb
@@ -90,6 +90,98 @@
 it { is_expected.to compile.with_all_deps }
 end
+
+ context 'when manage_group is true' do
+ let(:params) { { 'manage_group' => true } }
+
+ case facts[:osfamily]
+ when 'OpenBSD'
+ it { is_expected.to contain_group('_nrpe') }
+ when 'RedHat'
+ it { is_expected.to contain_group('nrpe') }
+ else
+ it { is_expected.to contain_group('nagios') }
+ end
+ end
+
+ context 'when manage_user is true' do
+ let(:params) { { 'manage_user' => true } }
+
+ case facts[:osfamily]
+ when 'FreeBSD'
+ it {
+ is_expected.to contain_user('nagios').
+ with_gid('nagios').
+ with_home('/var/spool/nagios').
+ with_shell('/sbin/nologin')
+ }
+ when 'Gentoo'
+ it {
+ is_expected.to contain_user('nagios').
+ with_gid('nagios').
+ with_home('/dev/null').
+ with_shell('/sbin/nologin')
+ }
+
+ when 'OpenBSD'
+ it {
+ is_expected.to contain_user('_nrpe').
+ with_gid('_nrpe').
+ with_home('/var/lib/nagios').
+ with_shell('/bin/false')
+ }
+ when 'RedHat'
+ it {
+ is_expected.to contain_user('nrpe').
+ with_gid('nrpe').
+ with_home('/var/run/nrpe').
+ with_shell('/sbin/nologin')
+ }
+ else
+ it {
+ is_expected.to contain_user('nagios').
+ with_gid('nagios').
+ with_home('/var/lib/nagios').
+ with_shell('/bin/false')
+ }
+ end
+ end
+
+ context 'when manage_group and manage_user are true' do
+ let(:params) do
+ {
+ 'manage_group' => true,
+ 'manage_user' => true
+ }
+ end
+
+ case facts[:osfamily]
+ when 'OpenBSD'
+ it {
+ is_expected.to contain_group('_nrpe')
+ }
+
+ it {
+ is_expected.to contain_user('_nrpe').with_require('Group[_nrpe]')
+ }
+ when 'RedHat'
+ it {
+ is_expected.to contain_group('nrpe')
+ }
+
+ it {
+ is_expected.to contain_user('nrpe').with_require('Group[nrpe]')
+ }
+ else
+ it {
+ is_expected.to contain_group('nagios')
+ }
+
+ it {
+ is_expected.to contain_user('nagios').with_require('Group[nagios]')
+ }
+ end
+ end
 end
 end
 end
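Review bot: The `manage_user` examples assert only the name, gid, home and shell, so the `ensure => 'present'`, `system => true` and `before => Service[...]` attributes that config.pp sets are untested, and nothing pins the default of leaving the account unmanaged. I would extend each expectation with `.with_ensure('present').with_system(true)` and add a default-parameters example per OS family along the lines of `it { is_expected.not_to contain_user('nagios') }`. A context that overrides `user_shell` and `user_home_dir` would also confirm that the parameters reach the resource rather than only the per-OS defaults. On style, `facts[:osfamily]` is a legacy fact, and `facts[:os]['family']` is the structured form if the fact sets used here provide it. The enclosing describe and context blocks start outside the hunk.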