In day-to-day operations work it is unavoidable to create dedicated users to run particular applications, so for a system administrator user management is something that has to be dealt with. Here we will learn together how to use SaltStack to manage users centrally. First, the environment:

     hadoop0.updb.com    192.168.0.100    OS:CentOS 6.5        Role:master

     uadoop1.updb.com    192.168.0.201    OS:Ubuntu            Role:minion

     uadoop2.updb.com    192.168.0.202    OS:CentOS 6.5        Role:minion

     uadoop3.updb.com    192.168.0.203    OS:CentOS 6.5        Role:minion       

The previous post gave a brief introduction to nodegroups; here, building on node groups, we look at centralized user management. Through the master's state configuration I want to end up with a user named kora created on all three minions, as follows:

## First, the group information
[root@hadoop0 salt]# cat /etc/salt/master.d/group.conf 
nodegroups:
  group1: 'L@uadoop2,uadoop3'
  group2: 'G@os:Ubuntu'
## After configuration, the structure of /srv/salt/ is as follows
[root@hadoop0 salt]# tree -f
.
├── ./top.sls
└── ./user
    └── ./user/users.sls
## top.sls is configured as follows
[root@hadoop0 salt]# cat top.sls 
base:
  group1:
    - match: nodegroup
    - user.users    ## references the users.sls file in the user directory

  group2:
    - match: nodegroup
    - user.users    ## references the users.sls file in the user directory
## users.sls is configured as follows
[root@hadoop0 salt]# cat user/users.sls  
kora:
  user.present:                    ## this option is required; it means create the user
    - fullname: Lee kora           ## the user's full name
    - password: '$1$kora$yvxo92.VN.A5shLLA/3701'  ## the password hash for the user
    - shell: /bin/bash             ## the user's login shell
    - home: /home/kora             ## the user's home directory
    - uid: 1100                    ## the UID
    - gid_from_name: true          ## give the user a GID equal to its UID, i.e. use the default per-user group

## gid_from_name: true here means the user gets a GID that is the same as its UID, equivalent to useradd -u 500 kora
## The password hash was generated as follows
## [root@hadoop0 salt]# openssl passwd -1 -salt 'kora'
## Password: 
## $1$kora$yvxo92.VN.A5shLLA/3701

## Once configured, run the remote sync command. state.sls means run only one specific state file; here only users.sls is applied
[root@hadoop0 salt]# salt -N group2 state.sls user.users 
uadoop1:
----------
          ID: kora
            .....part omitted......
              gid:
                  1100
              groups:
                  - kora
              home:
                  /home/kora
            .....part omitted......
              uid:
                  1100
Summary
------------
Succeeded: 1
Failed:    0
------------
Total:     1
## Success. Let's verify on uadoop1: the user was created and its GID equals its UID
uadoop1@uadoop1:~$ id kora 
uid=1100(kora) gid=1100(kora) 组=1100(kora)

Simple, right? Above we created a user kora whose GID equals its UID. Now the question: what if I want to create kora with a specified group instead of the default one? See below.

## To give the user a specified group instead of the default one, only the content of users.sls differs slightly from the above
[root@hadoop0 salt]# cat user/users.sls 
kora:
  user.present:
    - fullname: Lee kora
    - password: '$1$kora$yvxo92.VN.A5shLLA/3701'
    - shell: /bin/bash
    - home: /home/kora
    - gid: 1200     ## set the GID to 1200
    - groups:       ## the group name for that GID is test
      - test
    - require:
      - group: test ## the test group must be created before the kora user

  group.present:    ## create the test group
    - gid: 1200     ## GID
    - name: test    ## group name
## Run remotely
[root@hadoop0 salt]# salt -N group1 state.sls user.users 
uadoop3:
----------
          ID: kora
            .....part omitted......
     Comment: Changed gid to 1200 for group test
     Changes:   
              ----------
              test:
                  1200
----------
          ID: kora
            .....part omitted......
              gid:
                  1200
              groups:
                  - test
              home:
                  /home/kora
            .....part omitted......
              uid:
                  500
Summary
------------
Succeeded: 2
Failed:    0
------------
Total:     2
uadoop2:
----------
          ID: kora
            .....part omitted......
     Comment: Changed gid to 1200 for group test
     Changes:   
              ----------
              test:
                  1200
----------
          ID: kora
            .....part omitted......
              gid:
                  1200
              groups:
                  - test
              home:
                  /home/kora
            .....part omitted......
              uid:
                  500
Summary
------------
Succeeded: 2
Failed:    0
------------
Total:     2    
## Success; verify on uadoop2 and uadoop3
[root@uadoop2 ~]# id kora 
uid=500(kora) gid=1200(test) groups=1200(test)
[root@uadoop3 ~]# id kora
uid=500(kora) gid=1200(test) groups=1200(test)

OK, wonderful! But appetite always grows: sometimes I need a default primary group and, at the same time, a specified secondary group, as follows

## users.sls is configured as follows
[root@hadoop0 salt]# cat user/users.sls 
kora:
  user.present:
    - fullname: Lee kora
    - password: '$1$kora$yvxo92.VN.A5shLLA/3701'
    - shell: /bin/bash
    - home: /home/kora
    - uid: 1100
    - groups:
      - test
    - require:
      - group: test

  group.present:
    - gid: 1200
    - name: test
## Execution result
[root@hadoop0 salt]# salt -N group1 state.sls user.users
uadoop2:
----------
          ID: kora
            .....part omitted......
              gid:
                  1200
              members:
              name:
                  test
              passwd:
                  x
----------
          ID: kora
              .....part omitted......
              gid:
                  1100
              groups:
                  - kora
                  - test
              home:
                  /home/kora
              .....part omitted......
              uid:
                  1100
Summary
------------
Succeeded: 2
Failed:    0
------------
Total:     2
uadoop3:
----------
          ID: kora
            .....part omitted......
              gid:
                  1200
              members:
              name:
                  test
              passwd:
                  x
----------
          ID: kora
            .....part omitted......
              gid:
                  1100
              groups:
                  - kora
                  - test
              home:
                  /home/kora
            .....part omitted......
              uid:
                  1100
Summary
------------
Succeeded: 2
Failed:    0
------------
Total:     2
## Verify on uadoop2 and uadoop3
[root@uadoop2 ~]# id kora
uid=1100(kora) gid=1100(kora) groups=1100(kora),1200(test)
[root@uadoop3 ~]# id kora
uid=1100(kora) gid=1100(kora) groups=1100(kora),1200(test)

Having covered adding users, let's look together at how to remove the kora user we just created, which belongs to two groups, as follows

## First, the structure of the /srv/salt/ directory
[root@hadoop0 salt]# tree -f
.
├── ./top.sls
└── ./user
    ├── ./user/del.sls
    └── ./user/users.sls
## The top.sls configuration
[root@hadoop0 salt]# cat top.sls 
base:
  group1:
    - match: nodegroup
    - user.users
    - user.del    ## references the user/del.sls file

  group2:
    - match: nodegroup
    - user.users
    - user.del    ## references the user/del.sls file
## The del.sls file
[root@hadoop0 salt]# cat user/del.sls 
kora:
  group.absent:        ## the group removal is declared first...
    - name: test       ## group name test
    - require:
      - user: kora     ## ...but the user in the group must be removed before the group itself

  user.absent:         ## remove the user
    - name: kora       ## user name kora
    - purge: True      ## remove the home directory as well
    - force: True      ## remove the user even if it is currently logged in
## Run the deletion
[root@hadoop0 salt]# salt -N group1 state.sls user.del
uadoop3:
----------
          ID: kora
    Function: user.absent
      Result: True
     Comment: Removed user kora
     Changes:   
              ----------
              kora:        ## the kora user and its default group are removed first
                  removed
              kora group:
                  removed
----------
          ID: kora
    Function: group.absent
        Name: test
      Result: True
     Comment: Removed group test    ## then the test group is removed
     Changes:   
              ----------
              test:
Summary
------------
Succeeded: 2
Failed:    0
------------
Total:     2
uadoop2:
----------
          ID: kora
    Function: user.absent
      Result: True
     Comment: Removed user kora
     Changes:   
              ----------
              kora:        ## the kora user and its default group are removed first
                  removed
              kora group:
                  removed
----------
          ID: kora
    Function: group.absent
        Name: test
      Result: True
     Comment: Removed group test    ## then the test group is removed
     Changes:   
              ----------
              test:
Summary
------------
Succeeded: 2
Failed:    0
------------
Total:     2
## After it finishes, verify on uadoop2 and uadoop3
[root@uadoop2 ~]# id kora      
id: kora: No such user
[root@uadoop2 ~]# groupdel test
groupdel: group 'test' does not exist
[root@uadoop2 ~]# groupdel kora
groupdel: group 'kora' does not exist
[root@uadoop3 ~]# id kora
id: kora: No such user
[root@uadoop3 ~]# groupdel test
groupdel: group 'test' does not exist
[root@uadoop3 ~]# groupdel kora
groupdel: group 'kora' does not exist

OK, deletion succeeded! Now suppose creating a single user no longer satisfies you and you need to create a batch of users at once. How? Read on.

## Modify user/users.sls as follows
[root@hadoop0 salt]# cat  user/users.sls 
{% set users = ['kadefor','kade','foway'] %}    ## declare a list of users
{% for user in users %}        ## iterate over the list
{{ user }}:
  user.present:
    - shell: /bin/bash
    - password: '$1$kora$yvxo92.VN.A5shLLA/3701'
    - home: /home/{{ user }}
    - gid: 1200
    - groups:
      - test
    - require:
      - group: test

  group.present:
    - gid: 1200
    - name: test
{% endfor %}                  ## the body of the loop is the user-creation process
## Run the command
[root@hadoop0 salt]# salt -N group1 state.sls user.users
uadoop2:
----------
          ID: kadefor
    Function: group.present
        Name: test
      Result: True
     Comment: Added group test
     Changes:   
              ----------
              gid:
                  1200
              members:
              name:
                  test
              passwd:
                  x
----------
          ID: kade
            .....part omitted......
----------
          ID: foway
            .....part omitted......
----------
          ID: kadefor
            .....part omitted......
              gid:
                  1200
              groups:
                  - test
              home:
                  /home/kadefor
            .....part omitted......
              uid:
                  500
----------
          ID: kade
            .....part omitted......
              gid:
                  1200
              groups:
                  - test
              home:
                  /home/kade
            .....part omitted......
              uid:
                  501
----------
          ID: foway
            .....part omitted......
              gid:
                  1200
              groups:
                  - test
              home:
                  /home/foway
            .....part omitted......
              uid:
                  502
Summary
------------
Succeeded: 6
Failed:    0
------------
Total:     6
uadoop3:
----------
          ID: kadefor
    Function: group.present
        Name: test
      Result: True
     Comment: Added group test
     Changes:   
              ----------
              gid:
                  1200
              members:
              name:
                  test
              passwd:
                  x
----------
          ID: kade
            .....part omitted......
----------
          ID: foway
            .....part omitted......
----------
          ID: kadefor
            .....part omitted......
              gid:
                  1200
              groups:
                  - test
              home:
                  /home/kadefor
            .....part omitted......
              uid:
                  500
----------
          ID: kade
            .....part omitted......
              gid:
                  1200
              groups:
                  - test
              home:
                  /home/kade
            .....part omitted......
              uid:
                  501
----------
          ID: foway
            .....part omitted......
              gid:
                  1200
              groups:
                  - test
              home:
                  /home/foway
            .....part omitted......
              uid:
                  502
Summary
------------
Succeeded: 6
Failed:    0
------------
Total:     6
## Verify on uadoop2 and uadoop3
[root@uadoop2 ~]# id kade
uid=501(kade) gid=1200(test) groups=1200(test)
[root@uadoop2 ~]# id kadefor
uid=500(kadefor) gid=1200(test) groups=1200(test)
[root@uadoop2 ~]# id foway
uid=502(foway) gid=1200(test) groups=1200(test)

[root@uadoop3 ~]# id  kade
uid=501(kade) gid=1200(test) groups=1200(test)
[root@uadoop3 ~]# id  kadefor
uid=500(kadefor) gid=1200(test) groups=1200(test)
[root@uadoop3 ~]# id  foway
uid=502(foway) gid=1200(test) groups=1200(test)

Batch user creation succeeded, and as you can see the whole process is fairly simple. What about deleting users in batch? See below.

## Modify user/del.sls as follows
[root@hadoop0 salt]# cat  user/del.sls 
{% set users = ['kadefor','kade','foway'] %}    ## declare the list of users
{% for user in users %}    ## iterate over the users and remove each one
{{ user }}:
  user.absent:
    - name: {{ user }}
    - purge: True
    - force: True
{% endfor %}

test:
  group.absent:            ## remove the group only once all its users are gone
    - name: test
    - require:             ## explicit ordering: every user.absent above must run first
{% for user in users %}
      - user: {{ user }}
{% endfor %}

## Run the command
[root@hadoop0 salt]# salt -N group1 state.sls user.del
uadoop2:
----------
          ID: kadefor
    Function: user.absent
      Result: True
     Comment: Removed user kadefor
     Changes:   
              ----------
              kadefor:
                  removed
----------
          ID: kade
    Function: user.absent
      Result: True
     Comment: Removed user kade
     Changes:   
              ----------
              kade:
                  removed
----------
          ID: foway
    Function: user.absent
      Result: True
     Comment: Removed user foway
     Changes:   
              ----------
              foway:
                  removed
----------
          ID: foway
    Function: group.absent
        Name: test
      Result: True
     Comment: Removed group test
     Changes:   
              ----------
Summary
------------
Succeeded: 4
Failed:    0
------------
Total:     4
uadoop3:
----------
          ID: kadefor
    Function: user.absent
      Result: True
     Comment: Removed user kadefor
     Changes:   
              ----------
              kadefor:
                  removed
----------
          ID: kade
    Function: user.absent
      Result: True
     Comment: Removed user kade
     Changes:   
              ----------
              kade:
                  removed
----------
          ID: foway
    Function: user.absent
      Result: True
     Comment: Removed user foway
     Changes:   
              ----------
              foway:
                  removed
----------
          ID: foway
    Function: group.absent
        Name: test
      Result: True
     Comment: Removed group test
     Changes:   
              ----------
Summary
------------
Succeeded: 4
Failed:    0
------------
Total:     4
## From the returned information, the deletion succeeded

Next we look at how to give a user several secondary groups in addition to its default primary group; the start of the post only demonstrated adding a single secondary group. See below.

## Modify user/users.sls as follows
[root@hadoop0 salt]# cat user/users.sls 
kora:
  user.present:
    - shell: /bin/bash
    - password: '$1$kora$yvxo92.VN.A5shLLA/3701'
    - home: /home/kora
    - uid: 500
    - groups:                ## the list of secondary groups
      - test1
      - test2
      - test3
    - require:               ## the user must be created after the groups
      - group: test1
      - group: test2
      - group: test3

{% set groups = ['test1','test2','test3'] %} ## declare a list of group names
{% for group in groups %}    ## iterate and create each secondary group in turn
{{ group }}:
  group.present:
    - name: {{ group }}
{% endfor %}

## Run the command
[root@hadoop0 salt]# salt -N group1 state.sls user.users
uadoop3:
----------
          ID: test1
             .....part omitted......
----------
          ID: test2
             .....part omitted......
----------
          ID: test3
            .....part omitted......
----------
          ID: kora
            .....part omitted......
              gid:
                  503
              groups:
                  - kora
                  - test1
                  - test2
                  - test3
              home:
                  /home/kora
            .....part omitted......
              uid:
                  500
Summary
------------
Succeeded: 4
Failed:    0
------------
Total:     4
uadoop2:
----------
          ID: test1
             .....part omitted......
----------
          ID: test2
            .....part omitted......
----------
          ID: test3
            .....part omitted......
----------
          ID: kora
            .....part omitted......
              gid:
                  503
              groups:
                  - kora
                  - test1
                  - test2
                  - test3
              home:
                  /home/kora
            .....part omitted......
              uid:
                  500
Summary
------------
Succeeded: 4
Failed:    0
------------
Total:     4
## Success. The returned results look good; now check on uadoop2 and uadoop3
[root@uadoop2 ~]# id kora
uid=500(kora) gid=503(kora) groups=503(kora),500(test1),501(test2),502(test3)
[root@uadoop3 ~]# id kora
uid=500(kora) gid=503(kora) groups=503(kora),500(test1),501(test2),502(test3)

Haha, perfect. Now let's try deleting a user that belongs to multiple groups; read on

## Modify user/del.sls as follows
[root@hadoop0 salt]# cat user/del.sls 
kora:
  user.absent:
    - name: kora
    - purge: True
    - force: True

{% set groups = ['test1','test2','test3'] %} ## declare the list of groups to remove
{% for group in groups %}    ## iterate and remove each group in turn
{{ group }}:
  group.absent:
    - name: {{ group }}
    - require:               ## require: the user must be removed before the groups
      - user: kora
{% endfor %}
## Run the command
[root@hadoop0 salt]# salt -N group1 state.sls user.del
uadoop2:
----------
          ID: kora
    Function: user.absent
      Result: True
     Comment: Removed user kora
     Changes:   
              ----------
              kora:
                  removed
              kora group:
                  removed
----------
          ID: test1
    Function: group.absent
      Result: True
     Comment: Removed group test1
     Changes:   
              ----------
              test1:
                  
----------
          ID: test2
    Function: group.absent
      Result: True
     Comment: Removed group test2
     Changes:   
              ----------
              test2:
                  
----------
          ID: test3
    Function: group.absent
      Result: True
     Comment: Removed group test3
     Changes:   
              ----------
              test3:
Summary
------------
Succeeded: 4
Failed:    0
------------
Total:     4
uadoop3:
----------
          ID: kora
    Function: user.absent
      Result: True
     Comment: Removed user kora
     Changes:   
              ----------
              kora:
                  removed
              kora group:
                  removed
----------
          ID: test1
    Function: group.absent
      Result: True
     Comment: Removed group test1
     Changes:   
              ----------
              test1:
                  
----------
          ID: test2
    Function: group.absent
      Result: True
     Comment: Removed group test2
     Changes:   
              ----------
              test2:
                  
----------
          ID: test3
    Function: group.absent
      Result: True
     Comment: Removed group test3
     Changes:   
              ----------
              test3:
Summary
------------
Succeeded: 4
Failed:    0
------------
Total:     4

OK, deletion succeeded. If you have a cluster of 100 nodes, operating it this way feels great, doesn't it? Finally, let's look at how to change user passwords in bulk

## First generate the new password hash; the -1 option means MD5-based crypt
[root@hadoop0 salt]# openssl  passwd -1
Password: 
Verifying - Password: 
$1$KW9LqU15$WxpkIidau.CgHS0LydxjV1
## Create the state file for the password change, user/passwd.sls
[root@hadoop0 salt]# cat user/passwd.sls 
{% set users = ['kadefor','kade','foway'] %}
{% for user in users %}
{{ user }}:
  user.present:
    - password: '$1$KW9LqU15$WxpkIidau.CgHS0LydxjV1'
{% endfor %}  
## Add the corresponding reference in top.sls
[root@hadoop0 salt]# cat top.sls 
base:
  group1:
    - match: nodegroup
    - user.users
    - user.del
    - user.passwd

  group2:
    - match: nodegroup
    - user.users
    - user.del
    - user.passwd
## Run the command
[root@hadoop0 salt]# salt -N group1 state.sls user.passwd
uadoop2:
----------
          ID: kadefor
    Function: user.present
      Result: True
     Comment: Updated user kadefor
     Changes:   
              ----------
              passwd:
                  $1$KW9LqU15$WxpkIidau.CgHS0LydxjV1
----------
          ID: kade
    Function: user.present
      Result: True
     Comment: Updated user kade
     Changes:   
              ----------
              passwd:
                  $1$KW9LqU15$WxpkIidau.CgHS0LydxjV1
----------
          ID: foway
    Function: user.present
      Result: True
     Comment: Updated user foway
     Changes:   
              ----------
              passwd:
                  $1$KW9LqU15$WxpkIidau.CgHS0LydxjV1

Summary
------------
Succeeded: 3
Failed:    0
------------
Total:     3
uadoop3:
----------
          ID: kadefor
    Function: user.present
      Result: True
     Comment: Updated user kadefor
     Changes:   
              ----------
              passwd:
                  $1$KW9LqU15$WxpkIidau.CgHS0LydxjV1
----------
          ID: kade
    Function: user.present
      Result: True
     Comment: Updated user kade
     Changes:   
              ----------
              passwd:
                  $1$KW9LqU15$WxpkIidau.CgHS0LydxjV1
----------
          ID: foway
    Function: user.present
      Result: True
     Comment: Updated user foway
     Changes:   
              ----------
              passwd:
                  $1$KW9LqU15$WxpkIidau.CgHS0LydxjV1

Summary
------------
Succeeded: 3
Failed:    0
------------
Total:     3

As you can see, the password change succeeded, and switching to the users to log in also works. So Salt is both flexible and powerful for centralized user management: if you wish, you can handle user creation, deletion and password changes across any number of nodes. You can also create many users at once, give one user many groups at once, delete users in bulk and delete their groups in bulk. In short, with SaltStack, centralized user management for a cluster feels limitless. Haha, now it's your enjoy time.
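As an added example (not from the original post and not Salt's own tooling), here is a small Python pre-flight check over the kind of user/group states shown above. It verifies that every secondary group has a group.present state that is listed under require (the ordering the examples rely on), flags the MD5-crypt ("$1$") hashes that openssl passwd -1 produces, and flags one hash reused by several users. The input dict is constructed to mirror the structure Salt builds from a rendered users.sls.

```python
from collections import defaultdict

# Constructed sample in the page's style: the group state sits under the "kora"
# ID with name: test; a second user reuses kora's MD5-crypt hash.
SAMPLE_HIGH = {
    "kora": {
        "user.present": [
            {"password": "$1$kora$yvxo92.VN.A5shLLA/3701"},
            {"shell": "/bin/bash"},
            {"gid": 1200},
            {"groups": ["test", "test1", "test2"]},  # test2 is never declared
            {"require": [{"group": "test"}]},        # test1 is declared but not required
        ],
        "group.present": [{"gid": 1200}, {"name": "test"}],
    },
    "test1": {"group.present": [{"name": "test1"}]},
    "kade": {"user.present": [
        {"password": "$1$kora$yvxo92.VN.A5shLLA/3701"},  # same hash as kora
        {"groups": ["test"]},
        {"require": [{"group": "test"}]},
    ]},
}


def args(arglist):
    """Flatten Salt's list of one-key dicts into a single dict."""
    merged = {}
    for item in arglist:
        merged.update(item)
    return merged


def declared(high, func):
    """Map name -> ID for every state calling func (name defaults to the ID)."""
    return {args(body[func]).get("name", sid): sid
            for sid, body in high.items() if func in body}


def lint(high):
    """Return findings; an empty list means the user states look safe to apply."""
    findings = []
    groups = declared(high, "group.present")
    owners = defaultdict(list)  # password hash -> users carrying it
    for sid, body in high.items():
        if "user.present" not in body:
            continue
        a = args(body["user.present"])
        user = a.get("name", sid)
        # A require entry may point at the group state by its name or by its ID.
        required = {r["group"] for r in a.get("require", []) if "group" in r}
        for g in a.get("groups", []):
            if g not in groups:
                findings.append(f"{user}: secondary group {g!r} has no group.present state")
            elif g not in required and groups[g] not in required:
                findings.append(f"{user}: group {g!r} is not under require, ordering is not guaranteed")
        pw = a.get("password")
        if pw:
            owners[pw].append(user)
            if pw.startswith("$1$"):
                findings.append(f"{user}: password is MD5-crypt ($1$); prefer SHA-512 (openssl passwd -6)")
    for pw, users in owners.items():
        if len(users) > 1:
            findings.append("identical password hash shared by " + ", ".join(sorted(users)))
    return findings
```

Run lint() against the dict you get from loading the rendered SLS (for instance via salt-call --local state.show_sls) before applying it to a node group.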