In day-to-day operations work you inevitably have to create specific users to run specific applications, so user management is something every SA has to deal with. Here we look at how to manage users centrally with SaltStack. First, the environment:
hadoop0.updb.com 192.168.0.100 OS:CentOS 6.5 Role:master
uadoop1.updb.com 192.168.0.201 OS:Ubuntu Role:minion
uadoop2.updb.com 192.168.0.202 OS:CentOS 6.5 Role:minion
uadoop3.updb.com 192.168.0.203 OS:CentOS 6.5 Role:minion
The previous post briefly introduced nodegroups; here we build on those groups to manage users centrally. The goal is to create a user kora on all three minions from state configuration on the master, as follows:
## First, the nodegroup definitions
[root@hadoop0 salt]# cat /etc/salt/master.d/group.conf
nodegroups:
  group1: 'L@uadoop2,uadoop3'
  group2: 'G@os:Ubuntu'
## Once configured, /srv/salt/ looks like this
[root@hadoop0 salt]# tree -f
.
├── ./top.sls
└── ./user
    └── ./user/users.sls
## top.sls
[root@hadoop0 salt]# cat top.sls
base:
  group1:
    - match: nodegroup
    - user.users        ## refers to users.sls in the user directory
  group2:
    - match: nodegroup
    - user.users        ## refers to users.sls in the user directory
## users.sls
[root@hadoop0 salt]# cat user/users.sls
kora:
  user.present:                                   ## required: ensures the user exists
    - fullname: Lee kora                          ## full name (GECOS)
    - password: '$1$kora$yvxo92.VN.A5shLLA/3701'  ## crypt(3) hash of the password; quoted so the $ signs survive YAML
    - shell: /bin/bash                            ## login shell
    - home: /home/kora                            ## home directory
    - uid: 1100                                   ## fixed UID
    - gid_from_name: true                         ## primary group is the group named after the user (its private group)
## gid_from_name: true makes the primary GID that of the group called kora. useradd creates that private
## group itself and reuses the UID as its GID when that number is free, which is why the result below
## shows gid 1100; it is equivalent to `useradd -u 1100 kora` on a system with USERGROUPS_ENAB yes.
## The hash was generated as follows. -1 selects MD5-based crypt, which is weak and only kept here because
## it is what the original run used; for new accounts prefer SHA-512 crypt with a random salt
## (`openssl passwd -6` on OpenSSL 1.1.1 or newer), and keep hashes in pillar rather than in the state tree,
## where every minion that can read the file server sees them.
## [root@hadoop0 salt]# openssl passwd -1 -salt 'kora'
## Password:
## $1$kora$yvxo92.VN.A5shLLA/3701
## With the states in place, apply them remotely. state.sls runs only the named state file, here users.sls
## (append test=True to the command to preview the changes without applying them)
[root@hadoop0 salt]# salt -N group2 state.sls user.users
uadoop1:
----------
          ID: kora
    ..... (output trimmed) .....
              gid:
                  1100
              groups:
                  - kora
              home:
                  /home/kora
    ..... (output trimmed) .....
              uid:
                  1100

Summary
------------
Succeeded: 1
Failed:    0
------------
Total:     1
## It succeeded. Checking on uadoop1, the user exists and its GID equals its UID
uadoop1@uadoop1:~$ id kora
uid=1100(kora) gid=1100(kora) groups=1100(kora)
Simple, right? Above we created kora with a GID equal to its UID. Now the question: what if kora should use a specified group as its primary group instead of the default private one? See below.
## To give the user a specified primary group instead of the default private one, users.sls changes slightly
[root@hadoop0 salt]# cat user/users.sls
kora:
  user.present:
    - fullname: Lee kora
    - password: '$1$kora$yvxo92.VN.A5shLLA/3701'
    - shell: /bin/bash
    - home: /home/kora
    - gid: 1200             ## primary GID 1200; no uid is given, so useradd picks the next free one (500 on CentOS 6, see below)
    - groups:               ## the group with GID 1200 is named test
      - test
    - require:
      - group: test         ## the test group must exist before the kora user is created
  group.present:            ## create the test group (same state ID, second state function)
    - gid: 1200             ## GID
    - name: test            ## group name
## Run it remotely
[root@hadoop0 salt]# salt -N group1 state.sls user.users
uadoop3:
----------
          ID: kora
    ..... (output trimmed) .....
     Comment: Changed gid to 1200 for group test
     Changes:
              ----------
              test:
                  1200
----------
          ID: kora
    ..... (output trimmed) .....
              gid:
                  1200
              groups:
                  - test
              home:
                  /home/kora
    ..... (output trimmed) .....
              uid:
                  500

Summary
------------
Succeeded: 2
Failed:    0
------------
Total:     2
uadoop2:
----------
          ID: kora
    ..... (output trimmed) .....
     Comment: Changed gid to 1200 for group test
     Changes:
              ----------
              test:
                  1200
----------
          ID: kora
    ..... (output trimmed) .....
              gid:
                  1200
              groups:
                  - test
              home:
                  /home/kora
    ..... (output trimmed) .....
              uid:
                  500

Summary
------------
Succeeded: 2
Failed:    0
------------
Total:     2
## Success; verify on uadoop2 and uadoop3
[root@uadoop2 ~]# id kora
uid=500(kora) gid=1200(test) groups=1200(test)
[root@uadoop3 ~]# id kora
uid=500(kora) gid=1200(test) groups=1200(test)
OK, wonderful! But requirements keep growing: sometimes I want the default private primary group and, at the same time, one specified supplementary group, as follows
## users.sls
[root@hadoop0 salt]# cat user/users.sls
kora:
  user.present:
    - fullname: Lee kora
    - password: '$1$kora$yvxo92.VN.A5shLLA/3701'
    - shell: /bin/bash
    - home: /home/kora
    - uid: 1100             ## fixed UID; with no gid the private group kora (gid 1100) stays primary
    - groups:               ## supplementary group
      - test
    - require:
      - group: test
  group.present:
    - gid: 1200
    - name: test
## Result
[root@hadoop0 salt]# salt -N group1 state.sls user.users
uadoop2:
----------
          ID: kora
    ..... (output trimmed) .....
              gid:
                  1200
              members:
              name:
                  test
              passwd:
                  x
----------
          ID: kora
    ..... (output trimmed) .....
              gid:
                  1100
              groups:
                  - kora
                  - test
              home:
                  /home/kora
    ..... (output trimmed) .....
              uid:
                  1100

Summary
------------
Succeeded: 2
Failed:    0
------------
Total:     2
uadoop3:
----------
          ID: kora
    ..... (output trimmed) .....
              gid:
                  1200
              members:
              name:
                  test
              passwd:
                  x
----------
          ID: kora
    ..... (output trimmed) .....
              gid:
                  1100
              groups:
                  - kora
                  - test
              home:
                  /home/kora
    ..... (output trimmed) .....
              uid:
                  1100

Summary
------------
Succeeded: 2
Failed:    0
------------
Total:     2
## Verify on uadoop2 and uadoop3
[root@uadoop2 ~]# id kora
uid=1100(kora) gid=1100(kora) groups=1100(kora),1200(test)
[root@uadoop3 ~]# id kora
uid=1100(kora) gid=1100(kora) groups=1100(kora),1200(test)
Having covered adding users, let's delete the kora user we just created, the one that belongs to two groups:
## First the layout of /srv/salt/
[root@hadoop0 salt]# tree -f
.
├── ./top.sls
└── ./user
    ├── ./user/del.sls
    └── ./user/users.sls
## top.sls
[root@hadoop0 salt]# cat top.sls
base:
  group1:
    - match: nodegroup
    - user.users
    - user.del          ## refers to user/del.sls
  group2:
    - match: nodegroup
    - user.users
    - user.del          ## refers to user/del.sls
## del.sls
[root@hadoop0 salt]# cat user/del.sls
kora:
  group.absent:           ## remove the group ...
    - name: test          ## ... named test
    - require:
      - user: kora        ## ... only after the user that belongs to it has been removed
  user.absent:            ## remove the user
    - name: kora          ## user name
    - purge: True         ## also delete the user's files (home directory)
    - force: True         ## remove the user even if currently logged in
## Run the deletion
[root@hadoop0 salt]# salt -N group1 state.sls user.del
uadoop3:
----------
          ID: kora
    Function: user.absent
      Result: True
     Comment: Removed user kora
     Changes:
              ----------
              kora:                 ## the kora user and its private group go first
                  removed
              kora group:
                  removed
----------
          ID: kora
    Function: group.absent
        Name: test
      Result: True
     Comment: Removed group test   ## then the test group
     Changes:
              ----------
              test:

Summary
------------
Succeeded: 2
Failed:    0
------------
Total:     2
uadoop2:
----------
          ID: kora
    Function: user.absent
      Result: True
     Comment: Removed user kora
     Changes:
              ----------
              kora:                 ## the kora user and its private group go first
                  removed
              kora group:
                  removed
----------
          ID: kora
    Function: group.absent
        Name: test
      Result: True
     Comment: Removed group test   ## then the test group
     Changes:
              ----------
              test:

Summary
------------
Succeeded: 2
Failed:    0
------------
Total:     2
## After the run, verify on uadoop2 and uadoop3 (the private group kora is gone as well; user.absent removed it together with the user)
[root@uadoop2 ~]# id kora
id: kora: No such user
[root@uadoop2 ~]# groupdel test
groupdel: group 'test' does not exist
[root@uadoop2 ~]# groupdel kora
groupdel: group 'kora' does not exist
[root@uadoop3 ~]# id kora
id: kora: No such user
[root@uadoop3 ~]# groupdel test
groupdel: group 'test' does not exist
[root@uadoop3 ~]# groupdel kora
groupdel: group 'kora' does not exist
OK, deleted. Now suppose creating one user at a time is no longer enough and you need to create a batch of users in one go:
## Change user/users.sls to the following
[root@hadoop0 salt]# cat user/users.sls
{% set users = ['kadefor','kade','foway'] %}   ## declare the list of users
{% for user in users %}                         ## loop over it
{{ user }}:
  user.present:
    - shell: /bin/bash
    - password: '$1$kora$yvxo92.VN.A5shLLA/3701'   ## every user gets the same hash, i.e. the same password
    - home: /home/{{ user }}
    - gid: 1200
    - groups:
      - test
    - require:
      - group: test
  group.present:        ## rendered once per user under that user's ID; the three copies are identical, which is why the run below counts 6 states
    - gid: 1200
    - name: test
{% endfor %}                                    ## the loop body is the per-user creation
## Run it
[root@hadoop0 salt]# salt -N group1 state.sls user.users
uadoop2:
----------
          ID: kadefor
    Function: group.present
        Name: test
      Result: True
     Comment: Added group test
     Changes:
              ----------
              gid:
                  1200
              members:
              name:
                  test
              passwd:
                  x
----------
          ID: kade
    ..... (output trimmed) .....
----------
          ID: foway
    ..... (output trimmed) .....
----------
          ID: kadefor
    ..... (output trimmed) .....
              gid:
                  1200
              groups:
                  - test
              home:
                  /home/kadefor
    ..... (output trimmed) .....
              uid:
                  500
----------
          ID: kade
    ..... (output trimmed) .....
              gid:
                  1200
              groups:
                  - test
              home:
                  /home/kade
    ..... (output trimmed) .....
              uid:
                  501
----------
          ID: foway
    ..... (output trimmed) .....
              gid:
                  1200
              groups:
                  - test
              home:
                  /home/foway
    ..... (output trimmed) .....
              uid:
                  502

Summary
------------
Succeeded: 6
Failed:    0
------------
Total:     6
uadoop3:
----------
          ID: kadefor
    Function: group.present
        Name: test
      Result: True
     Comment: Added group test
     Changes:
              ----------
              gid:
                  1200
              members:
              name:
                  test
              passwd:
                  x
----------
          ID: kade
    ..... (output trimmed) .....
----------
          ID: foway
    ..... (output trimmed) .....
----------
          ID: kadefor
    ..... (output trimmed) .....
              gid:
                  1200
              groups:
                  - test
              home:
                  /home/kadefor
    ..... (output trimmed) .....
              uid:
                  500
----------
          ID: kade
    ..... (output trimmed) .....
              gid:
                  1200
              groups:
                  - test
              home:
                  /home/kade
    ..... (output trimmed) .....
              uid:
                  501
----------
          ID: foway
    ..... (output trimmed) .....
              gid:
                  1200
              groups:
                  - test
              home:
                  /home/foway
    ..... (output trimmed) .....
              uid:
                  502

Summary
------------
Succeeded: 6
Failed:    0
------------
Total:     6
## Verify on uadoop2 and uadoop3
[root@uadoop2 ~]# id kade
uid=501(kade) gid=1200(test) groups=1200(test)
[root@uadoop2 ~]# id kadefor
uid=500(kadefor) gid=1200(test) groups=1200(test)
[root@uadoop2 ~]# id foway
uid=502(foway) gid=1200(test) groups=1200(test)
[root@uadoop3 ~]# id kade
uid=501(kade) gid=1200(test) groups=1200(test)
[root@uadoop3 ~]# id kadefor
uid=500(kadefor) gid=1200(test) groups=1200(test)
[root@uadoop3 ~]# id foway
uid=502(foway) gid=1200(test) groups=1200(test)
Batch creation worked, and the whole process is fairly simple. What about deleting users in bulk?
## Change user/del.sls to the following
[root@hadoop0 salt]# cat user/del.sls
{% set users = ['kadefor','kade','foway'] %}   ## declare the list of users
{% for user in users %}                         ## delete each user in turn
{{ user }}:
  user.absent:
    - name: {{ user }}
    - purge: True
    - force: True
{% endfor %}
  group.absent:           ## remove the group after the users; indented under the last user ID (foway), which is why the output shows "ID: foway / Function: group.absent". Without a require it relies on Salt running states in the order they are declared; a cleaner layout gives the group its own ID with a require on every user
    - name: test
## Run it
[root@hadoop0 salt]# salt -N group1 state.sls user.del
uadoop2:
----------
          ID: kadefor
    Function: user.absent
      Result: True
     Comment: Removed user kadefor
     Changes:
              ----------
              kadefor:
                  removed
----------
          ID: kade
    Function: user.absent
      Result: True
     Comment: Removed user kade
     Changes:
              ----------
              kade:
                  removed
----------
          ID: foway
    Function: user.absent
      Result: True
     Comment: Removed user foway
     Changes:
              ----------
              foway:
                  removed
----------
          ID: foway
    Function: group.absent
        Name: test
      Result: True
     Comment: Removed group test
     Changes:
              ----------

Summary
------------
Succeeded: 4
Failed:    0
------------
Total:     4
uadoop3:
----------
          ID: kadefor
    Function: user.absent
      Result: True
     Comment: Removed user kadefor
     Changes:
              ----------
              kadefor:
                  removed
----------
          ID: kade
    Function: user.absent
      Result: True
     Comment: Removed user kade
     Changes:
              ----------
              kade:
                  removed
----------
          ID: foway
    Function: user.absent
      Result: True
     Comment: Removed user foway
     Changes:
              ----------
              foway:
                  removed
----------
          ID: foway
    Function: group.absent
        Name: test
      Result: True
     Comment: Removed group test
     Changes:
              ----------

Summary
------------
Succeeded: 4
Failed:    0
------------
Total:     4
## The returned data shows the deletion succeeded
Next, how to give one user several supplementary groups on top of its default primary group; the start of the post only showed a single supplementary group:
## Change user/users.sls to the following
[root@hadoop0 salt]# cat user/users.sls
kora:
  user.present:
    - shell: /bin/bash
    - password: '$1$kora$yvxo92.VN.A5shLLA/3701'
    - home: /home/kora
    - uid: 500
    - groups:              ## list of supplementary groups
      - test1
      - test2
      - test3
    - require:             ## the user is created only after all three groups exist
      - group: test1
      - group: test2
      - group: test3
{% set groups = ['test1','test2','test3'] %}   ## declare the list of group names
{% for group in groups %}                       ## create each supplementary group in turn
{{ group }}:
  group.present:           ## no gid given, so groupadd allocates 500, 501, 502; the private group kora then gets 503 (see the id output below)
    - name: {{ group }}
{% endfor %}
## Run it
[root@hadoop0 salt]# salt -N group1 state.sls user.users
uadoop3:
----------
          ID: test1
    ..... (output trimmed) .....
----------
          ID: test2
    ..... (output trimmed) .....
----------
          ID: test3
    ..... (output trimmed) .....
----------
          ID: kora
    ..... (output trimmed) .....
              gid:
                  503
              groups:
                  - kora
                  - test1
                  - test2
                  - test3
              home:
                  /home/kora
    ..... (output trimmed) .....
              uid:
                  500

Summary
------------
Succeeded: 4
Failed:    0
------------
Total:     4
uadoop2:
----------
          ID: test1
    ..... (output trimmed) .....
----------
          ID: test2
    ..... (output trimmed) .....
----------
          ID: test3
    ..... (output trimmed) .....
----------
          ID: kora
    ..... (output trimmed) .....
              gid:
                  503
              groups:
                  - kora
                  - test1
                  - test2
                  - test3
              home:
                  /home/kora
    ..... (output trimmed) .....
              uid:
                  500

Summary
------------
Succeeded: 4
Failed:    0
------------
Total:     4
## Success according to the returned data; now check on uadoop2 and uadoop3
[root@uadoop2 ~]# id kora
uid=500(kora) gid=503(kora) groups=503(kora),500(test1),501(test2),502(test3)
[root@uadoop3 ~]# id kora
uid=500(kora) gid=503(kora) groups=503(kora),500(test1),501(test2),502(test3)
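The `id kora` checks above (after the primary-group run, the one-supplementary-group run and this three-group run) verify a single host by hand. As an added example that is not part of the original post and not Salt code, the Python below does that verification from a copy of a minion's /etc/passwd and /etc/group (for instance collected with `salt -N group1 cmd.run 'cat /etc/passwd'`): it reproduces what `id` prints, compares each declared account with the desired state a users.sls expresses, and also reports accounts the state tree never declared, which `user.present` leaves untouched. The passwd and group contents, the desired-state table and UID_MIN = 500 (the CentOS 6 useradd default) are constructed assumptions; the kora entries mirror uadoop2 after the three-group run (uid 500, private group gid 503, test1..test3 at 500..502), and kade's shell and the `toor` account are deliberate deviations.

```python
"""
Check a minion's account database against the accounts a Salt users.sls
declares.  Added example, not Salt code; it reads copies of /etc/passwd
and /etc/group so it runs anywhere.
"""

# Constructed sample: uadoop2 after the three-group run, plus two planted
# deviations (kade has the wrong shell, 'toor' is an undeclared uid-0 account).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
kora:x:500:503::/home/kora:/bin/bash
kade:x:501:1200::/home/kade:/bin/sh
toor:x:0:0::/root:/bin/bash
"""

GROUP = """\
root:x:0:
test1:x:500:kora
test2:x:501:kora
test3:x:502:kora
kora:x:503:
test:x:1200:
"""

# What users.sls declares, expressed in the post's own terms.
DESIRED = {
    "kora": {"uid": 500, "primary_group": "kora", "groups": ["test1", "test2", "test3"],
             "shell": "/bin/bash", "home": "/home/kora"},
    "kade": {"uid": 501, "primary_group": "test", "groups": ["test"],
             "shell": "/bin/bash", "home": "/home/kade"},
    "foway": {"uid": 502, "primary_group": "test", "groups": ["test"],
              "shell": "/bin/bash", "home": "/home/foway"},
}

UID_MIN = 500  # CentOS 6 login.defs default, first UID useradd hands out (assumption)


def parse_passwd(text):
    """name -> {uid, gid, home, shell} from /etc/passwd lines."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":")
        users[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return users


def parse_group(text):
    """name -> {gid, members} from /etc/group lines; file order is preserved."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":")
        groups[name] = {"gid": int(gid), "members": {m for m in members.split(",") if m}}
    return groups


def id_output(name, users, groups):
    """Reproduce `id <name>`: primary group first, then memberships in /etc/group order."""
    u = users[name]
    by_gid = {g["gid"]: gname for gname, g in groups.items()}
    primary = by_gid.get(u["gid"], "")
    supp = [(g["gid"], gname) for gname, g in groups.items()
            if name in g["members"] and g["gid"] != u["gid"]]
    listing = ",".join("%d(%s)" % pair for pair in [(u["gid"], primary)] + supp)
    return "uid=%d(%s) gid=%d(%s) groups=%s" % (u["uid"], name, u["gid"], primary, listing)


def effective_groups(name, users, groups):
    """Groups the account belongs to: its primary GID plus explicit membership."""
    gid = users[name]["gid"]
    return {gname for gname, g in groups.items() if g["gid"] == gid or name in g["members"]}


def check_drift(desired, users, groups):
    """Sorted list of deviations between the declared and the actual accounts."""
    problems = []
    for name, want in desired.items():
        if name not in users:
            problems.append(f"{name}: missing")
            continue
        have = users[name]
        if have["uid"] != want["uid"]:
            problems.append(f"{name}: uid {have['uid']} != {want['uid']}")
        pg = groups.get(want["primary_group"])
        if pg is None or pg["gid"] != have["gid"]:
            problems.append(f"{name}: primary gid {have['gid']} is not group {want['primary_group']}")
        for key in ("shell", "home"):
            if have[key] != want[key]:
                problems.append(f"{name}: {key} {have[key]} != {want[key]}")
        missing = set(want["groups"]) - effective_groups(name, users, groups)
        if missing:
            problems.append(f"{name}: not in groups {sorted(missing)}")
    # user.present only asserts the declared accounts; report everything else.
    for name, have in users.items():
        if name in desired:
            continue
        if have["uid"] == 0 and name != "root":
            problems.append(f"{name}: undeclared uid 0 account")
        elif have["uid"] >= UID_MIN:
            problems.append(f"{name}: undeclared account uid {have['uid']}")
    return sorted(problems)


if __name__ == "__main__":
    users, groups = parse_passwd(PASSWD), parse_group(GROUP)
    print(id_output("kora", users, groups))
    for problem in check_drift(DESIRED, users, groups):
        print("DRIFT:", problem)
```

On the sample, `id_output("kora", ...)` returns exactly the line `id kora` printed on uadoop2 above, and `check_drift` reports foway missing, kade's shell, and the undeclared uid-0 account, the last of which no state run would ever mention.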
Perfect. Now let's try deleting a user that belongs to several groups:
## Change user/del.sls to the following
[root@hadoop0 salt]# cat user/del.sls
kora:
  user.absent:
    - name: kora
    - purge: True
    - force: True
{% set groups = ['test1','test2','test3'] %}   ## declare the list of groups to delete
{% for group in groups %}                       ## delete each group in turn
{{ group }}:
  group.absent:
    - name: {{ group }}
    - require:             ## dependency: the user must be removed before its groups
      - user: kora
{% endfor %}
## Run it
[root@hadoop0 salt]# salt -N group1 state.sls user.del
uadoop2:
----------
          ID: kora
    Function: user.absent
      Result: True
     Comment: Removed user kora
     Changes:
              ----------
              kora:
                  removed
              kora group:
                  removed
----------
          ID: test1
    Function: group.absent
      Result: True
     Comment: Removed group test1
     Changes:
              ----------
              test1:
----------
          ID: test2
    Function: group.absent
      Result: True
     Comment: Removed group test2
     Changes:
              ----------
              test2:
----------
          ID: test3
    Function: group.absent
      Result: True
     Comment: Removed group test3
     Changes:
              ----------
              test3:

Summary
------------
Succeeded: 4
Failed:    0
------------
Total:     4
uadoop3:
----------
          ID: kora
    Function: user.absent
      Result: True
     Comment: Removed user kora
     Changes:
              ----------
              kora:
                  removed
              kora group:
                  removed
----------
          ID: test1
    Function: group.absent
      Result: True
     Comment: Removed group test1
     Changes:
              ----------
              test1:
----------
          ID: test2
    Function: group.absent
      Result: True
     Comment: Removed group test2
     Changes:
              ----------
              test2:
----------
          ID: test3
    Function: group.absent
      Result: True
     Comment: Removed group test3
     Changes:
              ----------
              test3:

Summary
------------
Succeeded: 4
Failed:    0
------------
Total:     4
OK, deleted. If you run a cluster of 100 nodes, managing it this way feels very good. Finally, let's look at changing passwords in bulk.
## First generate the new hash. -1 selects MD5-based crypt, which is weak (see the note on users.sls above);
## SHA-512 crypt via `openssl passwd -6` on OpenSSL 1.1.1 or newer is preferable. Without -salt, openssl picks a random salt
[root@hadoop0 salt]# openssl passwd -1
Password:
Verifying - Password:
$1$KW9LqU15$WxpkIidau.CgHS0LydxjV1
## The state file that sets the password, user/passwd.sls
[root@hadoop0 salt]# cat user/passwd.sls
{% set users = ['kadefor','kade','foway'] %}
{% for user in users %}
{{ user }}:
  user.present:
    - password: '$1$KW9LqU15$WxpkIidau.CgHS0LydxjV1'   ## one hash for all three users, so they share a password; note that user.present creates any listed user that does not exist yet, with default settings
{% endfor %}
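Both hashes in this post are MD5-crypt, the first one salted with the username, and the batch states and passwd.sls above hand several accounts the same hash. As an added example (not part of the original post, and not Salt code), the following Python audits the `password:` values in a rendered users.sls or passwd.sls before it is pushed to minions: it classifies the crypt(3) prefix, and flags MD5-crypt, a salt equal to the state ID, a value that is not a hash at all, and a hash shared by more than one user. SAMPLE_SLS is constructed for the example; its `$6$` value is a made-up string of the right shape, not a real hash, and MIN_RANK is the example's own policy threshold.

```python
"""
Audit the password hashes a Salt users.sls / passwd.sls would push to minions.
Added example; it does not call Salt and only inspects the crypt(3)-style
strings that `openssl passwd` produces and user.present accepts.
"""
import re

# crypt(3) identifiers with a coarse strength rank (higher is better).
# $1$ (MD5-crypt) is what `openssl passwd -1` emits and is far too cheap to
# brute-force today; $6$, bcrypt and yescrypt are acceptable.
HASH_ALGOS = {
    "1": ("md5crypt", 0),
    "5": ("sha256crypt", 2),
    "6": ("sha512crypt", 3),
    "2a": ("bcrypt", 3),
    "2b": ("bcrypt", 3),
    "y": ("yescrypt", 4),
}
MIN_RANK = 3  # policy threshold for this example

CRYPT_RE = re.compile(r"^\$(?P<id>[a-z0-9]+)\$(?P<rest>.+)$")
# `- password: '<value>'` as written in the state files; quotes optional.
PASSWORD_RE = re.compile(r"""^\s*-\s*password:\s*['"]?(?P<value>[^'"\s]+)['"]?\s*(#.*)?$""")
# Top-level (column 0) state IDs; nested keys such as `  user.present:` are indented.
STATE_ID_RE = re.compile(r"^(?P<id>[A-Za-z_][\w.-]*):\s*$")


def parse_crypt(value):
    """Return (algorithm, salt, rank) for a crypt(3) string, or None if it is not one."""
    m = CRYPT_RE.match(value)
    if not m or m.group("id") not in HASH_ALGOS:
        return None
    ident, rest = m.group("id"), m.group("rest")
    algo, rank = HASH_ALGOS[ident]
    if ident in ("2a", "2b"):
        # $2b$<cost>$<22-char salt><31-char digest>
        _cost, _, payload = rest.partition("$")
        salt = payload[:22]
    elif ident == "y":
        # $y$<params>$<salt>$<digest>
        _params, _, tail = rest.partition("$")
        salt, _, _digest = tail.partition("$")
    else:
        # $1$ / $5$ / $6$ [rounds=N$] <salt>$<digest>
        if rest.startswith("rounds="):
            _rounds, _, rest = rest.partition("$")
        salt, _, _digest = rest.partition("$")
    return algo, salt, rank


def audit_sls(text):
    """Map each state ID that sets a password to its findings ([] when clean)."""
    findings = {}
    seen = {}  # hash value -> state IDs that use it
    current_id = None
    for line in text.splitlines():
        m_id = STATE_ID_RE.match(line)
        if m_id:
            current_id = m_id.group("id")
            continue
        m_pw = PASSWORD_RE.match(line)
        if not m_pw or current_id is None:
            continue
        value = m_pw.group("value")
        issues = findings.setdefault(current_id, [])
        parsed = parse_crypt(value)
        if parsed is None:
            issues.append("not a crypt(3) hash (plaintext or unsupported format)")
            continue
        algo, salt, rank = parsed
        if rank < MIN_RANK:
            issues.append(f"weak algorithm {algo}; use sha512crypt, bcrypt or yescrypt")
        if salt == current_id:
            issues.append("salt equals the username (predictable salt)")
        seen.setdefault(value, []).append(current_id)
    for value, ids in seen.items():
        if len(ids) > 1:
            for state_id in ids:
                findings[state_id].append(
                    f"hash shared with {len(ids) - 1} other user(s): identical password")
    return findings


# Constructed state text mirroring the post's files; the $6$ value is a
# made-up string of the right shape, not a real hash.
SAMPLE_SLS = """\
kora:
  user.present:
    - fullname: Lee kora
    - password: '$1$kora$yvxo92.VN.A5shLLA/3701'
    - shell: /bin/bash
kade:
  user.present:
    - password: '$1$kora$yvxo92.VN.A5shLLA/3701'
foway:
  user.present:
    - password: '$6$Qm3z7x1aR9wLcHty$c0nStRuCtEdDiGeSt0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01'
ops:
  user.present:
    - password: hunter2
"""

if __name__ == "__main__":
    for state_id, issues in audit_sls(SAMPLE_SLS).items():
        print(state_id, issues or "ok")
```

The checker works on plain YAML, so Jinja-templated files such as the batch states above need to be rendered before auditing. On SAMPLE_SLS it flags kora for MD5-crypt and the username salt, kora and kade for sharing one hash, ops for a plaintext value, and leaves foway clean.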
## Add the corresponding entry to top.sls (listing users, del and passwd together means a full highstate would apply all three in one run; the post only ever runs them individually with state.sls)
[root@hadoop0 salt]# cat top.sls
base:
  group1:
    - match: nodegroup
    - user.users
    - user.del
    - user.passwd
  group2:
    - match: nodegroup
    - user.users
    - user.del
    - user.passwd
## Run it
[root@hadoop0 salt]# salt -N group1 state.sls user.passwd
uadoop2:
----------
          ID: kadefor
    Function: user.present
      Result: True
     Comment: Updated user kadefor
     Changes:
              ----------
              passwd:
                  $1$KW9LqU15$WxpkIidau.CgHS0LydxjV1
----------
          ID: kade
    Function: user.present
      Result: True
     Comment: Updated user kade
     Changes:
              ----------
              passwd:
                  $1$KW9LqU15$WxpkIidau.CgHS0LydxjV1
----------
          ID: foway
    Function: user.present
      Result: True
     Comment: Updated user foway
     Changes:
              ----------
              passwd:
                  $1$KW9LqU15$WxpkIidau.CgHS0LydxjV1

Summary
------------
Succeeded: 3
Failed:    0
------------
Total:     3
uadoop3:
----------
          ID: kadefor
    Function: user.present
      Result: True
     Comment: Updated user kadefor
     Changes:
              ----------
              passwd:
                  $1$KW9LqU15$WxpkIidau.CgHS0LydxjV1
----------
          ID: kade
    Function: user.present
      Result: True
     Comment: Updated user kade
     Changes:
              ----------
              passwd:
                  $1$KW9LqU15$WxpkIidau.CgHS0LydxjV1
----------
          ID: foway
    Function: user.present
      Result: True
     Comment: Updated user foway
     Changes:
              ----------
              passwd:
                  $1$KW9LqU15$WxpkIidau.CgHS0LydxjV1

Summary
------------
Succeeded: 3
Failed:    0
------------
Total:     3
The password change succeeded, and switching to the users to log in works as well. Salt makes centralized user management flexible and powerful: you can control user creation, deletion and password changes across as many nodes as you like, create several users at once, create several groups for one user, and delete users and groups in bulk. With SaltStack, centralized user management for a cluster starts to feel effortless. Enjoy.
Reposted from: https://blog.51cto.com/quenlang/1577122