In day-to-day operations you inevitably have to create specific users to run specific applications, so user management is something every SA has to deal with. Here we look at how to manage users centrally with SaltStack. First, the environment:
hadoop0.updb.com 192.168.0.100 OS:CentOS 6.5 Role:master
uadoop1.updb.com 192.168.0.201 OS:Ubuntu Role:minion
uadoop2.updb.com 192.168.0.202 OS:CentOS 6.5 Role:minion
uadoop3.updb.com 192.168.0.203 OS:CentOS 6.5 Role:minion
The previous post gave a brief introduction to nodegroups; here we build on node groups to introduce centralized user management. The goal is to use state configuration on the master to create a user named kora on the three minions, as follows:
```
## First, the node group definitions
[root@hadoop0 salt]# cat /etc/salt/master.d/group.conf
nodegroups:
  group1: 'L@uadoop2,uadoop3'
  group2: 'G@os:Ubuntu'

## With the configuration in place, /srv/salt/ looks like this
[root@hadoop0 salt]# tree -f
.
├── ./top.sls
└── ./user
    └── ./user/users.sls

## top.sls
[root@hadoop0 salt]# cat top.sls
base:
  group1:
    - match: nodegroup
    - user.users          ## references users.sls in the user directory
  group2:
    - match: nodegroup
    - user.users          ## references users.sls in the user directory

## users.sls
[root@hadoop0 salt]# cat user/users.sls
kora:
  user.present:                  ## required: this is the state that creates the user
    - fullname: Lee kora         ## the user's full name
    - password: '$1$kora$yvxo92.VN.A5shLLA/3701'   ## password hash for the user
    - shell: /bin/bash           ## login shell
    - home: /home/kora           ## home directory
    - uid: 1100                  ## UID
    - gid_from_name: true        ## give the user a default group whose GID matches the UID
## gid_from_name: true means the user gets a primary group with the same GID as its UID, equivalent to useradd -u 500 kora
## The password hash was generated like this:
## [root@hadoop0 salt]# openssl passwd -1 -salt 'kora'
## Password:
## $1$kora$yvxo92.VN.A5shLLA/3701

## Apply the state remotely; state.sls runs a single state file, here only users.sls
[root@hadoop0 salt]# salt -N group2 state.sls user.users
uadoop1:
----------
          ID: kora
    ..... (output omitted) .....
              gid: 1100
              groups:
                  - kora
              home: /home/kora
    ..... (output omitted) .....
              uid: 1100

Summary
------------
Succeeded: 1
Failed:    0
------------
Total:     1

## Success. Verify on uadoop1: the user exists and its GID equals its UID
uadoop1@uadoop1:~$ id kora
uid=1100(kora) gid=1100(kora) 组=1100(kora)
```
Simple, right? Above we created a user kora whose GID equals its UID. Now the question: what if I want kora to use a specified group rather than the default one? See below.
```
## Give the user a specific group instead of the default one; the only difference from above is in users.sls
[root@hadoop0 salt]# cat user/users.sls
kora:
  user.present:
    - fullname: Lee kora
    - password: '$1$kora$yvxo92.VN.A5shLLA/3701'
    - shell: /bin/bash
    - home: /home/kora
    - gid: 1200                ## primary GID 1200
    - groups:                  ## the group with that GID is named test
      - test
    - require:
      - group: test            ## the test group must be created before the kora user
  group.present:               ## create the test group
    - gid: 1200                ## GID
    - name: test               ## group name

## Apply remotely
[root@hadoop0 salt]# salt -N group1 state.sls user.users
uadoop3:
----------
          ID: kora
    ..... (output omitted) .....
     Comment: Changed gid to 1200 for group test
     Changes:
              ----------
              test: 1200
----------
          ID: kora
    ..... (output omitted) .....
              gid: 1200
              groups:
                  - test
              home: /home/kora
    ..... (output omitted) .....
              uid: 500

Summary
------------
Succeeded: 2
Failed:    0
------------
Total:     2
uadoop2:
----------
          ID: kora
    ..... (output omitted) .....
     Comment: Changed gid to 1200 for group test
     Changes:
              ----------
              test: 1200
----------
          ID: kora
    ..... (output omitted) .....
              gid: 1200
              groups:
                  - test
              home: /home/kora
    ..... (output omitted) .....
              uid: 500

Summary
------------
Succeeded: 2
Failed:    0
------------
Total:     2

## Success; verify on uadoop2 and uadoop3
[root@uadoop2 ~]# id kora
uid=500(kora) gid=1200(test) groups=1200(test)
[root@uadoop3 ~]# id kora
uid=500(kora) gid=1200(test) groups=1200(test)
```
OK, wonderful! But appetite grows with eating: sometimes I need a default primary group and, at the same time, a supplementary group, like this:
```
## users.sls
[root@hadoop0 salt]# cat user/users.sls
kora:
  user.present:
    - fullname: Lee kora
    - password: '$1$kora$yvxo92.VN.A5shLLA/3701'
    - shell: /bin/bash
    - home: /home/kora
    - uid: 1100
    - groups:
      - test
    - require:
      - group: test
  group.present:
    - gid: 1200
    - name: test

## Result
[root@hadoop0 salt]# salt -N group1 state.sls user.users
uadoop2:
----------
          ID: kora
    ..... (output omitted) .....
              gid: 1200
              members:
              name: test
              passwd: x
----------
          ID: kora
    ..... (output omitted) .....
              gid: 1100
              groups:
                  - kora
                  - test
              home: /home/kora
    ..... (output omitted) .....
              uid: 1100

Summary
------------
Succeeded: 2
Failed:    0
------------
Total:     2
uadoop3:
----------
          ID: kora
    ..... (output omitted) .....
              gid: 1200
              members:
              name: test
              passwd: x
----------
          ID: kora
    ..... (output omitted) .....
              gid: 1100
              groups:
                  - kora
                  - test
              home: /home/kora
    ..... (output omitted) .....
              uid: 1100

Summary
------------
Succeeded: 2
Failed:    0
------------
Total:     2

## Verify on uadoop2 and uadoop3
[root@uadoop2 ~]# id kora
uid=1100(kora) gid=1100(kora) groups=1100(kora),1200(test)
[root@uadoop3 ~]# id kora
uid=1100(kora) gid=1100(kora) groups=1100(kora),1200(test)
```
Having covered adding users, let's look at how to delete the kora user we just created, which belongs to two groups:
```
## First, the structure of /srv/salt/
[root@hadoop0 salt]# tree -f
.
├── ./top.sls
└── ./user
    ├── ./user/del.sls
    └── ./user/users.sls

## top.sls
[root@hadoop0 salt]# cat top.sls
base:
  group1:
    - match: nodegroup
    - user.users
    - user.del          ## references user/del.sls
  group2:
    - match: nodegroup
    - user.users
    - user.del          ## references user/del.sls

## del.sls
[root@hadoop0 salt]# cat user/del.sls
kora:
  group.absent:             ## remove the group
    - name: test            ## group name test
    - require:
      - user: kora          ## the user must be removed before its group is removed
  user.absent:              ## remove the user
    - name: kora            ## user name kora
    - purge: True           ## remove the home directory too
    - force: True           ## remove the user even if it is currently logged in

## Run the deletion
[root@hadoop0 salt]# salt -N group1 state.sls user.del
uadoop3:
----------
          ID: kora
    Function: user.absent
      Result: True
     Comment: Removed user kora
     Changes:
              ----------
              kora:               ## the kora user and its default group go first
                  removed
              kora group:
                  removed
----------
          ID: kora
    Function: group.absent
        Name: test
      Result: True
     Comment: Removed group test   ## then the test group
     Changes:
              ----------
              test:

Summary
------------
Succeeded: 2
Failed:    0
------------
Total:     2
uadoop2:
----------
          ID: kora
    Function: user.absent
      Result: True
     Comment: Removed user kora
     Changes:
              ----------
              kora:               ## the kora user and its default group go first
                  removed
              kora group:
                  removed
----------
          ID: kora
    Function: group.absent
        Name: test
      Result: True
     Comment: Removed group test   ## then the test group
     Changes:
              ----------
              test:

Summary
------------
Succeeded: 2
Failed:    0
------------
Total:     2

## Afterwards, verify on uadoop2 and uadoop3
[root@uadoop2 ~]# id kora
id: kora: No such user
[root@uadoop2 ~]# groupdel test
groupdel: group 'test' does not exist
[root@uadoop2 ~]# groupdel kora
groupdel: group 'kora' does not exist
[root@uadoop3 ~]# id kora
id: kora: No such user
[root@uadoop3 ~]# groupdel test
groupdel: group 'test' does not exist
[root@uadoop3 ~]# groupdel kora
groupdel: group 'kora' does not exist
```
OK, deleted successfully! Suppose creating one user at a time no longer meets your needs and you have to create a batch of users in one go. How? Read on.
```
## Change user/users.sls to the following
[root@hadoop0 salt]# cat user/users.sls
{% set users = ['kadefor','kade','foway'] %}   ## declare a list of users
{% for user in users %}                        ## iterate over the list
{{ user }}:
  user.present:
    - shell: /bin/bash
    - password: '$1$kora$yvxo92.VN.A5shLLA/3701'
    - home: /home/{{ user }}
    - gid: 1200
    - groups:
      - test
    - require:
      - group: test
  group.present:
    - gid: 1200
    - name: test
{% endfor %}                                   ## the loop body creates each user

## Run it
[root@hadoop0 salt]# salt -N group1 state.sls user.users
uadoop2:
----------
          ID: kadefor
    Function: group.present
        Name: test
      Result: True
     Comment: Added group test
     Changes:
              ----------
              gid: 1200
              members:
              name: test
              passwd: x
----------
          ID: kade
    ..... (output omitted) .....
----------
          ID: foway
    ..... (output omitted) .....
----------
          ID: kadefor
    ..... (output omitted) .....
              gid: 1200
              groups:
                  - test
              home: /home/kadefor
    ..... (output omitted) .....
              uid: 500
----------
          ID: kade
    ..... (output omitted) .....
              gid: 1200
              groups:
                  - test
              home: /home/kade
    ..... (output omitted) .....
              uid: 501
----------
          ID: foway
    ..... (output omitted) .....
              gid: 1200
              groups:
                  - test
              home: /home/foway
    ..... (output omitted) .....
              uid: 502

Summary
------------
Succeeded: 6
Failed:    0
------------
Total:     6
uadoop3:
----------
          ID: kadefor
    Function: group.present
        Name: test
      Result: True
     Comment: Added group test
     Changes:
              ----------
              gid: 1200
              members:
              name: test
              passwd: x
----------
          ID: kade
    ..... (output omitted) .....
----------
          ID: foway
    ..... (output omitted) .....
----------
          ID: kadefor
    ..... (output omitted) .....
              gid: 1200
              groups:
                  - test
              home: /home/kadefor
    ..... (output omitted) .....
              uid: 500
----------
          ID: kade
    ..... (output omitted) .....
              gid: 1200
              groups:
                  - test
              home: /home/kade
    ..... (output omitted) .....
              uid: 501
----------
          ID: foway
    ..... (output omitted) .....
              gid: 1200
              groups:
                  - test
              home: /home/foway
    ..... (output omitted) .....
              uid: 502

Summary
------------
Succeeded: 6
Failed:    0
------------
Total:     6

## Verify on uadoop2 and uadoop3
[root@uadoop2 ~]# id kade
uid=501(kade) gid=1200(test) groups=1200(test)
[root@uadoop2 ~]# id kadefor
uid=500(kadefor) gid=1200(test) groups=1200(test)
[root@uadoop2 ~]# id foway
uid=502(foway) gid=1200(test) groups=1200(test)
[root@uadoop3 ~]# id kade
uid=501(kade) gid=1200(test) groups=1200(test)
[root@uadoop3 ~]# id kadefor
uid=500(kadefor) gid=1200(test) groups=1200(test)
[root@uadoop3 ~]# id foway
uid=502(foway) gid=1200(test) groups=1200(test)
```
Batch user creation succeeded, and the whole process is quite simple. What about deleting users in batch? See below.
```
## Change user/del.sls to the following
[root@hadoop0 salt]# cat user/del.sls
{% set users = ['kadefor','kade','foway'] %}   ## declare a list of users
{% for user in users %}                        ## remove each user in turn
{{ user }}:
  user.absent:
    - name: {{ user }}
    - purge: True
    - force: True
{% endfor %}
  group.absent:       ## remove the group once the users are gone; being indented after the loop it attaches to the last rendered ID (foway), as the output below shows
    - name: test

## Run it
[root@hadoop0 salt]# salt -N group1 state.sls user.del
uadoop2:
----------
          ID: kadefor
    Function: user.absent
      Result: True
     Comment: Removed user kadefor
     Changes:
              ----------
              kadefor:
                  removed
----------
          ID: kade
    Function: user.absent
      Result: True
     Comment: Removed user kade
     Changes:
              ----------
              kade:
                  removed
----------
          ID: foway
    Function: user.absent
      Result: True
     Comment: Removed user foway
     Changes:
              ----------
              foway:
                  removed
----------
          ID: foway
    Function: group.absent
        Name: test
      Result: True
     Comment: Removed group test
     Changes:
              ----------

Summary
------------
Succeeded: 4
Failed:    0
------------
Total:     4
uadoop3:
----------
          ID: kadefor
    Function: user.absent
      Result: True
     Comment: Removed user kadefor
     Changes:
              ----------
              kadefor:
                  removed
----------
          ID: kade
    Function: user.absent
      Result: True
     Comment: Removed user kade
     Changes:
              ----------
              kade:
                  removed
----------
          ID: foway
    Function: user.absent
      Result: True
     Comment: Removed user foway
     Changes:
              ----------
              foway:
                  removed
----------
          ID: foway
    Function: group.absent
        Name: test
      Result: True
     Comment: Removed group test
     Changes:
              ----------

Summary
------------
Succeeded: 4
Failed:    0
------------
Total:     4

## The returned output shows the deletion succeeded
```
Next, let's see how to add several supplementary groups to a user on top of its default primary group; the beginning of the post only showed adding a single supplementary group.
```
## Change user/users.sls to the following
[root@hadoop0 salt]# cat user/users.sls
kora:
  user.present:
    - shell: /bin/bash
    - password: '$1$kora$yvxo92.VN.A5shLLA/3701'
    - home: /home/kora
    - uid: 500
    - groups:            ## list of supplementary groups
      - test1
      - test2
      - test3
    - require:           ## the user is created only after the groups exist
      - group: test1
      - group: test2
      - group: test3
{% set groups = ['test1','test2','test3'] %}   ## declare a list of group names
{% for group in groups %}                      ## create each supplementary group in turn
{{ group }}:
  group.present:
    - name: {{ group }}
{% endfor %}

## Run it
[root@hadoop0 salt]# salt -N group1 state.sls user.users
uadoop3:
----------
          ID: test1
    ..... (output omitted) .....
----------
          ID: test2
    ..... (output omitted) .....
----------
          ID: test3
    ..... (output omitted) .....
----------
          ID: kora
    ..... (output omitted) .....
              gid: 503
              groups:
                  - kora
                  - test1
                  - test2
                  - test3
              home: /home/kora
    ..... (output omitted) .....
              uid: 500

Summary
------------
Succeeded: 4
Failed:    0
------------
Total:     4
uadoop2:
----------
          ID: test1
    ..... (output omitted) .....
----------
          ID: test2
    ..... (output omitted) .....
----------
          ID: test3
    ..... (output omitted) .....
----------
          ID: kora
    ..... (output omitted) .....
              gid: 503
              groups:
                  - kora
                  - test1
                  - test2
                  - test3
              home: /home/kora
    ..... (output omitted) .....
              uid: 500

Summary
------------
Succeeded: 4
Failed:    0
------------
Total:     4

## Success according to the returned output; now check on uadoop2 and uadoop3
[root@uadoop2 ~]# id kora
uid=500(kora) gid=503(kora) groups=503(kora),500(test1),501(test2),502(test3)
[root@uadoop3 ~]# id kora
uid=500(kora) gid=503(kora) groups=503(kora),500(test1),501(test2),502(test3)
```
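The post verifies each state by running `id` on every minion by hand (the primary-plus-supplementary-group case above and the multiple-supplementary-group case just shown). The following is an added example, not code from the post or from SaltStack, that does the same check from `/etc/passwd` and `/etc/group` content and compares an account against the arguments of its `user.present` state; the two sample files are constructed to mirror uadoop2 after the "own primary group plus test" state.

```python
# Added example (not from the post or SaltStack): rebuild the `id` output the
# post checks by hand from /etc/passwd and /etc/group, and compare an account
# with its user.present arguments. Sample files are constructed (uadoop2-like).
PASSWD_SAMPLE = """root:x:0:0:root:/root:/bin/bash
kora:x:1100:1100:Lee kora:/home/kora:/bin/bash
"""
GROUP_SAMPLE = """root:x:0:
kora:x:1100:
test:x:1200:kora
"""

def _rows(text):
    """Colon-split fields of every non-blank, non-comment line."""
    for line in text.splitlines():
        if line and not line.startswith("#"):
            yield line.split(":")

def parse_passwd(text):
    """name -> (uid, gid)."""
    return {r[0]: (int(r[2]), int(r[3])) for r in _rows(text)}

def parse_group(text):
    """name -> (gid, members), kept in file order, which is what `id` prints."""
    return {r[0]: (int(r[2]), [m for m in r[3].split(",") if m]) for r in _rows(text)}

def id_line(user, passwd_text, group_text):
    """Reproduce `id user`: uid, primary group, then supplementary groups."""
    users, groups = parse_passwd(passwd_text), parse_group(group_text)
    if user not in users:
        return f"id: {user}: No such user"
    uid, gid = users[user]
    name_of = {g: n for n, (g, _) in groups.items()}
    parts = [f"{gid}({name_of.get(gid, '?')})"]
    parts += [f"{g}({n})" for n, (g, m) in groups.items() if user in m and g != gid]
    return f"uid={uid}({user}) gid={parts[0]} groups={','.join(parts)}"

def check_state(user, args, passwd_text, group_text):
    """Mismatches between the account and user.present args; [] means converged."""
    users, groups = parse_passwd(passwd_text), parse_group(group_text)
    if user not in users:
        return [f"user {user} missing"]
    uid, gid = users[user]
    want_gid = uid if args.get("gid_from_name") else args.get("gid")
    bad = []
    if args.get("uid") is not None and uid != args["uid"]:
        bad.append(f"uid {uid} != {args['uid']}")
    if want_gid is not None and gid != want_gid:
        bad.append(f"gid {gid} != {want_gid}")
    for g in args.get("groups", []):  # primary membership is implicit, not listed
        if g not in groups or (user not in groups[g][1] and groups[g][0] != gid):
            bad.append(f"not a member of group {g}")
    return bad
```

On a real minion, read the two files instead of the constructed samples; the `args` dict is the same key/value pairs as the `user.present` list in users.sls.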
Ha, perfect. Now let's try deleting a user that belongs to multiple groups:
```
## Change user/del.sls to the following
[root@hadoop0 salt]# cat user/del.sls
kora:
  user.absent:
    - name: kora
    - purge: True
    - force: True
{% set groups = ['test1','test2','test3'] %}   ## declare the list of groups to remove
{% for group in groups %}                      ## remove each group in turn
{{ group }}:
  group.absent:
    - name: {{ group }}
    - require:           ## the user must be removed before the groups are removed
      - user: kora
{% endfor %}

## Run it
[root@hadoop0 salt]# salt -N group1 state.sls user.del
uadoop2:
----------
          ID: kora
    Function: user.absent
      Result: True
     Comment: Removed user kora
     Changes:
              ----------
              kora:
                  removed
              kora group:
                  removed
----------
          ID: test1
    Function: group.absent
      Result: True
     Comment: Removed group test1
     Changes:
              ----------
              test1:
----------
          ID: test2
    Function: group.absent
      Result: True
     Comment: Removed group test2
     Changes:
              ----------
              test2:
----------
          ID: test3
    Function: group.absent
      Result: True
     Comment: Removed group test3
     Changes:
              ----------
              test3:

Summary
------------
Succeeded: 4
Failed:    0
------------
Total:     4
uadoop3:
----------
          ID: kora
    Function: user.absent
      Result: True
     Comment: Removed user kora
     Changes:
              ----------
              kora:
                  removed
              kora group:
                  removed
----------
          ID: test1
    Function: group.absent
      Result: True
     Comment: Removed group test1
     Changes:
              ----------
              test1:
----------
          ID: test2
    Function: group.absent
      Result: True
     Comment: Removed group test2
     Changes:
              ----------
              test2:
----------
          ID: test3
    Function: group.absent
      Result: True
     Comment: Removed group test3
     Changes:
              ----------
              test3:

Summary
------------
Succeeded: 4
Failed:    0
------------
Total:     4
```
OK, deleted. If you have a cluster of 100 nodes, doing it this way feels great. Finally, let's look at how to change user passwords in batch.
```
## First generate the new password hash; the -1 option selects MD5-crypt
[root@hadoop0 salt]# openssl passwd -1
Password:
Verifying - Password:
$1$KW9LqU15$WxpkIidau.CgHS0LydxjV1

## Create the state file for the password change, user/passwd.sls
[root@hadoop0 salt]# cat user/passwd.sls
{% set users = ['kadefor','kade','foway'] %}
{% for user in users %}
{{ user }}:
  user.present:
    - password: '$1$KW9LqU15$WxpkIidau.CgHS0LydxjV1'
{% endfor %}

## Add the reference to top.sls
[root@hadoop0 salt]# cat top.sls
base:
  group1:
    - match: nodegroup
    - user.users
    - user.del
    - user.passwd
  group2:
    - match: nodegroup
    - user.users
    - user.del
    - user.passwd

## Run it
[root@hadoop0 salt]# salt -N group1 state.sls user.passwd
uadoop2:
----------
          ID: kadefor
    Function: user.present
      Result: True
     Comment: Updated user kadefor
     Changes:
              ----------
              passwd: $1$KW9LqU15$WxpkIidau.CgHS0LydxjV1
----------
          ID: kade
    Function: user.present
      Result: True
     Comment: Updated user kade
     Changes:
              ----------
              passwd: $1$KW9LqU15$WxpkIidau.CgHS0LydxjV1
----------
          ID: foway
    Function: user.present
      Result: True
     Comment: Updated user foway
     Changes:
              ----------
              passwd: $1$KW9LqU15$WxpkIidau.CgHS0LydxjV1

Summary
------------
Succeeded: 3
Failed:    0
------------
Total:     3
uadoop3:
----------
          ID: kadefor
    Function: user.present
      Result: True
     Comment: Updated user kadefor
     Changes:
              ----------
              passwd: $1$KW9LqU15$WxpkIidau.CgHS0LydxjV1
----------
          ID: kade
    Function: user.present
      Result: True
     Comment: Updated user kade
     Changes:
              ----------
              passwd: $1$KW9LqU15$WxpkIidau.CgHS0LydxjV1
----------
          ID: foway
    Function: user.present
      Result: True
     Comment: Updated user foway
     Changes:
              ----------
              passwd: $1$KW9LqU15$WxpkIidau.CgHS0LydxjV1

Summary
------------
Succeeded: 3
Failed:    0
------------
Total:     3
```
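Every `password:` value in the post is an MD5-crypt (`$1$`) hash, one of them with the fixed salt `kora`, and the looped state files give several accounts the same hash, i.e. the same password, committed in plain sight in the state tree. As an added example (not from the post or from SaltStack), the following lint reads an SLS file before it is applied and reports those conditions, skipping values pulled from pillar, which is where a hash belongs; the sample SLS is constructed after the post's batch users.sls plus two extra accounts.

```python
# Added example (not from the post or SaltStack): audit password: values in an
# SLS/Jinja file before applying it. Flags plaintext, MD5-crypt ($1$), a hash
# reused for several accounts, and a hash inside a {% for %} loop.
import re
from collections import Counter

PASSWORD_RE = re.compile(r"^\s*-\s*password:\s*['\"]?([^'\"\s#]+)")
CRYPT_IDS = {"1": "md5-crypt", "5": "sha256-crypt", "6": "sha512-crypt",
             "y": "yescrypt", "2b": "bcrypt"}
WEAK = {"md5-crypt"}

# Constructed sample: the post's batch users.sls plus two extra accounts.
SAMPLE_SLS = """{% set users = ['kadefor','kade','foway'] %}
{% for user in users %}
{{ user }}:
  user.present:
    - shell: /bin/bash
    - password: '$1$kora$yvxo92.VN.A5shLLA/3701'
    - home: /home/{{ user }}
{% endfor %}
opsadmin:
  user.present:
    - password: hunter2   # constructed plaintext value
auditor:
  user.present:
    - password: {{ pillar['users']['auditor']['hash'] }}
"""

def classify(value):
    """crypt(3) scheme name of a $id$salt$hash string, or 'plaintext'."""
    if not value.startswith("$"):
        return "plaintext"
    scheme = value.split("$")[1]
    return CRYPT_IDS.get(scheme, f"unknown(${scheme}$)")

def audit(sls_text):
    """Scan an SLS file; returns (line_no, finding) tuples, line 0 = whole file."""
    findings, seen, in_loop = [], Counter(), False
    for no, line in enumerate(sls_text.splitlines(), 1):
        in_loop = True if "{% for" in line else (False if "{% endfor" in line else in_loop)
        m = PASSWORD_RE.match(line)
        if not m or m.group(1).startswith("{{"):   # pillar/template reference: fine
            continue
        value, scheme = m.group(1), classify(m.group(1))
        if scheme == "plaintext":
            findings.append((no, "plaintext password, use a crypt(3) hash"))
        elif scheme in WEAK:
            findings.append((no, f"{scheme} hash, prefer sha512-crypt or yescrypt"))
        if in_loop:
            findings.append((no, "hash inside a for loop: every looped account shares this password"))
        seen[value] += 1
    findings += [(0, f"hash {v} used {n} times") for v, n in seen.items() if n > 1]
    return findings
```

Run `audit(open("user/users.sls").read())` on the master before `state.sls`; an empty list means nothing was flagged.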
The password change succeeded, and switching to the user and logging in also works. Salt is clearly a flexible and powerful way to manage users centrally: you can handle user creation, deletion and password changes on as many nodes as you like, create a batch of users at once, create several groups for one user, and delete users and their groups in batch. With SaltStack, centralized user management for a cluster feels effortless. Now it's your enjoy time.