User promises are coming

Posted by Mahesh Kumar
October 11, 2013

A while ago, work was started on a new promise type in CFEngine, the “users” promise type. It makes promises about which users are supposed to be present on each host, what login credentials they have, what groups they belong to, and so on. Traditionally this has been something one had to write into the CFEngine policy using system commands, but with this new feature it becomes a much more convenient and robust solution for user management.

The work is not finished, but it’s starting to take shape nicely, and currently all use cases work on the Linux platform. Work is underway to bring support to the commercial Unixes, as well as Windows.

Let’s take a look at what the new promise type looks like. This is a typical promise:

bundle agent mybundle
{
  users:
    "john"
      policy => "present",
      password => johns_password,
      group_primary => "users",
      group_secondary => { "printers", "payroll" },
      description => "John Smith",
      home_dir => "/nfs/home/john",
      home_bundle => new_home_dir("/nfs/home/john");
}

body password johns_password
{
  format => "hash";
  data => "zvSwyQioR9DNI"; # hash of the password "john"
}

I think most attributes here should be self-explanatory to system administrators, but some are worth talking about. For instance, the policy attribute takes one of three possible values, and tells CFEngine whether you want this user to be “present”, “absent” or “locked”.

The password body is also worth mentioning. It has two modes of operation: you can either promise that the user needs a certain plaintext password to log in, or you can (as shown above) promise that a certain password hash is associated with the user. The latter saves you the security risk of having plaintext passwords listed in the policy. Note that there may be differences in what each platform supports here; the details are still being worked out.

Finally, the home_bundle attribute. It takes as its value the name of a bundle that is evaluated when the user is created, and that bundle is expected to fill the user’s home directory with initial config files and setup. After that, the bundle is never executed again for that user, unless the account is deleted and recreated.
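To show how the pieces above fit together, here is an added example policy (not taken from the CFEngine project or the original post) that uses all three policy values, a parameterised password body that keeps only a hash in the policy, and a definition of the new_home_dir bundle that the post references but does not show. The user names, the hash value and the bundle bodies are all constructed for illustration; the `lastnode()` function and the `perms`/`edit_line` constructs are standard CFEngine 3, while the users-promise attributes are taken from the snippet above.

```cfengine
body common control
{
  bundlesequence => { "manage_accounts" };
}

bundle agent manage_accounts
{
  users:
    # Active account. Only the pre-computed hash lives in the policy,
    # so a leaked policy file does not leak the password itself.
    "alice"
      policy          => "present",
      password        => hashed_pw("$1$PLACEHOLDER$notarealhash"),  # placeholder, replace with a real hash
      group_primary   => "users",
      group_secondary => { "payroll" },
      description     => "Alice Example (constructed account)",
      home_dir        => "/nfs/home/alice",
      home_bundle     => new_home_dir("/nfs/home/alice");

    # Departed employee: the account and its files stay for audit
    # purposes, but the login is disabled on every host.
    "bob"
      policy => "locked";

    # Leftover account that must not exist anywhere.
    "guest"
      policy => "absent";
}

# Parameterised version of the "hash" mode shown in the post; the
# plaintext mode mentioned there is deliberately not used here.
body password hashed_pw(hash)
{
  format => "hash";
  data   => "$(hash)";
}

# Runs once, when the account is first created.
# Assumes the last path component of the home directory is the login name.
bundle agent new_home_dir(dir)
{
  vars:
    "owner" string => lastnode("$(dir)", "/");

  files:
    # The directory itself, readable by the owner only.
    "$(dir)/."
      create => "true",
      perms  => owner_only("$(owner)");

    # Seed a minimal profile with a restrictive umask (constructed content).
    "$(dir)/.profile"
      create    => "true",
      edit_line => default_profile,
      perms     => owner_only("$(owner)");

  reports:
    "Seeded home directory $(dir) for $(owner)";
}

body perms owner_only(user)
{
  mode   => "0700";
  owners => { "$(user)" };
}

bundle edit_line default_profile
{
  insert_lines:
    "umask 077";
}
```

The hash goes in a body rather than inline so that the same policy file can be shared or reviewed without exposing credentials, and a "locked" policy is preferred over "absent" for former staff so that file ownership and audit history are preserved while the login is still disabled.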

As I mentioned, this is still a work in progress, but for those of you comfortable with compiling your own version of CFEngine, you can try this feature by checking out the development branch. Clone the git repository and check out the branch with these commands:

$ git clone https://github.com/kacfengine/core.git
$ git checkout -b user-promises origin/user-promises

I assume that if you try this, you are familiar with how to build CFEngine from source code. Also, keep in mind that at the time of writing, only Linux has been tested.

This is a much requested feature, and we hope that it will make configuration management even easier with CFEngine! It will be available in CFEngine version 3.6.0.