Creating multiple users in chef using Chef Vault

I have the following user credentials in my chef vault:

$ knife vault show testusers
user1
user2
user3

The content of each individual user looks like this:

knife vault show testusers user1
comment:  user one
id:       user1
password: secretp@ss
shell:    /bin/bash

I am trying to write a recipe that will loop through my testusers vault and create users based on each vault item's ID. That way I can easily update the testusers vault with new users and rerun the recipe in order to add users in the future.

Here is a copy of the recipe I have created thus far, but it isn't working:

chef_gem 'chef-vault' do
  compile_time true if respond_to?(:compile_time)
end

require 'chef-vault'

if node['testcookbook']['testusers'] == true then
  users = data_bag(node['testcookbook']['testusers'])
  users.each do |id|
    user = ChefVault::Item.load(node["testcookbook","testusers"], id)
    testusers user['id'] do
      comment user['comment']
      shell user['shell']
      password user['password']
    end
  end
end

Can someone please tell me what I am doing wrong here? Everything seems to look fine based on the extensive research I have done.

Edit 编辑

I tried your solution and got the following error message:

Chef::Exceptions::InvalidDataBagName

------------------------------------

DataBags must have a name matching /^[\.\-[:alnum:]_]+$/, you gave ""

chef_gem 'chef-vault' do
  compile_time true if respond_to?(:compile_time)
end
require 'chef-vault'

users = data_bag(node['testcookbook']['testusers']).delete_if {|x| x.include? "_keys" }
users.each do |id|
  user = ChefVault::Item.load(node["testcookbook","testusers"], id)
  testcookbook testusers['id'] do
    comment testusers['comment']
    uid testusers['uid']
    shell testusers['shell']
    password testusers['password']
  end
end

[2016-08-22T19:24:58-04:00] FATAL: Stacktrace dumped to /var/chef/cache/chef-stacktrace.out
[2016-08-22T19:24:58-04:00] FATAL: Please provide the contents of the stacktrace.out file if you file a bug report
[2016-08-22T19:24:58-04:00] ERROR: DataBags must have a name matching /^[\.\-[:alnum:]_]+$/, you gave ""
[2016-08-22T19:24:58-04:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)

You haven't given details of what is not working. I suspect Priya is correct that your issue is that you should be reading using the vault API rather than looping through the data bag.

I also notice you haven't considered how users would be deleted...


Have you considered using SSH key-based authentication instead of passwords? In my opinion this would be a far superior way to manage users, since it avoids the need to share a password with a system administrator. An SSH public key is designed to be shareable, with the private key remaining known only to the user.

I mention this because the community users cookbook is designed to implement your desired workflow, with each user record stored in a data bag. An example of its use is given here:

IMHO, doing a simple data bag call on a vault will list the encryption keys as well, which might result in failure. For example:

My vault has only one item, named "root":

$knife vault show mrigesh
root

And accessing the vault in the recipe will return an array, with the vault item and its keys as separate elements:

users = data_bag("mrigesh")
puts users
root
root_keys

Hence, iterating over this result will try to look up a vault item named "root_keys", which is not there, resulting in failure.

To solve this, you can do something like:

node.default['testcookbook']['testusers'] = "testusers"
users = data_bag(node['testcookbook']['testusers']).delete_if {|x| x.include? "_keys" }
users.each do |id|
  user = ChefVault::Item.load(node['testcookbook']['testusers'], id)
  testusers user['id'] do
    comment user['comment']
    shell user['shell']
    password user['password']
  end
end
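The following is an added example, not code from the question or from either answer, and it needs no Chef server: it is plain Ruby that reproduces the array `data_bag('testusers')` returns for a chef-vault bag and shows the two checks a recipe should make before feeding vault items into Chef's built-in `user` resource. First, a chef-vault item `x` is always stored as two data bag items, `x` (the encrypted payload) and `x_keys` (the shared secret wrapped for each authorised client), so the item list is derived by pairing ids with their `_keys` sidecar rather than by substring matching on `"_keys"`, which would also drop a legitimate item whose name merely contains that string and would silently pass through an unencrypted item sitting in the same bag. Second, on Linux the `user` resource's `password` property is written as the shadow hash, so a plaintext value such as `secretp@ss` in the vault would not produce a usable password. The listing, the decrypted items and the `$6$` hash below are constructed stand-ins for what `data_bag` and `ChefVault::Item.load` return; `partition_vault_items`, `shadow_hash?`, `user_properties` and `planned_users` are hypothetical helper names chosen for this example.

```ruby
# Added example: pure Ruby model of the chef-vault data bag layout. Not part of
# the question, the answers, or the chef-vault gem itself.
require 'set'

KEYS_SUFFIX = '_keys'.freeze

# Constructed stand-in for the array Chef's data_bag('testusers') returns.
# "legacy" is a plain, unencrypted data bag item that ended up in the same bag.
DATA_BAG_LISTING = %w[user1 user1_keys user2 user2_keys user3 user3_keys legacy].freeze

# Constructed stand-in for ChefVault::Item.load(bag, id) results. The $6$ values
# are fake crypt(3)-shaped strings, not real password hashes.
DECRYPTED_ITEMS = {
  'user1' => { 'id' => 'user1', 'comment' => 'user one', 'shell' => '/bin/bash',
               'password' => '$6$saltsalt$fakehashvalueforexampleonly1' },
  'user2' => { 'id' => 'user2', 'comment' => 'user two', 'shell' => '/bin/bash',
               'uid' => 2002, 'password' => '$6$saltsalt$fakehashvalueforexampleonly2' },
  'user3' => { 'id' => 'user3', 'comment' => 'user three', 'shell' => '/bin/sh',
               'password' => '$6$saltsalt$fakehashvalueforexampleonly3' },
}.freeze

# Split a bag listing into real vault items (id with a matching "<id>_keys"
# sidecar) and stray items (anything that is neither a vault item nor a sidecar),
# so the recipe can fail loudly instead of skipping or mis-treating them.
def partition_vault_items(ids)
  names = ids.to_set
  vault_items = []
  stray_items = []
  ids.each do |id|
    # A sidecar is an id ending in _keys whose base item is also present.
    next if id.end_with?(KEYS_SUFFIX) && names.include?(id.delete_suffix(KEYS_SUFFIX))
    if names.include?("#{id}#{KEYS_SUFFIX}")
      vault_items << id
    else
      stray_items << id
    end
  end
  [vault_items, stray_items]
end

# crypt(3) shadow formats: $1$ md5, $5$ sha256, $6$ sha512, $2a/b/y$ bcrypt, $y$ yescrypt.
SHADOW_HASH = /\A\$(1|5|6|2[aby]?|y)\$\S+\z/.freeze

def shadow_hash?(value)
  !!(value =~ SHADOW_HASH)
end

# Build the properties a `user` resource would be given from a decrypted item.
# Raises on a missing id or a plaintext password rather than converging badly.
def user_properties(item)
  id = item['id'].to_s
  raise ArgumentError, 'vault item has no id' if id.empty?
  unless shadow_hash?(item['password'].to_s)
    raise ArgumentError, "password for #{id} is not a shadow hash; store crypt(3) output in the vault"
  end
  props = { username: id, comment: item['comment'], shell: item['shell'] || '/bin/bash',
            password: item['password'] }
  props[:uid] = item['uid'] if item.key?('uid')
  props
end

# What the recipe would iterate over: one property hash per vault item.
# `listing` stands in for data_bag(bag); `loader` for ChefVault::Item.load.
def planned_users(listing = DATA_BAG_LISTING, loader = DECRYPTED_ITEMS)
  vault_items, stray = partition_vault_items(listing)
  raise "non-vault items in bag: #{stray.join(', ')}" unless stray.empty?
  vault_items.map { |id| user_properties(loader.fetch(id)) }
end

if $PROGRAM_NAME == __FILE__
  begin
    planned_users(DATA_BAG_LISTING)
  rescue RuntimeError => e
    puts "refusing to converge: #{e.message}"
  end
  planned_users(DATA_BAG_LISTING - ['legacy']).each { |u| puts u.inspect }
end
```

In a real recipe the same shape applies: `data_bag(vault_name)` supplies the listing, `ChefVault::Item.load(vault_name, id)` supplies each item, and each returned hash becomes one `user props[:username] do ... end` block. Generate the stored hash once (for example with `openssl passwd -6`) and put that, not the plaintext, into the vault item.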
