Chef delay attribute assignment via data bag

So I have a bit of a pickle. I have an encrypted data bag to store LDAP passwords. In my node run list, one of my recipes installs the secret key onto my client machine. In my problematic cookbook, I have a helper (in /libraries) that pulls data from AD (using LDAP). Problem is, I can't find a way to delay the assignment of my node attribute after the initial compile phase.

Take this line of code as an example:

```ruby
node.override['yp_chefserver']['osAdminUser'] = node['yp_chefserver']['osAdminUser'] + get_sam("#{data_bag_item('yp_chefserver', 'ldap', IO.read('/etc/chef/secret/yp_chefserver'))['ldap_password']}")
```

I'm trying to override an attribute by adding an array returned by my helper function "get_sam", but it needs to run AFTER the compile phase since the file "/etc/chef/secret/yp_chefserver" doesn't exist before the convergence of my run list.

So my question: is there a way to assign node attributes via data_bag_items during the execution phase?

Some things I've tried:

```ruby
ruby_block 'attribution' do
  only_if { File.exist?('/etc/chef/secret/yp_chefserver') }
  block do
    node.override['yp_chefserver']['osAdminUser'] = node['yp_chefserver']['osAdminUser'] + get_sam("#{data_bag_item('yp_chefserver', 'ldap', IO.read('/etc/chef/secret/yp_chefserver'))['ldap_password']}")
    Chef::Log.warn("content of osAdminUser : #{node['yp_chefserver']['osAdminUser']}")
  end
end
```

This doesn't work because the custom resource ruby_block doesn't have the method "data_bag_item". I've tried using lazy attributes in my "chef_server" custom resource, but same problem.

I also tried having the attribution done directly in my helper module, but since the helper module compiles before the exec phase, the file doesn't exist when it assigns the variable.

Here is the helper function in question, should anyone wonder; it pulls the SamAccountName from LDAP to assign admin users to my Chef server:

```ruby
module YpChefserver
  module LDAP

    require 'net-ldap'

    # Memoised LDAP connection, bound with the password from the data bag.
    def get_ldap(ldap_password)
      if @ldap.nil?
        @ldap = Net::LDAP.new :host => "ADSERVER",
                              :port => 389,
                              :auth => {
                                :method => :simple,
                                :username => "CN=USERNAME,OU=East Service Accounts,OU=System Accounts,DC=ad,DC=ypg,DC=com",
                                :password => "#{ldap_password}"
                              }
      end
      @ldap
    end

    # Returns the member DNs of the "DevOps" group.
    def get_ldap_users(ldap_password)
      filter = Net::LDAP::Filter.eq("cn", "DevOps")
      treebase = "dc=ad, dc=ypg, dc=com"
      get_ldap(ldap_password).search(:base => treebase, :filter => filter) do |entry|
        #puts "DN: #{entry.dn}"
        entry.each do |attribute, values|
          return values if attribute == :member
        end
      end
    end

    # Resolves each member DN to its SamAccountName.
    def get_sam(ldap_password)
      samacc = Array.new
      get_ldap_users(ldap_password).entries.each { |elem|
        y = elem.to_s.split(/[,=]/)
        filter = Net::LDAP::Filter.eq("cn", y[1])
        treebase = "OU=Support Users and Groups,OU=CGI Support,DC=ad,DC=ypg,DC=com"
        get_ldap(ldap_password).search(:base => treebase, :filter => filter, :attributes => "SamAccountName") do |entry|
          samacc << entry.samaccountname
        end
      }
      return samacc
    end

  end
end
```

Turns out you can actually call it inside a ruby block, just by using the actual Chef call instead of the resource name, as follows:

```ruby
ruby_block 'attributes' do
  only_if { File.exist?('/etc/chef/secret/yp_chefserver') }
  block do
    # The secret is read at converge time, after the recipe that installs it has run.
    dtbg = Chef::EncryptedDataBagItem.load('yp_chefserver', 'ldap', IO.read('/etc/chef/secret/yp_chefserver'))
  end
end
```

Leaving this here for those who might need it.

EDIT: Here is the final function using the code mentioned above to pull accounts from AD, using encrypted data bags to provide the password and then passing those results to my node attributes, all during the execution phase:

```ruby
ruby_block 'attributes' do
  extend YpChefserver::LDAP
  only_if { File.exist?('/etc/chef/secret/yp_chefserver') }
  block do
    # Chef::Config[:encrypted_data_bag_secret] = '/etc/chef/secret/yp_chefserver'
    dtbg = Chef::EncryptedDataBagItem.load('yp_chefserver', 'ldap')
    # Note: override attributes are saved to the Chef server with the node object at the end of the run.
    node.override['yp_chefserver']['ldap_pw'] = dtbg['ldap_password']
    userarray = Array.new
    userarray.push("#{node['yp_chefserver']['osAdminUser']}")
    get_sam("#{node['yp_chefserver']['ldap_pw']}").each { |i| userarray.push(i[0]) }
    node.override['yp_chefserver']['authorized_users'] = userarray
    node.override['yp_chefserver']['local_admin_pw'] = dtbg['local_admin_pw']
  end
end
```
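The compile-versus-converge problem behind the question, and the shape of the answer, can be shown without a Chef server. The following is an added example, not code from the question or the answer above: a hypothetical `MiniRun` class stands in for Chef's two-phase run (recipe code runs at compile time and only queues resource actions; actions run in order at converge time), `load_encrypted_item` and `get_sam` are constructed stand-ins for `Chef::EncryptedDataBagItem.load` and the poster's LDAP helper, and the secret file, data bag contents and account names are made-up values. It also goes one step past the answer by showing why writing the decrypted password into a node attribute is a bad idea: the node object is saved to the Chef server at the end of the run, so anything placed in it leaves the machine.

```ruby
# Added example (hypothetical MiniRun simulator, not Chef's real classes).
require 'tmpdir'

# Constructed stand-in for an encrypted data bag item: readable only with the
# right secret, like Chef::EncryptedDataBagItem.load with a secret file.
BAG_SECRET = 'constructed-secret-key'
BAG_ITEM   = { 'ldap_password' => 'ldap-pw-example' }.freeze

def load_encrypted_item(secret)
  raise ArgumentError, 'bad data bag secret' unless secret == BAG_SECRET
  BAG_ITEM.dup
end

# Constructed stand-in for the post's get_sam helper: "binds" to AD with the
# LDAP password and returns SamAccountNames.
def get_sam(ldap_password)
  raise ArgumentError, 'LDAP bind failed' unless ldap_password == BAG_ITEM['ldap_password']
  %w[alice bob]
end

class MiniRun
  Resource = Struct.new(:name, :action)

  def initialize
    @resources = []
    @node = { 'yp_chefserver' => { 'osAdminUser' => 'chefadmin' } }
  end
  attr_reader :node

  # Compile phase: the recipe body runs now, but each action is only queued.
  def file(path, content)
    @resources << Resource.new("file[#{path}]", -> { File.write(path, content) })
  end

  def ruby_block(name, &blk)
    @resources << Resource.new("ruby_block[#{name}]", blk)
  end

  # Converge phase: queued actions run in recipe order; the node is then
  # "saved" (returned here, uploaded to the Chef server in a real run).
  def converge
    @resources.each { |r| r.action.call }
    @node
  end
end

# Runs the recipe from the question in the simulator.
#   eager: true  -> read the secret while the recipe compiles (fails: file[...] has not run yet)
#   eager: false -> read it inside a ruby_block at converge time (works)
#   store_pw_in_node: true reproduces the answer's node.override['ldap_pw'] assignment
def run_recipe(eager:, store_pw_in_node: false)
  Dir.mktmpdir do |dir|
    secret_path = File.join(dir, 'secret')
    run  = MiniRun.new
    node = run.node
    run.file(secret_path, BAG_SECRET) # the earlier recipe that installs the secret
    assign = lambda do
      pw = load_encrypted_item(File.read(secret_path))['ldap_password']
      node['yp_chefserver']['ldap_pw'] = pw if store_pw_in_node
      node['yp_chefserver']['authorized_users'] =
        [node['yp_chefserver']['osAdminUser']] + get_sam(pw)
    end
    if eager
      assign.call                        # compile time: Errno::ENOENT
    else
      run.ruby_block('attributes', &assign) # converge time: file exists
    end
    run.converge
  end
end

# True if the LDAP password would leave the box with the saved node object.
def secret_leaked?(node)
  node.to_s.include?(BAG_ITEM['ldap_password'])
end
```

Running `run_recipe(eager: true)` raises `Errno::ENOENT` exactly as the question describes, while `run_recipe(eager: false)` returns a node whose `authorized_users` is `["chefadmin", "alice", "bob"]`. With `store_pw_in_node: true`, `secret_leaked?` reports that the password is now part of the node data; keeping it in a local variable inside the block, as the example does by default, avoids that.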
