proxmox/manifests/hypervisor/group.pp


# == Define: proxmox::hypervisor::group
#
# Manage groups and permissions to access the PVE resources
#
# === Parameters
#
# [*group*]
# _default_: +$title+, the title/name of the resource
#
# Is the group's name.
#
# [*role*]
# _default_: +undef+
#
# [*acl_path*]
# _default_: +/+
#
# The objects in Proxmox form a tree: virtual machines (/vms/$vmid), storage
# (/storage/$storageid) or resource pools (/pool/$poolname). The role for this
# group will be applied on this path.
#
# [*permission_file*]
# _default_: +/etc/pve/user.cfg+
#
# The file where the group's information is stored.
#
# [*users*]
# _default_: +undef+
#
# The list of users that are members of this group. A user will be created if it does not exist.
#
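# Creates a Proxmox VE group with `pveum groupadd` and grants it a role on an
# ACL path with `pveum aclmod`, then declares the permission file resource.
#
# $group           - group name, defaults to the resource title.
# $role            - role granted to the group; it has no default, so every
#                    declaration must pass it.
# $acl_path        - path in the PVE object tree the role applies to.
# $permission_file - file grepped to decide whether the group/ACL exists.
# $users           - NOTE(review): accepted but not referenced anywhere in this
#                    define, so no user is created here — confirm where (or
#                    whether) group membership is managed.
define proxmox::hypervisor::group (
  $group           = $title,
  $role,
  $acl_path        = '/',
  $permission_file = '/etc/pve/user.cfg',
  $users           = ''
) {

  # Every value below is interpolated into a command line and into a grep
  # pattern. Restrict each one to a conservative character set so that data
  # coming from Hiera or an ENC cannot add shell syntax or extra pveum options.
  # \A and \z are used instead of ^ and $ because the latter match at embedded
  # newlines.
  if $group !~ /\A[A-Za-z0-9_.-]+\z/ {
    fail("proxmox::hypervisor::group: invalid group name '${group}'")
  }
  if $role !~ /\A[A-Za-z0-9_.-]+\z/ {
    fail("proxmox::hypervisor::group: invalid role name '${role}'")
  }
  if $acl_path !~ /\A\/[A-Za-z0-9_.\/-]*\z/ {
    fail("proxmox::hypervisor::group: invalid ACL path '${acl_path}'")
  }
  if $permission_file !~ /\A\/[A-Za-z0-9_.\/-]+\z/ {
    fail("proxmox::hypervisor::group: invalid permission file '${permission_file}'")
  }

  # Manage the group only if Proxmox is available. The fact is compared with
  # both the string and the boolean form, since it may or may not be
  # stringified depending on the Puppet/Facter setup.
  if $::is_proxmox == 'true' or $::is_proxmox == true {

    # Create the group in Proxmox.
    # The trailing ':' closes the name field, so an existing group "admins"
    # no longer hides a missing group "admin".
    exec { "create_${group}_group":
      path    => ['/bin', '/sbin', '/usr/bin', '/usr/sbin'],
      command => "pveum groupadd ${group}",
      unless  => "grep -q '^group:${group}:' ${permission_file}",
    }
    ->
    # Define the permission.
    # The check is tied to this path, this group and this role. The previous
    # pattern ('@<group>' anywhere in the file) was satisfied by any ACL of
    # the group, or of a group whose name merely starts with it, so a changed
    # role or path was never applied.
    # NOTE(review): assumes entries of the form
    # acl:<propagate>:<path>:<users/groups>:<roles>: with comma-separated
    # lists — confirm against the PVE release in use. A pattern that fails to
    # match only makes pveum aclmod run again; it never skips a grant.
    exec { "add_${group}_permission":
      path    => ['/bin', '/sbin', '/usr/bin', '/usr/sbin'],
      command => "pveum aclmod ${acl_path} -group ${group} -role ${role}",
      unless  => "grep -Eq '^acl:[01]:${acl_path}:([^:]*,)?@${group}(,[^:]*)?:([^:]*,)?${role}(,[^:]*)?:' ${permission_file}",
    }
  }

  # The permissions file.
  # NOTE(review): this resource sits outside the Proxmox guard, as it always
  # did, so it is also declared on nodes where $::is_proxmox is not true —
  # confirm that is intended.
  if ! defined(File[$permission_file]) {
    file { $permission_file:
      ensure => present,
      owner  => 'root',
      group  => 'www-data',
      # Quoted: a bare 0640 is parsed as a number by newer Puppet parsers,
      # and the file type expects the mode as a string.
      mode   => '0640',
    }
  }
} # Public resource: proxmox::hypervisor::group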