macos_password_policy Resource
Use the macos_password_policy resource to set password complexity, password length, etc on macOS systems.
New in Chef Desktop 1.0.
Syntax
The full syntax for all of the properties that are available to the macos_password_policy resource is:
macos_password_policy 'name' do
exempt_user String
lockout_time Integer
max_failed_logins Integer
maximum_password_age Integer # default value: 365
minimum_lowercase_letters Integer # default value: 0
minimum_numeric_characters Integer # default value: 0
minimum_password_length Integer # default value: 12
minimum_special_characters Integer # default value: 0
minimum_uppercase_letters Integer # default value: 0
remember_how_many_passwords Integer # default value: 3
action Symbol # defaults to :set if not specified
end
where:
macos_password_policy
is the resource.name
is the name given to the resource block.action
identifies which steps Chef Infra Client will take to bring the node into the desired state.exempt_user
,lockout_time
,max_failed_logins
,maximum_password_age
,minimum_lowercase_letters
,minimum_numeric_characters
,minimum_password_length
,minimum_special_characters
,minimum_uppercase_letters
, andremember_how_many_passwords
are the properties available to this resource.
Actions
The macos_password_policy resource has the following actions:
:nothing
- This resource block doesn’t act unless notified by another resource to take action. Once notified, this resource block either runs immediately or is queued up to run at the end of a Chef Infra Client run.
:set
- This action sets the password policy as defined in its properties.
Properties
The macos_password_policy resource has the following properties:
exempt_user
- Ruby Type: String
A user to whom the password policy is not applied
lockout_time
- Ruby Type: Integer
The amount of time your account is locked out after you exceed max failed logins
max_failed_logins
- Ruby Type: Integer
The maximum number of failed logins before you are locked out
maximum_password_age
- Ruby Type: Integer | Default Value:
365
The maximum age in days for a password before it must be changed, defaults to 365
minimum_lowercase_letters
- Ruby Type: Integer | Default Value:
0
The minimum number of lower case letters that must be in a password
minimum_numeric_characters
- Ruby Type: Integer | Default Value:
0
The minimum number of numbers that must be in a password
minimum_password_length
- Ruby Type: Integer | Default Value:
12
The minimum length a password must be
minimum_special_characters
- Ruby Type: Integer | Default Value:
0
The minimum number of special characters that must be in a password. Eg. *&^%
minimum_uppercase_letters
- Ruby Type: Integer | Default Value:
0
The minimum number of upper case letters that must be in a password
remember_how_many_passwords
- Ruby Type: Integer | Default Value:
3
The number of previous passwords to remember to prevent users for keeping stale passwords
Common Resource Functionality
Chef resources include common properties, notifications, and resource guards.
Common Properties
The following properties are common to every resource:
compile_time
Ruby Type: true, false | Default Value:
false
Control the phase during which the resource is run on the node. Set to true to run while the resource collection is being built (the
compile phase
). Set to false to run while Chef Infra Client is configuring the node (theconverge phase
).ignore_failure
Ruby Type: true, false, :quiet | Default Value:
false
Continue running a recipe if a resource fails for any reason.
:quiet
won’t display the full stack trace and the recipe will continue to run if a resource fails.retries
Ruby Type: Integer | Default Value:
0
The number of attempts to catch exceptions and retry the resource.
retry_delay
Ruby Type: Integer | Default Value:
2
The delay in seconds between retry attempts.
sensitive
Ruby Type: true, false | Default Value:
false
Ensure that sensitive resource data isn’t logged by Chef Infra Client.
Notifications
notifies
Ruby Type: Symbol, 'Chef::Resource[String]'
A resource may notify another resource to take action when its state changes. Specify a
'resource[name]'
, the:action
that resource should take, and then the:timer
for that action. A resource may notify more than one resource; use anotifies
statement for each resource to be notified.If the referenced resource doesn’t exist, an error is raised. In contrast,
subscribes
won’t fail if the source resource isn’t found.
A timer specifies the point during a Chef Infra Client run at which a notification is run. The following timers are available:
:before
Specifies that the action on a notified resource should be run before processing the resource block in which the notification is located.
:delayed
Default. Specifies that a notification should be queued up, and then executed at the end of a Chef Infra Client run.
:immediate
,:immediately
Specifies that a notification should be run immediately, for each resource notified.
The syntax for notifies
is:
notifies :action, 'resource[name]', :timer
subscribes
Ruby Type: Symbol, 'Chef::Resource[String]'
A resource may listen to another resource, and then take action if the
state of the resource being listened to changes. Specify a
'resource[name]'
, the :action
to be taken, and then the :timer
for
that action.
Note that subscribes
doesn’t apply the specified action to the
resource that it listens to - for example:
file '/etc/nginx/ssl/example.crt' do
mode '0600'
owner 'root'
end
service 'nginx' do
subscribes :reload, 'file[/etc/nginx/ssl/example.crt]', :immediately
end
In this case the subscribes
property reloads the nginx
service
whenever its certificate file, located under
/etc/nginx/ssl/example.crt
, is updated. subscribes
doesn’t make any
changes to the certificate file itself, it merely listens for a change
to the file, and executes the :reload
action for its resource (in this
example nginx
) when a change is detected.
If the other resource doesn’t exist, the subscription won’t raise an
error. Contrast this with the stricter semantics of notifies
, which
will raise an error if the other resource doesn’t exist.
A timer specifies the point during a Chef Infra Client run at which a notification is run. The following timers are available:
:before
Specifies that the action on a notified resource should be run before processing the resource block in which the notification is located.
:delayed
Default. Specifies that a notification should be queued up, and then executed at the end of a Chef Infra Client run.
:immediate
,:immediately
Specifies that a notification should be run immediately, for each resource notified.
The syntax for subscribes
is:
subscribes :action, 'resource[name]', :timer
Guards
A guard property can be used to evaluate the state of a node during the execution phase of a Chef Infra Client run. Based on the results of this evaluation, a guard property is then used to tell Chef Infra Client if it should continue executing a resource. A guard property accepts either a string value or a Ruby block value:
- A string is executed as a shell command. If the command returns
0
, the guard is applied. If the command returns any other value, then the guard property isn’t applied. String guards in a powershell_script run Windows PowerShell commands and may returntrue
in addition to0
. - A block is executed as Ruby code that must return either
true
orfalse
. If the block returnstrue
, the guard property is applied. If the block returnsfalse
, the guard property isn’t applied.
A guard property is useful for ensuring that a resource is idempotent by allowing that resource to test for the desired state as it’s being executed, and then if the desired state is present, for Chef Infra Client to don’thing.
PropertiesThe following properties can be used to define a guard that’s evaluated during the execution phase of a Chef Infra Client run:
not_if
Prevent a resource from executing when the condition returns
true
.only_if
Allow a resource to execute only if the condition returns
true
.
Examples
The following examples demonstrate various approaches for using the macos_password_policy resource in recipes:
Set the local password policy:
macos_password_policy 'Setup appropriate password complexity and rules' do
max_failed_logins 5
lockout_time 2
maximum_password_age 365
minimum_password_length 12
minimum_numeric_characters 0
minimum_lowercase_letters 0
minimum_uppercase_letters 0
minimum_special_characters 0
remember_how_many_passwords 3
exempt_user 'MyAdmin'
action :set
end