user Resource
This page is generated from the Chef Infra Client source code.To suggest a change, edit the user.rb file and submit a pull request to the Chef Infra Client repository.
Use the user resource to add users, update existing users, remove users, and to lock/unlock user passwords.
Note
System attributes are collected by Ohai at the start of every Chef Infra Client run. By design, the actions available to the user resource are processed after the start of a Chef Infra Client run. This means that system attributes added or modified by the user resource during a Chef Infra Client run must be reloaded before they can be available to Chef Infra Client. These system attributes can be reloaded in two ways: by picking up the values at the start of the (next) Chef Infra Client run or by using the ohai resource to reload the system attributes during the current Chef Infra Client run.
Syntax
A user resource block manages users on a node:
user 'a user' do
comment 'A random user'
uid 1234
gid 'groupname'
home '/home/random'
shell '/bin/bash'
password '$1$JJsvHslasdfjVEroftprNn4JHtDi'
end
The full syntax for all of the properties that are available to the user resource is:
user 'name' do
comment String
force true, false # see description
gid String, Integer
home String
iterations Integer
manage_home true, false
non_unique true, false
password String
salt String
shell String
system true, false
uid String, Integer
username String # defaults to 'name' if not specified
action Symbol # defaults to :create if not specified
end
where:
user
is the resourcename
is the name of the resource blockaction
identifies the steps Chef Infra Client will take to bring the node into the desired statecomment
,force
,gid
,home
,iterations
,manage_home
,non_unique
,password
,salt
,shell
,system
,uid
, andusername
are properties of this resource, with the Ruby type shown. See “Properties” section below for more information about all of the properties that may be used with this resource.
Actions
The user resource has the following actions:
:create
- (default) Create a user with given properties. If a user already exists (but does not match), update that user to match.
:lock
- Lock a user’s password.
:manage
- Manage an existing user. This action does nothing if the user does not exist.
:modify
- Modify an existing user. This action raises an exception if the user does not exist.
:nothing
- This resource block doesn’t act unless notified by another resource to take action. Once notified, this resource block either runs immediately or is queued up to run at the end of a Chef Infra Client run.
:remove
- Remove a user.
:unlock
- Unlock a user’s password.
Properties
The user resource has the following properties:
comment
- Ruby Type: String
One (or more) comments about the user.
expire_date
- Ruby Type: String
(Linux) The date on which the user account will be disabled. The date is specified in YYYY-MM-DD format.
New in Chef Infra Client 18.0
force
- Ruby Type: true, false
Force the removal of a user. May be used only with the
:remove
action.Warning
Using this property may leave the system in an inconsistent state. For example, a user account will be removed even if the user is logged in. A user’s home directory will be removed, even if that directory is shared by multiple users.
gid
- Ruby Type: String, Integer
The identifier for the group. This property was previously named
group
and both continue to function.
home
- Ruby Type: String
The location of the home directory.
inactive
- Ruby Type: String, Integer
(Linux) The number of days after a password expires until the account is permanently disabled. A value of
0
disables the account as soon as the password has expired, and a value of-1
disables the feature.New in Chef Infra Client 18.0
iterations
- Ruby Type: Integer
macOS platform only. The number of iterations for a password with a SALTED-SHA512-PBKDF2 shadow hash.
manage_home
- Ruby Type: true, false
Manage a user’s home directory.
When used with the
:create
action, a user’s home directory is created based onHOME_DIR
. If the home directory is missing, it is created unlessCREATE_HOME
in/etc/login.defs
is set tono
. When created, a skeleton set of files and subdirectories are included within the home directory.When used with the
:modify
action, a user’s home directory is moved toHOME_DIR
. If the home directory is missing, it is created unlessCREATE_HOME
in/etc/login.defs
is set tono
. The contents of the user’s home directory are moved to the new location.
non_unique
- Ruby Type: true, false
Create a duplicate (non-unique) user account.
password
- Ruby Type: String
The password shadow hash
salt
- Ruby Type: String
A SALTED-SHA512-PBKDF2 hash.
shell
- Ruby Type: String
The login shell.
system
- Ruby Type: true, false
Create a system user. This property may be used with
useradd
as the provider to create a system user which passes the-r
flag touseradd
.
uid
- Ruby Type: String, Integer
The numeric user identifier.
username
- Ruby Type: String
The name of the user. Default value: the
name
of the resource block. See “Syntax” section above for more information.
Common Resource Functionality
Chef resources include common properties, notifications, and resource guards.
Common Properties
The following properties are common to every resource:
compile_time
Ruby Type: true, false | Default Value:
false
Control the phase during which the resource is run on the node. Set to true to run while the resource collection is being built (the
compile phase
). Set to false to run while Chef Infra Client is configuring the node (theconverge phase
).ignore_failure
Ruby Type: true, false, :quiet | Default Value:
false
Continue running a recipe if a resource fails for any reason.
:quiet
won’t display the full stack trace and the recipe will continue to run if a resource fails.retries
Ruby Type: Integer | Default Value:
0
The number of attempts to catch exceptions and retry the resource.
retry_delay
Ruby Type: Integer | Default Value:
2
The delay in seconds between retry attempts.
sensitive
Ruby Type: true, false | Default Value:
false
Ensure that sensitive resource data isn’t logged by Chef Infra Client.
Notifications
notifies
Ruby Type: Symbol, 'Chef::Resource[String]'
A resource may notify another resource to take action when its state changes. Specify a
'resource[name]'
, the:action
that resource should take, and then the:timer
for that action. A resource may notify more than one resource; use anotifies
statement for each resource to be notified.If the referenced resource doesn’t exist, an error is raised. In contrast,
subscribes
won’t fail if the source resource isn’t found.
A timer specifies the point during a Chef Infra Client run at which a notification is run. The following timers are available:
:before
Specifies that the action on a notified resource should be run before processing the resource block in which the notification is located.
:delayed
Default. Specifies that a notification should be queued up, and then executed at the end of a Chef Infra Client run.
:immediate
,:immediately
Specifies that a notification should be run immediately, for each resource notified.
The syntax for notifies
is:
notifies :action, 'resource[name]', :timer
subscribes
Ruby Type: Symbol, 'Chef::Resource[String]'
A resource may listen to another resource, and then take action if the
state of the resource being listened to changes. Specify a
'resource[name]'
, the :action
to be taken, and then the :timer
for
that action.
Note that subscribes
doesn’t apply the specified action to the
resource that it listens to - for example:
file '/etc/nginx/ssl/example.crt' do
mode '0600'
owner 'root'
end
service 'nginx' do
subscribes :reload, 'file[/etc/nginx/ssl/example.crt]', :immediately
end
In this case the subscribes
property reloads the nginx
service
whenever its certificate file, located under
/etc/nginx/ssl/example.crt
, is updated. subscribes
doesn’t make any
changes to the certificate file itself, it merely listens for a change
to the file, and executes the :reload
action for its resource (in this
example nginx
) when a change is detected.
If the other resource doesn’t exist, the subscription won’t raise an
error. Contrast this with the stricter semantics of notifies
, which
will raise an error if the other resource doesn’t exist.
A timer specifies the point during a Chef Infra Client run at which a notification is run. The following timers are available:
:before
Specifies that the action on a notified resource should be run before processing the resource block in which the notification is located.
:delayed
Default. Specifies that a notification should be queued up, and then executed at the end of a Chef Infra Client run.
:immediate
,:immediately
Specifies that a notification should be run immediately, for each resource notified.
The syntax for subscribes
is:
subscribes :action, 'resource[name]', :timer
Guards
A guard property can be used to evaluate the state of a node during the execution phase of a Chef Infra Client run. Based on the results of this evaluation, a guard property is then used to tell Chef Infra Client if it should continue executing a resource. A guard property accepts either a string value or a Ruby block value:
- A string is executed as a shell command. If the command returns
0
, the guard is applied. If the command returns any other value, then the guard property isn’t applied. String guards in a powershell_script run Windows PowerShell commands and may returntrue
in addition to0
. - A block is executed as Ruby code that must return either
true
orfalse
. If the block returnstrue
, the guard property is applied. If the block returnsfalse
, the guard property isn’t applied.
A guard property is useful for ensuring that a resource is idempotent by allowing that resource to test for the desired state as it’s being executed, and then if the desired state is present, for Chef Infra Client to don’thing.
PropertiesThe following properties can be used to define a guard that’s evaluated during the execution phase of a Chef Infra Client run:
not_if
Prevent a resource from executing when the condition returns
true
.only_if
Allow a resource to execute only if the condition returns
true
.
Examples
The following examples demonstrate various approaches for using the user resource in recipes:
Create a system user
user 'systemguy' do
comment 'system guy'
system true
shell '/bin/false'
end
Create a system user with a variable
The following example shows how to create a system user. In this
instance, the home
value is calculated and stored in a variable called
user_home
which sets the user’s home
attribute.
user_home = "/home/#{node['cookbook_name']['user']}"
user node['cookbook_name']['user'] do
gid node['cookbook_name']['group']
shell '/bin/bash'
home user_home
system true
action :create
end
Use SALTED-SHA512-PBKDF2 passwords
macOS 10.8 (and higher) calculates the password shadow hash using SALTED-SHA512-PBKDF2. The length of the shadow hash value is 128 bytes, the salt value is 32 bytes, and an integer specifies the number of iterations. The following code will calculate password shadow hashes for macOS 10.8 (and higher):
password = 'my_awesome_password'
salt = OpenSSL::Random.random_bytes(32)
iterations = 25000 # Any value above 20k should be fine.
shadow_hash = OpenSSL::PKCS5::pbkdf2_hmac(
password,
salt,
iterations,
128,
OpenSSL::Digest::SHA512.new
).unpack('H*').first
salt_value = salt.unpack('H*').first
Use the calculated password shadow hash with the user resource:
user 'my_awesome_user' do
password 'cbd1a....fc843' # Length: 256
salt 'bd1a....fc83' # Length: 64
iterations 25000
end