Managing users with virtual resources
Users are a great example of a resource that may need to be realized by multiple classes. Consider the following situation. To simplify administration of a large number of machines, you defined classes for two kinds of users: developers
and sysadmins
. All machines need to include sysadmins
, but only some machines need developers
:
node 'server' { include user::sysadmins } node 'webserver' { include user::sysadmins include user::developers }
However, some users may be members of both groups. If each group simply declares its members as regular user
resources, this will lead to a conflict when a node includes both developers
and sysadmins
, as in the webserver
example.
To avoid this conflict, a common pattern is to make all users virtual resources, defined in a single class user::virtual
that every machine includes, and then realizing the users where they are needed. This way, there will be no conflict if a user is a member of multiple groups.