Question

I'd like to set up a user (called 'deployer'), but only for certain roles.

I'm using the Opscode users cookbook. I'm calling it from a 'base' (included by all other cookbooks) wrapper cookbook. So, users in my data_bags/users directory are getting created on all of my Chef nodes.

With that in mind, my 'deployer' user doesn't seem to belong in data_bags/users/deployer.json. (That would create it for all nodes.)

I'm thinking and exploring to find one or more clean ways to do this. My use case is probably not unusual, so I would hope to find an "easy" path with Chef to do what I need. My thoughts and ideas currently include:

  1. I have not yet found the explicit code that reads from my 'users' data bag. After finding such code, perhaps I could adjust it to filter based on an attribute so that certain users are excluded unless a particular role is 'running'?

  2. I may create a separate data bag, perhaps "foo-users", where 'foo' is the role. Then I could use the Opscode users cookbook to use that particular data bag exactly when needed.


Solution

Take a look at the deployer cookbook. This cookbook is complementary to the users cookbook, as it can leverage the same "users" data bag.

OTHER TIPS

I'm currently leaning towards using this code for the roles where it is needed:

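# Create the account directly in the recipe for roles that need it.
user "deployer" do
  comment "deployer account"
  # Manage the home directory along with the account. The `supports`
  # property was removed in Chef 13; there, write `manage_home true`.
  supports manage_home: true
  # No interactive login shell for this account.
  shell "/bin/false"
end

Since I don't need the user to have a login shell, keeping credentials hidden away in a data bag is not particularly important.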

This would not be a clean solution if I had lots of user accounts that belonged on various combinations of machines. But for my case, it is simple and should work fine.
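Added example, not part of the original question or answers: a plain-Ruby sketch of the filtering idea from the question, generalized to many accounts on different combinations of roles. The `roles` and `action` keys in each item, the sample users, and the `plan_accounts` helper are assumptions of this example, not fields or code from the users cookbook.

```ruby
# Constructed sample items, shaped like files in data_bags/users/.
# The "roles" key is hypothetical: it lists the roles an account belongs on.
SAMPLE_USERS = [
  { 'id' => 'alice',    'shell' => '/bin/bash' }, # no "roles": every node
  { 'id' => 'deployer', 'shell' => '/bin/false', 'roles' => ['app'] },
  { 'id' => 'dbbackup', 'shell' => '/bin/false', 'roles' => %w[db replica] },
  { 'id' => 'mallory',  'roles' => ['app'], 'action' => 'remove' }
].freeze

# Decide, for a node holding node_roles, which accounts to create and
# which to remove. Returns { create: [ids], remove: [ids] }.
def plan_accounts(items, node_roles)
  plan = { create: [], remove: [] }
  items.each do |item|
    name = item['id']
    raise ArgumentError, 'user item without an id' if name.nil? || name.empty?

    wanted_on = Array(item['roles']) # accepts a string or a list
    in_scope  = wanted_on.empty? || !(wanted_on & node_roles).empty?

    if in_scope && item['action'] != 'remove'
      plan[:create] << name
    else
      # Out of scope or retired: removing (rather than skipping) means a
      # node that loses a role also loses the accounts tied to that role.
      plan[:remove] << name
    end
  end
  plan
end

# In a recipe, the items would come from the data bag and node_roles from
# the node's role list; each planned name then feeds a `user` resource
# with action :create or :remove.
if __FILE__ == $PROGRAM_NAME
  p plan_accounts(SAMPLE_USERS, ['app'])
  p plan_accounts(SAMPLE_USERS, ['base'])
end
```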

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow