Resource Type: macauthdb

Defined in:
lib/puppet/type/macauthdb.rb
Providers:
default

Overview

Manage the OS X authorization database. See the [Apple developer site](developer.apple.com/library/mac/documentation/Security/Conceptual/AuthenticationAndAuthorizationGuide/Introduction/Introduction.html) for more information.

Note that authorization store directives with hyphens in their names have been renamed to use underscores, as Puppet does not react well to hyphens in identifiers.

Autorequires: If Puppet is managing the `/System/Library/Security/authorization.plist` file, each macauthdb resource will autorequire it.

Example:

  # Allow everyone to modify Energy Saver settings in the System Preferences control panel

  # First change the parent class
  macauthdb { 'system.preferences':
    ensure            => 'present',
    allow_root        => 'true',
    auth_class        => 'user',
    auth_type         => 'right',
    authenticate_user => 'true',
    comment           => 'Checked by the Admin framework when making changes to certain System Preferences.',
    group             => 'everyone',
    session_owner     => 'false',
    shared            => 'true',
    timeout           => '2147483647',
    tries             => '10000',
  }

  # Then change the target
  macauthdb { 'system.preferences.energysaver':
    ensure            => 'present',
    allow_root        => 'true',
    auth_class        => 'user',
    auth_type         => 'right',
    authenticate_user => 'true',
    comment           => 'Checked by the Admin framework when making changes to the Energy Saver preference pane.',
    group             => 'everyone',
    session_owner     => 'false',
    shared            => 'true',
    timeout           => '2147483647',
    tries             => '10000',
  }

Properties

  • allow_root

    Corresponds to `allow-root` in the authorization store. Specifies whether a right should be allowed automatically if the requesting process is running with `uid == 0`. AuthorizationServices defaults this attribute to false if not specified.

  • auth_class

    Corresponds to `class` in the authorization store; renamed because `class` is a reserved word in Puppet.

    Supported values:
    • user
    • evaluate-mechanisms
    • allow
    • deny
    • rule

  • auth_type

    Whether the entry being managed is a right or a rule in the authorization store.

    Supported values:
    • right
    • rule

  • authenticate_user

    Corresponds to `authenticate-user` in the authorization store.

  • comment
  • ensure

    The basic property that the resource should be in.

    Supported values:
    • present
    • absent
    • default
  • entitled

    Boolean that indicates whether to grant a right based on the entitlement.

  • entitled_group

    Boolean that indicates whether to grant a right based on the entitlement and if the user is a member of the Authorization Group (:group).

  • extract_password

    Boolean that indicates that the password should be extracted to the context.

  • group

    A group which the user must authenticate as a member of. This must be a single group.

  • kofn

    How large a subset of rule mechanisms must succeed for successful authentication. If there are `n` mechanisms, then `k` (the integer value of this parameter) mechanisms must succeed. The most common setting for this parameter is `1`. If `k-of-n` is not set, then every mechanism, that is `n-of-n`, must succeed.

  • mechanisms

    A sequence of suitable mechanisms to be evaluated. (Array)

  • require_apple_signed

    Boolean that requires the caller to be signed by Apple.

  • rule

    The rule(s) that this right refers to.

  • session_owner

    Whether the session owner automatically matches this rule or right. Corresponds to `session-owner` in the authorization store.

  • shared

    Whether the Security Server should mark the credentials used to gain this right as shared. The Security Server may use any shared credentials to authorize this right. For maximum security, set sharing to false so credentials stored by the Security Server for one application may not be used by another application.

  • timeout

    The number of seconds in which the credential used by this rule will expire. For maximum security where the user must authenticate every time, set the timeout to 0. For minimum security, remove the timeout attribute so the user authenticates only once per session.

  • tries

    The number of tries allowed.

  • vpn_entitled_group

    Boolean that indicates whether to grant a right based on the VPN entitlement and if the user is a member of the Authorization Group (:group).
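
As an added example that is not part of the original page, the resource below applies the tighter settings these properties describe to the Energy Saver right from the example above, in contrast to that example's everyone/shared/never-expiring configuration; `admin` is the standard macOS administrators group and the `tries` value is an arbitrary choice.

```puppet
# Added example: restrict the Energy Saver right to administrators and require a
# fresh authentication on every use (the original example grants it to everyone).
macauthdb { 'system.preferences.energysaver':
  ensure            => 'present',
  auth_type         => 'right',
  auth_class        => 'user',
  group             => 'admin',   # only members of the admin group may authorize
  allow_root        => 'false',   # a uid 0 caller is not granted the right automatically
  authenticate_user => 'true',
  session_owner     => 'false',   # being the console user alone is not sufficient
  shared            => 'false',   # credentials may not be reused by another application
  timeout           => '0',       # credential expires immediately, so every request re-prompts
  tries             => '3',       # assumption: a small cap rather than the example's 10000
  comment           => 'Energy Saver changes require administrator authentication each time.',
}
```

After applying the manifest, `security authorizationdb read system.preferences.energysaver` prints the stored entry so the resulting values can be checked.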

Parameters

  • name (namevar)

    The name of the right or rule to be managed. Corresponds to `key` in Authorization Services. The key is the name of a rule. A key uses the same naming conventions as a right. The Security Server uses a rule's key to match the rule with a right. Wildcard keys end with a `.`. The generic rule has an empty key value. Any rights that do not match a specific rule use the generic rule.

  • provider

    The specific backend to use for this `macauthdb` resource. You will seldom need to specify this; Puppet will usually discover the appropriate provider for your platform.