Jira (PUP-9465) group resource type misunderstands/misuses libuser


James Ralston (JIRA)

Jul 30, 2019, 6:09:02 PM
to puppe...@googlegroups.com
James Ralston updated an issue
 
Puppet / New Feature PUP-9465
group resource type misunderstands/misuses libuser
Change By: James Ralston
Summary: group resource type should support lgroupadd provider on Linux misunderstands/misuses libuser
 
This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93)

James Ralston (JIRA)

Jul 30, 2019, 6:26:03 PM
to puppe...@googlegroups.com
James Ralston updated an issue
Change By: James Ralston
Labels: group libuser linux user

James Ralston (JIRA)

Jul 30, 2019, 6:26:03 PM
to puppe...@googlegroups.com
James Ralston updated an issue
Change By: James Ralston
Affects Version/s: PUP 6.6.0

James Ralston (JIRA)

Jul 30, 2019, 6:26:03 PM
to puppe...@googlegroups.com
James Ralston updated an issue
Change By: James Ralston
Affects Version/s: PUP 6.1.0

Mihai Buzgau (JIRA)

Aug 6, 2019, 9:55:03 AM
to puppe...@googlegroups.com
Mihai Buzgau updated an issue
Change By: Mihai Buzgau
Team: Platform OS Night's Watch

Mihai Buzgau (JIRA)

Aug 7, 2019, 5:11:05 AM
to puppe...@googlegroups.com
Mihai Buzgau updated an issue
Change By: Mihai Buzgau
Sprint: PR NW - Triage 2019-08-21

Mihai Buzgau (JIRA)

Aug 21, 2019, 5:17:08 AM
to puppe...@googlegroups.com
Mihai Buzgau updated an issue
Change By: Mihai Buzgau
Sprint: NW - 2019-08-21 , NW - 2019-09-03

Gabriel Nagy (JIRA)

Aug 28, 2019, 4:36:03 AM
to puppe...@googlegroups.com
Gabriel Nagy commented on New Feature PUP-9465
 
Re: group resource type misunderstands/misuses libuser

James Ralston I checked the reasoning behind the libuser code in puppet, it was introduced here: https://github.com/puppetlabs/puppet/pull/1442

Some applications require local accounts and the useradd/groupadd commands currently used by the provider will not create a local account if they already exist remotely. The libuser commands luseradd/lgroupadd will allow a local name to duplicate a remote name. So these commands are used to force the local account creation. 

That's where the forcelocal/libuser misunderstanding comes from. We'll investigate this further.
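
An added example, not part of the original thread or of Puppet's code: an audit for the condition described above, local groups whose names duplicate remote ones, which matters because a local entry can carry a different GID than the directory entry of the same name. It assumes both sources are available as files in group(5) format (for instance /etc/group and the output of `getent -s <service> group`, where the remote source allows enumeration); the function names and sample entries are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or from Puppet.
# Both inputs are files in group(5) format: name:passwd:gid:members

# shadowed_groups LOCAL_FILE REMOTE_FILE
# Prints "name local_gid remote_gid status" for every local group whose
# name also exists remotely; status is same-gid or gid-mismatch.
shadowed_groups() {
    awk -F: '
        # Skip blank lines, comments and NIS compat (+/-) entries.
        /^[[:space:]]*$/ || /^#/ || /^[+-]/ { next }
        # First file argument holds the remote entries: index GID by name.
        FILENAME == ARGV[1] { remote[$1] = $3; next }
        # Second file argument holds the local entries: report collisions.
        ($1 in remote) {
            status = ($3 == remote[$1]) ? "same-gid" : "gid-mismatch"
            print $1, $3, remote[$1], status
        }
    ' "$2" "$1"
}

# Constructed sample data: "appsvc" and "dba" exist in both sources,
# "appsvc" with different GIDs; "wheel" is local only, "eng" remote only.
run_sample() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' 'wheel:x:10:alice' 'appsvc:x:1001:bob' 'dba:x:5000:' \
        > "$tmp/local"
    printf '%s\n' 'appsvc:*:20001:carol' 'dba:*:5000:dave' 'eng:*:20002:' \
        > "$tmp/remote"
    shadowed_groups "$tmp/local" "$tmp/remote"
    rm -rf "$tmp"
}

run_sample
```

A `gid-mismatch` row is the case to review first: which of the two entries a lookup returns depends on the source order in nsswitch.conf.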

Gabriel Nagy (JIRA)

Aug 28, 2019, 9:44:03 AM
to puppe...@googlegroups.com
Gabriel Nagy commented on New Feature PUP-9465

James Ralston it seems that the only valid use-case for having this provider is being able to benefit from the manages_members feature to manage the membership of an arbitrary group with a single group resource.

I'm not sure this warrants a separate provider, this can be accomplished in the existing provider with a conditional feature like:

has_feature :manages_members if Puppet.features.libuser?

and then handle the "members" property.

Thoughts?

Mihai Buzgau (JIRA)

Sep 4, 2019, 5:17:10 AM
to puppe...@googlegroups.com
Mihai Buzgau updated an issue
Change By: Mihai Buzgau
Sprint: NW - 2019-08-21, NW - 2019-09-03 , NW - 2019-09-18

Gabriel Nagy (JIRA)

Sep 4, 2019, 7:18:03 AM
to puppe...@googlegroups.com
Gabriel Nagy commented on New Feature PUP-9465
 
Re: group resource type misunderstands/misuses libuser

This makes me think we won't ever want to default this provider: https://bugzilla.redhat.com/show_bug.cgi?id=1028544#c2

with libuser itself probably being obsoleted within the next few years

I believe it's right to implement it since the way this is being handled right now is wrong (using binaries from 2 different packages - shadow and libuser - in the same provider).

We shouldn't prefer libuser if both groupadd and libuser are present since libuser doesn't have 1:1 parity with groupadd regarding its functionalities. For example, libuser doesn't support NIS accounts.

James Ralston (JIRA)

Sep 4, 2019, 5:36:03 PM
to puppe...@googlegroups.com
James Ralston commented on New Feature PUP-9465

Gabriel Nagy, I agree that using binaries from 2 different packages in the same provider seems wrong. That's the primary reason why I think there should be two separate providers, even though there is a lot of overlap between the functionality of the providers.

Upon reflection, I will walk back my "If both the libuser provider and the groupadd provider are available, prefer the libuser provider" assertion. But I'm not sure that the minor differences in functionality are appropriate selection criteria to prefer one provider over the other, either. As you noted, libuser doesn't support NIS (which shadow supports). But shadow doesn't support LDAP (which libuser supports).

How about this: for any system where groupadd is currently the default provider, it should remain the default provider, even if the libuser provider is available. This will make the libuser provider available for those who specifically want it (most likely for the manages_members feature), but it will avoid potential disruption by exposing Puppet users to subtle differences between the groupadd and libuser providers.

But I still think that once the libuser provider is available, the forcelocal parameter should be deprecated, and should emit a warning that 1) the forcelocal parameter will be removed in a future Puppet release, and 2) to use the libuser provider instead if the goal is to have the manages_members feature.

Finally, I wouldn't put much stock in the 2013 comment 2 in Red Hat BZ#1028544 about libuser going away. A lot of what libuser was planned to do was subsumed by the sssd project, which is why development on libuser has slowed. But both the shadow project and the libuser project are active.

As another metric, Red Hat Enterprise Linux 8 shipped with libuser. Since libuser was created by Red Hat developers and is maintained by Red Hat developers, that means libuser isn't going anywhere for the lifetime of RHEL8, which doesn't end until May 2029. And libuser is still in Fedora, which is (essentially) the upstream for RHEL.

Gabriel Nagy (JIRA)

Sep 5, 2019, 3:48:03 AM
to puppe...@googlegroups.com
Gabriel Nagy commented on New Feature PUP-9465

James Ralston, makes sense.

The thing is, groupadd is currently not being defaulted to any platform, in fact it's the only suitable provider for Linux, so that's why it gets picked. When we introduce the new libuser provider, we have to explicitly default groupadd to avoid having libuser getting picked up by mistake.

Gabriel Nagy (JIRA)

Sep 5, 2019, 9:56:02 AM
to puppe...@googlegroups.com
Gabriel Nagy commented on New Feature PUP-9465

I've put up a PR here: https://github.com/puppetlabs/puppet/pull/7695

The only changes to the groupadd provider are the deprecation warnings, directing Puppet users to the separate libuser provider.

Next steps would be to actually remove the libuser feature and the forcelocal parameter for Puppet 7.

Gabriel Nagy (JIRA)

Sep 5, 2019, 10:53:04 AM
to puppe...@googlegroups.com
Gabriel Nagy commented on New Feature PUP-9465

In addition to that, the forcelocal parameter is also being used by the useradd provider. We'd also have to implement a libuser provider for the user type.

Mihai Buzgau (JIRA)

Sep 18, 2019, 10:13:08 AM
to puppe...@googlegroups.com
Mihai Buzgau updated an issue
Change By: Mihai Buzgau
Sprint: NW - 2019-08-21, NW - 2019-09-03, NW - 2019-09-18 , NW - 2019-10-02

Mihai Buzgau (JIRA)

Oct 2, 2019, 4:40:09 AM
to puppe...@googlegroups.com
Mihai Buzgau updated an issue
Change By: Mihai Buzgau
Sprint: NW - 2019-08-21, NW - 2019-09-03, NW - 2019-09-18, NW - 2019-10-02 , NW - 2019-10-16

Mihai Buzgau (JIRA)

Oct 16, 2019, 4:24:09 AM
to puppe...@googlegroups.com
Mihai Buzgau updated an issue
Change By: Mihai Buzgau
Sprint: NW - 2019-08-21, NW - 2019-09-03, NW - 2019-09-18, NW - 2019-10-02, NW - 2019-10-16 , NW - 2019-10-30

Mihai Buzgau (JIRA)

Oct 30, 2019, 5:00:13 AM
to puppe...@googlegroups.com
Mihai Buzgau updated an issue
Change By: Mihai Buzgau
Sprint: NW - 2019-08-21, NW - 2019-09-03, NW - 2019-09-18, NW - 2019-10-02, NW - 2019-10-16, NW - 2019-10-30 , NW - 2019-11-13

Mihai Buzgau (JIRA)

Nov 14, 2019, 5:28:08 AM
to puppe...@googlegroups.com
Mihai Buzgau updated an issue
Change By: Mihai Buzgau
Sprint: NW - 2019-08-21, NW - 2019-09-03, NW - 2019-09-18, NW - 2019-10-02, NW - 2019-10-16, NW - 2019-10-30, NW - 2019-11-13 , 2019-11-27

Mihai Buzgau (JIRA)

Nov 27, 2019, 4:51:09 AM
to puppe...@googlegroups.com
Mihai Buzgau updated an issue
Change By: Mihai Buzgau
Sprint: NW - 2019-08-21, NW - 2019-09-03, NW - 2019-09-18, NW - 2019-10-02, NW - 2019-10-16, NW - 2019-10-30, NW - 2019-11-13, 2019-11-27 , 2019-12-11

Gabriel Nagy (JIRA)

Dec 4, 2019, 8:49:04 AM
to puppe...@googlegroups.com
Gabriel Nagy commented on New Feature PUP-9465
 
Re: group resource type misunderstands/misuses libuser

Melissa Stone any thoughts on this? With forcelocal implementation also requested for AIX (PUP-7113) I would work towards uncoupling the forcelocal parameter from the libuser feature (which is a Linux-only package), and implement a separate libuser provider for the user type.

Melissa Stone (JIRA)

Dec 5, 2019, 5:53:05 PM
to puppe...@googlegroups.com
Melissa Stone commented on New Feature PUP-9465

It's been a long time since I thought about any of this, but what you're both saying sounds logical. It sounds like, from a user perspective, you're functionally replacing `forcelocal => true` with `provider => 'libuser'`?

With the request to make a `forcelocal` flag available on AIX, you wouldn't be deprecating that param specifically, but where it's currently used to enable `libuser` calls? This would mean we wouldn't be able to make `forcelocal` available on AIX until Puppet 7

Mihai Buzgau (JIRA)

Dec 11, 2019, 4:33:05 AM
to puppe...@googlegroups.com
Mihai Buzgau updated an issue
Change By: Mihai Buzgau
Sprint: NW - 2019-08-21, NW - 2019-09-03, NW - 2019-09-18, NW - 2019-10-02, NW - 2019-10-16, NW - 2019-10-30, NW - 2019-11-13, 2019-11-27, 2019-12-11 , 2019-12-24

Mihai Buzgau (JIRA)

Jan 7, 2020, 4:26:06 AM
to puppe...@googlegroups.com
Mihai Buzgau updated an issue
Change By: Mihai Buzgau
Sprint: NW - 2019-08-21, NW - 2019-09-03, NW - 2019-09-18, NW - 2019-10-02, NW - 2019-10-16, NW - 2019-10-30, NW - 2019-11-13, 2019-11-27, 2019-12-11, 2019-12-24 , NW - 2020-01-22

Mihai Buzgau (JIRA)

Jan 22, 2020, 4:39:08 AM
to puppe...@googlegroups.com
Mihai Buzgau updated an issue
Change By: Mihai Buzgau
Sprint: NW - 2019-08-21, NW - 2019-09-03, NW - 2019-09-18, NW - 2019-10-02, NW - 2019-10-16, NW - 2019-10-30, NW - 2019-11-13, 2019-11-27, 2019-12-11, 2019-12-24, NW - 2020-01-22 , NW - 2020-02-05

Mihai Buzgau (JIRA)

Feb 5, 2020, 5:38:07 AM
to puppe...@googlegroups.com
Mihai Buzgau updated an issue
Change By: Mihai Buzgau
Sprint: NW - 2019-08-21, NW - 2019-09-03, NW - 2019-09-18, NW - 2019-10-02, NW - 2019-10-16, NW - 2019-10-30, NW - 2019-11-13, 2019-11-27, 2019-12-11, 2019-12-24, NW - 2020-01-22, NW - 2020-02-05 , NW - 2020-02-19

Gabriel Nagy (JIRA)

Feb 10, 2020, 8:04:04 AM
to puppe...@googlegroups.com
Gabriel Nagy updated an issue
Change By: Gabriel Nagy
Release Notes Summary: The `groupadd` provider can now manage members using the `members` resource parameter.
Release Notes: New Feature

Luchian Nemes (JIRA)

Feb 13, 2020, 9:29:04 AM
to puppe...@googlegroups.com
Luchian Nemes updated an issue
Change By: Luchian Nemes
Fix Version/s: PUP 6.13.0

Kate Medred (JIRA)

Feb 18, 2020, 12:14:07 PM
to puppe...@googlegroups.com
Kate Medred updated an issue
Change By: Kate Medred
Labels: group libuser linux resolved-issue-added user