Jira (PUP-3745) Group membership should be a type of its own.


redmine.exporter (JIRA)

Dec 5, 2014, 9:17:27 AM
to puppe...@googlegroups.com
redmine.exporter created an issue
 
Puppet / New Feature PUP-3745
Group membership should be a type of its own.
Issue Type: New Feature
Assignee: Unassigned
Created: 2014/12/05 6:16 AM
Labels: redmine
Priority: Normal
Reporter: redmine.exporter

It's very difficult right now to express declarative statements like:

  • Ensure this user is not in this group, leave it alone otherwise
  • Ensure this user is in this group without defining the user, leave it alone otherwise.

I propose that we move group membership to a type of its own. That would also allow us to abstract away the differences between different platforms, some of which consider membership to be an attribute of the group, some of which consider it to be an attribute of the user.

It would allow us to remove all the "authoritative" settings for user/group membership, as they would move to this type instead.

This message was sent by Atlassian JIRA (v6.3.7#6337-sha1:2ed701e)

Zach Leslie (JIRA)

Jul 17, 2015, 11:34:07 PM
to puppe...@googlegroups.com
Zach Leslie commented on New Feature PUP-3745
 
Re: Group membership should be a type of its own.

I've taken a stab at the problem. https://github.com/xaque208/puppet-groupmembership I expect to be adding more providers soon.


Corey Osman (JIRA)

Dec 14, 2015, 7:51:04 PM
to puppe...@googlegroups.com
Corey Osman commented on New Feature PUP-3745

Is this module usable yet?

I would agree with Nigel. I want to define users, and then I want to define their groups based on which software is deployed. I usually don't know those two pieces up front, which is why I can't do everything at once. Additionally, since we are using Centrify, many times the user doesn't even exist yet until the first login.


Sean McDonald (JIRA)

May 15, 2017, 6:09:02 PM
to puppe...@googlegroups.com
Sean McDonald updated an issue
 
Change By: Sean McDonald
Labels: redmine  triaged

Josh Cooper (JIRA)

May 15, 2017, 6:10:03 PM
to puppe...@googlegroups.com
Josh Cooper commented on New Feature PUP-3745
 
Re: Group membership should be a type of its own.

We've made improvements to user and group providers so that we can do things like define a group and ensure it contains a list of members without managing the user itself. There are other tickets about ensuring this works consistently for specific providers, e.g. directoryservice. I'm closing this as won't fix.

Moses Mendoza (JIRA)

May 18, 2017, 1:45:17 PM
to puppe...@googlegroups.com
Moses Mendoza updated an issue
 
Change By: Moses Mendoza
Labels: redmine  triaged

Alexander Fisher (JIRA)

May 26, 2017, 3:52:03 AM
to puppe...@googlegroups.com
Alexander Fisher commented on New Feature PUP-3745
 
Re: Group membership should be a type of its own.

Josh Cooper What improvements? I want to be able to add users to a group, only if the user exists (my users are defined in freeipa, but I want to add them to a local group). You specifically suggest this is possible. I don't think it is (on Linux at least).

On Linux, 'members' is not available for the 'group' type as 'manage_members' is not a provider feature of 'groupadd'. https://docs.puppet.com/puppet/latest/type.html#group-provider-features

You can't use the user type either. Even if you don't specify ensure => present, the user gets created if you try and manage other properties such as 'groups'. https://github.com/puppetlabs/puppet/blob/8009f02fe1f6c4d966dfb20c950855f2d67a203f/lib/puppet/type/user.rb#L79-L87

I was discussing this with Hunter (Hunner) Haugen on IRC last night. I think he was going to reopen this ticket.

Thanks,
Alex

Hunter (Hunner) Haugen (JIRA)

May 27, 2017, 5:53:03 PM
to puppe...@googlegroups.com

Josh Cooper The group type does have a :manages_members feature https://github.com/puppetlabs/puppet/blob/4.10.1/lib/puppet/type/group.rb#L16 but the groupadd provider does not support it: https://github.com/puppetlabs/puppet/blob/4.10.1/lib/puppet/provider/group/groupadd.rb#L11

To approach it from the user resource side, it can manage group membership but also defaults to managing the ensure of the user: https://github.com/puppetlabs/puppet/blob/4.10.1/lib/puppet/type/user.rb#L79-L87

Assuming ensure => present on resource management is common with respect to puppet types as ensurable does default to this when properties are managed: https://github.com/puppetlabs/puppet/blob/4.10.1/lib/puppet/property/ensure.rb#L94-L103

So there is no way to assign users to groups without also managing the ensure of a user with the groupadd provider.

Hunter (Hunner) Haugen (JIRA)

Jun 1, 2017, 1:03:02 PM
to puppe...@googlegroups.com

As mentioned, this is not solved, so reopening. If we are not going to provide such a mechanism, then feel free to re-close won't fix with a comment.

Josh Cooper (JIRA)

Jun 1, 2017, 1:14:03 PM
to puppe...@googlegroups.com
Josh Cooper commented on New Feature PUP-3745

Thanks Hunter (Hunner) Haugen and Alexander Fisher, I was conflating behavior of different providers. How hard would it be to add manages_members feature to the groupadd provider? It would be nice to have the auth_membership logic be consistent (so that you can either ensure the group contains at least the specified members, or the group only contains those members and nothing more).

Josh Cooper (JIRA)

Jul 10, 2017, 2:52:03 PM
to puppe...@googlegroups.com

Hunter (Hunner) Haugen (JIRA)

Jul 11, 2017, 8:03:02 PM
to puppe...@googlegroups.com
Hunter (Hunner) Haugen commented on New Feature PUP-3745
 
Re: Group membership should be a type of its own.

It looks like gpasswd supports setting/adding/removing users WRT groups, and the provider can enumerate a group's members. So pretty easy?
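
The two membership modes discussed in this thread (touch only the listed users, or make the group contain exactly the listed users), sketched as an added example that is not part of the thread and is not Puppet's provider code. The function names and the sample group line are hypothetical; `gpasswd -a`, `-d` and `-M` are the shadow-utils options for adding a user, removing a user and setting the member list.

```ruby
# Added example: plan gpasswd calls for one local group (hypothetical helper names).
require 'shellwords'

# Parse one /etc/group line ("name:passwd:gid:user1,user2") into [name, members].
def parse_group_line(line)
  name, _passwd, _gid, members = line.chomp.split(':', 4)
  [name, (members || '').split(',').reject(&:empty?)]
end

# Return the gpasswd command lines needed to reach the desired state.
#   present:       users that must be members
#   absent:        users that must not be members
#   authoritative: true  -> group ends up containing exactly `present`
#                  false -> only the listed users are touched, others left alone
#   known_users:   if given, users missing from this list are skipped, not added
def plan_membership(group_line, present: [], absent: [], authoritative: false, known_users: nil)
  group, current = parse_group_line(group_line)
  conflict = present & absent
  raise ArgumentError, "both present and absent: #{conflict.join(',')}" unless conflict.empty?

  wanted = known_users ? present & known_users : present
  if authoritative
    return [] if current.sort == wanted.sort
    return [['gpasswd', '-M', wanted.sort.join(','), group].shelljoin]
  end

  adds = (wanted - current).map { |u| ['gpasswd', '-a', u, group].shelljoin }
  dels = (absent & current).map { |u| ['gpasswd', '-d', u, group].shelljoin }
  adds + dels
end

# Constructed sample line, not taken from a real system.
SAMPLE = 'docker:x:998:alice,mallory'

if __FILE__ == $PROGRAM_NAME
  puts plan_membership(SAMPLE, present: %w[bob], absent: %w[mallory])
  puts plan_membership(SAMPLE, present: %w[alice bob], authoritative: true)
end
```

The planner only returns command strings, so it can be reviewed or logged before anything is executed as root.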

Owen Rodabaugh (JIRA)

Dec 28, 2017, 7:51:02 PM
to puppe...@googlegroups.com
Owen Rodabaugh updated an issue
 
Change By: Owen Rodabaugh
CS Priority: Reviewed

Geoff Nichols (JIRA)

Mar 24, 2018, 7:42:04 PM
to puppe...@googlegroups.com
Geoff Nichols updated an issue
Change By: Geoff Nichols
Labels: redmine type_and_provider

Branan Riley (JIRA)

May 9, 2018, 3:36:04 PM
to puppe...@googlegroups.com
Branan Riley updated an issue
Change By: Branan Riley
Labels: group redmine type_and_provider user

Branan Riley (JIRA)

May 9, 2018, 3:36:05 PM
to puppe...@googlegroups.com
Branan Riley updated an issue
Change By: Branan Riley
Labels: group redmine triaged type_and_provider user

Victor Engmark (JIRA)

Mar 12, 2019, 3:47:03 AM
to puppe...@googlegroups.com
Victor Engmark commented on New Feature PUP-3745
 
Re: Group membership should be a type of its own.

`groupadd`, at least on Arch Linux (from shadow-utils 4.6), supports `-r`/`--system`. Is this all that's needed to change the support matrix?

Bogdan Irimie (Jira)

Nov 5, 2020, 3:51:04 AM
to puppe...@googlegroups.com
Bogdan Irimie updated an issue
 
Change By: Bogdan Irimie
Sprint:

Bogdan Irimie (Jira)

Nov 5, 2020, 3:52:04 AM
to puppe...@googlegroups.com
Bogdan Irimie updated an issue
Change By: Bogdan Irimie
Sprint: ready for triage

Alexander Fisher (Jira)

Nov 18, 2020, 7:18:02 AM
to puppe...@googlegroups.com