Issue #8418 has been updated by Daniel Pittman.

I am concerned about this proposal: at least one use of audit is to verify that 
a machine is compliant with the expected state.

If we had this resource:

<pre>
file { "/etc/sudoers":
  owner  => 'root',
  group  => 'root',
  source => 'puppet:///sudoers',
  audit  => all,
}
</pre>

…I would (reasonably) expect that this would audit the state on disk:

1. Is the owner root?
2. Is the group root?
3. Is the content equivalent to the content on my master?

If we don't audit `source`, wouldn't this result in question three being 
silently ignored?  That would be bad.

(...and, yes, clearly changes to the file on the server could cause the inspect 
to fail; this is the same issue we have with caching catalogs currently, and 
which the static compiler would resolve.)
----------------------------------------
Bug #8418: puppet auditing shouldn't audit parameters
https://projects.puppetlabs.com/issues/8418

Author: Nigel Kersten
Status: Accepted
Priority: Normal
Assignee: 
Category: 
Target version: 2.6.x
Affected Puppet version: 
Keywords: 
Branch: 


<pre>

  file { "/etc/ssh/ssh_config":
    ensure => file,
    source => "puppet:///modules/base/ssh_config",
    audit  => all,
  }

root@debian5-1:~# puppet inspect
err: /Stage[main]/Base/File[/etc/ssh/ssh_config]: Could not inspect 
File[/etc/ssh/ssh_config]; skipping: Could not retrieve information from 
source(s) puppet:///modules/base/ssh_config at 
/etc/puppet/env/dev/modules/base/manifests/init.pp:35
</pre>

We shouldn't be auditing parameters, only properties.
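
Added example, not part of the issue and not Puppet's code: a small Ruby model of the concern raised in the comment above, showing that dropping the `source` parameter outright also drops the content check, while resolving it to a content digest keeps question three and reports an unreachable master as an explicit finding. The names `audit_file`, `fetch`, `skip_parameters` and `demo` are hypothetical, and the sample file bodies are constructed.

```ruby
require 'digest'
require 'tempfile'

# Constructed model, not Puppet's implementation. `fetch` stands in for
# retrieving the file body from the master; it returns nil when unreachable.
def audit_file(path, expected, fetch:, skip_parameters: false)
  stat = File.stat(path)
  findings = {}
  findings[:owner] = (stat.uid == expected[:owner] ? :ok : :drift) if expected.key?(:owner)
  findings[:group] = (stat.gid == expected[:group] ? :ok : :drift) if expected.key?(:group)

  # `source` is a parameter: it names where the content comes from, it is not
  # state on disk. Dropping it outright also drops the content check.
  return findings if skip_parameters || !expected.key?(:source)

  body = fetch.call(expected[:source])
  findings[:content] =
    if body.nil?
      :unverified # report the gap instead of skipping the whole resource
    elsif Digest::SHA256.hexdigest(body) == Digest::SHA256.file(path).hexdigest
      :ok
    else
      :drift
    end
  findings
end

def demo
  master = { 'puppet:///sudoers' => "root ALL=(ALL) ALL\n" } # constructed sample
  file = Tempfile.new('sudoers')
  file.write("root ALL=(ALL) ALL\n%admin ALL=(ALL) ALL\n") # constructed drifted copy
  file.flush
  st = File.stat(file.path)
  want = { owner: st.uid, group: st.gid, source: 'puppet:///sudoers' }
  {
    skipped:     audit_file(file.path, want, fetch: master.method(:[]), skip_parameters: true),
    audited:     audit_file(file.path, want, fetch: master.method(:[])),
    unreachable: audit_file(file.path, want, fetch: ->(_) { nil })
  }
ensure
  file&.close!
end

pp demo if $PROGRAM_NAME == __FILE__
```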

