Issue #7241 has been updated by Jeremy Huntwork.
The stable documentation already says that the parameter 'members' exists where
the feature 'manages_members' is available. I don't know if this was considered
yet, but for shadow-based systems, ensuring explicit membership for a group is
as easy as:
<pre>
gpasswd -M user1,user2,... group
</pre>
You could, therefore, enable the manages_members feature for shadow-based
systems and expect that the 'members' param for the group type is a complete
list of its secondary members, if specified. One issue I can see with doing
that is it could conflict with what may have been declared for a user with the
groups param. It does, however, fit better with the declarative nature of
puppet - group, be this way, have these secondary members.
There is another workaround that I can see: change the groups param of the user
type to be an exhaustive, complete list of secondary groups that this user
belongs to, instead of a list of groups that should be added to the user's set
of current groups, which appears to be the default behavior. If it's felt that
appending should be allowed, then add a param which can switch the list
meanings to 'append' vs 'complete'. If complete is chosen and groups == undef,
then remove the user from any secondary groups, the same as doing:
<pre>
usermod -G '' user
</pre>
As an aside, I was able to work around the current limitations by doing:
<pre>
define users::groupmng ($members) {
  $group = $title
  # Ensure group has only members specified
  exec { "gpasswd -M ${members} ${group}":
    path    => ['/bin','/usr/bin','/sbin','/usr/sbin'],
    require => [Group["$group"], User["${members}"]],
  }
}
class users::human {
  $wheel = ['...']
  ...
}
users::groupmng { 'wheel':
  members => $users::human::wheel
}
</pre>
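An added example, not part of the original comment or of Puppet: a drift check that could serve as an `unless` guard for an exec like the one above, so that `gpasswd -M` runs only when the group's member list differs from the declared complete list. The helper name `membership_drift` and the sample group data are constructed for illustration.

```shell
# Constructed sample in group(5) format: name:password:GID:member,member,...
sample_group() {
    cat <<'EOF'
root:x:0:
wheel:x:10:alice,mallory
users:x:100:alice,bob,carol
EOF
}

# membership_drift GROUP DESIRED_CSV [FILE]   (hypothetical helper name)
# Compares the member list of GROUP in FILE (default /etc/group, "-" = stdin)
# with the complete list in DESIRED_CSV, ignoring order.
# Prints "+user" for each missing member and "-user" for each unexpected one.
# Returns 0 when the lists match, 1 on drift, 2 when the group is absent.
# Only the member field is read; users whose primary group is GROUP
# are not listed there.
membership_drift() {
    out=$(awk -F: -v g="$1" -v want="$2" '
        BEGIN {
            n = split(want, w, ",")
            for (i = 1; i <= n; i++) if (w[i] != "") need[w[i]] = 1
        }
        $1 == g {
            found = 1
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") have[m[i]] = 1
        }
        END {
            if (!found) { print "!" g; exit 2 }
            for (u in need) if (!(u in have)) { print "+" u; drift = 1 }
            for (u in have) if (!(u in need)) { print "-" u; drift = 1 }
            exit drift + 0
        }' "${3:-/etc/group}") && rc=0 || rc=$?
    [ -z "$out" ] || printf '%s\n' "$out" | LC_ALL=C sort
    return "$rc"
}

# Demo on the constructed sample: wheel should contain exactly alice and bob.
sample_group | membership_drift wheel "alice,bob" - || echo "drift (exit $?)"
```

The `-user` lines are the ones worth reviewing for a privileged group such as wheel, since they name accounts that hold membership without being declared.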
----------------------------------------
Feature #7241: Group membership should be a type of its own.
https://projects.puppetlabs.com/issues/7241
Author: Nigel Kersten
Status: Accepted
Priority: Normal
Assignee:
Category:
Target version: Telly
Affected Puppet version:
Keywords:
Branch:
It's very difficult right now to express declarative statements like:
* Ensure this user is not in this group, leave it alone otherwise
* Ensure this user is in this group without defining the user, leave it alone
otherwise.
I propose that we move group membership to a type of its own. That would also
allow us to abstract away the differences between different platforms, some of
which consider membership to be an attribute of the group, some of which
consider it to be an attribute of the user.
It would allow us to remove all the "authoritative" settings for user/group
membership, as they would move to this type instead.