Issue #13875 has been updated by Jeff Weiss.

Status changed from Accepted to Needs Decision
Assignee set to Daniel Pittman

barttenbrinke has a patch for this. Here's a snip from the [pull request conversation](https://github.com/puppetlabs/puppet/pull/628):

In order to fix this properly, I've added an extra option to puppet: unless_uid. You can specify specific UIDs here or even Ranges of UIDs. UIDs that match these ranges will not be purged, even though purge => true. This way Puppet still automatically revokes access to the servers for Devs and Devops that are removed, while allowing Devs to deploy their own application.

Example:

<code>
<pre>
class users::resources {
  resources { 'user':
    purge              => true,
    unless_system_user => true,
    unless_uid         => [10_000..20_000];
  }
}
</pre>
</code>

Unless_uid accepts Integers, Ranges or Arrays with both. I also added specs for both the old and the new check_user behavior, as the old behaviour was not specced.

barttenbrinke has a contribution ready to go. Thoughts?

----------------------------------------
Feature #13875: Allow specified UIDs to be excluded from purge
https://projects.puppetlabs.com/issues/13875#change-60202

Author: Jeff Weiss
Status: Needs Decision
Priority: Normal
Assignee: Daniel Pittman
Category:
Target version:
Affected Puppet version:
Keywords:
Branch:

From barttenbrinke:

Currently there are only two options for user management: purge => true or purge => false. Purge true works great if all your apps are deployed via puppet, but when you have a mix of puppet system uids and application uids, you are forced to turn purge off. This has the undesired side-effect that users that are managed through puppet will never be revoked for the servers that have purge disabled.

At our company Devops deploys the servers & frameworks using Puppet so that Devs can take over and deploy applications on their own. Each of these applications runs under its own uid. For this reason we have to run with purge => false, which is something we don't want.

The only option available to alter this behavior is "unless_system_user => true", but this just protects users with a UID < 500 and that is not where I want to have my application UIDs.
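
An audit sketch of the purge decision this issue describes, added here as an illustration; it is not Puppet's code and not the code from the pull request. The helper names, the passwd sample and the managed-user list are constructed, and the UID < 500 system threshold is the one quoted in the issue text.

```ruby
# Added illustration; not Puppet's implementation. All names are hypothetical.
SYSTEM_UID_LIMIT = 500 # system-user threshold as quoted in the issue text

# Turn an unless_uid value (Integer, Range, or Array of both) into Ranges.
def normalize_unless_uid(spec)
  [spec].flatten.map do |item|
    case item
    when Range then item
    when Integer then (item..item)
    else raise ArgumentError, "unless_uid takes Integer or Range, got #{item.inspect}"
    end
  end
end

# Decide what purge => true would do to one account under the proposed options.
def purge_decision(uid, managed:, unless_system_user:, exempt_ranges:)
  return :managed if managed
  return :kept_system_user if unless_system_user && uid < SYSTEM_UID_LIMIT
  return :kept_unless_uid if exempt_ranges.any? { |r| r.cover?(uid) }
  :purged
end

# Constructed passwd-style sample: one managed user, one departed user,
# two application accounts on the range boundaries, one just outside it.
SAMPLE_PASSWD = <<~PASSWD
  root:x:0:0:root:/root:/bin/bash
  daemon:x:2:2:daemon:/sbin:/sbin/nologin
  alice:x:1001:1001:Alice (devops):/home/alice:/bin/bash
  bob:x:1002:1002:Bob (left the team):/home/bob:/bin/bash
  shop_app:x:10000:10000::/srv/shop:/bin/bash
  blog_app:x:20000:20000::/srv/blog:/bin/bash
  stray:x:20001:20001::/home/stray:/bin/bash
PASSWD

# Map every account name in passwd_text to its purge decision.
def audit(passwd_text, managed_names:, unless_uid:, unless_system_user: true)
  ranges = normalize_unless_uid(unless_uid)
  passwd_text.each_line.map(&:strip).reject(&:empty?).to_h do |line|
    name, _pw, uid = line.split(':')
    [name, purge_decision(Integer(uid), managed: managed_names.include?(name),
                          unless_system_user: unless_system_user, exempt_ranges: ranges)]
  end
end

REPORT = audit(SAMPLE_PASSWD, managed_names: %w[alice], unless_uid: [10_000..20_000])
REPORT.each { |name, decision| puts format('%-10s %s', name, decision) }
```

Accounts reported as `:kept_unless_uid` are unmanaged and survive every purge run, so that list is the one to review when access has to be revoked.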
