Issue #19005 has been updated by John Moser.
Stefan Schulte wrote:
> I would not consider this a bug directly. It often makes sense so pass undef
> as a parameter to explicitly say you do not want to manage a property.
Interesting. This seems to be correct behavior for this case; however that is
complicated by the fact that Puppet's default membership is 'minimum' and this
is explicitly 'inclusive'. In that sense to say that if groups are not
defined, then I did not define any groups, thus this user should be in none.
In default, managed => minimum and so an undefined or empty set should do
nothing.
This becomes highly relevant in hiera, where you might have a yaml:
---
users:
baker:
uid: '1000'
group: 'users'
charlie:
uid: '1001'
group: 'users'
groups:
- 'sudo'
- 'admin'
If you were to call
user { managed => minimum }
create_resources(user, hiera('users'))
Suddenly you would get unexpected behavior. Thus you would need a ' groups:
[ ]' line for users in no groups.
This is a design decision. We can call it a bug or we can call it intended
behavior.
Warning on variables that have not been defined (not that have been set =
undef, i.e. are undefined) seems like a feature request.
----------------------------------------
Bug #19005: Useradd does not remove groups when 'inclusive'
https://projects.puppetlabs.com/issues/19005#change-82374
Author: John Moser
Status: Needs More Information
Priority: High
Assignee: John Moser
Category:
Target version:
Affected Puppet version: 3.0.2
Keywords:
Branch:
This is not a duplicate of #2249
I have some such block:
user { $title:
ensure => present,
name => $name,
gid => $gid,
groups => $totalgroups,
uid => $uid,
comment => $comment,
shell => $shell,
managehome => true,
membership => inclusive, # have tried in quotes too
password => $password,
tag => 'definedusers',
}
After repeated runs, it won't remove users from groups they don't belong in.
See:
$ cat /etc/group|grep sudo
sudo:x:27:baker,charlie
$ puppet agent --test
Notice: /Stage[main]//Node[common]/Create_user_type[echo]/User[echo]/groups:
groups changed 'puppet' to
'adm,cdrom,dip,lpadmin,plugdev,puppet,sambashare,sudo'
$ cat /etc/group|grep sudo
sudo:x:27:baker,charlie,echo
Puppet has added the user to sudo. I'll remove this from Hiera.
$ vi common.yaml
...
$ puppet agent --test
$ cat /etc/group|grep sudo
sudo:x:27:baker,charlie,echo
Puppet has NOT removed the user from
$ sudo usermod -G puppet echo
$ cat /etc/group|grep sudo
sudo:x:27:baker,charlie
$ puppet agent --test
$ cat /etc/group|grep sudo
sudo:x:27:baker,charlie
However puppet has not added the user back, either. It seems that the docs say
this should not happen:
membership
Whether specified groups should be considered the complete list
(inclusive) or the minimum
list (minimum) of groups to which the user belongs. Defaults to minimum.
Valid values are
inclusive, minimum.
-- http://docs.puppetlabs.com/references/latest/type.html#user
As shown above, the membership is "inclusive".
This breaks expected security-related behavior so priority is rather high.
$ puppet --version
3.0.2
--
You have received this notification because you have either subscribed to it,
or are involved in it.
To change your notification preferences, please click here:
http://projects.puppetlabs.com/my/account
--
You received this message because you are subscribed to the Google Groups
"Puppet Bugs" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To post to this group, send email to [email protected].
Visit this group at http://groups.google.com/group/puppet-bugs?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.
