On Wed, Mar 17, 2010 at 6:21 PM, Luke Kanies <[email protected]> wrote:
> On Mar 17, 2010, at 5:26 PM, Trevor Vaughan wrote:
>
>> I agree with David.
>>
>> Also:
>>
>> - I would make the defined attributes completely authoritative. If I'm
>> setting up sudoers, I want to define the entire file from top to bottom,
>> I specifically don't want to have cruft left around. This could perhaps
>> be an added on 'purge => "true"' option...
>
> Use the 'resources' type for this.
>
> On an unrelated note, we need to come up with a better way to do this. :/
> Some kind of site-wide policy, maybe, that says "remove unmanaged instances
> of resource types X, Y, and Z" or something.
>
>> - I would place your file into a temp file and then run 'visudo -c -f
>> <temp_file>' on it. Fail with an error if it fails and *do not* replace
>> the existing sudoers. This ensures that a typo won't hork your entire
>> installation.
>
> Entirely a great idea.

I agree that this should be implemented. What hook can I use to implement functionality that occurs after everything has been flushed?

>> Trevor
>>
>> On 03/17/2010 04:51 AM, David Schmitt wrote:
>>
>>> On 3/17/2010 5:25 AM, Dan Bode wrote:
>>>
>>>> Hi All,
>>>>
>>>> I have been working on a type/provider for sudoers and would appreciate
>>>> any feedback.
>>>>
>>>> It can be found at:
>>>>
>>>> http://github.com/bodepd/puppet-sudo
>>>>
>>>> There are some slight limitations documented in the README.
>>>>
>>>> Plenty of examples in the tests directory to get people started.
>>>>
>>>> It's a pretty interesting example of how to push the boundaries of
>>>> parsedfile.
>>>>
>>>> I anxiously await your criticisms :)
>>>
>>> uuuh, shiny :-)
>>>
>>> * It'd probably be nice to build the default file from resources in an
>>> optional class instead of shipping a default that has to be overridden
>>> and cannot be cleaned by the type (it has continuation lines).
>>>
>>> * Overloading the type with the three different types of records
>>> confuses me. Perhaps defines for each of the three types could improve
>>> the situation?
>>>
>>> * I'm sure you could improve on the design of the "Puppet NAMEVAR"
>>> stuff on users entries. I guess the problem there is that the "meat" of
>>> the sudoers file are (user, command) tuples which can be either
>>> specified from the command side (by a module) or the user side (by the
>>> site configuration). What about the following structure:
>>>
>>> | # site configuration
>>> | sudo_user_alias { 'sw_managers': users => [ 'dan', 'dave' ]; }
>>> |
>>> | # rpm module
>>> | sudo_cmd_alias { 'SOFTWARE': commands => [ '/bin/rpm', ... ]; }
>>> | sudo_permission { 'SOFTWARE': users => [ 'sw_managers' ]; }
>>>
>>> Best Regards, David
>>
>> --
>> Trevor Vaughan
>> Vice President, Onyx Point, Inc.
>> email: [email protected]
>> phone: 410-541-ONYX (6699)
>>
>> -- This account not approved for unencrypted sensitive information --
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Puppet Developers" group.
>> To post to this group, send email to [email protected].
>> To unsubscribe from this group, send email to
>> [email protected]<puppet-dev%[email protected]>.
>> For more options, visit this group at
>> http://groups.google.com/group/puppet-dev?hl=en.
>
> --
> A government that robs Peter to pay Paul can always depend on the
> support of Paul. -- George Bernard Shaw
>
> ---------------------------------------------------------------------
> Luke Kanies -|- http://reductivelabs.com -|- +1(615)594-8199
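
The validate-before-replace step proposed in the thread (write the candidate to a temp file, run `visudo -c -f` on it, and leave the existing sudoers untouched on failure), as an added Ruby example that is not part of the original messages or of puppet-sudo. `install_sudoers`, `VISUDO_CHECK` and the `validator` parameter are hypothetical names, and the code stands apart from any Puppet provider hook.

```ruby
require 'tempfile'

# Default check: visudo's check-only mode on an alternate file.
# system() returns nil when visudo is missing, which counts as a failure,
# so the helper fails closed.
VISUDO_CHECK = lambda do |path|
  system('visudo', '-c', '-f', path, out: File::NULL, err: File::NULL)
end

# Hypothetical helper: write the candidate content to a temp file in the
# same directory as the target, validate it, and rename it over the target
# only if validation passes. Returns true if installed, false if rejected.
def install_sudoers(target, content, validator: VISUDO_CHECK)
  # Same directory means same filesystem, so the rename below is atomic.
  tmp = Tempfile.create(['sudoers.', '.tmp'], File.dirname(target))
  begin
    tmp.chmod(0o440)      # mode sudo conventionally expects for sudoers
    tmp.write(content)
    tmp.flush
    tmp.fsync             # make sure the bytes are on disk before the swap
    tmp.close
    return false unless validator.call(tmp.path)

    File.rename(tmp.path, target)
    true
  ensure
    tmp.close unless tmp.closed?
    # Still present only if validation failed or an exception was raised.
    File.unlink(tmp.path) if File.exist?(tmp.path)
  end
end
```

The temp file inherits the ownership of the calling process, so when run as root the installed file is root-owned as sudo requires.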
