Jira (PUP-3232) User group membership duplication when group list created from multiple sources
Title: Message Title Geoff Nichols assigned an issue to Unassigned Puppet / PUP-3232 User group membership duplication when group list created from multiple sources Change By: Geoff Nichols Assignee: Eric Sorenson Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-3232) User group membership duplication when group list created from multiple sources
Title: Message Title Geoff Nichols updated an issue Puppet / PUP-3232 User group membership duplication when group list created from multiple sources Change By: Geoff Nichols Labels: ldap needs_decision puppet type_and_provider user Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-3232) User group membership duplication when group list created from multiple sources
Title: Message Title Geoff Nichols assigned an issue to Eric Sorenson Puppet / PUP-3232 User group membership duplication when group list created from multiple sources Change By: Geoff Nichols Assignee: Kylo Ginsberg Eric Sorenson Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-3232) User group membership duplication when group list created from multiple sources
Title: Message Title Reid Vandewiele commented on PUP-3232 Re: User group membership duplication when group list created from multiple sources On a system configured with two nssswitch.conf entries for passwd, the following can occur. Consider this script: #!/opt/puppetlabs/puppet/bin/ruby require 'etc' user = 'splunk' groups = [] Etc.setgrent while group = ::Etc.getgrent groups << group if group.mem.include? user end Etc.endgrent puts groups
Jira (PUP-3232) User group membership duplication when group list created from multiple sources
Title: Message Title Moses Mendoza updated an issue Puppet / PUP-3232 User group membership duplication when group list created from multiple sources Change By: Moses Mendoza Labels: needs_decision puppet triaged user Add Comment This message was sent by Atlassian JIRA (v6.4.14#64029-sha1:ae256fe) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-3232) User group membership duplication when group list created from multiple sources
Title: Message Title Rob Browning updated an issue Puppet / PUP-3232 User group membership duplication when group list created from multiple sources Change By: Rob Browning Labels: needs_decision puppet triaged user Add Comment This message was sent by Atlassian JIRA (v6.4.14#64029-sha1:ae256fe) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-3232) User group membership duplication when group list created from multiple sources
Title: Message Title Jarret Lavallee updated an issue Puppet / PUP-3232 User group membership duplication when group list created from multiple sources Change By: Jarret Lavallee Team: Agent Add Comment This message was sent by Atlassian JIRA (v6.4.14#64029-sha1:ae256fe) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-3232) User group membership duplication when group list created from multiple sources
Title: Message Title Aaron Hicks commented on PUP-3232 Re: User group membership duplication when group list created from multiple sources The use case we had was: local admin users were being created with the same UID and GID by puppet and setting group membership using the group names user membership to group is provided by LDAP This was to preload these accounts with SSH keys and ensure consistent UID and GID across machines. So when puppet checks that a user membership it gets the admin groups duplicated (local + ldap) and tries to change it to be deduplicated which reasserts local membership but does nothing for the LDAP membership. Add Comment This message was sent by Atlassian JIRA (v6.3.7#6337-sha1:2ed701e) -- You received this message because you are subscribed to the Google Groups Puppet Bugs group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at http://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-3232) User group membership duplication when group list created from multiple sources
Title: Message Title Aaron Hicks commented on PUP-3232 Re: User group membership duplication when group list created from multiple sources For the original case in question, why not have two different groups, one local, one in LDAP, and both have sudo access? That violates our security policy that admin accounts are authenticated and authorised by LDAP group membership Add Comment This message was sent by Atlassian JIRA (v6.3.7#6337-sha1:2ed701e) -- You received this message because you are subscribed to the Google Groups Puppet Bugs group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at http://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-3232) User group membership duplication when group list created from multiple sources
Title: Message Title Kylo Ginsberg commented on an issue Re: User group membership duplication when group list created from multiple sources Adrien Thebo I'm looking for more feedback on what to do with this ticket/PR. E.g. I'm now wondering if there are valid use cases that would get broken if we fixed the immediate issue. (And also not sure how to repro the immediate issue.) Any thoughts? Add Comment Puppet / PUP-3232 User group membership duplication when group list created from multiple sources n a Puppet node that has multiple group directories (e.g. /etc/group and LDAP) puppet may end up with groups listed multiple times in a user's group list. This leads to a state of constant change where puppet detects the muliple entries and tries to remove them (when nothing is wrong). This change ensures that a user's group list only contains unique e... This message was sent by Atlassian JIRA (v6.1.4#6159-sha1:44eaede) -- You received this message because you are subscribed to the Google Groups Puppet Bugs group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send
Jira (PUP-3232) User group membership duplication when group list created from multiple sources
Title: Message Title Adrien Thebo commented on an issue Re: User group membership duplication when group list created from multiple sources This change makes me a bit nervous because we're assuming that groups that have the same name also have the same GID and user list, which isn't necessarily the case. Deduplicating the groups by name will mask the issue, but are we assuming that we should only return the first group indicated by NSS? For the original case in question, why not have two different groups, one local, one in LDAP, and both have sudo access? Add Comment Puppet / PUP-3232 User group membership duplication when group list created from multiple sources n a Puppet node that has multiple group directories (e.g. /etc/group and LDAP) puppet may end up with groups listed multiple times in a user's group list. This leads to a state of constant change where puppet detects the muliple entries and tries to remove them (when nothing is wrong). This change ensures that a user's group list only contains unique e... This message was sent by Atlassian JIRA (v6.1.4#6159-sha1:44eaede) -- You received this message because
Jira (PUP-3232) User group membership duplication when group list created from multiple sources
Title: Message Title Adrien Thebo updated an issue Puppet / PUP-3232 User group membership duplication when group list created from multiple sources Change By: Adrien Thebo Component/s: CatalogApplication Add Comment This message was sent by Atlassian JIRA (v6.1.4#6159-sha1:44eaede) -- You received this message because you are subscribed to the Google Groups Puppet Bugs group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at http://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-3232) User group membership duplication when group list created from multiple sources
Title: Message Title Kylo Ginsberg commented on an issue Re: User group membership duplication when group list created from multiple sources Aaron Hicks first, sorry for the delay in getting to this ticket and PR. I got to look at it a little bit this afternoon. Re the spec failure: that is because that test is testing a different code path, the one used by `listbynames` (in turn used by `instances`). So that spec test could be addressed by adding a `.uniq` to `listbynames`. (It also means that the test change in the PR isn't testing the code changed in the PR). But the larger question I have is whether there are valid use cases for multiple entries from different user providers? I.e. is automatic de-duplication always desirable? And in your use case above, i.e. a state of constant change where puppet detects the multiple entries and tries to remove them - can you provide more info on what is happening (perhaps an agent run with --debug)? I haven't rigged up the dual groups/ldap scenario you've described to experiment with this so I'm missing why puppet is trying to remove entries. Add Comment Puppet / PUP-3232 User group membership duplication when group list created from multiple sources n a Puppet node that has multiple group directories (e.g. /etc/group and LDAP) puppet may end up with groups listed multiple times in a user's group list. This leads to a state of constant change where puppet detects the muliple entries and tries to remove them (when nothing is wrong). This change ensures that a user's group list only contains unique e...
Jira (PUP-3232) User group membership duplication when group list created from multiple sources
Title: Message Title Rob Reynolds updated an issue Puppet / PUP-3232 User group membership duplication when group list created from multiple sources Change By: Rob Reynolds Assignee: KyloGinsberg Add Comment This message was sent by Atlassian JIRA (v6.1.4#6159-sha1:44eaede) -- You received this message because you are subscribed to the Google Groups Puppet Bugs group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at http://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-3232) User group membership duplication when group list created from multiple sources
Title: Message Title Aaron Hicks commented on an issue Re: User group membership duplication when group list created from multiple sources I've added at test to `spec/unit/type/user_spec.rb` which reveals that there are multiple causes of this issue. Add Comment Puppet / PUP-3232 User group membership duplication when group list created from multiple sources n a Puppet node that has multiple group directories (e.g. /etc/group and LDAP) puppet may end up with groups listed multiple times in a user's group list. This leads to a state of constant change where puppet detects the muliple entries and tries to remove them (when nothing is wrong). This change ensures that a user's group list only contains unique e... This message was sent by Atlassian JIRA (v6.1.4#6159-sha1:44eaede) -- You received this message because you are subscribed to the Google Groups Puppet Bugs group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at http://groups.google.com/group/puppet-bugs. For more options, visit
Jira (PUP-3232) User group membership duplication when group list created from multiple sources
Title: Message Title Aaron Hicks commented on an issue Re: User group membership duplication when group list created from multiple sources I think that may have been the wrong thing to do. I've modified the group list in `spec/unit/provider/nameservice_spec.rb` to duplicate the `bin` group, and this is not being deduplicated. Changes: https://github.com/puppetlabs/puppet/commit/995faf615df82a82a2507f10fd74bd3d13dd764b Test output: https://travis-ci.org/puppetlabs/puppet/jobs/35070431 I'm not sure if this means the test is correct, as I read the test as evaluating the output of `getgrent` rather than the groups list returned by `nameserver.rb` Add Comment Puppet / PUP-3232 User group membership duplication when group list created from multiple sources n a Puppet node that has multiple group directories (e.g. /etc/group and LDAP) puppet may end up with groups listed multiple times in a user's group list. This leads to a state of constant change where puppet detects the muliple entries and tries to remove them (when nothing is wrong). This change ensures that a user's group list only contains unique e... This message was sent by Atlassian JIRA (v6.1.4#6159-sha1:44eaede)
Jira (PUP-3232) User group membership duplication when group list created from multiple sources
Title: Message Title Aaron Hicks created an issue Puppet / PUP-3232 User group membership duplication when group list created from multiple sources Issue Type: Bug Assignee: Unassigned Created: 10/Sep/14 6:52 PM Environment: Where a node is configured to use group information from multiple sources. Labels: puppet user Priority: Normal Reporter: Aaron Hicks n a Puppet node that has multiple group directories (e.g. /etc/group and LDAP) puppet may end up with groups listed multiple times in a user's group list. This leads to a state of constant change where puppet detects the muliple entries and tries to remove them (when nothing is wrong). This change ensures that a user's group list only contains unique entries and no duplicates. (We have local groups as a fail-over when LDAP is unavailable as we use groups for sudo authentication) Solution provided with PR on GitHub: https://github.com/puppetlabs/puppet/pull/3027
Jira (PUP-3232) User group membership duplication when group list created from multiple sources
Title: Message Title Kylo Ginsberg updated an issue Puppet / PUP-3232 User group membership duplication when group list created from multiple sources Change By: Kylo Ginsberg Component/s: Community Add Comment This message was sent by Atlassian JIRA (v6.1.4#6159-sha1:44eaede) -- You received this message because you are subscribed to the Google Groups Puppet Bugs group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at http://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.