  1. CFEngine Community
  2. CFE-2215

Local group management promise



    • Type: Epic
    • Status: Open
    • Priority: High
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels:
    • Epic Name:
      Groups Promises


      A natural complement to the users promise (https://docs.cfengine.com/docs/3.7/reference-promise-types-users.html) to manage local groups.

      Acceptance Criteria

      • Groups presence and absence can be managed on all supported platforms
      • Group members can be managed on all supported platforms
      • Documentation for groups promise type
      • core examples for groups promise type


      bundle agent my_group
      {
        groups:
          "GROUP_NAME_1" # placeholder: promiser is missing from the page
            policy => "present", # Whether the group is present or absent, not the members in it
            gid => "5",
            members => nickanderson_group_members;
          "GROUP_NAME_2" # placeholder: promiser is missing from the page
            members => developers;
      }
      body members nickanderson_group_members
      {
        only => { "nickanderson" };
      }
      body members developers
      {
        include => { "nickanderson", "lars" }; # Mutually exclusive with only
        exclude => { "thomas", "ole" };        # Mutually exclusive with only
      }
      • If group with same name and different gid exists
        • The gid should be changed?
        • Nick: I think the gid should be rectified
          • What about files that already exist with the old GID?
            • Nick: That would require a separate files promise to rectify
      • If group with different name and same gid exists
        • Nick: I would expect the promise to error/fail and be not-kept (since this spec doesn't cover the -o option to groupadd)

      Implementation notes

      • groups type promises should be actuated before users type promises in the normal order
      • Order of operations should be similar to that of other promises like edit_lines (delete, insert): "absent" is applied first, then "present"; "exclusive" then becomes absent=.* plus present=whatever-I-need
      • If a group is promised without a policy then action is only taken if the group exists.
      • Each group member is evaluated individually
        • A missing member will not prevent a subsequent member from being managed properly
        • It will not be uncommon for this promise to produce multiple outcomes (both kept and not-kept at the same time)
      • When a member that does not exist is promised to be a member
        • The promise is not kept
      • When a member that does not exist is promised to be absent
        • The promise is kept
      • ERROR if gid is specified on unsupported platform
      • ERROR if system_group is specified on unsupported platform
      • ERROR if allow_duplicate_gid is specified on an unsupported platform
      • ERROR when gid attribute is used on unsupported platform (windows)
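
The member-evaluation rules in the notes above, modelled as an added Python sketch (not CFEngine code and not part of the original issue). The function name, its parameters and the "repaired" outcome label are assumptions made for illustration; the sample group data is constructed.

```python
def evaluate_members(current, existing_users, only=None, include=(), exclude=()):
    """Model one group's member promises; return (final_members, outcomes).

    outcomes is a list of (member, promised_state, result) tuples where
    result is "kept", "repaired" (a change was made) or "not-kept".
    """
    if only is not None and (include or exclude):
        raise ValueError("only is mutually exclusive with include/exclude")
    final = set(current)
    if only is not None:
        # Exclusive list: absent=.* plus present=<only>. Members already in
        # the list are left alone rather than removed and re-added.
        want_present = set(only)
        want_absent = final - want_present
    else:
        want_present, want_absent = set(include), set(exclude)

    outcomes = []
    # "absent" is applied first, each member evaluated individually.
    for member in sorted(want_absent):
        if member in final:
            final.discard(member)
            outcomes.append((member, "absent", "repaired"))
        else:
            # Also covers users that do not exist: absence is already true.
            outcomes.append((member, "absent", "kept"))
    # Then "present"; one failure does not stop the remaining members.
    for member in sorted(want_present):
        if member in final:
            outcomes.append((member, "present", "kept"))
        elif member not in existing_users:
            outcomes.append((member, "present", "not-kept"))
        else:
            final.add(member)
            outcomes.append((member, "present", "repaired"))
    return final, outcomes


if __name__ == "__main__":
    # Constructed sample: "lars" and "ole" have no local account.
    users = {"root", "nickanderson", "thomas"}
    members, results = evaluate_members(
        {"root", "nickanderson", "thomas"}, users,
        include=["nickanderson", "lars"], exclude=["thomas", "ole"])
    print(sorted(members))
    for row in results:
        print(row)
```

The constructed run yields kept, repaired and not-kept results from a single promise, which is the mixed outcome the notes anticipate.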


      What is the minimum groups promise?

      bundle agent main
      • policy defaults to present so by default simply listing a group name asserts that the group is present.



                larsewi Lars Erik Wik
                a10003 Eystein Maloy Stenberg