Details
- Type: Epic
- Status: Open
- Priority: High
- Resolution: Unresolved
- Affects Version/s: None
- Fix Version/s: None
- Component/s: None
- Labels: None
- Epic Name: Groups Promises
Description
A natural complement to the "users:" promise (https://docs.cfengine.com/docs/3.7/reference-promise-types-users.html), for managing local groups.
Acceptance Criteria
- Groups presence and absence can be managed on all supported platforms
- Group members can be managed on all supported platforms
- Documentation for groups promise type
- core examples for groups promise type
Examples
bundle agent my_group
{
  groups:
    "nickanderson-group"
      policy => "present", # Whether the group is present or absent, not the members in it
      gid => "5",
      members => nickanderson_group_members;

    "developers"
      members => developers;
}

body members nickanderson_group_members
{
  only => { "nickanderson" };
}

body members developers
{
  include => { "nickanderson", "lars" }; # Mutually exclusive with only
  exclude => { "thomas", "ole" }; # Mutually exclusive with only
}
- If group with same name and different gid exists
  - The gid should be changed?
    - Nick: I think the gid should be rectified
  - What about files that already exist with the old GID
    - Nick: That would require a separate files promise to rectify
- If group with different name and same gid exists
  - Nick: I would expect the promise to error/fail and be not-kept (since this spec doesn't cover the -o option to groupadd)
Implementation notes
- groups type promises should be actuated before users type promises in the normal order
- Order of operations should be similar to that of other promises like edit_lines (delete, insert): "absent applied first, then present". Exclusive then becomes absent=.* plus present=whatever-I-need
- If a group is promised without a policy then action is only taken if the group exists.
- Each group member is evaluated individually
  - A missing member will not prevent a subsequent member from being managed properly
  - It will not be uncommon for this promise to produce multiple outcomes (both kept and not-kept at the same time)
- When a member that does not exist is promised to be a member
  - The promise is not kept
- When a member that does not exist is promised to be absent
  - The promise is kept
- ERROR if gid is specified on unsupported platform
- ERROR if system_group is specified on unsupported platform
- ERROR if allow_duplicate_gid is specified on an unsupported platform
- ERROR when gid attribute is used on unsupported platform (Windows)
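The member rules in the implementation notes above, modelled as an added Python example (not CFEngine code and not part of the ticket). It assumes a successful change is reported as "repaired", as with other CFEngine promise types; the function name and the sample system state are constructed.

```python
# Added model of the ticket's member rules; not CFEngine code.
def evaluate_members(current, system_users, include=(), exclude=(), only=None):
    """Return (final_members, outcomes) for one group.

    outcomes maps each promised user to "kept", "repaired" or "not-kept".
    "repaired" (a change was made) is an assumption borrowed from other
    CFEngine promise types; the ticket only names kept and not-kept.
    """
    if only is not None and (include or exclude):
        raise ValueError("only is mutually exclusive with include/exclude")
    members = set(current)
    outcomes = {}
    if only is not None:
        # exclusive = absent=.* plus present=<list>; removing just the members
        # outside the list reaches the same end state.
        exclude = sorted(members - set(only))
        include = only
    # Absent is applied first, then present.
    for user in exclude:
        if user in members:
            members.discard(user)
            outcomes[user] = "repaired"
        else:
            # Includes users that do not exist on the system: promise kept.
            outcomes[user] = "kept"
    for user in include:
        if user not in system_users:
            # Cannot be added; later members are still evaluated.
            outcomes[user] = "not-kept"
        elif user in members:
            outcomes[user] = "kept"
        else:
            members.add(user)
            outcomes[user] = "repaired"
    return members, outcomes


if __name__ == "__main__":
    # Constructed system state: "lars" has no account, "thomas" is a member.
    users = {"nickanderson", "thomas", "ole"}
    final, result = evaluate_members(
        {"thomas"}, users,
        include=["nickanderson", "lars"], exclude=["thomas", "ole"])
    print(sorted(final), result)
```

A single "developers" promise here yields kept, repaired and not-kept outcomes at once, which is the mixed result the notes anticipate.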
Q/A
What is the minimum groups promise?
bundle agent main
{
groups:
"mygroup";
}
- policy defaults to present so by default simply listing a group name asserts that the group is present.