  1. CFEngine Community
  2. CFE-2502

Extend users type promise so that secondary groups can be specified as a partial set


    Details

    • Type: Story
    • Status: Open
    • Priority: Medium
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels:

      Description

      Currently, the groups_secondary attribute only synchronizes the list of groups for the user, meaning it could potentially add the user to new groups and also remove the user from existing groups. We live in an imperfect world where partial knowledge is always a problem; you may not know which groups the user is currently a member of, which makes the outcome undesired.

      The functions requested in #CFE-2499, #CFE-2500, and #CFE-2501 would make it possible to gather enough information about the existing state to make a promise about all of the groups a user should be in.

      Another alternative would be perhaps to extend the promise type to allow a group change that would only add or only remove the groups specified instead of synchronizing them.

      Syntax Proposals

      New groups_secondary_action attribute

      • Nick's primary group is nickanderson
      • Nick is currently a part of users

      This promise should ensure that Nick is also a member of the admin group because the group action is "include". usermod -a -G should be used to ensure that the admin group is appended to the user's groups. The result should be that Nick is in the nickanderson group (primary) and additionally part of users and admin groups.

      bundle agent main
      {
        users:
      
          "nickanderson"
            policy => "present", 
            group => "nickanderson",
            groups_secondary_action => "include",
            groups_secondary => { "admin" };
      
      }
      

      • Nick's primary group is nickanderson
      • Nick is currently a part of users and admin groups

      This promise should ensure that Nick is not a member of the users group because the group action is "exclude". The result should be that Nick is in the nickanderson group (primary) and additionally part of the admin group.

      bundle agent main
      {
        users:
      
          "nickanderson"
            policy => "present", 
            group => "nickanderson",
            groups_secondary_action => "exclude",
            groups_secondary => { "users" };
      
      }
      

      • Nick's primary group is nickanderson
      • Nick is currently a part of developers group

      This promise should ensure that Nick is a member of the users group because the group action is "set". The result should be that Nick is in the nickanderson group (primary) and additionally part of the users and admin groups.

      bundle agent main
      {
        users:
      
          "nickanderson"
            policy => "present", 
            group => "nickanderson",
            groups_secondary_action => "set", # DEFAULT VALUE
            groups_secondary => { "users", "admin" };
      
      }
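
The three proposed actions can be modelled as set operations on the user's current secondary groups. The sketch below is an added example, not CFEngine code or part of the original issue. The function names and the /etc/group-style sample are constructed for illustration. It shows which memberships each action would add or remove, including the silent removal that "set" causes when the current state is only partly known.

```python
# Added illustration of the proposed groups_secondary_action semantics.
# SAMPLE_GROUP_FILE is constructed data in /etc/group format (name:pw:gid:members).
SAMPLE_GROUP_FILE = """\
nickanderson:x:1000:
users:x:100:nickanderson
developers:x:1001:nickanderson,alice
admin:x:27:alice
"""

def secondary_groups(group_text, user):
    """Return the groups that list `user` in the member field.

    The primary group comes from /etc/passwd and is not reported here.
    """
    found = set()
    for line in group_text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) != 4:
            continue  # skip comments and malformed lines
        name, members = fields[0], fields[3]
        if user in [m for m in members.split(",") if m]:
            found.add(name)
    return found

def plan(current, specified, action="set"):
    """Compute the membership change for one promise (hypothetical helper)."""
    current, specified = set(current), set(specified)
    if action == "include":      # only add, like usermod -a -G
        target = current | specified
    elif action == "exclude":    # only remove the listed groups
        target = current - specified
    elif action == "set":        # synchronize: unlisted groups are dropped
        target = specified
    else:
        raise ValueError(f"unknown groups_secondary_action: {action!r}")
    return {
        "add": sorted(target - current),
        "remove": sorted(current - target),
        "result": sorted(target),
    }

if __name__ == "__main__":
    now = secondary_groups(SAMPLE_GROUP_FILE, "nickanderson")
    for action, groups in (("include", {"admin"}),
                           ("exclude", {"users"}),
                           ("set", {"users", "admin"})):
        print(action, plan(now, groups, action))
```

Reviewing the "remove" list before applying a "set" promise shows any membership that would be revoked without having been named in the policy.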
      

              People

              • Assignee:
                Unassigned
                Reporter:
                a10042 Nick Anderson