Issue #7241 has been updated by Daniel Pittman.

> Nigel Kersten wrote:
>> I propose that we move group membership to a type of its own. That would
>> also allow us to abstract away the differences between different platforms,
>> some of which consider membership to be an attribute of the group, some of
>> which consider it to be an attribute of the user.
>
> I’m not very comfortable with this. I do agree that it would be useful to
> abstract away operating system differences, but I don’t see why it is
> necessary to introduce a new resource type to do so. Why can the User and /
> or Group providers not be made smarter instead? Just choose one of those
> resource types as the Puppet-level locus for managing group membership. This
> is more or less the standard Puppet approach: system differences are
> accommodated at the provider level.
>
> As for ensuring group non-membership, that can be accomplished by adding a
> parameter to (say) User. For example:
>
>     user { "untrusted":
>         excluded_groups => [ 'extra_privileged' ]
>     }

So, the problem with this approach is that you can't reasonably
express "only this membership set" in a useful way, unless we
introduce something even "smarter" like glob / regex matching in that
parameter.  Otherwise, consider the case where someone creates a new,
local group, "frobnitz", and adds "untrusted" to it.  If "frobnitz"
gates access to something, it is probably ... not desirable that
"untrusted" get it. :)

This is suggesting something analogous to building firewall rules: if
you try to express what *shouldn't* be, you will end up with an
infinitely long list, or end up missing something.  Better to
whitelist what is permitted, in the cases where that is the applicable
model.  (e.g. some, but not all, security models for group membership
of users. :)
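To make the denylist-versus-allowlist point concrete, here is an added example (not code from the issue, from the reply, or from Puppet) that parses constructed /etc/group lines and evaluates both policies for the "untrusted" / "frobnitz" case; the function names and the sample file contents are assumptions of this example.

```python
# Added example (not from the issue or Puppet's code): model the two policies
# the thread contrasts for group membership and show where an exclusion
# list silently misses a newly created group.

def parse_etc_group(text):
    """Parse /etc/group-style lines into {user: set_of_groups} (supplementary groups only)."""
    membership = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue  # malformed entry, skip rather than guess
        group = fields[0]
        for user in filter(None, fields[3].split(",")):
            membership.setdefault(user, set()).add(group)
    return membership

def check_excluded(groups, excluded):
    """Denylist policy (the quoted `excluded_groups` idea): only listed groups count as violations."""
    return set(groups) & set(excluded)

def check_inclusive(groups, allowed):
    """Allowlist policy ("only this membership set"): any group not allowed is a violation."""
    return set(groups) - set(allowed)

# Constructed sample (assumption): someone created a local group "frobnitz"
# and added "untrusted" to it, as in the scenario described in the reply.
SAMPLE_ETC_GROUP = """\
root:x:0:
users:x:100:untrusted,alice
extra_privileged:x:1001:alice
frobnitz:x:1002:untrusted
"""

def audit(text, user, excluded, allowed):
    """Return the groups each policy would flag for `user`, sorted for stable comparison."""
    groups = parse_etc_group(text).get(user, set())
    return {
        "excluded_policy": sorted(check_excluded(groups, excluded)),
        "inclusive_policy": sorted(check_inclusive(groups, allowed)),
    }

if __name__ == "__main__":
    # The denylist reports nothing; the allowlist catches "frobnitz".
    print(audit(SAMPLE_ETC_GROUP, "untrusted", ["extra_privileged"], ["users"]))
```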
----------------------------------------
Feature #7241: Group membership should be a type of its own.
https://projects.puppetlabs.com/issues/7241

Author: Nigel Kersten
Status: Accepted
Priority: Normal
Assignee: 
Category: 
Target version: Telly
Affected Puppet version: 
Keywords: 
Branch: 


It's very difficult right now to express declarative statements like:

  * Ensure this user is not in this group, leave it alone otherwise
  * Ensure this user is in this group without defining the user, leave it alone otherwise.

I propose that we move group membership to a type of its own. That would also 
allow us to abstract away the differences between different platforms, some of 
which consider membership to be an attribute of the group, some of which 
consider it to be an attribute of the user.

It would allow us to remove all the "authoritative" settings for user/group 
membership, as they would move to this type instead.
