On Mar 17, 2010, at 5:26 PM, Trevor Vaughan wrote:
I agree with David.
Also:
- I would make the defined attributes completely authoritative. If I'm
  setting up sudoers, I want to define the entire file from top to
  bottom, I specifically don't want to have cruft left around. This
  could perhaps be an added on 'purge => "true"' option...
Use the 'resources' type for this.
On an unrelated note, we need to come up with a better way to do
this. :/ Some kind of site-wide policy, maybe, that says "remove
unmanaged instances of resource types X, Y, and Z" or something.
- I would place your file into a temp file and then run
  'visudo -c -f <temp_file>' on it. Fail with an error if it fails and
  *do not* replace the existing sudoers. This ensures that a typo won't
  hork your entire installation.
Entirely a great idea.
Trevor
On 03/17/2010 04:51 AM, David Schmitt wrote:
On 3/17/2010 5:25 AM, Dan Bode wrote:
Hi All,
I have been working on a type/provider for sudoers and would appreciate
any feedback.
It can be found at:
http://github.com/bodepd/puppet-sudo
There are some slight limitations documented in the README.
Plenty of examples in the tests directory to get people started.
It's a pretty interesting example of how to push the boundaries of
parsedfile.
I anxiously await your criticisms :)
uuuh, shiny :-)
* It'd probably be nice to build the default file from resources in an
  optional class instead of shipping a default that has to be
  overridden and cannot be cleaned by the type (it has continuation
  lines).
* Overloading the type with the three different types of records
  confuses me. Perhaps defines for each of the three types could
  improve the situation?
* I'm sure you could improve on the design of the "Puppet NAMEVAR"
  stuff on users entries. I guess the problem there is that the "meat"
  of the sudoers file are (user, command) tuples which can be either
  specified from the command side (by a module) or the user side (by
  the site configuration). What about the following structure:
| # site configuration
| sudo_user_alias { 'sw_managers': users => [ 'dan', 'dave' ]; }
|
| # rpm module
| sudo_cmd_alias { 'SOFTWARE': commands => [ '/bin/rpm', ... ]; }
| sudo_permission { 'SOFTWARE': users => [ 'sw_managers' ]; }
Best Regards, David
--
Trevor Vaughan
Vice President, Onyx Point, Inc.
email: [email protected]
phone: 410-541-ONYX (6699)
-- This account not approved for unencrypted sensitive information --
--
You received this message because you are subscribed to the Google
Groups "Puppet Developers" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/puppet-dev?hl=en.
--
A government that robs Peter to pay Paul can always depend on the
support of Paul. -- George Bernard Shaw
---------------------------------------------------------------------
Luke Kanies -|- http://reductivelabs.com -|- +1(615)594-8199
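
The check proposed in the thread above (stage the generated file, run 'visudo -c -f' on it, and leave the existing sudoers alone if it fails), as an added shell example that is not part of the thread or of the puppet-sudo code. The function name install_sudoers and the SUDOERS_CHECK override are assumptions made for this example.

```shell
#!/bin/sh
# Added example: validate-then-replace for a sudoers file.
# SUDOERS_CHECK is an assumed override hook (not from the thread) so the
# syntax checker can be swapped out where visudo is not installed.
: "${SUDOERS_CHECK:=visudo -c -f}"

# install_sudoers CANDIDATE TARGET
# Returns 0 and replaces TARGET only if the candidate passes the check.
# Returns 1 (check failed) or 2 (staging failed) and leaves TARGET as it was.
install_sudoers() {
    candidate=$1
    target=$2
    dir=$(dirname -- "$target")

    # Stage in the target's directory so the final mv is a rename on the
    # same filesystem (atomic), never a partially written copy.
    tmp=$(mktemp "$dir/.sudoers.XXXXXX") || return 2

    # mktemp creates the file 0600; sudo expects sudoers to be 0440.
    if ! cat -- "$candidate" > "$tmp" || ! chmod 0440 "$tmp"; then
        rm -f -- "$tmp"
        return 2
    fi

    # Syntax check runs on the staged copy; the live file is not involved.
    # SUDOERS_CHECK is left unquoted on purpose so its arguments split.
    if ! $SUDOERS_CHECK "$tmp" >/dev/null 2>&1; then
        rm -f -- "$tmp"
        echo "sudoers check failed; $target left unchanged" >&2
        return 1
    fi

    mv -f -- "$tmp" "$target"
}
```

On a real host this runs as root against /etc/sudoers, and the staged file inherits root ownership from the calling process.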