On Jun 1, 2011, at 2:05 AM, Brice Figureau wrote:

> On Tue, 2011-05-31 at 19:59 -0700, Luke Kanies wrote:
>> On May 28, 2011, at 8:11 AM, Brice Figureau wrote:
>> 
>>> It is impossible to set an owner/group different than root or service
>>> for any file/directory settings (both from defaults or by specifying
>>> those in the configuration file).
>>> This has been introduced in commit 06fcec to prevent users from
>>> setting invalid values.
>>> But for some settings, it might be interesting to use other owners
>>> and groups than root/service.
>>> 
>>> This patch allows individual settings to remove this restriction by
>>> adding :allow_any_owners_groups boolean property to their defaults.
>>> If this property is false or not present, the default behavior is
>>> used. If this property is true, any combination of owner and groups
>>> is allowed.
>> 
>> What's the motivation for this?
>> 
>> The reason I switched this in the first place is that we never
>> actually set anything to any values other than 'root' and the system
>> user, whatever it was.
>> 
>> Do you have settings that specifically need to be another value?
> 
> Check the second patch in the series.
> 
> We introduced the lastrunfile settings that points to a file containing
> a summary of the last puppet agent run. This is the perfect file to be
> consumed by mcollective mc puppetd or any monitoring system.
> Unfortunately, my original version of this feature created a 0660
> root:root file, making this feature a little bit unuseful.
> 
> Second problem, despite being a file setting, using the "{mode =
> 0644, ...}" syntax has no effect on this file (the FileSetting system
> only runs when the agent starts).

So are we not writing it with the correct modes, then?

The Settings class provides a method for making files, I think, that handles 
all of the modes correctly and such; maybe the "right" answer is to fix the 
writing of the summary to use that method?

> So I wanted to fix this specific problem and at the same time support
> file settings owner/group change through the configuration file. It
> proved not to be possible because the only owner/group we support is
> root and the service user.
> 
> So instead of adding specific settings like "lastrunfileowner" or
> "lastrunfilegroup", I decided to instead fix our FileSetting
> implementation and have a way to relax the AllowedOwners/Groups. Note
> that I was careful to relax those constraints only on the settings that
> needed it (namely the one I cared about: lastrunfile). The other
> settings are unaffected and if you try to make your cacert.pem file
> owner to be "nobody" that won't work as you designed it.
> 
> I can backtrack and remove this attempt at fixing the problem. The only
> remaining solution I'll have for a useful lastrunfile is to make it 0644
> (the good thing is that the patch is then simple).

I guess my only real concern about the patch is that it enables something that 
I'm afraid will be a one-off.  If we're very confident this won't be the only 
example, then I'm fine, but I'd prefer to avoid it if possible.

-- 
I take my children everywhere, but they always find their way
back home.       --Robert Orben
---------------------------------------------------------------------
Luke Kanies  -|-   http://puppetlabs.com   -|-   http://about.me/lak
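The two mechanisms under discussion above, as an added illustration that is not Puppet's code and not part of the thread: a setting object that rejects any owner or group other than `root` or `service` unless an opt-in flag is set (the `FileSettingExample` class, the `allow_any_owners_groups` keyword and the `ALLOWED` list are hypothetical stand-ins, not Puppet's FileSetting API), and a file writer that applies the requested mode explicitly so that a summary file ends up 0644 rather than inheriting the 0660 that a umask-filtered `File.open` would leave. The check at the end shows why the 0660 root:root file described in the thread is unreadable by a separate monitoring process.

```ruby
require 'tmpdir'

# Hypothetical stand-in for a file setting with an owner/group allow-list.
# Owner and group are restricted to the two names below unless the
# per-setting flag relaxes the restriction, mirroring the patch described
# in the thread. Names and behaviour are assumptions for this example.
class FileSettingExample
  ALLOWED = %w[root service].freeze

  attr_reader :name, :owner, :group, :mode, :allow_any_owners_groups

  def initialize(name, mode: 0640, owner: 'root', group: 'root',
                 allow_any_owners_groups: false)
    @name = name
    @mode = mode
    @allow_any_owners_groups = allow_any_owners_groups
    self.owner = owner
    self.group = group
  end

  def owner=(value)
    validate!('owner', value)
    @owner = value
  end

  def group=(value)
    validate!('group', value)
    @group = value
  end

  private

  # Reject anything outside the allow-list unless this setting opted out.
  def validate!(kind, value)
    return if allow_any_owners_groups || ALLOWED.include?(value)
    raise ArgumentError,
          "#{kind} #{value.inspect} not allowed for #{name}: only " \
          "#{ALLOWED.join('/')} unless :allow_any_owners_groups is true"
  end
end

# Write +content+ to +path+ with exactly +mode+. The mode passed to
# File.open is filtered by the process umask, so chmod is applied
# afterwards; the write goes through a temporary file and rename so a
# reader never sees a half-written summary. Returns the resulting mode.
def write_with_mode(path, content, mode)
  tmp = "#{path}.tmp#{Process.pid}"
  File.open(tmp, File::WRONLY | File::CREAT | File::TRUNC, mode) do |f|
    f.write(content)
  end
  File.chmod(mode, tmp)
  File.rename(tmp, path)
  File.stat(path).mode & 0777
end

# True when the "other" read bit is set, i.e. a process running as an
# unrelated user (a monitoring agent, for instance) can read the file.
def readable_by_others?(path)
  (File.stat(path).mode & 0004) != 0
end

if __FILE__ == $0
  # Constructed sample summary content; the real file is a YAML report.
  summary = "---\nversion: 1\nchanges: 0\n"
  Dir.mktmpdir do |dir|
    path = File.join(dir, 'last_run_summary.yaml')
    printf("0%o readable by others: %s\n",
           write_with_mode(path, summary, 0660), readable_by_others?(path))
    printf("0%o readable by others: %s\n",
           write_with_mode(path, summary, 0644), readable_by_others?(path))
  end
  puts FileSettingExample.new(:lastrunfile, mode: 0644, owner: 'nobody',
                              allow_any_owners_groups: true).owner
end
```

The explicit `File.chmod` is the piece that matters when a file setting's configured mode must be honoured regardless of the daemon's umask; without it the "{mode = 0644, ...}" intent quoted in the thread is silently narrowed.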
