On Jun 1, 2011, at 2:05 AM, Brice Figureau wrote:

> On Tue, 2011-05-31 at 19:59 -0700, Luke Kanies wrote:
>> On May 28, 2011, at 8:11 AM, Brice Figureau wrote:
>>
>>> It is impossible to set an owner/group different than root or service
>>> for any file/directory settings (both from defaults or by specifying
>>> those in the configuration file).
>>> This has been introduced in commit 06fcec to prevent users from
>>> setting invalid values.
>>> But for some settings, it might be interesting to use other owners
>>> and groups than root/service.
>>>
>>> This patch allows individual settings to remove this restriction by
>>> adding :allow_any_owners_groups boolean property to their defaults.
>>> If this property is false or not present, the default behavior is
>>> used. If this property is true, any combination of owner and groups
>>> is allowed.
>>
>> What's the motivation for this?
>>
>> The reason I switched this in the first place is that we never
>> actually set anything to any values other than 'root' and the system
>> user, whatever it was.
>>
>> Do you have settings that specifically need to be another value?
>
> Check the second patch in the series.
>
> We introduced the lastrunfile setting that points to a file containing
> a summary of the last puppet agent run. This is the perfect file to be
> consumed by mcollective mc puppetd or any monitoring system.
> Unfortunately, my original version of this feature created a 0660
> root:root file, making this feature a little bit unuseful.
>
> Second problem, despite being a file setting, using the
> "{mode = 0644, ...}" syntax has no effect on this file (the FileSetting
> system only runs when the agent starts).

So are we not writing it with the correct modes, then? The Settings class provides a method for making files, I think, that handles all of the modes correctly and such; maybe the "right" answer is to fix the writing of the summary to use that method?

> So I wanted to fix this specific problem and at the same time support
> file settings owner/group change through the configuration file. It
> proved to not be possible because the only owner/group we support is
> root and the service user.
>
> So instead of adding specific settings like "lastrunfileowner" or
> "lastrunfilegroup", I decided to instead fix our FileSetting
> implementation and have a way to relax the AllowedOwners/Groups. Note
> that I was careful to relax those constraints only on the settings that
> needed it (namely the one I cared about: lastrunfile). The other
> settings are unaffected and if you try to make your cacert.pem file
> owner to be "nobody" that won't work as you designed it.
>
> I can backtrack and remove this attempt at fixing the problem. The only
> remaining solution I'll have for a useful lastrunfile is to make it 0644
> (the good thing is that the patch is then simple).

I guess my only real concern about the patch is that it enables something that I'm afraid will be a one-off. If we're very confident this won't be the only example, then I'm fine, but I'd prefer to avoid it if possible.

--
I take my children everywhere, but they always find their way back home. --Robert Orben
---------------------------------------------------------------------
Luke Kanies -|- http://puppetlabs.com -|- http://about.me/lak