saz / puppet-sudo

Manage sudo with Puppet on Debian-, RedHat- and SUSE-based linux distributions and some BSDs

BREAKING: Support multiple `#includedir` sudoers stanzas #191

Closed rnelson0 closed 7 years ago

rnelson0 commented 7 years ago

I need to support multiple #includedir stanzas, which are dynamic, rather than the single stanza in the file resources used now. This PR converts the file { '/etc/sudoers': } resource from using a static file to an ERB template. Additional stanzas can be included by updating the sudo::extra_include_dirs key with a list of directories. Here's an example of the effective differences on RHEL7:

When upgrading from 3.1.0 to 4.1.0 (just to see some changes)

Notice: /Stage[main]/Sudo/File[/etc/sudoers]/content:
--- /etc/sudoers        2016-01-26 17:29:34.358425553 +0000
+++ /tmp/puppet-file20170428-12718-16976bm      2017-04-28 20:27:28.335942664 +0000
@@ -1,3 +1,5 @@
+# file managed by puppet (unless config_file_replace=false)
+#
 ## Sudoers allows particular users to run various commands as
 ## the root user, without needing the root password.
 ##
@@ -64,7 +66,7 @@
 Defaults    always_set_home

 Defaults    env_reset
-Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
+Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
 Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
 Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
 Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
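Review bot: the env_keep change in this hunk (INPUTRC dropped from the first "Defaults env_keep" line) is identical in this plain 3.1.0-to-4.1.0 run and in the 4.1.0+includedir run below, so it comes from the template change already shipped in 4.1.0 rather than from this branch; a sentence in the PR description saying that only the "#includedir" hunk is attributable to this PR would stop reviewers from reading the env_keep change as part of the breaking change.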

Notice: /Stage[main]/Sudo/File[/etc/sudoers]/content: current_value {md5}aeeef04240c22b0a067a5e01809b139d, should be {md5}e7d8a1eb7e25ff8b137d06b802fc7683 (noop)

Given the following hiera global file:

---
sudo::extra_include_dirs:
  - '/some/other/path'

And going from 3.1.0 to 4.1.0+includedir branch:

Notice: /Stage[main]/Sudo/File[/etc/sudoers]/content:
--- /etc/sudoers        2016-01-26 17:29:34.358425553 +0000
+++ /tmp/puppet-file20170428-25164-1icby3o      2017-04-28 21:13:52.743898805 +0000
@@ -1,3 +1,5 @@
+# file managed by puppet (unless config_file_replace=false)
+#
 ## Sudoers allows particular users to run various commands as
 ## the root user, without needing the root password.
 ##
@@ -64,7 +66,7 @@
 Defaults    always_set_home

 Defaults    env_reset
-Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
+Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
 Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
 Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
 Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
@@ -107,5 +109,6 @@
 ## Allows members of the users group to shutdown this system
 # %users  localhost=/sbin/shutdown -h now

-## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
+## Read drop-in files
 #includedir /etc/sudoers.d
+#includedir /some/other/path
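Review bot: the rewritten comment "## Read drop-in files" drops the explanation "(the # here does not mean a comment)" that the old line carried; since "#includedir" is the one directive in sudoers that looks like a comment, that parenthetical is worth keeping in the template so that someone hand-editing a managed host does not strip the lines as dead comments. Worth documenting in the README as well: the extra directories are emitted after "#includedir /etc/sudoers.d", so their drop-ins are parsed later, which matters because sudoers applies the last matching rule.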

Notice: /Stage[main]/Sudo/File[/etc/sudoers]/content: current_value {md5}aeeef04240c22b0a067a5e01809b139d, should be {md5}0b78194902c33b02a7bfb82bf86fd62d (noop)

rnelson0 commented 7 years ago

I made a few tweaks today after implementing my feature branch in production. The trailing / was throwing things off, but I think I have adjusted adequately for it.
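The mechanism the PR description explains (a Hiera list of extra directories rendered as additional #includedir stanzas by an ERB template) together with the trailing-slash handling mentioned in the comment above, shown as an added example in plain Ruby using the standard-library ERB. This is not the puppet-sudo module's own template or code: the template text, the normalize_include_dirs, render_include_section and includedir_order helpers and the sample directory list are all constructed here.

```ruby
require 'erb'

# Constructed example, not the puppet-sudo module's own template: the tail of
# /etc/sudoers, with one extra '#includedir' stanza per entry in the list that
# Hiera supplies (sudo::extra_include_dirs in the PR).
SUDOERS_INCLUDE_TEMPLATE = <<~'TEMPLATE'
  ## Read drop-in files (the # here does not mean a comment)
  #includedir /etc/sudoers.d
  <% extra_dirs.each do |dir| -%>
  #includedir <%= dir %>
  <% end -%>
TEMPLATE

DEFAULT_INCLUDEDIR = '/etc/sudoers.d'.freeze

# Normalise the user-supplied list before it reaches the template:
#  * strip trailing slashes (the case the PR author hit in production),
#  * drop empty entries and the default directory, which is always emitted,
#  * refuse relative paths; only absolute directories belong in /etc/sudoers,
#  * remove duplicates so a directory is never included twice.
def normalize_include_dirs(dirs, default: DEFAULT_INCLUDEDIR)
  dirs.map { |d| d.to_s.sub(%r{/+\z}, '') }
      .reject { |d| d.empty? || d == default }
      .each { |d| raise ArgumentError, "not an absolute path: #{d}" unless d.start_with?('/') }
      .uniq
end

# Render the include section the way the ERB template would on the agent.
def render_include_section(extra_dirs)
  dirs = normalize_include_dirs(extra_dirs)
  ERB.new(SUDOERS_INCLUDE_TEMPLATE, trim_mode: '-').result_with_hash(extra_dirs: dirs)
end

# Read back the directories a rendered sudoers file will pull drop-ins from,
# in the order sudo will parse them. Both the classic '#includedir' and the
# sudo 1.9 '@includedir' spelling are recognised.
def includedir_order(content)
  content.each_line.map do |line|
    m = line.match(/\A\s*[#@]includedir\s+(\S+)/)
    m && m[1]
  end.compact
end

if __FILE__ == $PROGRAM_NAME
  # Constructed input mirroring the hiera value from the PR, plus the trailing
  # slash and duplicate cases the normaliser is meant to absorb.
  rendered = render_include_section(['/some/other/path/', '/some/other/path', '/etc/sudoers.d'])
  puts rendered
  puts "parse order: #{includedir_order(rendered).join(' -> ')}"
end
```

Run against the example hiera value this renders the same two stanzas as the second diff in the PR description; includedir_order is a quick check, on the rendered content rather than on the Hiera data, of which directories sudo will read and in which order, which matters because the last matching sudoers rule wins.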

rnelson0 commented 7 years ago

The test failures for puppet 3/no future parser are because I added a type def. Puppet 3 hit EOL on 12/31/2016. I can drop the type def if there's some need to preserve Puppet 3 compatibility, though.

saz commented 7 years ago

On 03.05.2017 19:14, Rob Nelson wrote:

> The test failures for puppet 3/no future parser are because I added a type def. Puppet 3 hit EOL on 12/31/2016. I can drop the type def if there's some need to preserve Puppet 3 compatibility, though.

I think there are still some systems out there which are Puppet 3 (at least I've got one :-)

If it's not a big deal for you... Planning on supporting Puppet 4 only soon.

rnelson0 commented 7 years ago

@saz Sounds good! Updated with no types so it's past_parser compatible.

I also combined two tests in travis to make the matrix a little smaller/faster (for some reason it's not using it right now, but would certainly be used on future PRs). It's what we use in Vox Pupuli projects, works pretty well.

rnelson0 commented 7 years ago

@saz Any update on this?

rnelson0 commented 7 years ago

Bump