voxpupuli / puppet-groupmembership

Manage a group's members with Puppet
Apache License 2.0

Exclusive parameter has no effect on the resource #36

Open jamesps-ebi opened 3 months ago

jamesps-ebi commented 3 months ago

Affected Puppet, Ruby, OS and module versions/distributions

How to reproduce (e.g. Puppet code you use)

  $_members = [ 'admin1' ]

  groupmembership { 'sudo':
    members   => $_members,
    exclusive => false,
  }

What are you seeing

If a group has un-managed members, this module will remove them regardless of whether you have the exclusive parameter set to true or false.

What behaviour did you expect instead

The groupmembership type should not purge un-managed members if the exclusive parameter is set to false.

Output log

Any additional information you'd like to impart

TheMeier commented 3 months ago

Hmmm, looking at https://github.com/voxpupuli/puppet-groupmembership/blob/472b42285e1e4f127032dcab1eff965a85de9908/lib/puppet/provider/groupmembership/gpasswd.rb#L11 which seems to be the relevant implementation, I cannot find a -m switch in the man pages for gpasswd. This code is 9 years old! Apart from maintenance, typo fixes and the like, this module has not seen any changes in a couple of years.

IMHO we should deprecate this module in favour of just using https://www.puppet.com/docs/puppet/8/types/user.html and https://www.puppet.com/docs/puppet/8/types/group

TheMeier commented 3 months ago

See also https://github.com/voxpupuli/puppet-groupmembership/issues/26

jamesps-ebi commented 3 months ago

Yeah, I see your point. #26 would also be an issue here because even if the exclusive parameter DID work, it would just fail to execute the command with the -m option.

Unfortunately, the native Puppet group resource doesn't seem to support managing group memberships on Linux OS.

You can assign individual users to groups using the user resource, but can't specify a declarative member list for a group itself.

TheMeier commented 3 months ago

How about something like this:

$groups = {
  'g1' => { 'users' => ['u1', 'u2'] },
  'g2' => { 'users' => ['u2', 'u3'] },
  'g3' => { 'users' => ['u3', 'u1'] },
}

$users = [
  'u1',
  'u2',
  'u3',
]

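$users.each |$index, $user| {
  # Invert the group => members map: collect every group that lists this user,
  # then drop the undef entries produced for groups the user is not in.
  $my_groups = $groups.map |$group_name, $group_members| { if $user in $group_members['users'] { $group_name } }.filter |$x| { $x != undef }
  notice("create user ${user} with groups ${my_groups}")
}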
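
The `exclusive` behaviour the issue expects, as an added Ruby example (not the module's provider code and not from any participant in this thread): with `exclusive => false` declared members are only added, with `exclusive => true` everyone else is removed, which is the difference that matters for a group such as `sudo`. The function names, the name pattern and the sample members are assumptions made for illustration; the commands use gpasswd's `-a` (add) and `-d` (delete) options.

```ruby
# Added example; names and sample data are constructed, not taken from the module.

# Assumed account-name pattern; rejecting a leading '-' keeps a name from
# being parsed as a command-line option.
NAME_RE = /\A[a-z_][a-z0-9_-]*\$?\z/

def check_name!(name)
  raise ArgumentError, "invalid name: #{name.inspect}" unless name.match?(NAME_RE)
  name
end

# current:   members the group has right now
# managed:   members declared in the manifest
# exclusive: true  => group ends up with exactly `managed`
#            false => `managed` are ensured present, everyone else is kept
def plan_membership(current, managed, exclusive:)
  current = current.uniq
  managed = managed.uniq.each { |m| check_name!(m) }
  to_add    = managed - current
  to_remove = exclusive ? current - managed : []
  { add: to_add, remove: to_remove, result: (current - to_remove) + to_add }
end

# Render a plan as argv arrays (no shell string, so no shell interpolation).
def gpasswd_commands(group, plan)
  check_name!(group)
  plan[:add].map { |u| ['gpasswd', '-a', check_name!(u), group] } +
    plan[:remove].map { |u| ['gpasswd', '-d', check_name!(u), group] }
end

# Members present on the host but absent from the manifest: the accounts
# exclusive => false leaves in place and exclusive => true removes.
def unmanaged_members(current, managed)
  current.uniq - managed.uniq
end

if __FILE__ == $PROGRAM_NAME
  current = %w[admin1 olduser]   # constructed: present members of 'sudo'
  managed = %w[admin1 admin2]    # constructed: members in the manifest
  [false, true].each do |excl|
    plan = plan_membership(current, managed, exclusive: excl)
    puts "exclusive=#{excl}: final members #{plan[:result].inspect}"
    gpasswd_commands('sudo', plan).each { |argv| puts "  #{argv.join(' ')}" }
  end
  puts "unmanaged: #{unmanaged_members(current, managed).inspect}"
end
```
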