Uploaded image for project: 'Puppet'
  1. Puppet
  2. PUP-10778

User resource is not idempotent on AIX

    XMLWordPrintable

    Details

    • Template:
      PUP Bug Template
    • Team:
      Night's Watch
    • Method Found:
      Customer Feedback
    • Zendesk Ticket IDs:
      41908
    • Zendesk Ticket Count:
      1
    • Release Notes:
      Bug Fix
    • Release Notes Summary:
      The AIX user resource now allows for `password` lines with arbitrary whitespace in the `passwd` file.
    • QA Risk Assessment:
      Needs Assessment

      Description

      Puppet Version: 6.17
      Puppet Server Version: 6.12.1
      OS Name/Version: AIX 7.2

      When using a user resource on AIX and setting the password, the password is updated every agent run. This happens when a user stanza contains a tab in the password line.

      This is because the regex in https://github.com/puppetlabs/puppet/blob/main/lib/puppet/provider/user/aix.rb#L181 does not account for tabs or multiple spaces.

      Reproduction:

      1. In an AIX 7.2 node add a user resource.

      user{'testing':
        ensure => present,
        password => 'test',
      }
      

      2. Edit the /etc/security/passwd file to add a tab to the password line.

      testing:
              password        = test
              lastupdate = 1605112051
      

      3. Apply the user resource multiple times and confirm that the password it changed b every run.

      [0] [AIX] root@aix72-9:~ # puppet apply user.pp 
      Notice: Compiled catalog for aix72-9.delivery.puppetlabs.net in environment production in 0.02 seconds
      Notice: /Stage[main]/Main/User[testing]/password: changed [redacted] to [redacted]
      Notice: Applied catalog in 0.22 seconds
      [0] [AIX] root@aix72-9:~ # puppet apply user.pp 
      Notice: Compiled catalog for aix72-9.delivery.puppetlabs.net in environment production in 0.02 seconds
      Notice: /Stage[main]/Main/User[testing]/password: changed [redacted] to [redacted]
      Notice: Applied catalog in 0.22 seconds
      [0] [AIX] root@aix72-9:~ # puppet apply user.pp 
      Notice: Compiled catalog for aix72-9.delivery.puppetlabs.net in environment production in 0.02 seconds
      Notice: /Stage[main]/Main/User[testing]/password: changed [redacted] to [redacted]
      Notice: Applied catalog in 0.22 seconds
      

      Desired Behavior:
      The password should be set once unless the password changed.

      Actual Behavior:

      The detection of the current password has an incorrect regex and updates the password every agent run.

      Proposed Fix
      Change the regex in https://github.com/puppetlabs/puppet/blob/main/lib/puppet/provider/user/aix.rb#L181 to be /password\s+=\s+(\S+)/

        Attachments

          Activity

            People

            Assignee:
            Unassigned Unassigned
            Reporter:
            jarret.lavallee Jarret Lavallee
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved:

                Zendesk Support