Our customer will only use Puppet if all necessary operations are possible running Puppet without root privileges. Actually Puppet agent validates the user attribute of exec ressource that way, that it's fully unsupported if running without root user. Doing so, the following error message is printed and execution aborted:
Unfortunately many modules use this exec attribute so we had to rewrite or modify them all which makes Puppets great effort of prebuild model code quite useless.
Using such modules and running Puppet without root should be possible if the given exec user is the same user already running the agent. In that case no user change so no root privileges are necessary.
So in my opinion the user attribute validation shouldn't fail if the executing user isn't root and the given exec user is the actually running.