  1. Puppet
  2. PUP-9465

group resource type should support lgroupadd provider on Linux

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Normal
    • Resolution: Cannot Reproduce
    • Affects Version/s: PUP 6.1.0
    • Fix Version/s: None
    • Component/s: Types and Providers
    • Team:
      Platform OS
    • QA Risk Assessment:
      Needs Assessment

      Description

      Puppet Version: 6.1.0
      Puppet Server Version: 6.1.0
      OS Name/Version: Red Hat Enterprise Linux 7

      The group resource type supports the groupadd provider, but not the lgroupadd provider.

      lgroupadd (and lgroupmod and lgroupdel) are part of the libuser library/package. While libuser is essentially a rewrite of the groupadd, groupmod, and groupdel programs from the shadow-utils package (because Red Hat tends toward NIH syndrome), lgroupmod has one important advantage over groupmod: lgroupmod can manipulate group members directly.

      E.g., you can do this:

      $ lgroupmod --member-add user1,user2,user3 somegroup
      

      In contrast, groupmod cannot do this. Instead, you have to do this:

      $ usermod -a -G somegroup user1
      $ usermod -a -G somegroup user2
      $ usermod -a -G somegroup user3
      

      This is why the groupadd provider for the group resource type lacks the manages_members feature.

      The implication of this is that in Puppet, if you want to have a class manage the contents of a group, the only way to do it (using default resource types) is to manage user resources for each user who should be a member of the group. But this doesn't scale, because if any other module is attempting to manage a user resource type for the same user, the resources will clash.

      In contrast, if support were added for the lgroupadd provider, the manages_members feature could be enabled for it. This would permit managing the membership of an arbitrary group by managing a single group resource for the group, instead of managing individual user resources.

      Granted, this could create the state where a Puppet user resource using the useradd provider could "fight" with a Puppet group resource using the lgroupadd provider. But this potential for conflict already exists in other places in Puppet (e.g., augeas resources can cheerfully fight with file resources). So I don't think the potential for conflict is a reason to avoid adding the lgroupadd provider.

      So, in summary, I think Puppet should add support for the lgroupadd provider (and company) for the group resource type on platforms where the libuser library/package is available: Fedora, Red Hat, CentOS, and potentially others.

      Yay or nay?

      (I may be able to work on adding this provider myself, but I don't want to spend the time on a merge request if Puppet is philosophically opposed to adding support for the lgroupadd provider.)
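The membership handling discussed in this issue, as an added example that is not part of the original report or of Puppet's code: a POSIX shell function that compares one /etc/group-format line against a desired member list and prints the lgroupmod calls that would reconcile them. The function names, the `authoritative` argument and the sample group line are assumptions constructed for illustration; `--member-remove` is lgroupmod's counterpart to the `--member-add` option shown above.

```shell
#!/bin/sh
# Added example (not Puppet code): plan the lgroupmod calls that bring a
# group's member list in line with a desired list. Commands are printed,
# not executed, so the plan can be reviewed first.

# to_lines CSV -> one entry per line, sorted, blank entries dropped
to_lines() { printf '%s\n' "$1" | tr ',' '\n' | sed '/^$/d' | sort -u; }

# only_in A B -> comma-joined entries of CSV list A that are absent from B
only_in() {
    out=
    for u in $(to_lines "$1"); do
        case ",$2," in
            *",$u,"*) ;;                      # already present in B
            *) out="${out:+$out,}$u" ;;
        esac
    done
    printf '%s' "$out"
}

# plan_group_sync GROUP_LINE DESIRED_CSV [authoritative]
#   GROUP_LINE is "name:passwd:gid:member1,member2" as in /etc/group.
#   Without "authoritative", only missing members are added.
#   With it, members not in DESIRED_CSV are also removed.
plan_group_sync() {
    group=$(printf '%s\n' "$1" | cut -d: -f1)
    current=$(printf '%s\n' "$1" | cut -d: -f4)
    add=$(only_in "$2" "$current")
    if [ -n "$add" ]; then
        echo "lgroupmod --member-add $add $group"
    fi
    if [ "${3:-}" = authoritative ]; then
        del=$(only_in "$current" "$2")
        if [ -n "$del" ]; then
            echo "lgroupmod --member-remove $del $group"
        fi
    fi
    return 0
}

# Constructed sample line; on a live host it could come from
# `getent group somegroup`.
sample='somegroup:x:1001:user1,olduser'
plan_group_sync "$sample" user1,user2,user3 authoritative
```

When the group already matches the desired list, the function prints nothing, which is the idempotent behaviour a configuration-management run needs.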


              People

              • Assignee:
                Unassigned
                Reporter:
                ralston James Ralston