[PUP-1727] directoryservice group provider for OS X should allow groups to be members of a group

Created: 2014/02/18
Updated: 2018/05/21

Status: Accepted
Project: Puppet
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: New Feature
Priority: Normal
Reporter: redmine.exporter
Assignee: Unassigned
Resolution: Unresolved
Votes: 2
Labels: group, macos, redmine, type_and_provider
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Template:
Team: Platform OS

Description

Unlike many other systems, OS X considers group membership to be an attribute of the group, not the members, and so we have a situation where in Puppet the provider can manage group membership.

It turns out that we can only manage users as members of this group, but it's perfectly valid to have nested groups in OS X.

We should support this.

This came up because of someone wanting to use the Puppet group type to manage Service ACLs in OS X, which are simply groups with a specific naming scheme. The vast majority of the time when you wish to do this, you want to nest groups inside the SACL.

There are a few unanswered questions about how we'd do this, as the provider simply doesn't know whether a given string refers to a user or a group, and it needs to execute different commands in each scenario.

We also don't really want to have to supply Puppet resource references, as some of these groups may be in a remote directoryservice node, and thus unsuitable for being managed by Puppet.

Perhaps we have another 'group_members' attribute? Then we need to work out whether something is a group or a user when checking status...

Anyway, while it's not clear how best to do this, I think it's something we should do.
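The user-or-group ambiguity described above, as an added Ruby sketch that is not part of the original ticket or of Puppet's provider code. It assumes macOS `dscl` with the `/Search` node for record lookups and `dseditgroup -t user|group` for the edit; the function names, the name pattern and the sample directory are hypothetical.

```ruby
require 'open3'

# Default lookup (assumption): ask the DirectoryService search path whether a
# record exists. /Search also covers bound remote nodes that Puppet does not manage.
DSCL_LOOKUP = lambda do |record_type, name|
  _out, status = Open3.capture2e('dscl', '/Search', '-read',
                                 "/#{record_type}/#{name}", 'RecordName')
  status.success?
end

# Conservative name pattern (assumption): no leading '-' so a member name can
# never be parsed as a command option, and no path or whitespace characters.
SAFE_NAME = /\A\w[\w.\-]*\z/

# Returns :user or :group. Refuses to guess when the name is ambiguous or
# unknown, since adding the wrong principal to a Service ACL changes who
# can reach the service.
def classify_member(name, lookup = DSCL_LOOKUP)
  unless name.is_a?(String) && name.match?(SAFE_NAME)
    raise ArgumentError, "invalid member name: #{name.inspect}"
  end
  is_user  = lookup.call('Users', name)
  is_group = lookup.call('Groups', name)
  if is_user && is_group
    raise ArgumentError, "#{name} is both a user and a group; type must be explicit"
  end
  raise ArgumentError, "#{name} not found as user or group" unless is_user || is_group
  is_user ? :user : :group
end

# Builds an argument vector (no shell involved) that adds `member` to `group`
# with the record type dseditgroup needs.
def add_member_command(group, member, lookup = DSCL_LOOKUP)
  kind = classify_member(member, lookup)
  ['dseditgroup', '-o', 'edit', '-a', member, '-t', kind.to_s, group]
end

# Constructed sample directory standing in for dscl, so the logic runs offline.
SAMPLE = { 'Users' => %w[alice staff], 'Groups' => %w[admins staff] }.freeze
SAMPLE_LOOKUP = ->(type, name) { SAMPLE.fetch(type).include?(name) }

if __FILE__ == $PROGRAM_NAME
  puts add_member_command('com.apple.access_ssh', 'admins', SAMPLE_LOOKUP).join(' ')
end
```
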

