[PUP-1727] directoryservice group provider for OS X should allow groups to be members of a group Created: 2014/02/18 Updated: 2018/05/21
|Labels:||group, macos, redmine, type_and_provider|
|Remaining Estimate:||Not Specified|
|Time Spent:||Not Specified|
|Original Estimate:||Not Specified|
Unlike many other systems, OS X considers group membership to be an attribute of the group, not the members, and so we have a situation where in Puppet the provider can manage group membership.
It turns out that we can only manage users as members of this group, but it's perfectly valid to have nested groups in OS X.
We should support this.
This came up because of someone wanting to use the Puppet group type to manage Service ACLs in OS X, which are simply groups with a specific naming scheme. The vast majority of the time when you wish to do this, you want to nest groups inside the SACL.
There are a few unanswered questions about how we'd do this, as the provider simply doesn't know whether a given string refers to a user or a group, and it needs to execute different commands in each scenario.
We also don't really want to have to supply Puppet resource references, as some of these groups may be in a remote directoryservice node, and thus unsuitable for being managed by Puppet.
Perhaps we have another 'group_members' attribute? Then we need to work out whether something is a group or a user when checking status...
Anyway, while it's not clear how best to do this, I think it's something we should do.