[PUP-3719] Group resource non-authoritative by default (Breaking change) Created: 2014/12/01  Updated: 2019/04/04  Resolved: 2015/01/23

Status: Closed
Project: Puppet
Component/s: Types and Providers
Affects Version/s: None
Fix Version/s: PUP 4.0.0

Type: Bug Priority: Major
Reporter: Rob Reynolds Assignee: Unassigned
Resolution: Done Votes: 0
Labels: docs_reviewed
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Blocks
blocks ENTERPRISE-182 Ability to add a member to a group, i... Closed
Relates
relates to PUP-2628 Ability to add a member to a group, i... Closed
relates to PUP-3653 Unable to create/force empty Windows ... Closed
relates to PUP-6542 Group resource emits misleading chang... Closed
relates to PUP-3883 Support for user resource with a DOMA... Closed
Template:
Story Points: 1
Sprint: Platform Client 2014-11-26, Platform Client 2015-01-07, Platform Client 2015-01-21
QA Contact: Eric Thompson

 Description   

The auth_membership group parameter controls whether puppet ensures the group contains exactly the members specified, and no more, or contains at least the members specified. By default, the group parameter defaults to the former, which is opposite to the auth_membership user parameter. This makes the group parameter difficult to use in practice, because you need to know what the complete set of group members should be. For example, on Windows the local Administrators group may contain a combination of local and domain user/group accounts, and that may vary across different types of machines.

We should change the auth_membership group parameter to default to false so that it is consistent with the user parameter.



 Comments   
Comment by Josh Cooper [ 2015/01/06 ]

Merged in 0617e752f

Comment by Eric Thompson [ 2015/01/12 ]

verified in windows2012r2-r64 at SHA: c874855 with:

Administrator@k9xljvzfb807ry6 ~
$ cmd /c puppet resource group Users
group { 'Users':
  ensure  => 'present',
  gid     => 'S-1-5-32-545',
  members => ['INTERACTIVE', 'Authenticated Users', 'sshd', 'cyg_server', 'Administrator'],
}
 
Administrator@k9xljvzfb807ry6 ~
$ cmd /c puppet apply -e 'group{ "Users": members => "IUSR" }'
Notice: Compiled catalog for k9xljvzfb807ry6.delivery.puppetlabs.net in environment production in 0.69 seconds
Notice: /Stage[main]/Main/Group[Users]/members: members changed 'NT AUTHORITY\INTERACTIVE,NT AUTHORITY\Authenticated Users,K9XLJVZFB807RY6\sshd,K9XLJVZFB807RY6\cyg_server,K9XLJVZFB807RY6\Administrator' to 'NT AUTHORITY\IUSR'
Notice: Applied catalog in 0.06 seconds
 
Administrator@k9xljvzfb807ry6 ~
$ cmd /c puppet resource group Users
group { 'Users':
  ensure  => 'present',
  gid     => 'S-1-5-32-545',
  members => ['INTERACTIVE', 'Authenticated Users', 'sshd', 'cyg_server', 'Administrator', 'IUSR'],
}
 
Administrator@k9xljvzfb807ry6 ~
$ cmd /c puppet apply -e 'group{ "Users": members => "INTERACTIVE", auth_membership=>true }'
Notice: Compiled catalog for k9xljvzfb807ry6.delivery.puppetlabs.net in environment production in 0.70 seconds
Notice: /Stage[main]/Main/Group[Users]/members: members changed 'NT AUTHORITY\INTERACTIVE,NT AUTHORITY\Authenticated Users,K9XLJVZFB807RY6\sshd,K9XLJVZFB807RY6\cyg_server,K9XLJVZFB807RY6\Administrator,NT AUTHORITY\IUSR' to 'NT AUTHORITY\INTERACTIVE'
Notice: Applied catalog in 0.08 seconds
 
Administrator@k9xljvzfb807ry6 ~
$ cmd /c puppet resource group Users
group { 'Users':
  ensure  => 'present',
  gid     => 'S-1-5-32-545',
  members => ['INTERACTIVE'],
}

Generated at Mon Sep 23 13:04:35 PDT 2019 using JIRA 7.7.1#77002-sha1:e75ca93d5574d9409c0630b81c894d9065296414.