[PUP-5276] User Purge on Windows Created: 2015/09/23  Updated: 2017/05/18  Resolved: 2017/05/15

Status: Closed
Project: Puppet
Component/s: Types and Providers
Affects Version/s: PUP 4.2.2
Fix Version/s: None

Type: Bug Priority: Major
Reporter: Curtis Ruck Assignee: Unassigned
Resolution: Duplicate Votes: 0
Labels: manage-user-group, trivial, windows
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Windows 2012 R2 is the puppet agent system.

Epic Link: User Phase 1 Type/Provider Improvements
Team: Agent
QA Contact: Eric Thompson


When running

resources {'user': purge=>true}

it logs an error:

Error: /Stage[main]/Windows/Resources[user]: Failed to generate additional resources using 'generate': comparison of String with 499 Failed.

This appears to be because the resources type, in user_check, assumes that current_uid will always be an integer value.
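The failure described above, as an added Ruby sketch that is not Puppet's own code: a numeric system-user threshold compared against an id that is a String on Windows, next to a type-guarded check. The names `naive_purgeable?`, `guarded_purgeable?`, `evaluate` and `SAMPLE_USERS` are hypothetical, the SID is constructed, and 499 is taken from the error message in this report.

```ruby
# Added illustration: a simplified model, not the code in resources.rb.
SYSTEM_UID_THRESHOLD = 499 # threshold value seen in the reported error

# Constructed sample data: POSIX uids are Integers, a Windows id is a SID String.
SAMPLE_USERS = {
  'root'          => 0,
  'alice'         => 1001,
  'Administrator' => 'S-1-5-21-1111111111-2222222222-3333333333-500' # constructed
}.freeze

# Naive check: assumes the id is always an Integer.
# A false threshold models unless_system_user => false: nothing is protected.
def naive_purgeable?(uid, threshold = SYSTEM_UID_THRESHOLD)
  return true unless threshold
  uid > threshold # String > Integer raises ArgumentError
end

# Guarded check (assumption: fail closed). An id that cannot be compared
# numerically is treated as protected instead of raising or being purged.
def guarded_purgeable?(uid, threshold = SYSTEM_UID_THRESHOLD)
  return true unless threshold
  return false unless uid.is_a?(Integer)
  uid > threshold
end

# Run one of the checks over every sample user, capturing comparison errors.
def evaluate(check, users = SAMPLE_USERS)
  users.each_with_object({}) do |(name, uid), out|
    out[name] = begin
      send(check, uid)
    rescue ArgumentError => e
      "error: #{e.message}"
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "naive:   #{evaluate(:naive_purgeable?)}"
  puts "guarded: #{evaluate(:guarded_purgeable?)}"
end
```

In this model, disabling the threshold avoids the exception only by making every id eligible, so the guarded form is the one that keeps built-in accounts out of the purge set.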

Comment by Curtis Ruck [ 2015/09/23 ]

Running with unless_system_user=>false removes the error, so shouldn't this be default on Windows?

Comment by Kylo Ginsberg [ 2015/09/23 ]

Ping Ethan Brown.

Comment by Ethan Brown [ 2015/09/28 ]

Curtis Ruck Looking at the code for resources at https://github.com/puppetlabs/puppet/blob/master/lib/puppet/type/resources.rb, I don't think that that type is particularly designed to play nicely on Windows.

Could you detail your use case to see if there's a better way of going about your desired behavior?

Comment by Curtis Ruck [ 2015/09/28 ]

We extensively utilize resources/purge to ensure configuration drift is kept under control. To that end we manage users, groups, firewall rules, database users/roles/grants/tablespaces/objects/etc, packages, registry keys, files, etc... a large number of these types are custom, and running across Linux and Windows.

At last count we had about 20 different resources types with purge=>true defined.

I've historically found the resources type very frustrating in that it isn't extensible for type specific filters. I.e. you've baked user type details in the resources type, instead of in a provider.

Short term, making unless_system_user=>false the default (for Windows) would easily allow other Windows users to manage local users without incident.

Long term, I'd prefer resources to be deprecated, and the implementation migrated into a new type that allows for extensible logic for managing purges. For example, in our databases (Oracle and SQL Server), we want to purge all users/roles that do not have a specific role granted, if not explicitly defined. I wouldn't care if custom type/providers just implemented a extended a base provider, that allows for custom logic for their types.

Comment by Moses Mendoza [ 2016/09/22 ]

duplicated by PUP-6716
