puppet-accounts

Setting `inclusive` membership on users is not possible

Open sigv opened this issue 7 years ago • 2 comments

`membership` can be set on a user, and it can specify either that the groups listed are a minimal set or that the groups listed are an inclusive set. There does not appear to be a possibility to set that through this module, and that is not great for us. Is there a reason why that attribute cannot be set on the custom defined type?

sigv, Mar 26 '17 14:03

The way the DSL is processed now, we have to create accounts first, then deal with groups and their members. It might be complicated to enforce different membership levels for each user.

Currently the membership is set here.

Though, I could try to support something like this, but it will require some refactoring.

```yaml
accounts::user_defaults:
  membership: minimal
accounts::groups:
  www-data:
    members: ['john']
accounts::users:
  john:
    groups: ["sudo", "users"]
    membership: minimal
  trudy:
    groups: ["sudo", "users"]
    membership: inclusive
```

deric, Mar 28 '17 09:03

I've been thinking about this one; it's kind of complicated, but it might solve multiple problems. We can manage membership from either the user or the group perspective. The current implementation misuses the `attribute_membership` parameter. Ideally we should support different strategies depending on the underlying provider. This module allows setting the inclusive members of a group, while Puppet supports the same from the user's perspective. We're using

```sh
gpasswd -M user1,user2 mygroup
```

Probably it doesn't make sense to support both approaches at the same time; you'd have to choose.

```sh
usermod -G group1,group2 myuser
```

deric, Jun 04 '17 19:06
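
A small model of the two strategies discussed in this thread, added here as an illustration and not taken from puppet-accounts: `apply_user` mimics the user-side semantics (`usermod -G`, Puppet's `membership`) and `apply_group` mimics `gpasswd -M`. The starting state, the `docker` group and the `BOTH` variant are constructed sample data, and the per-user `membership` key is the one proposed in the YAML above.

```python
# Added illustration: a model of membership semantics, not puppet-accounts code.
def _copy(state):
    return {g: set(m) for g, m in state.items()}

def apply_user(state, user, groups, membership):
    """User side. 'inclusive' replaces the user's group list (like `usermod -G`);
    'minimal' only adds the listed groups and leaves other memberships alone."""
    new = _copy(state)
    if membership == "inclusive":
        for group, members in new.items():
            if group not in groups:
                members.discard(user)
    for group in groups:
        new.setdefault(group, set()).add(user)
    return new

def apply_group(state, group, members):
    """Group side: replace the group's member list (like `gpasswd -M`)."""
    new = _copy(state)
    new[group] = set(members)
    return new

def run(state, users, groups):
    """One run: users first, then groups. Returns (state, steps that changed it)."""
    changes = 0
    for name, spec in users.items():
        nxt = apply_user(state, name, spec["groups"], spec["membership"])
        changes, state = changes + (nxt != state), nxt
    for name, spec in groups.items():
        nxt = apply_group(state, name, spec["members"])
        changes, state = changes + (nxt != state), nxt
    return state, changes

# Constructed starting state: both users were once added to `docker` by hand.
STATE = {"sudo": {"john", "trudy"}, "users": {"john", "trudy"},
         "docker": {"john", "trudy"}, "www-data": {"john"}}
# Data from the YAML in the thread (per-user `membership` is the proposed key).
USERS = {"john": {"groups": ["sudo", "users"], "membership": "minimal"},
         "trudy": {"groups": ["sudo", "users"], "membership": "inclusive"}}
GROUPS = {"www-data": {"members": ["john"]}}
# Hypothetical variant: john also inclusive, so user and group lists disagree.
BOTH = {**USERS, "john": {"groups": ["sudo", "users"], "membership": "inclusive"}}

if __name__ == "__main__":
    s, c = run(STATE, USERS, GROUPS)
    print("as posted:", sorted(s["docker"]), "changes:", c, "then", run(s, USERS, GROUPS)[1])
    s, c = run(STATE, BOTH, GROUPS)
    print("john inclusive:", sorted(s["www-data"]), "changes:", c, "then", run(s, BOTH, GROUPS)[1])
```

With the data as posted, the second run changes nothing, trudy loses the hand-added `docker` membership and john keeps his. With john set to inclusive as well, every run removes him from `www-data` and the group step adds him back, so the run never reports zero changes.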