chown passwd file #1

Closed
deric opened this issue Aug 26, 2013 · 11 comments

deric commented Aug 26, 2013

It would be cool to pass a parameter which would change ownership of the created file.

@ghost ghost assigned leinaddm Aug 27, 2013
@leinaddm
Owner

I don't think that's a good idea. If we had that parameter each htpasswd user resource could specify a different owner and the final owner would randomly change between the specified ones.

@deric
Author

deric commented Aug 30, 2013

I don't get it. Currently the owner would be the user under which you run Puppet. For security reasons it's a good idea to restrict the file to a specific user or group, e.g. www-data.

@leinaddm
Owner

leinaddm commented Sep 1, 2013

@deric: I agree it's a good idea to restrict the file to a specific user or group. And what I usually do when using this module is specify a file resource that just sets the owner/group and permissions for the file.

Adding the owner as a property for the type would be a problem because you could have the following two definitions (maybe in two different modules) and then the ownership of the file would depend on the order in which the two modules are included.

htpasswd { 'user1':
  cryptpasswd => 'MrC7Aq3qPKPaK',  # encrypted password
  target      => '/etc/httpd/conf/htpasswd',
  owner       => 'www-data',
}

htpasswd { 'user2':
  cryptpasswd => 'MrC7Aq3qPKPaK',  # encrypted password
  target      => '/etc/httpd/conf/htpasswd',
  owner       => 'root',
}

@deric
Author

deric commented Sep 2, 2013

OK, you're right. We would need a resource for declaring the file first and then another one for a single record. Using file is much easier.

file { '/etc/httpd/conf/htpasswd':
  owner => 'www-data',
  group => 'www-data',
  mode  => '0644',
}

@Felixoid

Felixoid commented Sep 24, 2019

Hey @leinaddm

I'm not sure why, but your suggestion of using a dedicated file resource doesn't work on the first run. It looks like this:

Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for hostname
Info: Applying configuration version '1569363192'
Notice: /Stage[main]/Htpasswd[grafana]/ensure: created
Notice: /Stage[main]/Htpasswd[mikhail.shiryaev]/ensure: created
Notice: Applied catalog in 27.70 seconds

Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for hostname
Info: Applying configuration version '1569363299'
Notice: /Stage[main]/File[/etc/htpasswd/graphite]/owner: owner changed 'root' to 'www-data'
Notice: /Stage[main]/File[/etc/htpasswd/graphite]/group: group changed 'root' to 'www-data'
Notice: /Stage[main]/File[/etc/htpasswd/graphite]/mode: mode changed '0600' to '0440'
Notice: Applied catalog in 28.64 seconds

With the following manifest:

    if !defined(File['/etc/htpasswd/graphite']) {
        file { '/etc/htpasswd/graphite':
            owner => 'www-data',
            group => 'www-data',
            mode  => '0440',
        }
    }

    htpasswd { $user:
        ensure      => 'present',
        cryptpasswd => $secret,
        target      => '/etc/htpasswd/graphite',
    }

@deric
Author

deric commented Sep 25, 2019

I guess the main problem is that htpasswd is using a file resource but not requiring it (which goes against the way Puppet works).
As a workaround you can try chaining it:

file { '/etc/htpasswd/graphite':
    owner => 'www-data',
    group => 'www-data',
    mode  => '0440',
}
htpasswd { $user:
    ensure      => 'present',
    cryptpasswd => $secret,
    target      => '/etc/htpasswd/graphite',
    require     => File['/etc/htpasswd/graphite'],
}

Which means that first an empty file would be created with the proper permissions, then the content written. (I haven't tested the code.)

@Felixoid

For us the other way around helps:
Htpasswd <| |> -> File['/etc/htpasswd/graphite']

@deric
Author

deric commented Sep 25, 2019

@Felixoid That's basically the same, except all htpasswd resources will require File['/etc/htpasswd/graphite'] even when they belong to another file. It could lead to errors in a larger codebase.

@Felixoid

Felixoid commented Sep 25, 2019

@deric that's not the same: File requires Htpasswd, not the other way around. And yes, we are aware of possible issues with a large number of resources, thank you.

I've checked your option, it doesn't work. The File should be applied after the Htpasswd resource.

file { '/etc/htpasswd/graphite':
    owner => 'www-data',
    group => 'www-data',
    mode  => '0440',
}
htpasswd { $user:
    ensure      => 'present',
    cryptpasswd => $secret,
    target      => '/etc/htpasswd/graphite',
    before      => File['/etc/htpasswd/graphite'],
}

@deric
Author

deric commented Sep 25, 2019

@Felixoid Oh, sorry, I overlooked that. Normally it should be the other way round (when autorequire is defined on the type and files are managed properly).

@Felixoid

Maybe Puppet's ParsedFile doesn't implement the File type? Unfortunately, I'm not even able to read Ruby at the level Puppet is written in.
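
The ordering reported to work in this thread (Htpasswd before File), restricted to one password file so entries for other files are not pulled into the chain. This manifest is an added example, not code from the module or from any participant; the user names, the second target path and the hash placeholders are constructed, and it assumes the `target` attribute is set explicitly on every entry so the collector can match on it.

```puppet
# Added example: apply owner/group/mode in the same run that creates the file.

# Ownership and mode are declared once, on the file itself, so two htpasswd
# entries (possibly in different modules) can never disagree about them.
file { '/etc/htpasswd/graphite':
  owner => 'www-data',
  group => 'www-data',
  mode  => '0440',
}

# Constructed sample entries; replace the placeholders with real crypt hashes.
htpasswd { 'alice':
  ensure      => 'present',
  cryptpasswd => '<crypt-hash-for-alice>',
  target      => '/etc/htpasswd/graphite',
}

htpasswd { 'bob':
  ensure      => 'present',
  cryptpasswd => '<crypt-hash-for-bob>',
  target      => '/etc/htpasswd/graphite',
}

# An entry for a different password file (hypothetical path). The collector
# below does not match it, so it gains no relationship to the graphite file.
htpasswd { 'carol':
  ensure      => 'present',
  cryptpasswd => '<crypt-hash-for-carol>',
  target      => '/etc/htpasswd/other',
}

# Only entries whose target is this file are ordered before the File resource.
# The file then already exists when File is evaluated, so the ownership and
# mode changes are applied on the first run instead of the second.
Htpasswd <| target == '/etc/htpasswd/graphite' |> -> File['/etc/htpasswd/graphite']
```

A resource collector also realizes any virtual htpasswd resources that match its search expression, so keep the expression as narrow as the one above.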
