Puppet

Martin,

Why not just not mention roles if you don’t want any… :/ If you put [], what is the desired behavior? If I treat it like absent, it will obliterate existing roles. Do you think the best behavior is to honor the membership setting?

I’ll have a patch pretty quick once I have desired behavior defined.

The reason I use “[]” is that I want to make sure the user doesn’t have any roles at all, i.e. remove existing ones.

I think I see your point, i.e. the default is an empty set, which will always obliterate existing roles. But if you only do it when

role_membership => inclusive

is used, it should be ok, as “minimum” is the default. Right? :)

This is an easy fix – just munge the ‘should=’ method in the role parameter to treat an empty array as ‘[:absent]’.

It’s slightly more complicated because it is inheriting from a List property and has the concept of ‘membership’.

Martin,

Can you confirm that [] will actually get rid of roles that you don’t want? Looking at the code, I believe it will not unless you set the membership to inclusive. That also seems like the proper behavior, it should only remove roles when membership is inclusive.

What behavior do you get when you specify [:absent]?

I’ll get my Solaris VMs warmed up. I think there is definitely a subtle bug/missed scope. I’ll fix it this weekend once we agree on the proper behavior.

Yes, using:

roles => [],
role_membership => inclusive

removes all roles for that user – which is the behavior I want, I just want to get rid of the message it displays when the role list already is empty:

notice: ... defined 'roles' as ''

Since it will be reported over and over again every 30 minutes.

This fix should also be applied to authorizations & profiles

I’ve just tested the fix and it works as expected:

• when membership is “inclusive” everything is cleared on the first run and sequent runs are silent
• when membership is “minimum” it leaves the current values alone