Last modified: 2014-10-01 15:33:15 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T73480, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 71480 - Prevent puppet from creating local user when they are defined in LDAP
Status: NEW
Product: Wikimedia Labs
Classification: Unclassified
Component: Infrastructure
Version: unspecified
Hardware: All All
Importance: Unprioritized normal
Target Milestone: ---
Assigned To: Nobody - You can work on this!
Reported: 2014-09-30 21:14 UTC by Antoine "hashar" Musso (WMF)
Modified: 2014-10-01 15:33 UTC (History)
Description Antoine "hashar" Musso (WMF) 2014-09-30 21:14:24 UTC
We had a few LDAP rolling upgrades over the past few days. When puppet realizes a User type, it apparently detects a provider of the user. When LDAP works, it does not create the user, but whenever LDAP does not, puppet falls back to adduser and creates a local user.

An example is the beta cluster, which recently had a local 'mwdeploy' user being created by puppet on deployment-rsync01 and deployment-bastion. The processes we run (such as scap) end up altering / creating files with the local UID, and whenever LDAP comes back we have a few permissions errors all over the place.

Puppet User supports a 'provider' attribute which can be set to 'ldap'. Bryan suggested using hiera to set that on labs.

Ref:
https://docs.puppetlabs.com/references/latest/type.html#user-attribute-provider
Comment 1 Antoine "hashar" Musso (WMF) 2014-10-01 13:43:25 UTC
On second thought, maybe the l10nupdate and mwdeploy User definitions in puppet should be given a UID/GID that matches the one from LDAP.
Comment 2 Bryan Davis 2014-10-01 15:33:15 UTC
(In reply to Antoine "hashar" Musso from comment #1)
> On second thought, maybe the l10nupdate and mwdeploy User definitions in
> puppet should be given a UID/GID that matches the one from LDAP.

Renumbering is going to be a pain, but it would be less painful to ensure that the gid/uid pairs used in LDAP match the gid/uid pairs found in the production cluster. It's interesting to me that the mwdeploy user and group do not have explicit uid/gid in puppet. I wonder how that actually works in practice across production.
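
A check for the failure mode discussed in this bug, added here as an example and not part of the original report or of Wikimedia's puppet code: it compares local passwd entries with the directory's and lists every name defined in both, flagging those whose UID/GID differ. The sample entries and their UID/GID values are constructed, and the function names are hypothetical.

```python
"""Find local accounts that shadow LDAP accounts, and whether their IDs differ."""

# Constructed sample of /etc/passwd on an instance where the adduser
# fallback created 'mwdeploy' locally while LDAP was unavailable.
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
# constructed entry left behind by the local fallback
mwdeploy:x:1003:1003::/home/mwdeploy:/bin/bash
l10nupdate:x:10002:10002::/home/l10nupdate:/bin/bash
"""

# Constructed sample of the directory's view in passwd(5) format
# (assumption: obtained with something like `getent -s ldap passwd`).
LDAP_PASSWD = """\
mwdeploy:x:603:603::/var/lib/mwdeploy:/bin/bash
l10nupdate:x:10002:10002::/home/l10nupdate:/bin/bash
exampleuser:x:2001:500::/home/exampleuser:/bin/bash
"""


def parse_passwd(text):
    """Return {name: (uid, gid)} from passwd(5)-format text.

    Blank lines, comments, NSS compat (+/-) lines and malformed lines are
    skipped. The first entry for a name wins, as it does for lookups.
    """
    accounts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#+-":
            continue
        fields = line.split(":")
        if len(fields) < 4 or not (fields[2].isdigit() and fields[3].isdigit()):
            continue
        accounts.setdefault(fields[0], (int(fields[2]), int(fields[3])))
    return accounts


def shadowed_accounts(local_text, ldap_text):
    """List (name, local_ids, ldap_ids, ids_differ) for names defined in both."""
    local, ldap = parse_passwd(local_text), parse_passwd(ldap_text)
    return [(name, local[name], ldap[name], local[name] != ldap[name])
            for name in sorted(local.keys() & ldap.keys())]


if __name__ == "__main__":
    for name, loc, ldp, differ in shadowed_accounts(LOCAL_PASSWD, LDAP_PASSWD):
        status = "ID MISMATCH" if differ else "same IDs"
        print(f"{name}: local uid/gid={loc} ldap uid/gid={ldp} [{status}]")
```

Any name reported with differing IDs marks files that will change effective owner once directory lookups resume.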
