Bug #9347
closedsudo management isn't update-safe
Added by Florian Heigl about 8 years ago. Updated over 7 years ago.
Description
If you extend the list of allowed sudo commands, rudder will add another line with the second permission set.
also, it adds it's own entries in the last line, after the #include statement. that's not proper, can you make it so it adds its stuff before #include since that is the last line by convention (no technical need, just style)
Updated by Benoît PECCATTE about 8 years ago
Yes, this is due to a limitation in how we write techniques and how cfengine convergence works.
To make sure a technique is update-safe, we are thinking at how to solve this but it needs long term changes.
To work around the limitations, the best thing is to use templates.
Updated by François ARMAND over 7 years ago
- Severity set to Critical - prevents main use of Rudder | no workaround | data loss | security
- User visibility set to Getting started - demo | first install | level 1 Techniques
- Priority set to 72
Updated by François ARMAND over 7 years ago
We should have an edit zone for rudder, and cleanly managed everything in that zone.
Updated by Nicolas CHARLES over 7 years ago
- Effort required set to Medium
- Priority changed from 72 to 70
- editing within a Rudder zone - striclty enforcing content there (but what about lines not in this zone, should they be moved within the zone when commands are managed ?). Question is: how do we know which Directives will trigger a change if several directives are editing this zone ?
- extending list of commands: we need to be able that we are extending a line (so partial match?); or strictly enforce the content (see previous point)
Feedback is welcome on the expected behaviour
Estimated effort is more than a day (something in between checkGenericFileContent + ensure_key_value_parameters)
Updated by Benoît PECCATTE over 7 years ago
- Assignee set to Nicolas CHARLES
- Priority changed from 70 to 69
Updated by Nicolas CHARLES over 7 years ago
- Target version set to 3.1.21
We should use file_ensure_block_in_section to create and edit section
Updated by Nicolas CHARLES over 7 years ago
Nicolas CHARLES wrote:
We should use file_ensure_block_in_section to create and edit section
Actually, this would prevent detecting which command has been edited
So we could either create a new generic method that would have name of section as class parameter, or find another solution :/
Updated by Nicolas CHARLES over 7 years ago
To have a correct fix with generic method, we need to have composite keys for reporting, and this is quite a big change (it could only be in master for ncf), even if located only in ncf
So to have a suitable fix in Rudder 3.1, we'll create an ad-hoc code, like a generic method, in sudo technique, to edit section with proper reporting
Updated by Vincent MEMBRÉ over 7 years ago
- Target version changed from 3.1.21 to 3.1.22
- Priority changed from 69 to 68
Updated by Nicolas CHARLES over 7 years ago
- Status changed from New to In progress
Updated by Nicolas CHARLES over 7 years ago
there a huge question mark here.
We are moving from managing file like
# User privilege specification root ALL=(ALL:ALL) ALL %admin ALL=(ALL) ALL %sudo ALL=(ALL:ALL) ALL
to
# User privilege specification root ALL=(ALL:ALL) ALL # Configuration name Name 1 %admin ALL=(ALL) ALL # End Configuration name Name 1 # Configuration name Name 2 %sudo ALL=(ALL:ALL) ALL # End Configuration name Name 2
without having duplicate lines
an idea would be to create a globally managed section
#Managed by Rudder #End of section Managed by Rudder
and work in this section, and purge all duplicated line in and out this section; but resulting code gets pretty complex
(but it's doable)
Updated by Nicolas CHARLES over 7 years ago
Updated by Nicolas CHARLES over 7 years ago
Updated by Nicolas CHARLES over 7 years ago
Decided solution:
we check if expected line is there - if it is, but not in the section (and the section doesn't exist somewhere else), we wrap it around the section.
Otherwise, if section is there, we edit it
otherwise, we add the section
Updated by Nicolas CHARLES over 7 years ago
- Status changed from In progress to Pending technical review
- Pull Request set to https://github.com/Normation/rudder-techniques/pull/1176
- Priority changed from 68 to 67
Updated by Nicolas CHARLES over 7 years ago
- Status changed from Pending technical review to In progress
- Pull Request deleted (
https://github.com/Normation/rudder-techniques/pull/1176)
it's still in progress (i did a rudder-dev wip, don't know why it created a PR)
Updated by Nicolas CHARLES over 7 years ago
- Related to User story #11145: Add bundle in library to edit section, and enforce its content, as well as deleteing line matching regexp in all file added
Updated by Nicolas CHARLES over 7 years ago
- Status changed from In progress to Pending technical review
- Assignee changed from Nicolas CHARLES to Benoît PECCATTE
- Pull Request set to https://github.com/Normation/rudder-techniques/pull/1178
Updated by Vincent MEMBRÉ over 7 years ago
- Target version changed from 3.1.22 to 3.1.23
- Priority changed from 67 to 66
Updated by Nicolas CHARLES over 7 years ago
- Status changed from Pending technical review to Pending release
Applied in changeset rudder-techniques|30280beaaa8c59d4173aff027a309a2c9df99bc6.
Updated by Vincent MEMBRÉ over 7 years ago
- Status changed from Pending release to Released
- Priority changed from 66 to 65