Resource Type: macgroup

Defined in:
lib/puppet/type/macgroup.rb
Providers:
default

Overview

A drop-in replacement for the built-in Puppet Type: Group

A custom Puppet type for configuring and managing OS X groups.

Similar to the built-in Puppet type, Macgroup can manage user membership and other attributes of DSLocal group records.

However, unlike the built-in Puppet type, it also supports management of nestedgroups records, aka “Groups-in-Group”.

USAGE ====

macgroup { ‘foo’:

ensure => present,
realname => 'FooGroup',
comment => 'Installed by Puppet',
users => ['foo', 'bar', 'baz'],
nestedgroups => ["ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000050", 'group_two'],
strict => true,

}

Properties

  • comment

    String that describes the group’s purpose.

    Corresponds to the Comment/comment attribute.

    Default is :absent.

  • ensure (defaults to: present)

    The basic property that the resource should be in.

    Supported values:
    • present
    • absent
  • gid

    The numeric ID for the Group.

    Corresponds to the PrimaryGroupID/gid attribute.

    If you create a new group and do not specify a GID, one will be selected for you. However, this is not recommended as it cannot guarantee GID specification across a collection of machines. For example, if the same resource were applied to two different machines, the GID could not be guaranteed to be the same on both, unless you were to configure this parameter.

    By the same token, if you do specify a GID parameter, you must ensure that the GID will not collide with existing groups on the machine – especially built-ins.

    Default is :absent.

    Supported values:
    • /^\d+$/
  • nestedgroups

    A list of groups you want nested inside the group.

    Corresponds to the NestedGroups/nestedgroups attribute.

    Note: this attribute lists membership according the record’s GeneratedUID, not the record’s’ name like the user list.

    Membership is managed wholesale, that is, it’s purged prior to modification unless you set strict => false.

    Please see the documentation on :strict before using this feature.

    To specify nested groups, you pass an Array of:

    a) Group Names (ie. “admin”, “staff”, etc.) b) GeneratedUIDs (ie. “ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000050”, etc.) c) A mix of both (ie. “ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000050”, “staff”)

    When you provide a list of group names, the Macgroup type will attempt to resolve the record to its associated GeneratedUID. This is IMPORTANT to keep in mind when referring to external node records (ie. LDAP or AD). If it cannot resolve the record name to GeneratedUID, the Magroup type will generate a warning and skip configuration of the unresolvable record.

    Like the user membership control, this “warn and continue” style of resource management is sub-optimal, but provides greater resilience during temporary outages.

    For this reason, it is recommended that you list nestegroups according to their respective GeneratedUIDs and NOT the record names as this will provide the greatest stability (and less log noise).

    Note: an empty list is not the same as an absent one. An absent list implies that the attribute is unmanaged, while an empty list is managed and will create and empty list… Use caution.

    Default is :absent (no management)

  • realname

    Optional string value that declares the group’s RealName.

    Corresponds to the RealName/realname attribute.

    Default is :absent.

  • users

    The list of users you want added to the group.

    Corresponds to the GroupMembership/users attribute.

    Membership is managed wholesale, that is, it’s purged prior to modification unless you set strict => false.

    Please see the documentation on :strict before using this feature.

    To specify users, you pass an Array of user names. The provider will warn about an invalid user account, but it will apply the configuration anyway. This is to prevent temporary OpenDirectory or network outages from wreaking havoc with your Puppet config.

    Note: an empty list is not the same as an absent one. An absent list implies that the attribute is unmanaged, while an empty list is managed and will create and empty list… Use caution.

    Default is :absent (no management)

Parameters

  • name (namevar)

    The resource name.

    Corresponds to the RecordName/name attribute.

  • provider

    The specific backend to use for this ‘macgroup` resource. You will seldom need to specify this — Puppet will usually discover the appropriate provider for your platform.

  • strict (defaults to: true)

    How to handle membership in the users and nestedgroups arrays.

    A Boolean value that informs the provider whether to merge the specified members into the record, or replace them outright.

    This parameter controls the behavior of BOTH the users and nestedgroups arrays.

    By default, the users and nestedgroups arrays will be PURGED and replaced by whatever you specify in the resource (ie. strict => true).

    Still, this isn’t always what you want. Sometimes, you simply want to ensure that the users/groups you specify in the resource are members, and ignore any other records in the list(s).

    To accomplish this, you can set the strict parameter to false.

    Default is :true (purge)

    Supported values:
    • true
    • false