Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

WIP: fix(config): remove dictsort that breaks sudoers #67

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

javierbertoli
Copy link
Member

@javierbertoli javierbertoli commented Aug 24, 2020

PR progress checklist (to be filled in by reviewers)

  • Changes to documentation are appropriate (or tick if not required)
  • Changes to tests are appropriate (or tick if not required)
  • Reviews completed

What type of PR is this?

Primary type

  • [build] Changes related to the build system
  • [chore] Changes to the build process or auxiliary tools and libraries such as documentation generation
  • [ci] Changes to the continuous integration configuration
  • [feat] A new feature
  • [fix] A bug fix
  • [perf] A code change that improves performance
  • [refactor] A code change that neither fixes a bug nor adds a feature
  • [revert] A change used to revert a previous commit
  • [style] Changes that do not affect the meaning of the code (white-space, formatting, missing semi-colons, etc.)

Secondary type

  • [docs] Documentation changes
  • [test] Adding missing or correcting existing tests

Does this PR introduce a BREAKING CHANGE?

YES.

Although it's quite possible that 'nothing will break', existing entries order will change and you might end up with a rendered file that does not match current one.

Related issues and/or pull requests

Describe the changes you're proposing

in bc62b6e dicsort was applied to the pillar entries. But in the
sudoers file order matters so, using dicsort, breaks it.

From man 5 sudoers:

When multiple entries match for a user, they are
applied in order. Where there are multiple matches, the last match
is used (which is not necessarily the most specific match).

Removed dictsort from the {users,groups,netgroups} specifications.

Pillar / config required to test the proposed changes

Debug log showing how the proposed changes work

Documentation checklist

  • Updated the README (e.g. Available states).
  • Updated pillar.example.

Testing checklist

  • Included in Kitchen (i.e. under state_top).
  • Covered by new/existing tests (e.g. InSpec, Serverspec, etc.).
  • Updated the relevant test pillar.

Additional context

@pull-assistant
Copy link

pull-assistant bot commented Aug 24, 2020

Score: 1.00

Best reviewed: commit by commit


Optimal code review plan

     fix(config): remove dictsort that breaks sudoers

Powered by Pull Assistant. Last update 7ee2569 ... 7ee2569. Read the comment docs.

@javierbertoli javierbertoli force-pushed the master branch 2 times, most recently from 8802c5b to e94e0f2 Compare August 24, 2020 19:50
@javierbertoli javierbertoli requested review from daks and myii August 24, 2020 20:00
@myii
Copy link
Member

myii commented Aug 24, 2020

@javierbertoli I'll concentrate on the map.jinja PR that @daks has put through -- hopefully he can review this PR. One minor comment for the time being: s/dicsort/dictsort/ in all places including the commit message, thanks.

in bc62b6e dictsort was applied to the pillar entries. But in the
sudoers file *order matters* so, using `dictsort`, breaks it.

From man 5 sudoers:

> When multiple entries match for a user, they are
> applied in order.  Where there are multiple matches, the last match
> is used (which is not necessarily the most specific match).

Removed `dictsort` from the {users,groups,netgroups} specifications.

BREAKING CHANGE: sudoers entries' order will change and might break
existing configuration. You should check your pillars and rendering.
@daks
Copy link
Member

daks commented Aug 25, 2020

If I understand correctly:

  • in 2018 was introduced (bc62b6e) the |dictsort filter to make the formula application 'idempotent' (the generated file won't change at every state apply)
  • this filter orders the dict automatically in an order which can be different of the user will
  • sudo entries order is very important!

I understand the need to this PR but it will make the formula application not idempotent again, which is not critical (I think other formulas have this problem too) but not ideal neither.

I think one way to solve this problem would be to move from dictionaries to lists for data which needs a specific order but it's a more important change.

I'm interested in your opinion on that topic.

@javierbertoli
Copy link
Member Author

@daks You're right, lists seems a more stable approach.

It's a breaking change, anyway, so we'd rather fix it the best way, right? 😄

I'll give it a try.

@javierbertoli javierbertoli changed the title fix(config): remove dicsort that breaks sudoers WIP: fix(config): remove dicsort that breaks sudoers Aug 25, 2020
@myii myii changed the title WIP: fix(config): remove dicsort that breaks sudoers WIP: fix(config): remove dictsort that breaks sudoers Aug 25, 2020
@tacerus tacerus mentioned this pull request Jan 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants