Non-root user functionality

Non-root users can use a subset of administrative functionality. Non-root agents can't perform any operations requiring root privileges, such as installing system packages.

*nix non-root functionality

Non-root users on *nix agents can enforce these resource types, with some caveats as noted:

  • augeas
  • cron: Can only view or set non-root cron jobs
    • If you run a cron job as a non-root user and use the -u flag to set a user with root privileges, the job fails with this error message: Notice: /Stage[main]/Main/Node[nonrootuser]/Cron[illegal_action]/ensure: created must be privileged to use -u
  • exec: Cannot run as another user or group
  • file: Non-root user must have read/write privileges
  • notify
  • schedule
  • service
  • ssh_authorized_key
  • ssh_key
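
A manifest that stays inside these limits, next to the two declarations a non-root agent rejects. This is an added example, not taken from the Puppet documentation; the deploy account, its home directory, the resource titles other than illegal_action, and the commands are assumptions.

```puppet
# Constructed example: account name, paths and commands are placeholders.
$home = '/home/deploy'

# file: works because the agent user can read and write inside its own home.
file { "${home}/app":
  ensure => directory,
  mode   => '0750',
}

file { "${home}/app/app.conf":
  ensure  => file,
  mode    => '0640',
  content => "log_level = info\n",
}

# exec: no 'user' or 'group' attribute, so the command runs as the agent user.
exec { 'build-cache':
  command => "touch ${home}/app/.cache-built",
  path    => ['/bin', '/usr/bin'],
  creates => "${home}/app/.cache-built",
  require => File["${home}/app"],
}

# cron: no 'user' attribute, so the job goes into the agent user's own crontab.
cron { 'rotate-app-log':
  command => "find ${home}/app -name '*.log' -mtime +7 -delete",
  hour    => 3,
  minute  => 15,
}

# Rejected under a non-root agent: setting 'user' leads to the
# "must be privileged to use -u" failure quoted in the cron caveat.
# cron { 'illegal_action':
#   command => '/bin/true',
#   user    => 'root',
# }

# Rejected under a non-root agent: exec cannot run as another user or group.
# exec { 'run-as-root':
#   command => '/usr/bin/id',
#   user    => 'root',
# }
```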

Non-root users on *nix agents can inspect host, mount, and package resource types with the puppet resource <RESOURCE_TYPE> command.

Windows non-root functionality

Windows non-root agents are limited in comparison to *nix non-root agents. While you can enforce and inspect some resource types, you are limited to what the agent user has permission to do, which isn't much by default. For example, you can't create a file or directory in C:\Windows unless the agent user has permission to do so.

Non-root users on Windows agents can enforce exec and file resource types.

Non-root users on Windows agents can use the puppet resource <RESOURCE_TYPE> command to inspect these resource types:

  • host
  • package
  • user
  • group
  • service