author: Luke Kanies <luke@madstop.com> 2009-08-19 17:27:35 -0700
committer: James Turnbull <james@lovedthanlost.net> 2009-08-24 11:36:22 +1000
commit: a49915ad928e01aa1a5505ae52125fac6f4f2744
tree: dad17046057b09451efc5743158ccd4a5846ac28 /lib
parent: 14ec838c0aad75098c5c86f77603640f6b1e7efc
Not using the service user in settings when it's unavailable

This gets us most of the way toward fixing #2460 - we can now have the certificate information owned by the service user when it's available, thus making it so that puppetmasterd (not running as root) can read it.

Signed-off-by: Luke Kanies <luke@madstop.com>
Diffstat (limited to 'lib')
-rw-r--r-- lib/puppet/util/settings.rb 10
-rw-r--r-- lib/puppet/util/settings/file_setting.rb 6
2 files changed, 15 insertions, 1 deletions
diff --git a/lib/puppet/util/settings.rb b/lib/puppet/util/settings.rb
index c49fbf3cb..625bab42a 100644
--- a/lib/puppet/util/settings.rb
+++ b/lib/puppet/util/settings.rb
@@ -465,6 +465,16 @@ class Puppet::Util::Settings
return sectionlist, sections
end
+ def service_user_available?
+ return @service_user_available if defined?(@service_user_available)
+
+ return @service_user_available = false unless user_name = self[:user]
+
+ user = Puppet::Type.type(:user).new :name => self[:user], :check => :ensure
+
+ return @service_user_available = user.exists?
+ end
+
def set_value(param, value, type)
param = param.to_sym
unless setting = @config[param]
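Review bot: In `service_user_available?`, the result is memoized in `@service_user_available` and nothing in this hunk ever resets it, so a `false` computed before the service account exists persists for the life of the settings object even if the account is created or `:user` is changed afterwards. Consider clearing the cached value when `:user` is set, or state in a comment that the check is deliberately one-shot. Separately, `user_name` is assigned in the `unless` guard but never used; the next line reads `self[:user]` again, so either pass `user_name` to `:name =>` or drop the assignment. The method also has no comment saying what "available" means here (the account exists on this host).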
diff --git a/lib/puppet/util/settings/file_setting.rb b/lib/puppet/util/settings/file_setting.rb
index 7ddc4697c..22e408a95 100644
--- a/lib/puppet/util/settings/file_setting.rb
+++ b/lib/puppet/util/settings/file_setting.rb
@@ -35,10 +35,14 @@ class Puppet::Util::Settings::FileSetting < Puppet::Util::Settings::Setting
def owner
return unless defined?(@owner) && @owner
- return "root" if @owner == "root"
+ return "root" if @owner == "root" or ! use_service_user?
@settings[:user]
end
+ def use_service_user?
+ @settings[:mkusers] or @settings.service_user_available?
+ end
+
# Set the type appropriately. Yep, a hack. This supports either naming
# the variable 'dir', or adding a slash at the end.
def munge(value)
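Review bot: In `owner`, the new `or ! use_service_user?` branch returns "root" for a file whose `@owner` requested the service user, and it does so silently; a debug or warning message on that fallback would explain why files end up root-owned, which matters given the commit message's goal of letting a non-root puppetmasterd read the certificate data. Only `owner` is touched in this patch, so if group ownership is resolved in a similar way it probably needs the same guard. On style, `||` is the safer operator than `or` in both `return "root" if @owner == "root" or ! use_service_user?` and `@settings[:mkusers] or @settings.service_user_available?`, and `use_service_user?` would benefit from a one-line comment explaining why `:mkusers` short-circuits the existence check.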