user: return actual system groups instead of input parameter (#86553)

The user module's 'groups' return value was returning the groups specified in the module input rather than the actual groups the user belongs to on the system. When using append=true, this meant pre-existing groups were missing from the output. Now queries the system for the user's actual group membership after modification, which matches the documented behavior of "List of groups of which the user is a member." Fixes #80669 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
3 months ago · 52b7d4d092
parent 7d281b2a7c
commit 52b7d4d092
4 changed files with 64 additions and 4 deletions
--- a/changelogs/fragments/80669-user-return-actual-groups.yml
+++ b/changelogs/fragments/80669-user-return-actual-groups.yml
@ -0,0 +1,3 @@
+bugfixes:
+  - user - return the actual system groups the user belongs to instead of only the
+    groups specified in the module input (https://github.com/ansible/ansible/issues/80669).
--- a/lib/ansible/modules/user.py
+++ b/lib/ansible/modules/user.py
@ -422,8 +422,8 @@ group:
  type: int
  sample: 1001
 groups:
-  description: List of groups of which the user is a member.
-  returned: When O(groups) is not empty and O(state) is V(present)
+  description: Comma-separated list of groups of which the user is a member.
+  returned: When user exists and O(state) is V(present)
  type: str
  sample: 'chrony,apache'
 home:
@ -3502,8 +3502,7 @@ def main():
        result['comment'] = info[4]
        result['home'] = info[5]
        result['shell'] = info[6]
-        if user.groups is not None:
-            result['groups'] = user.groups
+        result['groups'] = ','.join(user.user_group_membership())

        # handle missing homedirs
        info = user.user_info()
--- a/test/integration/targets/user/tasks/main.yml
+++ b/test/integration/targets/user/tasks/main.yml
@ -18,6 +18,7 @@
 - import_tasks: test_expires_min_max.yml
 - import_tasks: test_expires_warn.yml
 - import_tasks: test_ssh_key_passphrase.yml
+- import_tasks: test_returned_groups.yml
 - include_tasks: test_password_lock.yml
 - include_tasks: test_password_lock_new_user.yml
 - include_tasks: test_local.yml
--- a/test/integration/targets/user/tasks/test_returned_groups.yml
+++ b/test/integration/targets/user/tasks/test_returned_groups.yml
@ -0,0 +1,57 @@
+# Test that the user module returns the actual groups a user belongs to
+# See: https://github.com/ansible/ansible/issues/80669
+
+- name: remove test user for groups return test
+  user:
+    name: ansibulluser_groups
+    state: absent
+
+- name: create test user with initial groups
+  user:
+    name: ansibulluser_groups
+    groups:
+      - daemon
+      - bin
+    state: present
+  register: user_groups_create
+
+- name: validate groups on initial creation
+  assert:
+    that:
+      - "'bin' in user_groups_create.groups"
+      - "'daemon' in user_groups_create.groups"
+
+- name: append a group to the test user
+  user:
+    name: ansibulluser_groups
+    groups:
+      - sys
+    append: true
+    state: present
+  register: user_groups_append
+
+- name: validate groups after append includes all groups
+  assert:
+    that:
+      - "'bin' in user_groups_append.groups"
+      - "'daemon' in user_groups_append.groups"
+      - "'sys' in user_groups_append.groups"
+
+- name: run user module with no groups param
+  user:
+    name: ansibulluser_groups
+    state: present
+  register: user_groups_noarg
+
+- name: validate groups returned even when groups param is not set
+  assert:
+    that:
+      - user_groups_noarg.groups is defined
+      - "'bin' in user_groups_noarg.groups"
+      - "'daemon' in user_groups_noarg.groups"
+      - "'sys' in user_groups_noarg.groups"
+
+- name: clean up test user
+  user:
+    name: ansibulluser_groups
+    state: absent