Hi Josh,

First of all, thanks for the quick reply.

The main priorities to make Puppet usable on Windows for us would be:
1> Control complete state of the DACL for grant (we don't use deny).
2> Control inheritance on DACL (at the same time as being able to control
other DACL grant entries for that object).
3> Control inheritance on SACL (we only set this at a higher level).
4> Set user account on Service.
It would also be good to have the following (although I don't think it would
be a showstopper for adoption):
5> Control ACL on local SMB shares.
6> Control ACL on registry.
And finally the nice to haves:
7> (Nice to have) Set DACL on parent directory but inherit permissions on
all children when using source param with multiple levels of hierarchy.
8> (Nice to have) Set DACL on parent directory but inherit permissions on
all children when using recurse param.
Off the top of my head (not fully worked out all our requirements with the
devs yet) I don't think we control access to any other types of Windows
object (e.g. service).
I did start having a dig in the Puppet code for the file type and all of
the building blocks are already there. I'm not sure how much effort it
would be to write an ntfsfile class but I have started having a play with
writing my own (in my spare time) but I've never written Ruby before so a
reasonable learning curve (not least just to understand the mass of file
and Windows provider Puppet code let alone Ruby!). The permission setting
methods are all there (e.g. set_acl and get_acl from security.rb including
the protected parameter that I couldn't see a way of setting anywhere). My
plan was to replace the mode param on file.rb with a dacl param that could
take some form of friendly dacl description. The get_mode and set_mode
methods could then be changed to translate between friendly dacl and real
dacl rather than POSIX mode and dacl.
The friendly DACL would use something like the following to describe each
ACE:

    ntfsfile { 'myfile.txt' :
      require       => file,
      dacl          => [
        ['user1', grant, [FULL_CONTROL]],
        ['user2', grant, [FILE_READ]],
        ['group1', grant, [FILE_READ, FILE_WRITE, CHANGE_PERMISSIONS]],
        ['user3', deny, [FILE_READ, FILE_WRITE, FILE_EXECUTE]]
      ],
      inheritparent => false,
      source        => 'puppet://modules/something/file.txt',
    }
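
Added example (not part of the original message and not Puppet's own code): one way to translate the friendly dacl description above into access masks in canonical order and compare it with an object's current DACL, as complete-state control requires. The mask mapping, the names `normalize_dacl` and `dacl_drift`, and the CURRENT list are assumptions made for illustration.

```ruby
# Added example, not Puppet code. The friendly right names come from the message;
# mapping them to these Windows access masks is an assumption.
RIGHTS = {
  'FULL_CONTROL'       => 0x001F01FF, # FILE_ALL_ACCESS
  'FILE_READ'          => 0x00120089, # FILE_GENERIC_READ
  'FILE_WRITE'         => 0x00120116, # FILE_GENERIC_WRITE
  'FILE_EXECUTE'       => 0x001200A0, # FILE_GENERIC_EXECUTE
  'CHANGE_PERMISSIONS' => 0x00040000  # WRITE_DAC
}.freeze
ACE_TYPES = { 'grant' => :allow, 'deny' => :deny }.freeze
Ace = Struct.new(:trustee, :type, :mask)

# Turn [[trustee, grant|deny, [rights]], ...] into canonical ACEs: one ACE per
# trustee and type with masks OR-ed together, deny entries ordered first.
def normalize_dacl(friendly)
  merged = Hash.new(0)
  friendly.each do |trustee, kind, rights|
    type = ACE_TYPES.fetch(kind.to_s) { raise ArgumentError, "unknown ACE type: #{kind}" }
    mask = rights.reduce(0) do |m, r|
      # Fail closed on a typo instead of silently writing an empty mask.
      m | RIGHTS.fetch(r.to_s) { raise ArgumentError, "unknown right: #{r}" }
    end
    merged[[trustee.to_s.downcase, type]] |= mask
  end
  merged.map { |(trustee, type), mask| Ace.new(trustee, type, mask) }
        .sort_by { |ace| [ace.type == :deny ? 0 : 1, ace.trustee] }
end

# Complete-state comparison: ACEs the manifest wants but the object lacks, and
# ACEs on the object that the manifest does not list (candidates for removal).
def dacl_drift(desired, current)
  want = normalize_dacl(desired)
  have = normalize_dacl(current)
  { missing: want - have, unmanaged: have - want }
end

# Constructed sample: DESIRED mirrors the message's dacl, CURRENT is invented.
DESIRED = [
  ['user1', 'grant', ['FULL_CONTROL']],
  ['user2', 'grant', ['FILE_READ']],
  ['group1', 'grant', %w[FILE_READ FILE_WRITE CHANGE_PERMISSIONS]],
  ['user3', 'deny', %w[FILE_READ FILE_WRITE FILE_EXECUTE]]
].freeze
CURRENT = [
  ['user1', 'grant', ['FULL_CONTROL']],
  ['user2', 'grant', %w[FILE_READ FILE_WRITE]],
  ['olduser', 'grant', ['FILE_READ']]
].freeze
p dacl_drift(DESIRED, CURRENT)
```

An ACE whose mask differs from the desired one shows up in both lists, so a widened grant on a managed trustee is reported as drift rather than treated as in sync.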