Hi Damian,

On Mon, Jan 28, 2013 at 2:01 PM,  <[email protected]> wrote:
> Hi Josh,
>
> First of all thanks for the quick reply.
>
> The main priorities to make Puppet usable on Windows for us would be:
>
> 1> Control complete state of the DACL for grant (we don't use deny).
> 2> Control inheritance on DACL (at the same time as being able to control
> other DACL grant entries for that object).
> 3> Control inheritance on SACL (we only set this at a higher level).

It sounds like you're wanting to model the security descriptor, and
not just the DACL.

> 4> Set user account on Service.
>
> It would also be good to have the following (although don't think it would
> be a showstopper for adoption):
> 5> Control ACL on local SMB shares.
> 6> Control ACL on registry.
>

Ideally the type should be applicable to any Windows securable object,
e.g. desktops, services, etc.

> And finally the nice to haves:
> 7> (Nice to have) Set DACL on parent directory but inherit permissions on
> all children when using source param with multiple levels of hierarchy.
> 8> (Nice to have) Set DACL on parent directory but inherit permissions on
> all children when using recurse param.
>
> Off the top of my head (not fully worked out all our requirements with the
> devs yet) I don't think we control access to any other types of windows
> object (e.g. service)
>
> I did start having a dig in the Puppet code for the file type and all of the
> building blocks are already there. I'm not sure how much effort it would be
> to write an ntfsfile class but I have started having a play with writing my
> own (in my spare time) but I've never written Ruby before so a reasonable
> learning curve (not least just to understand the mass of file and windows
> provider Puppet code let alone Ruby!). The permission setting methods are
> all there (e.g. set_acl and get_acl from security.rb including the protected
> parameter that I couldn't see a way of setting anywhere).

I'd recommend using the win32-security gem[1] as a starting point and
adding whatever methods aren't yet implemented, using the puppet code
for comparison. Ideally, I'd like to see all of the ACL manipulation
done in win32-security and not in puppet.

> My plan was to replace the mode param on file.rb with a dacl param that
> could take some form of friendly dacl description. The get_mode and
> set_mode methods could then be changed to translate between friendly dacl
> and real dacl rather than POSIX mode and dacl.
>
> The friendly DACL would use something like the following to describe each
> ACE:
>  ntfsfile { 'myfile.txt' :
>    require => file,
>    dacl => [
>      ['user1', grant, [FULL_CONTROL]],
>      ['user2', grant, [FILE_READ]],
>      ['group1', grant, [FILE_READ, FILE_WRITE, CHANGE_PERMISSIONS]],
>      ['user3', deny, [FILE_READ, FILE_WRITE, FILE_EXECUTE]]
>    ],
>    inheritparent => false,
>    source => 'puppet://modules/something/file.txt',
>  }
>

Josh

[1] https://github.com/djberg96/win32-security
--
Josh Cooper
Developer, Puppet Labs
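As an added illustration of the translation step Damian describes (friendly DACL description to a real DACL), here is a small Ruby example that is not part of this thread, of Puppet, or of win32-security. It turns a DACL list of the shape proposed above into an SDDL string, the canonical text form of a Windows security descriptor, which can then be applied on Windows with ConvertStringSecurityDescriptorToSecurityDescriptor or, in PowerShell, via an ACL object's SetSecurityDescriptorSddlForm. The names FriendlyDacl-style helpers (RIGHTS, IDENTITIES, to_sddl, canonical_order?) are this example's own; the identity table is a constructed stand-in for a LookupAccountName call (which win32-security's SID class wraps), and the access-mask values are the winnt.h FILE_GENERIC_*, FILE_ALL_ACCESS and WRITE_DAC constants.

```ruby
# Added example (not Puppet or win32-security code): friendly DACL -> SDDL.
# Pure Ruby, no Windows API calls, so it runs anywhere; applying the result
# to a file is left to the caller.

# File-object access masks from winnt.h. FILE_GENERIC_* already include
# READ_CONTROL and SYNCHRONIZE, so a "read" grant also allows reading the
# security descriptor, which is what Explorer's "Read" checkbox does too.
RIGHTS = {
  'FULL_CONTROL'       => 0x1F01FF, # FILE_ALL_ACCESS
  'FILE_READ'          => 0x120089, # FILE_GENERIC_READ
  'FILE_WRITE'         => 0x120116, # FILE_GENERIC_WRITE
  'FILE_EXECUTE'       => 0x1200A0, # FILE_GENERIC_EXECUTE
  'CHANGE_PERMISSIONS' => 0x040000, # WRITE_DAC
}.freeze

# Constructed identity table (assumption for this example). Real code resolves
# account names to SIDs with LookupAccountName; here well-known SDDL aliases
# stand in, and literal "S-1-..." strings pass through untouched.
IDENTITIES = {
  'Administrators' => 'BA',
  'Users'          => 'BU',
  'SYSTEM'         => 'SY',
  'Everyone'       => 'WD',
}.freeze

def resolve_sid(identity)
  return identity if identity.start_with?('S-1-')
  IDENTITIES.fetch(identity) { raise ArgumentError, "unknown identity #{identity}" }
end

# OR the named rights together into one access mask.
def access_mask(right_names)
  right_names.reduce(0) do |mask, name|
    mask | RIGHTS.fetch(name) { raise ArgumentError, "unknown right #{name}" }
  end
end

# Is the list already in canonical order (all explicit denies before grants)?
def canonical_order?(dacl)
  seen_grant = false
  dacl.each do |(_, kind, _)|
    seen_grant = true if kind == :grant
    return false if kind == :deny && seen_grant
  end
  true
end

# dacl:            array of [identity, :grant | :deny, [right names]]
# inherit_parent:  false sets SE_DACL_PROTECTED (the "P" flag), i.e. the
#                  "protected" parameter mentioned in the mail; ACEs inherited
#                  from the parent directory are then cut off.
# apply_to_children: true adds OBJECT_INHERIT | CONTAINER_INHERIT ("OICI") to
#                  every ACE; only meaningful when the target is a directory.
# Returns e.g. "D:P(D;;0x120116;;;WD)(A;;0x1f01ff;;;BA)(A;;0x1200a9;;;BU)".
def to_sddl(dacl, inherit_parent: true, apply_to_children: false)
  # Windows walks the DACL in order and stops at the first ACE that decides
  # the request, so a grant listed before a deny for an overlapping identity
  # silently defeats the deny. Reorder into canonical form before emitting.
  denies, grants = dacl.partition { |(_, kind, _)| kind == :deny }
  ace_flags = apply_to_children ? 'OICI' : ''
  aces = (denies + grants).map do |identity, kind, rights|
    type = kind == :grant ? 'A' : 'D'
    format('(%s;%s;0x%x;;;%s)', type, ace_flags, access_mask(rights), resolve_sid(identity))
  end
  "D:#{inherit_parent ? '' : 'P'}#{aces.join}"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input in the shape of the proposal above.
  dacl = [
    ['Administrators', :grant, ['FULL_CONTROL']],
    ['Users',          :grant, ['FILE_READ', 'FILE_EXECUTE']],
    ['Everyone',       :deny,  ['FILE_WRITE']],
  ]
  puts to_sddl(dacl, inherit_parent: false)
end
```

Two practical checks fall out of this. First, a DACL that is both protected (no inheritance) and lists only the accounts you named will lock out anyone not on the list, including SYSTEM and local administrators (who can still take ownership, but the service-account or agent itself may lose access), so a type like this should at least warn when SYSTEM or Administrators is absent. Second, a get_acl/set_acl round trip should compare the canonical ordering, not the order the manifest author wrote, or the resource will report itself out of sync on every run.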

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To post to this group, send email to [email protected].
Visit this group at http://groups.google.com/group/puppet-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.