Hi Josh,

Did PuppetLabs ever get anywhere with ticket 13249?  I'm guessing not, as it 
hasn't been updated for months.  I see that PE 3 is now available and that 
there has been plenty of activity on the Windows side of things (we are 
about to start a trial with it on some of our Windows estate, as Windows 
support, especially MCollective, is much better).
Do you have any sort of timescale for this ticket?  I'd like to vote on it, 
but the "gatekeepers" of our PE login details are not letting me near it 
(the sysadmins own it; we're an app development department and having some 
fun and games with them trying to do continuous deployment type stuff!).

If you have any early release type versions of this I might be able to help 
out with some testing etc.

Damian

>> Josh quote >>
This is on our Windows roadmap, filed as 
https://projects.puppetlabs.com/issues/13249. Recently, the priority 
has increased as we've been hearing similar comments from other users. 
With that said, I'm curious what use cases you're looking to solve. 
Are you looking to specify the complete state of the DACL, e.g. grant 
permissions to these accounts, deny to these, control inheritance? Or 
a partial state, e.g. ensure administrators has full control and 
ignore other ACEs that are present. Or is it a compliance issue, e.g. 
ensure only administrators can write? 
>>

On Friday, March 8, 2013 9:06:57 PM UTC, Josh Cooper wrote:
>
> Hi Damian, 
>
> On Mon, Jan 28, 2013 at 2:01 PM, <damian....@gmail.com> wrote: 
> > Hi Josh, 
> > 
> > First of all thanks for the quick reply. 
> > 
> > The main priorities to make Puppet usable on Windows for us would be: 
> > 
> > 1> Control complete state of the DACL for grant (we don't use deny). 
> > 2> Control inheritance on DACL (at the same time as being able to control 
> > other DACL grant entries for that object). 
> > 3> Control inheritance on SACL (we only set this at a higher level). 
>
> It sounds like you're wanting to model the security descriptor, and 
> not just the DACL. 
>
> > 4> Set user account on Service. 
> > 
> > It would also be good to have the following (although I don't think it 
> > would be a showstopper for adoption): 
> > 5> Control ACL on local SMB shares. 
> > 6> Control ACL on registry. 
> > 
>
> Ideally the type should be applicable to any windows securable object, 
> e.g. desktops, services, etc. 
>
> > And finally the nice to haves: 
> > 7> (Nice to have) Set DACL on parent directory but inherit permissions on 
> > all children when using source param with multiple levels of hierarchy. 
> > 8> (Nice to have) Set DACL on parent directory but inherit permissions on 
> > all children when using recurse param. 
> > 
> > Off the top of my head (not fully worked out all our requirements with the 
> > devs yet) I don't think we control access to any other types of Windows 
> > object (e.g. service). 
> > 
> > I did start having a dig in the Puppet code for the file type and all of the 
> > building blocks are already there. I'm not sure how much effort it would be 
> > to write an ntfsfile class, but I have started having a play with writing my 
> > own (in my spare time). I've never written Ruby before, so it's a reasonable 
> > learning curve (not least just to understand the mass of file and Windows 
> > provider Puppet code, let alone Ruby!). The permission setting methods are 
> > all there (e.g. set_acl and get_acl from security.rb, including the protected 
> > parameter that I couldn't see a way of setting anywhere). 
>
> I'd recommend using the win32-security gem[1] as a starting point and 
> adding whatever methods aren't yet implemented, using the puppet code 
> for comparison. Ideally, I'd like to see all of the ACL manipulation 
> done in win32-security and not in puppet. 
>
> > My plan was to replace the mode param on file.rb with a dacl param that 
> > could take some form of friendly dacl description.  The get_mode and 
> > set_mode methods could then be changed to translate between friendly dacl 
> > and real dacl rather than POSIX mode and dacl. 
> > 
> > The friendly DACL would use something like the following to describe each 
> > ACE: 
> >   ntfsfile { 'myfile.txt': 
> >     require       => file, 
> >     dacl          => [ 
> >       ['user1',  'grant', ['FULL_CONTROL']], 
> >       ['user2',  'grant', ['FILE_READ']], 
> >       ['group1', 'grant', ['FILE_READ', 'FILE_WRITE', 'CHANGE_PERMISSIONS']], 
> >       ['user3',  'deny',  ['FILE_READ', 'FILE_WRITE', 'FILE_EXECUTE']], 
> >     ], 
> >     inheritparent => false, 
> >     source        => 'puppet:///modules/something/file.txt', 
> >   } 
> > 
>
> Josh 
>
> [1] https://github.com/djberg96/win32-security 
> -- 
> Josh Cooper 
> Developer, Puppet Labs 
>
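An added example, not code from the thread, Puppet or win32-security: a plain-Ruby model of Damian's friendly DACL format, worked through the three use cases Josh asks about (complete DACL state, partial state, compliance check) together with the inheritparent flag. The Ace struct and the RIGHTS name-to-mask table are assumptions made for this example.

```ruby
# Ace and RIGHTS are assumptions for this example. The mask values are the
# Win32 file access-mask bits (the same numbers .NET's FileSystemRights
# uses); CHANGE_PERMISSIONS is WRITE_DAC.
Ace = Struct.new(:trustee, :type, :mask, :inherited)

RIGHTS = {
  'FULL_CONTROL'       => 0x1F01FF,
  'FILE_READ'          => 0x020089,
  'FILE_WRITE'         => 0x000116,
  'FILE_EXECUTE'       => 0x000020,
  'CHANGE_PERMISSIONS' => 0x040000,
}.freeze

# [['user1', 'grant', ['FULL_CONTROL']], ...] -> explicit (non-inherited) ACEs.
def friendly_to_aces(entries)
  entries.map do |trustee, type, rights|
    raise ArgumentError, "ACE type must be grant or deny: #{type}" unless %w[grant deny].include?(type)
    Ace.new(trustee, type, rights.reduce(0) { |m, r| m | RIGHTS.fetch(r) }, false)
  end
end

# Complete state: desired explicit ACEs replace every explicit ACE present.
# Inherited ACEs survive unless inheritparent is false (the protected bit).
def complete_state(current, desired, inheritparent: true)
  (inheritparent ? current.select(&:inherited) : []) + desired
end

# Partial state: each desired ACE must be present, the rest is left alone;
# a trustee/type that already has an explicit entry gets the mask merged in.
def partial_state(current, desired)
  result = current.map(&:dup)
  desired.each do |d|
    hit = result.find { |a| !a.inherited && a.trustee == d.trustee && a.type == d.type }
    if hit
      hit.mask |= d.mask
    else
      result << d
    end
  end
  result
end

# Compliance check: trustees outside +allowed+ granted any bit of +mask+,
# e.g. "only Administrators may write". Deny ACEs are ignored (grant-only use).
def violators(dacl, mask, allowed)
  dacl.select { |a| a.type == 'grant' && (a.mask & mask) != 0 && !allowed.include?(a.trustee) }
      .map(&:trustee).uniq
end
```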

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.