Hi John,
On Thu, Aug 1, 2013 at 6:00 AM, jcbollinger <[email protected]> wrote:

> On Wednesday, July 31, 2013 8:22:01 AM UTC-5, [email protected]:
>>
>> Hopefully my $0.02 can be worth something here ;) I'd argue that it's
>> really a separate resource type - since the ACL is related to the user
>> space. If you're going to extend it to multiple providers (solaris as per
>> your example) it's really similar in idea to RBAC. In fact, if you look at
>> Windows ACLs, RBAC, and set/get facl you pretty much have a new type. Or
>> at least that's what I'd hope :)
>>
>
> And of course some Solaris is by no means the only Unix-y OS with ACL
> support. It is available on Linux, too, at least for the most frequently
> used filesystems, and I'm sure there are others. I'm inclined to agree
> that a type aimed at broad ACL / RBAC support would be a win.
>

Yep, I agree. Now, how exactly to map the type across different implementations?

Windows ACLs support inheritance. An ACL can be marked as protected, breaking inheritance, and for directories, everything below it.

ACEs specify a subject (SID) and the rights that are granted/denied. This is a bitfield, though users are more typically used to saying "Full Control" or "Read & Execute". Windows ACEs can either be allow or deny, the order matters, and if no ACEs match, access is denied.

An ACE for a directory can be marked as object-inherit and/or container-inherit. This doesn't affect the effective permissions on the directory, only files and subdirectories, respectively.

How are these similar & different to Unix-y ACLs?

Josh

--
Josh Cooper
Developer, Puppet Labs
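The evaluation rules described in the message above (rights as a bitfield, allow and deny ACEs, order-sensitive matching, denial when nothing matches), as an added example that is not part of the original message or of Puppet's code. It is a simplified model that ignores inheritance and privileges; `Ace`, `access_allowed?` and `demo` are hypothetical names, and the user SIDs are constructed.

```ruby
# Simplified model of ordered Windows DACL evaluation (illustrative names only).
# Access-right bit values as defined for files in the Windows SDK.
FILE_READ_DATA  = 0x0001
FILE_WRITE_DATA = 0x0002
FILE_EXECUTE    = 0x0020

Ace = Struct.new(:type, :sid, :mask) # type is :allow or :deny

# token_sids: the user's SID plus group SIDs; desired: bitfield of requested rights.
def access_allowed?(dacl, token_sids, desired)
  remaining = desired
  dacl.each do |ace|
    next unless token_sids.include?(ace.sid)
    if ace.type == :deny
      # A matching deny on any requested bit not yet granted ends the check.
      return false if (ace.mask & remaining) != 0
    else
      remaining &= ~ace.mask          # these bits are now granted
      return true if remaining.zero?  # every requested bit was granted
    end
  end
  false # ran out of ACEs before all requested bits were granted: denied
end

# Constructed sample data.
USERS = 'S-1-5-32-545' # well-known SID for BUILTIN\Users
ALICE = 'S-1-5-21-1111111111-2222222222-3333333333-1001' # constructed user SID
TOKEN = [ALICE, USERS].freeze

DENY_WRITE = Ace.new(:deny, ALICE, FILE_WRITE_DATA)
ALLOW_RW   = Ace.new(:allow, USERS, FILE_READ_DATA | FILE_WRITE_DATA)

def demo
  {
    deny_first:  access_allowed?([DENY_WRITE, ALLOW_RW], TOKEN, FILE_WRITE_DATA),
    allow_first: access_allowed?([ALLOW_RW, DENY_WRITE], TOKEN, FILE_WRITE_DATA),
    read_only:   access_allowed?([DENY_WRITE, ALLOW_RW], TOKEN, FILE_READ_DATA),
    no_match:    access_allowed?([ALLOW_RW], ['S-1-5-21-9-9-9-1002'], FILE_READ_DATA),
    empty_dacl:  access_allowed?([], TOKEN, FILE_READ_DATA),
    partial:     access_allowed?([ALLOW_RW], TOKEN, FILE_READ_DATA | FILE_EXECUTE)
  }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

The same two ACEs give opposite answers for a write request depending on their order, which is why a cross-platform type would need to treat the ACE list as ordered rather than as a set.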
