[Puppet-dev] Puppet and Windows ACLs (Access Control Lists)

Fri, 25 Oct 2013 13:10:57 -0700 

tl;dr: Windows manages permissions in a way that doesn't always translate
well to mode. We're putting together a solution for this. Jump in the
discussion.


I wanted to get this conversation started. We've put a lot of thought into
how the model should look and focused on ease of use up to more advanced
scenarios.

However I don't feel that what we have is complete. If you are familiar
with Windows, we'd love to get your feedback. If you are not familiar with
Windows, we'd still love to get your feedback.

A couple of notes to start it off:

1. This is currently planned to be a module on the forge.
2. We have some changes to make to core puppet to better enable handing
windows permissions (changes around how mode is applied on Windows now when
not explicitly specified).
3. We tried to map somewhat close to the way Windows ACLs/DACLs/ACEs work.
4. We've also attempted to leave room for future expansion or application
on POSIX systems. Note: this is not a primary goal, so unless there is a
design consideration on the model, it's probably not something we will
approach with this current effort.

The format could look something like the following:

acl { 'c:/windows/temp/tempfile.txt':
  ensure => present,
  permissions => {
    'Administrators' => ['full']
    'bob' => ['mwrx'],
    'SomeDomain\Lisa' => [x10000000,'allow','inherit','one_level'],
    'S-5-1-18' => ['wrx','deny','inherit_objects_only','inherit_only']
  },
}

acl { 'c:/windows/temp/locked_dir':
  ensure => exact,
  permissions => {
    'Administrators' => ['full']
  },
}

Before you have an opportunity to look at the proposal and comment on
specifics, how self-documenting is the above model?  What would you add or
remove?

-- 
Rob Reynolds
Developer, Puppet Labs

Join us at PuppetConf 2014, September 23-24 in San Francisco

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-dev+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-dev@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-dev.
For more options, visit https://groups.google.com/groups/opt_out.

Reply via email to