On Monday, October 28, 2013 4:36:09 PM UTC-5, Josh Cooper wrote:
> On Mon, Oct 28, 2013 at 12:59 PM, John Bollinger <john.bo...@stjude.org> wrote:
>
>> But I think you need to do it.  Individual ACEs are for the most part 
>> what users want to manage.  In fact, consider that every file on an NTFS 
>> file system has an ACL no matter what.  
>>
>
> Not completely true. It can have a NULL ACL which grants permission to 
> everyone.
>  
>


You're right, my mistake on that point.


>
> I'm not convinced ACEs should be separate resources, because they don't 
> exist outside of an ACL.
>


Files don't exist outside their parent directories, but Puppet does not use 
a single resource to model the entire filesystem.  File_lines don't exist 
outside their File, but stdlib provides it anyway.  File fragments don't 
exist outside the file assembled from them, but the Concat module provides 
them anyway.  Experience proves that separately modeling pieces of a larger 
physical resource can be a powerful and effective approach.


> For example, consider properties that extend Puppet::Property::List, like 
> the `groups` property for the `user` resource. You specify either the 
> complete or minimum list of groups the user should belong to, as opposed to 
> specifying each user's group and whether the user should be present/absent 
> from the group.
>


OK, I'll retract my claim that you "need" to model ACEs as their own 
resources, which was a bit of an overstatement.  I acknowledge that it is 
possible to create an Acl resource type that models an ACL and a subset of 
its ACEs, all in one resource.  I don't think the model Bob first floated 
does an adequate, usable job of that, but potential improvements have 
already come out of this discussion.

Nevertheless, I maintain that an all-in-one model is an inferior choice for 
the target space, in part because it centralizes the model to an unneeded 
and unwanted degree, and in part because it requires complex parameter 
values which will present a practical usage barrier for folks to overcome.


> Yes, the order of ACEs needs to be specified, and is one reason why 
> permissions cannot be modeled solely using ACEs.


No.  I acknowledge that there is a role for a resource type modeling an 
overall ACL, but not because of the need to manage ACE order within.  
Again, look at the Concat module, which does not rely on the umbrella 
Concat resource type to manage the order of fragments.


John
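To make the two shapes under debate concrete, here is an added illustration (not code from this thread, and not the interface of any published Puppet module): the same directory DACL written once as a single all-in-one `acl` resource and once as per-ACE `ace` resources ordered the way concat fragments are. The `acl` and `ace` type names and every parameter on them are hypothetical, and the two manifests are alternatives, not meant to be applied together.

```puppet
# Added illustration; the 'acl' and 'ace' resource types and all of their
# parameters are hypothetical stand-ins for the designs being debated.

# ---- Manifest A: one resource per ACL -------------------------------------
# The whole DACL, ordering included, is one structured parameter value
# (the "complex parameter value" objected to above). Array order is ACE order.
acl { 'C:/inetpub/wwwroot':
  # An explicit DACL: never leave a NULL DACL, which grants Everyone access.
  inherit_parent_permissions => false,
  permissions => [
    # Explicit deny first: Windows walks ACEs in order and the first match wins.
    { identity => 'BUILTIN\\Users', rights => ['write', 'delete'], type => 'deny'  },
    { identity => 'BUILTIN\\Users', rights => ['read', 'execute'], type => 'allow' },
    { identity => 'IIS_IUSRS',      rights => ['read', 'execute'], type => 'allow' },
  ],
}

# ---- Manifest B: one resource per ACE -------------------------------------
# The umbrella acl resource only decides whether undeclared ACEs are purged;
# ordering is a per-ACE 'order' key, as concat::fragment orders fragments
# without the parent concat resource having to list them.
acl { 'C:/inetpub/wwwroot':
  inherit_parent_permissions => false,
  purge                      => true,   # remove ACEs no ace resource declares
}

ace { 'wwwroot: deny Users write':
  path     => 'C:/inetpub/wwwroot',
  identity => 'BUILTIN\\Users',
  rights   => ['write', 'delete'],
  type     => 'deny',
  order    => 10,   # lowest order first, so the deny lands ahead of the allows
}

ace { 'wwwroot: allow Users read':
  path     => 'C:/inetpub/wwwroot',
  identity => 'BUILTIN\\Users',
  rights   => ['read', 'execute'],
  type     => 'allow',
  order    => 20,
}

ace { 'wwwroot: allow IIS_IUSRS read':
  path     => 'C:/inetpub/wwwroot',
  identity => 'IIS_IUSRS',
  rights   => ['read', 'execute'],
  type     => 'allow',
  order    => 30,
}
```

Either shape has to preserve deny-before-allow ordering; in B that is visible per ACE and can be declared from several classes, in A it is only as good as the ordering of one array literal.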
