I think it is better to illustrate, to make it clearer. Let me get back to you on this once I look it over.

On Wednesday, April 30, 2014 9:21:48 AM UTC-7, Rob Reynolds wrote:
>
> On Tue, Apr 29, 2014 at 5:45 PM, Joaquin Menchaca <joaqu...@gmail.com> wrote:
>
>> What is most important to me is to have the ability to set ACLs on
>> existing resources, such as file, service, and registry (and other
>> objects).
>
> We are starting with file, once we have that solid, we'll accept other
> target types -
> https://github.com/puppetlabs/puppetlabs-acl#acl-access-control-list
>
> Can you read over that and see if you believe that we should do anything
> more complex with SDDLs?
>
>> For now, it would be an immediate boon to apply the, oh so ugly, SDDL for
>> a given resource, like a service. Later, we can have an SDDL builder, that
>> has some comfortable readable language, ala subinacl-styled ACEs, that
>> builds the SDDL that will be applied to the attribute level. This can be
>> similar to how ERB is used in the content("stuff").
>>
>> I think if you take this approach, you avoid gross complexity of trying
>> to merge how Windows works and how Puppet works, and avoid feature-scope
>> creep. It also gives the opportunity to add immediate value to existing
>> puppet, and more robust features later.
>>
>> If a particular resource that needs an ACL applied, such as certificate
>> store or active directory OU, one needs to implement an actual resource for
>> that type in PuppetForce. If you have ACL resource modifying various
>> objects, it will get overly complex, and you are just re-implementing the
>> wheel as far as existing resources already, and you are breaking the whole
>> model. You'll be doing an anti-pattern for Puppet, and making a lot of
>> future hurt, especially from the crowd that may bicker that Puppet should
>> work like Windows...
>>
>> By having an attribute for the SDDL, one can manage resources in the
>> scope of how puppet currently manages resources, rather than having two
>> cross scopes from opposing models of maintaining resources.
>>
>> Also, if there is a utility function, like ERB's content(" "), then
>> sys admins around the world will rejoice, as they no longer have to do
>> nasties like this below:
>>
>> sc sdset <SERVICE_NAME> "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;RPWPCR;;;S-1-5-21-2103278432-2794320136-1883075150-1000)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
>>
>> cacls c:\tools /S:"D:PAI(D;OICI;FA;;;BG)(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;FA;;;BU)"
>>
>> setprinter \\"Print_Server_Name"\printer1 3 pSecurityDescriptor="O:BAG:DUD:(A;;LCSWSDRCWDWO;;;BA)(A;OIIO;RPWPSDRCWDWO;;;BA)(A;;SWRC;;;S-1-5-21-329599412-2737779004-1408050790-2604)(A;CIIO;RC;;;CO)(A;OIIO;RPWPSDRCWDWO;;;CO)(A;CIIO;RC;;;S-1-5-21-329599412-2737779004-1408050790-2605)(A;OIIO;RPWPSDRCWDWO;;;S-1-5-21-329599412-2737779004-1408050790-2605)(A;;SWRC;;;S-1-5-21-329599412-2737779004-1408050790-2605)(A;;LCSWSDRCWDWO;;;PU)(A;OIIO;RPWPSDRCWDWO;;;PU)"
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Puppet Users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to puppet-users...@googlegroups.com.
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/puppet-users/aa39f4f3-a1aa-405f-8307-3c4f08fba2de%40googlegroups.com.
>> For more options, visit https://groups.google.com/d/optout.
>
> --
> Rob Reynolds
> Developer, Puppet Labs
>
> Join us at PuppetConf 2014 <http://puppetconf.com>, September 23-24 in San Francisco
> Register by May 30th to take advantage of the Early Adopter discount
> <http://links.puppetlabs.com/puppetconf-early-adopter> — save $349!

--
You received this message because you are subscribed to the Google Groups "Puppet Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-dev/e7c4245f-505f-4ccf-9116-e98cf3dff8ce%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
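
The thread asks for a readable layer over raw SDDL; the sketch below goes the other way and decodes the `sc sdset` descriptor quoted above into named ACEs so it can be reviewed. It is an added example, not part of the original messages and not puppetlabs-acl code; `parse_ace`, `parse_service_sddl` and `trustees_allowed` are hypothetical names, and the rights table covers service objects only.

```ruby
# Added example: decode a service SDDL string into readable ACEs.
# Two-letter rights codes as they are read for service objects.
SERVICE_RIGHTS = {
  'CC' => 'query_config', 'DC' => 'change_config', 'LC' => 'query_status',
  'SW' => 'enumerate_dependents', 'RP' => 'start', 'WP' => 'stop',
  'DT' => 'pause_continue', 'LO' => 'interrogate', 'CR' => 'user_defined_control',
  'SD' => 'delete', 'RC' => 'read_control', 'WD' => 'write_dac', 'WO' => 'write_owner'
}.freeze
ACE_TYPES = { 'A' => 'allow', 'D' => 'deny', 'AU' => 'audit' }.freeze
# SID aliases used in the sample; any other trustee is shown as written.
TRUSTEES = {
  'SY' => 'Local System', 'BA' => 'Administrators', 'IU' => 'Interactive',
  'SU' => 'Service logon', 'WD' => 'Everyone'
}.freeze

# Parse one "type;flags;rights;object;inherit_object;trustee" ACE body.
def parse_ace(body)
  type, flags, rights, _obj, _inherit, trustee = body.split(';', -1)
  # Hex access masks are kept raw; alias pairs are mapped to names.
  codes = rights.start_with?('0x') ? [rights] : rights.scan(/../)
  { type: ACE_TYPES.fetch(type, type), flags: flags.scan(/../),
    rights: codes.map { |c| SERVICE_RIGHTS.fetch(c, c) },
    trustee: TRUSTEES.fetch(trustee, trustee) }
end

# Split the descriptor into its O:, G:, D: and S: parts and decode both ACLs.
def parse_service_sddl(sddl)
  parsed = { owner: nil, group: nil, dacl: [], sacl: [] }
  sddl.scan(/([OGDS]):([^:]*?)(?=[OGDS]:|\z)/) do |tag, body|
    aces = body.scan(/\(([^)]*)\)/).flatten.map { |a| parse_ace(a) }
    case tag
    when 'O' then parsed[:owner] = body
    when 'G' then parsed[:group] = body
    when 'D' then parsed[:dacl] = aces
    else parsed[:sacl] = aces
    end
  end
  parsed
end

# Review helper: which trustees does the DACL allow a given right?
def trustees_allowed(parsed, right)
  parsed[:dacl].select { |a| a[:type] == 'allow' && a[:rights].include?(right) }
               .map { |a| a[:trustee] }
end

# The service descriptor quoted in the thread above.
SAMPLE = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' \
         '(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)' \
         '(A;;RPWPCR;;;S-1-5-21-2103278432-2794320136-1883075150-1000)' \
         'S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'
puts trustees_allowed(parse_service_sddl(SAMPLE), 'stop')
```

Run against a descriptor before it is applied, `trustees_allowed` makes grants to individual account SIDs, such as the start/stop ACE in the sample, visible in review.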