Hi John,

On Thu, Aug 1, 2013 at 6:00 AM, jcbollinger <john.bollin...@stjude.org> wrote:

>
>
> On Wednesday, July 31, 2013 8:22:01 AM UTC-5, cha...@lyricalsoftware.com wrote:
>>
>>
>> Hopefully my $0.02 can be worth something here ;) I'd argue that it's
>> really a separate resource type - since the ACL is related to the user
>> space. If you're going to extend it to multiple providers (solaris as per
>> your example) it's really similar in idea to RBAC. In fact, if you look at
>> Windows ACLs, RBAC, and set/get facl you pretty much have a new type.  Or
>> at least that's what I'd hope :)
>>
>
>
> And of course Solaris is by no means the only Unix-y OS with ACL
> support.  It is available on Linux, too, at least for the most frequently
> used filesystems, and I'm sure there are others.  I'm inclined to agree
> that a type aimed at broad ACL / RBAC support would be a win.
>

Yep, I agree. Now, how exactly to map the type across different
implementations?

Windows ACLs support inheritance. An ACL can be marked as protected,
breaking inheritance, and for directories, everything below it.

ACEs specify a subject (SID) and the rights that are granted/denied. This
is a bitfield, though users are more typically used to saying "Full
Control" or "Read & Execute".

Windows ACEs can either be allow or deny, the order matters, and if no ACEs
match, access is denied.

An ACE for a directory can be marked as object-inherit and/or
container-inherit. This doesn't affect the effective permissions on the
directory, only files and subdirectories, respectively.

How are these similar & different to Unix-y ACLs?

Josh

-- 
Josh Cooper
Developer, Puppet Labs
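
The Windows rules described in the message above (ordered allow/deny ACEs, denial when nothing matches, object/container inheritance, protected ACLs), as an added Ruby example that is not part of the original message or of Puppet's code. It is a simplified model: the SIDs and sample ACLs are constructed, and `Ace`, `access_allowed?` and `inherited_aces` are hypothetical names.

```ruby
# Simplified model of Windows ACL evaluation (added example, not Puppet code).
READ    = 0x01 # FILE_READ_DATA
WRITE   = 0x02 # FILE_WRITE_DATA
EXECUTE = 0x20 # FILE_EXECUTE
OBJECT_INHERIT    = 0x1 # OI: passed to files
CONTAINER_INHERIT = 0x2 # CI: passed to subdirectories

Ace = Struct.new(:type, :sid, :mask, :flags) # hypothetical record

# Walk the ACEs in order. A matching deny ACE covering any right still needed
# ends the check; allow ACEs clear the rights they grant. Rights left over at
# the end were matched by no ACE and are denied.
def access_allowed?(acl, sids, desired)
  remaining = desired
  acl.each do |ace|
    next unless sids.include?(ace.sid)
    if ace.type == :deny
      return false if (ace.mask & remaining) != 0
    else
      remaining &= ~ace.mask
    end
    return true if remaining.zero?
  end
  remaining.zero?
end

# ACEs that take effect on a new child of a directory: OI entries for files,
# CI entries for subdirectories, none if the child's ACL is protected.
def inherited_aces(parent_acl, child_is_dir:, protected: false)
  return [] if protected
  flag = child_is_dir ? CONTAINER_INHERIT : OBJECT_INHERIT
  parent_acl.select { |ace| (ace.flags & flag) != 0 }
end

# Constructed sample data: the SIDs are placeholders, not real identifiers.
TOKEN = ["S-ALICE", "S-STAFF"].freeze # user SID plus group SID
DENY_FIRST = [Ace.new(:deny, "S-STAFF", WRITE, 0),
              Ace.new(:allow, "S-ALICE", READ | WRITE, 0)].freeze
ALLOW_FIRST = DENY_FIRST.reverse.freeze
DIR_ACL = [Ace.new(:allow, "S-ALICE", READ, OBJECT_INHERIT),
           Ace.new(:allow, "S-STAFF", EXECUTE, CONTAINER_INHERIT),
           Ace.new(:allow, "S-ADMIN", READ | WRITE, OBJECT_INHERIT | CONTAINER_INHERIT),
           Ace.new(:allow, "S-OWNER", WRITE, 0)].freeze

puts "deny-first  write: #{access_allowed?(DENY_FIRST, TOKEN, WRITE)}"
puts "allow-first write: #{access_allowed?(ALLOW_FIRST, TOKEN, WRITE)}"
puts "file inherits: #{inherited_aces(DIR_ACL, child_is_dir: false).map(&:sid)}"
```

The same two ACEs give opposite answers for a write request depending on their order, which is the property a cross-platform type would have to preserve rather than treat the ACL as an unordered set.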
