Hi Damian,

On Mon, Jan 28, 2013 at 2:01 PM, <damian.folw...@gmail.com> wrote:
> Hi Josh,
>
> First of all thanks for the quick reply.
>
> The main priorities to make Puppet usable on Windows for us would be:
>
> 1> Control complete state of the DACL for grant (we don't use deny).
> 2> Control inheritance on DACL (at the same time as being able to control
> other DACL grant entries for that object).
> 3> Control inheritance on SACL (we only set this at a higher level).

It sounds like you're wanting to model the security descriptor, and not just the DACL.

> 4> Set user account on Service.
>
> It would also be good to have the following (although don't think it would
> be a showstopper for adoption):
> 5> Control ACL on local SMB shares.
> 6> Control ACL on registry.

Ideally the type should be applicable to any windows securable object, e.g. desktops, services, etc.

> And finally the nice to haves:
> 7> (Nice to have) Set DACL on parent directory but inherit permissions on
> all children when using source param with multiple levels of hierarchy.
> 8> (Nice to have) Set DACL on parent directory but inherit permissions on
> all children when using recurse param.
>
> Off the top of my head (not fully worked out all our requirements with the
> devs yet) I don't think we control access to any other types of windows
> object (e.g. service)
>
> I did start having a dig in the Puppet code for the file type and all of the
> building blocks are already there. I'm not sure how much effort it would be
> to write an ntfsfile class but I have started having a play with writing my
> own (in my spare time) but I've never written Ruby before so a reasonable
> learning curve (not least just to understand the mass of file and windows
> provider Puppet code let alone Ruby!). The permission setting methods are
> all there (e.g. set_acl and get_acl from security.rb including the protected
> parameter that I couldn't see a way of setting anywhere).

I'd recommend using the win32-security gem[1] as a starting point and adding whatever methods aren't yet implemented, using the puppet code for comparison. Ideally, I'd like to see all of the ACL manipulation done in win32-security and not in puppet.

> My plan was to replace the mode param on file.rb with a dacl param that
> could take some form of friendly dacl description. The get_mode and set_mode
> methods could then be changed to translate between friendly dacl and real
> dacl rather than POSIX mode and dacl.
>
> The friendly DACL would use something like the following to describe each
> ACE:
>
>     ntfsfile { 'myfile.txt' :
>       require       => file,
>       dacl          => [
>         ['user1',  grant, [FULL_CONTROL]],
>         ['user2',  grant, [FILE_READ]],
>         ['group1', grant, [FILE_READ, FILE_WRITE, CHANGE_PERMISSIONS]],
>         ['user3',  deny,  [FILE_READ, FILE_WRITE, FILE_EXECUTE]]
>       ],
>       inheritparent => false,
>       source        => 'puppet://modules/something/file.txt',
>     }
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To post to this group, send email to puppet-users@googlegroups.com.
> To unsubscribe from this group, send email to
> puppet-users+unsubscr...@googlegroups.com.
> Visit this group at http://groups.google.com/group/puppet-users?hl=en.
> For more options, visit https://groups.google.com/groups/opt_out.

Josh

[1] https://github.com/djberg96/win32-security

--
Josh Cooper
Developer, Puppet Labs
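As an added example, not code from this thread, from Puppet, or from the win32-security gem: the Ruby below models the "friendly DACL" proposed above and translates it into Windows access-mask ACEs, the shape a provider would have to compare against what get_acl returns before deciding whether to call set_acl. The numeric constants are the documented winnt.h values; the mapping from the thread's friendly names (FULL_CONTROL, FILE_READ, FILE_WRITE, FILE_EXECUTE, CHANGE_PERMISSIONS) onto those masks is an assumption of this example, as is the choice to express grant/deny as Ruby symbols. The example also goes one step past the text: it orders explicit deny ACEs before allow ACEs (Windows canonical order) and includes a small simulation of the Windows access check, which shows why a deny ACE placed after an allow for the same trustee has no effect.

```ruby
# Added example; not Puppet or win32-security code.
# Windows access-mask constants (documented values from winnt.h).
FILE_READ_DATA        = 0x0001
FILE_WRITE_DATA       = 0x0002
FILE_APPEND_DATA      = 0x0004
FILE_READ_EA          = 0x0008
FILE_WRITE_EA         = 0x0010
FILE_EXECUTE          = 0x0020
FILE_READ_ATTRIBUTES  = 0x0080
FILE_WRITE_ATTRIBUTES = 0x0100
DELETE                = 0x10000
READ_CONTROL          = 0x20000
WRITE_DAC             = 0x40000
WRITE_OWNER           = 0x80000
SYNCHRONIZE           = 0x100000
FILE_ALL_ACCESS       = 0x1F01FF

# Assumed mapping from the thread's friendly right names to access masks
# (FILE_READ/WRITE/EXECUTE follow FILE_GENERIC_READ/WRITE/EXECUTE).
FRIENDLY_RIGHTS = {
  'FULL_CONTROL'       => FILE_ALL_ACCESS,
  'FILE_READ'          => READ_CONTROL | FILE_READ_DATA | FILE_READ_ATTRIBUTES |
                          FILE_READ_EA | SYNCHRONIZE,                          # 0x120089
  'FILE_WRITE'         => READ_CONTROL | FILE_WRITE_DATA | FILE_WRITE_ATTRIBUTES |
                          FILE_WRITE_EA | FILE_APPEND_DATA | SYNCHRONIZE,      # 0x120116
  'FILE_EXECUTE'       => READ_CONTROL | FILE_READ_ATTRIBUTES | FILE_EXECUTE |
                          SYNCHRONIZE,                                         # 0x1200A0
  'CHANGE_PERMISSIONS' => WRITE_DAC,
}.freeze

Ace = Struct.new(:trustee, :type, :mask)

# OR the friendly right names together into one access mask; unknown names are an error.
def rights_to_mask(rights)
  rights.inject(0) do |mask, name|
    mask | FRIENDLY_RIGHTS.fetch(name.to_s) { raise ArgumentError, "unknown right #{name.inspect}" }
  end
end

# Translate [[trustee, :grant|:deny, [rights]], ...] into ACEs in canonical order:
# explicit deny ACEs first, then explicit allow ACEs. Windows walks a DACL top to
# bottom, so a deny that sits after an allow for the same trustee never fires.
def build_dacl(spec)
  aces = spec.map do |trustee, type, rights|
    t = type.to_sym
    raise ArgumentError, "ACE type must be :grant or :deny, got #{type.inspect}" unless [:grant, :deny].include?(t)
    Ace.new(trustee, t, rights_to_mask(rights))
  end
  aces.select { |a| a.type == :deny } + aces.select { |a| a.type == :grant }
end

# Simplified Windows access check for one principal plus its group memberships:
# a matching deny ACE that covers any still-ungranted requested bit denies access;
# matching allow ACEs accumulate bits until every requested bit is granted.
def access_granted?(dacl, principal, groups, requested)
  members = [principal] + groups
  granted = 0
  dacl.each do |ace|
    next unless members.include?(ace.trustee)
    remaining = requested & ~granted
    return false if ace.type == :deny && (ace.mask & remaining) != 0
    granted |= (ace.mask & requested) if ace.type == :grant
    return true if granted == requested
  end
  granted == requested
end

# The idempotence check a provider would run before touching the object:
# is the current DACL already identical (same ACEs, same order) to the desired one?
def dacl_in_sync?(desired, current)
  desired.map(&:to_a) == current.map(&:to_a)
end

# Constructed spec, taken from the manifest sketched in the thread.
EXAMPLE_SPEC = [
  ['user1',  :grant, ['FULL_CONTROL']],
  ['user2',  :grant, ['FILE_READ']],
  ['group1', :grant, ['FILE_READ', 'FILE_WRITE', 'CHANGE_PERMISSIONS']],
  ['user3',  :deny,  ['FILE_READ', 'FILE_WRITE', 'FILE_EXECUTE']],
].freeze

if __FILE__ == $0
  build_dacl(EXAMPLE_SPEC).each { |a| printf("%-7s %-5s 0x%06X\n", a.trustee, a.type, a.mask) }
end
```

Running the script prints the four ACEs with user3's deny entry first. The simulation makes the ordering point concrete: with the canonical DACL, user3 is refused read access even when user3 is a member of group1, whereas a hand-built DACL that lists the allow before the deny lets the read through.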