What is most important to me is to have the ability to set ACLs on existing
resources, such as file, service, and registry (and other objects).

For now, it would be an immediate boon to apply the, oh so ugly, SDDL for a
given resource, like a service. Later, we can have an SDDL builder that
has some comfortable readable language, à la subinacl-styled ACEs, that
builds the SDDL that will be applied at the attribute level. This can be
similar to how ERB is used in the content("stuff").

I think if you take this approach, you avoid the gross complexity of trying to
merge how Windows works and how Puppet works, and avoid feature-scope
creep. It also gives the opportunity to add immediate value to existing
Puppet, and more robust features later.

If a particular resource needs an ACL applied, such as a certificate
store or Active Directory OU, one needs to implement an actual resource for
that type in PuppetForce. If you have an ACL resource modifying various
objects, it will get overly complex, and you are just re-implementing the
wheel as far as existing resources already, and you are breaking the whole
model. You'll be doing an anti-pattern for Puppet, and making a lot of
future hurt, especially from the crowd that may bicker that Puppet should
work like Windows...

By having an attribute for the SDDL, one can manage resources in the scope
of how Puppet currently manages resources, rather than having two cross
scopes from opposing models of maintaining resources.

Also, if there is a utility function, like ERB's content(" "), then
sys admins around the world will rejoice, as they no longer have to do
nasties like this below:

sc sdset <SERVICE_NAME> "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;RPWPCR;;;S-1-5-21-2103278432-2794320136-1883075150-1000)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

cacls c:\tools /S:"D:PAI(D;OICI;FA;;;BG)(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;FA;;;BU)"

setprinter \\"Print_Server_Name"\printer1 3 pSecurityDescriptor="O:BAG:DUD:(A;;LCSWSDRCWDWO;;;BA)(A;OIIO;RPWPSDRCWDWO;;;BA)(A;;SWRC;;;S-1-5-21-329599412-2737779004-1408050790-2604)(A;CIIO;RC;;;CO)(A;OIIO;RPWPSDRCWDWO;;;CO)(A;CIIO;RC;;;S-1-5-21-329599412-2737779004-1408050790-2605)(A;OIIO;RPWPSDRCWDWO;;;S-1-5-21-329599412-2737779004-1408050790-2605)(A;;SWRC;;;S-1-5-21-329599412-2737779004-1408050790-2605)(A;;LCSWSDRCWDWO;;;PU)(A;OIIO;RPWPSDRCWDWO;;;PU)"
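
A sketch of the readable-ACE-to-SDDL builder idea from the message above, added here as an example; it is not code from the original post or from Puppet. The names SERVICE_RIGHTS, TRUSTEES, build_dacl and parse_dacl are hypothetical, and it covers only service-object DACLs with empty ACE flags, using the right codes as they apply to Windows services.

```ruby
# Readable ACE specs <-> SDDL DACL for Windows service objects.
# All names here are hypothetical; none of them are Puppet APIs.
SERVICE_RIGHTS = {
  query_config: 'CC', change_config: 'DC', query_status: 'LC',
  enumerate_dependents: 'SW', start: 'RP', stop: 'WP',
  pause_continue: 'DT', interrogate: 'LO', user_defined_control: 'CR',
  delete: 'SD', read_control: 'RC', write_dac: 'WD', write_owner: 'WO'
}.freeze
TRUSTEES = { system: 'SY', administrators: 'BA',
             interactive: 'IU', service: 'SU' }.freeze
ACE_TYPES = { allow: 'A', deny: 'D' }.freeze

# The service SDDL quoted in the message above.
SAMPLE_SDDL = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)' \
  '(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)' \
  '(A;;CCLCSWLOCRRC;;;SU)' \
  '(A;;RPWPCR;;;S-1-5-21-2103278432-2794320136-1883075150-1000)' \
  'S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'

# Build a DACL from hashes of the form { type:, trustee:, rights: [...] }.
# A trustee is a symbol from TRUSTEES or a raw SID string; unknown names
# raise KeyError instead of silently producing a wrong ACL.
def build_dacl(aces)
  body = aces.map do |ace|
    type = ACE_TYPES.fetch(ace[:type])
    rights = ace[:rights].map { |r| SERVICE_RIGHTS.fetch(r) }.join
    sid = ace[:trustee]
    sid = TRUSTEES.fetch(sid) if sid.is_a?(Symbol)
    unless sid =~ /\A([A-Z]{2}|S-1-\d+(-\d+)+)\z/
      raise ArgumentError, "bad trustee: #{sid}"
    end
    "(#{type};;#{rights};;;#{sid})"
  end
  "D:#{body.join}"
end

# Decode the DACL part of an SDDL string into readable ACE hashes.
# The SACL (S:...) and ACE flags are ignored; unknown codes pass through.
def parse_dacl(sddl)
  dacl = sddl[/D:[A-Z]*((?:\([^)]*\))*)/, 1] or raise ArgumentError, 'no DACL'
  dacl.scan(/\(([^)]*)\)/).map do |(body)|
    type, _flags, rights, _obj, _inh, sid = body.split(';', -1)
    { type: ACE_TYPES.key(type) || type,
      trustee: TRUSTEES.key(sid) || sid,
      rights: rights.scan(/../).map { |c| SERVICE_RIGHTS.key(c) || c } }
  end
end

parse_dacl(SAMPLE_SDDL).each { |ace| p ace } if __FILE__ == $PROGRAM_NAME
```

Decoding an existing descriptor this way also makes review easier: an ACE that grants change_config, write_dac or write_owner to a non-administrative trustee stands out in the readable form.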