On Tue, Apr 29, 2014 at 5:45 PM, Joaquin Menchaca <[email protected]> wrote:
> What is most important to me is to have the ability to set ACLs on
> existing resources, such as file, service, and registry (and other
> objects).
>

We are starting with file; once we have that solid, we'll accept other target types - https://github.com/puppetlabs/puppetlabs-acl#acl-access-control-list

Can you read over that and see if you believe that we should do anything more complex with SDDLs?

> For now, it would be an immediate boon to apply the, oh so ugly, SDDL for
> a given resource, like a service. Later, we can have an SDDL builder, that
> has some comfortable readable language, a la subinacl-styled ACEs, that
> builds the SDDL that will be applied to the attribute level. This can be
> similar to how ERB is used in the content("stuff").
>
> I think if you take this approach, you avoid gross complexity of trying to
> merge how Windows works and how Puppet works, and avoid feature-scope
> creep. It also gives the opportunity to add immediate value to existing
> Puppet, and more robust features later.
>
> If a particular resource needs an ACL applied, such as a certificate
> store or Active Directory OU, one needs to implement an actual resource for
> that type in Puppet Forge. If you have an ACL resource modifying various
> objects, it will get overly complex, and you are just re-implementing the
> wheel as far as existing resources already, and you are breaking the whole
> model. You'll be doing an anti-pattern for Puppet, and making a lot of
> future hurt, especially from the crowd that may bicker that Puppet should
> work like Windows...
>
> By having an attribute for the SDDL, one can manage resources in the scope
> of how Puppet currently manages resources, rather than having two cross
> scopes from opposing models of maintaining resources.
>
> Also, if there is a utility function, like ERB's content(" "), then
> sys admins around the world will rejoice, as they no longer have to do
> nasties like this below:
>
> sc sdset <SERVICE_NAME> "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;RPWPCR;;;S-1-5-21-2103278432-2794320136-1883075150-1000)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
>
> cacls c:\tools /S:"D:PAI(D;OICI;FA;;;BG)(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;FA;;;BU)"
>
> setprinter \\"Print_Server_Name"\printer1 3 pSecurityDescriptor="O:BAG:DUD:(A;;LCSWSDRCWDWO;;;BA)(A;OIIO;RPWPSDRCWDWO;;;BA)(A;;SWRC;;;S-1-5-21-329599412-2737779004-1408050790-2604)(A;CIIO;RC;;;CO)(A;OIIO;RPWPSDRCWDWO;;;CO)(A;CIIO;RC;;;S-1-5-21-329599412-2737779004-1408050790-2605)(A;OIIO;RPWPSDRCWDWO;;;S-1-5-21-329599412-2737779004-1408050790-2605)(A;;SWRC;;;S-1-5-21-329599412-2737779004-1408050790-2605)(A;;LCSWSDRCWDWO;;;PU)(A;OIIO;RPWPSDRCWDWO;;;PU)"
>
> --
> You received this message because you are subscribed to the Google Groups "Puppet Users" group.
> To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/aa39f4f3-a1aa-405f-8307-3c4f08fba2de%40googlegroups.com.

--
Rob Reynolds
Developer, Puppet Labs

Join us at PuppetConf 2014 <http://puppetconf.com>, September 23-24 in San Francisco
Register by May 30th to take advantage of the Early Adopter discount <http://links.puppetlabs.com/puppetconf-early-adopter> -- save $349!

--
You received this message because you are subscribed to the Google Groups "Puppet Developers" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-dev/CAMJiBK4_CdvktQkQgHXL3RYNT55a3Ch%2B1FixumVApZkWCYx4pw%40mail.gmail.com.
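The SDDL strings quoted in the thread are exactly what the proposed readable-ACE builder would hide from the admin. As an added example that is not part of this thread or of puppetlabs-acl, here is a small Ruby decoder that turns such a string into owner, group and readable allow/deny/audit entries, so an ACL can be reviewed before it is applied; it assumes the standard SDDL two-letter right codes and well-known SID abbreviations (only the subset used by the quoted examples is tabulated), and passes raw S-1-5-... SIDs through unchanged.

```ruby
# Added example (not from the thread or puppetlabs-acl): decode terse SDDL
# strings into readable owner/group/ACE entries. Subset of SDDL codes only.
ACE_TYPES = { 'A' => 'allow', 'D' => 'deny', 'AU' => 'audit' }.freeze
ACE_FLAGS = { 'OI' => 'object_inherit', 'CI' => 'container_inherit',
              'IO' => 'inherit_only', 'NP' => 'no_propagate', 'ID' => 'inherited',
              'SA' => 'audit_success', 'FA' => 'audit_failure' }.freeze
ACL_FLAGS = { 'P' => 'protected', 'AI' => 'auto_inherited', 'AR' => 'auto_inherit_required' }.freeze
RIGHTS = { 'GA' => 'generic_all', 'GR' => 'generic_read', 'GW' => 'generic_write',
           'GX' => 'generic_execute', 'RC' => 'read_control', 'SD' => 'delete',
           'WD' => 'write_dac', 'WO' => 'write_owner', 'RP' => 'read_property',
           'WP' => 'write_property', 'CC' => 'create_child', 'DC' => 'delete_child',
           'LC' => 'list_children', 'SW' => 'self_write', 'LO' => 'list_object',
           'DT' => 'delete_tree', 'CR' => 'control_access', 'FA' => 'file_all',
           'FR' => 'file_read', 'FW' => 'file_write', 'FX' => 'file_execute' }.freeze
# Well-known SID abbreviations; a raw S-1-5-... SID passes through unchanged.
SIDS = { 'SY' => 'NT AUTHORITY\\SYSTEM', 'BA' => 'BUILTIN\\Administrators',
         'BU' => 'BUILTIN\\Users', 'BG' => 'BUILTIN\\Guests', 'IU' => 'Interactive',
         'SU' => 'Service', 'WD' => 'Everyone', 'CO' => 'Creator Owner',
         'PU' => 'BUILTIN\\Power Users', 'DU' => 'Domain Users' }.freeze

# Expand a run of two-letter codes such as "CCLCSWRP" using the given table.
def split_codes(str, table)
  str.scan(/../).map { |c| table.fetch(c, "unknown(#{c})") }
end

# Parse one ACE body "type;flags;rights;object_guid;inherit_guid;sid" into a hash.
def parse_ace(body)
  type, flags, rights, _obj, _inh, sid = body.split(';', 6)
  { type: ACE_TYPES.fetch(type, "unknown(#{type})"),
    flags: split_codes(flags, ACE_FLAGS),
    rights: split_codes(rights, RIGHTS),
    trustee: SIDS.fetch(sid, sid) }
end

# Parse a full SDDL string "O:..G:..D:..S:.." into owner, group, DACL and SACL.
def parse_sddl(sddl)
  result = { owner: nil, group: nil, dacl_flags: [], dacl: [], sacl_flags: [], sacl: [] }
  sddl.scan(/([OGDS]):([^:]*?)(?=[OGDS]:|\z)/) do |section, content|
    case section
    when 'O' then result[:owner] = SIDS.fetch(content, content)
    when 'G' then result[:group] = SIDS.fetch(content, content)
    else
      key = section == 'D' ? :dacl : :sacl
      # Control flags such as "PAI" precede the first "(" of the ACE list.
      result[:"#{key}_flags"] = content[/\A[^(]*/].scan(/AI|AR|P/).map { |f| ACL_FLAGS[f] }
      result[key] = content.scan(/\(([^)]*)\)/).flatten.map { |b| parse_ace(b) }
    end
  end
  result
end
```

Running `parse_sddl` over the `sc sdset` string above, for instance, shows that the audit entry in the SACL logs failed access by Everyone, and that the last allow entry grants a domain SID only read/write property and control access rights.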
