I think an illustration would make it clearer; let me get back to you on this once I look it over.
On Wednesday, April 30, 2014 9:21:48 AM UTC-7, Rob Reynolds wrote:
>
> On Tue, Apr 29, 2014 at 5:45 PM, Joaquin Menchaca <[email protected]> wrote:
>
>> What is most important to me is to have the ability to set ACLs on
>> existing resources, such as file, service, and registry (and other
>> objects).
>
> We are starting with file; once we have that solid, we'll accept other
> target types:
> https://github.com/puppetlabs/puppetlabs-acl#acl-access-control-list
>
> Can you read over that and see if you believe that we should do anything
> more complex with SDDLs?
>
>> For now, it would be an immediate boon to apply the, oh so ugly, SDDL for
>> a given resource, like a service. Later, we can have an SDDL builder that
>> has some comfortable, readable language, a la subinacl-styled ACEs, that
>> builds the SDDL that will be applied at the attribute level. This can be
>> similar to how ERB is used in content("stuff").
>>
>> I think if you take this approach, you avoid the gross complexity of trying
>> to merge how Windows works and how Puppet works, and avoid feature-scope
>> creep. It also gives the opportunity to add immediate value to existing
>> Puppet, and more robust features later.
>>
>> If a particular resource needs an ACL applied, such as a certificate
>> store or an Active Directory OU, one needs to implement an actual resource for
>> that type on Puppet Forge. If you have an ACL resource modifying various
>> objects, it will get overly complex, and you are just re-implementing the
>> wheel as far as existing resources go, and you are breaking the whole
>> model. You'll be doing an anti-pattern for Puppet, and making a lot of
>> future hurt, especially from the crowd that may bicker that Puppet should
>> work like Windows...
>>
>> By having an attribute for the SDDL, one can manage resources in the
>> scope of how Puppet currently manages resources, rather than having two
>> cross scopes from opposing models of maintaining resources.
>>
>> Also, if there is a utility function, like ERB's content(" "), then
>> sysadmins around the world will rejoice, as they no longer have to do
>> nasties like this below:
>>
>> sc sdset <SERVICE_NAME> "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;RPWPCR;;;S-1-5-21-2103278432-2794320136-1883075150-1000)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
>>
>> cacls c:\tools /S:"D:PAI(D;OICI;FA;;;BG)(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;FA;;;BU)"
>>
>> setprinter \\"Print_Server_Name"\printer1 3 pSecurityDescriptor="O:BAG:DUD:(A;;LCSWSDRCWDWO;;;BA)(A;OIIO;RPWPSDRCWDWO;;;BA)(A;;SWRC;;;S-1-5-21-329599412-2737779004-1408050790-2604)(A;CIIO;RC;;;CO)(A;OIIO;RPWPSDRCWDWO;;;CO)(A;CIIO;RC;;;S-1-5-21-329599412-2737779004-1408050790-2605)(A;OIIO;RPWPSDRCWDWO;;;S-1-5-21-329599412-2737779004-1408050790-2605)(A;;SWRC;;;S-1-5-21-329599412-2737779004-1408050790-2605)(A;;LCSWSDRCWDWO;;;PU)(A;OIIO;RPWPSDRCWDWO;;;PU)"
>
> --
> Rob Reynolds
> Developer, Puppet Labs
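The service SDDL quoted in the thread is exactly the kind of string the proposed "SDDL builder" would hide. As an added example, not code from the thread, from Puppet or from puppetlabs-acl, the PowerShell below does the builder's job in both directions for a Windows service: it decodes an SDDL string into readable ACEs (identity, allow/deny, named service rights) and builds an SDDL string back from a readable list of ACEs. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows; the function names, the rights table and the readable ACE layout are this example's own, and the SID is the example value from the post.

```powershell
# Added example (not from the thread or puppetlabs-acl): decode and build
# service SDDL strings with the .NET RawSecurityDescriptor classes.
using namespace System.Security.AccessControl
using namespace System.Security.Principal

# Service access-mask bits (winsvc.h) plus the standard rights, keyed by a
# readable name. The SDDL letters in the comments are what sc.exe prints.
$ServiceRights = [ordered]@{
    QueryConfig         = 0x00001   # CC  SERVICE_QUERY_CONFIG
    ChangeConfig        = 0x00002   # DC  SERVICE_CHANGE_CONFIG
    QueryStatus         = 0x00004   # LC  SERVICE_QUERY_STATUS
    EnumerateDependents = 0x00008   # SW  SERVICE_ENUMERATE_DEPENDENTS
    Start               = 0x00010   # RP  SERVICE_START
    Stop                = 0x00020   # WP  SERVICE_STOP
    PauseContinue       = 0x00040   # DT  SERVICE_PAUSE_CONTINUE
    Interrogate         = 0x00080   # LO  SERVICE_INTERROGATE
    UserDefinedControl  = 0x00100   # CR  SERVICE_USER_DEFINED_CONTROL
    Delete              = 0x10000   # SD  DELETE
    ReadControl         = 0x20000   # RC  READ_CONTROL
    WriteDac            = 0x40000   # WD  WRITE_DAC
    WriteOwner          = 0x80000   # WO  WRITE_OWNER
}

# Accept either a SID string or an account name for an ACE identity.
function Resolve-Sid {
    param([Parameter(Mandatory)][string]$Identity)
    if ($Identity -match '^S-1-') { return [SecurityIdentifier]::new($Identity) }
    return ([NTAccount]::new($Identity)).Translate([SecurityIdentifier])
}

# Decode the DACL of a service SDDL into one readable object per ACE.
# The SACL (the "S:" part) is left alone; only access entries are shown.
function ConvertFrom-ServiceSddl {
    param([Parameter(Mandatory)][string]$Sddl)
    $sd = [RawSecurityDescriptor]::new($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $rights = foreach ($name in $ServiceRights.Keys) {
            if ($ace.AccessMask -band $ServiceRights[$name]) { $name }
        }
        # Unresolvable SIDs (e.g. an account from another domain) stay as SIDs.
        $who = $ace.SecurityIdentifier.Value
        try { $who = $ace.SecurityIdentifier.Translate([NTAccount]).Value } catch { }
        [pscustomobject]@{
            Type     = $ace.AceType            # AccessAllowed / AccessDenied
            Identity = $who
            Rights   = ($rights -join ',')
        }
    }
}

# Build a service SDDL (DACL only) from readable ACE specs of the form
# @{ Identity = 'NT AUTHORITY\SYSTEM'; Rights = 'Start','Stop'; Allow = $true }
function New-ServiceSddl {
    param([Parameter(Mandatory)][hashtable[]]$Aces)
    $dacl = [RawAcl]::new([GenericAcl]::AclRevision, $Aces.Count)
    $i = 0
    foreach ($spec in $Aces) {
        $mask = 0
        foreach ($r in $spec.Rights) {
            if (-not $ServiceRights.Contains($r)) { throw "Unknown service right: $r" }
            $mask = $mask -bor $ServiceRights[$r]
        }
        $qualifier = if ($spec.Allow -eq $false) { [AceQualifier]::AccessDenied }
                     else { [AceQualifier]::AccessAllowed }
        $ace = [CommonAce]::new([AceFlags]::None, $qualifier, $mask,
                                (Resolve-Sid $spec.Identity), $false, $null)
        $dacl.InsertAce($i++, $ace)
    }
    $sd = [RawSecurityDescriptor]::new([ControlFlags]::DiscretionaryAclPresent,
                                       $null, $null, $null, $dacl)
    return $sd.GetSddlForm([AccessControlSections]::Access)
}

# 1) Decode the service descriptor quoted in the thread.
$threadSddl = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +
              '(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)' +
              '(A;;RPWPCR;;;S-1-5-21-2103278432-2794320136-1883075150-1000)' +
              'S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'
ConvertFrom-ServiceSddl $threadSddl | Format-Table -AutoSize

# 2) Build the "let this account start and stop the service" entry from
#    readable names instead of hand-writing RPWPCR.
$built = New-ServiceSddl @(
    @{ Identity = 'NT AUTHORITY\SYSTEM';       Rights = 'QueryConfig','QueryStatus','EnumerateDependents','Start','Stop','PauseContinue','Interrogate','UserDefinedControl','ReadControl' }
    @{ Identity = 'BUILTIN\Administrators';    Rights = $ServiceRights.Keys }
    @{ Identity = 'S-1-5-21-2103278432-2794320136-1883075150-1000'; Rights = 'Start','Stop','UserDefinedControl' }
)
$built    # feed this to: sc.exe sdset <SERVICE_NAME> $built
```

Decoding the post's string shows what the hand-written `(A;;RPWPCR;;;S-1-5-21-...)` entry actually grants that account: Start, Stop and UserDefinedControl, nothing else. The builder works from the same rights table, so a manifest author could write those three names and let the tool produce the letters. Two caveats for anyone wiring this into a real tool: `GetSddlForm([AccessControlSections]::Access)` emits only the `D:` part, so the audit entry (`S:(AU;FA;...;;;WD)`) from the post would have to be added separately before handing the result to `sc.exe sdset`, and ACE order matters in a DACL (deny entries before allow entries), which `New-ServiceSddl` does not reorder for you.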
