The Puppet Labs Issue Tracker has Moved: https://tickets.puppetlabs.com

Feature #13249

Windows ACL support

Added by Josh Cooper over 2 years ago. Updated 8 months ago.

Status: Accepted
Start date: 03/20/2012
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: -
Target version: -
Affected Puppet version:
Branch:
Keywords: windows acl security

This ticket is now tracked at: https://tickets.puppetlabs.com/browse/PUP-1458


Description

Puppet’s current implementation of mapping POSIX modes to Windows ACLs has some limitations.

  • Puppet can only assign permissions to owner and group, but it’s common practice on Windows systems to set full control to Administrators, LocalSystem, and Users, which is more than can be represented in our model, without creating a local group.
  • Puppet doesn’t support deny access control entries.

Puppet should support setting multiple access control entries, deny/allow ACEs, and inheritance. See http://technet.microsoft.com/en-us/library/bb727008.aspx for common permissions.

Another option would be to express permissions in terms of SDDL, but that is likely overkill.


Related issues

Related to Puppet - Feature #1033: support for file system acls on the file type (Closed)
Duplicated by Puppet - Bug #22051: Windows mode bits are not handled symmetrically (Duplicate)

History

#1 Updated by Anonymous over 2 years ago

It would be ideal to address this in a portable way, which was inclusive of the needs of POSIX ACLs – zfs, Linux, and Solaris !zfs, I think would cover it there. Not necessarily the same code handling it, but any abstraction in our type system defined so that it will support the needs of all the platforms.

#2 Updated by Josh Cooper about 2 years ago

  • Keywords set to windows acl security

#5 Updated by Rob Reynolds 11 months ago

If you are watching this issue, please feel free to jump in the recent discussion at https://groups.google.com/d/msgid/puppet-dev/7024cede-9c4b-4e0b-8be5-4d7b12c56beb%40googlegroups.com

#6 Updated by Eric Badger 8 months ago

Redmine Issue #13249 has been migrated to JIRA:

https://tickets.puppetlabs.com/browse/PUP-1458

#7 Updated by Rob Reynolds 8 months ago

Will link the actual issue link. Prior to the Jira migrator, some tickets were created in both places… PUP-260
