Windows ACL support
Keywords: windows acl security
Puppet’s current implementation of mapping POSIX modes to Windows ACLs has some limitations.
- Puppet can only assign permissions to owner and group, but it’s common practice on Windows systems to set full control to Administrators, LocalSystem, and Users, which is more than can be represented in our model, without creating a local group.
- Puppet doesn’t support deny access control entries.
Puppet should support setting multiple access control entries, deny/allow ACEs, and inheritance. See http://technet.microsoft.com/en-us/library/bb727008.aspx for common permissions.
Another option would be to express permissions in terms of SDDL, but that is likely overkill.
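The gap described above, as an added example that is not part of the original ticket and is not Puppet's own code: a simplified owner/group/other mapping from a POSIX mode to allow-only ACEs, next to an ACL with three trustees, inheritance and a deny ACE, both rendered as SDDL. The helper names, the mapping of "other" to Everyone (`WD`), and the deny entry for Guests (`BG`) are assumptions made for illustration.

```ruby
# Illustration only: hypothetical helpers, not Puppet's implementation.
# One access control entry, rendered in SDDL as (type;flags;rights;;;trustee).
ACE = Struct.new(:type, :flags, :rights, :trustee) do
  def to_sddl
    "(#{type};#{flags};#{rights};;;#{trustee})"
  end
end

# POSIX permission bits mapped to SDDL file rights (read, write, execute).
RIGHTS = { 4 => 'FR', 2 => 'FW', 1 => 'FX' }.freeze

# Assumed simplified model: each rwx triplet becomes one allow ACE for
# owner, group, and Everyone (WD). No deny entries, no inheritance flags.
def mode_to_aces(mode, owner, group)
  triplets = [(mode >> 6) & 7, (mode >> 3) & 7, mode & 7]
  triplets.zip([owner, group, 'WD']).map do |bits, trustee|
    rights = RIGHTS.select { |bit, _| (bits & bit) != 0 }.values.join
    rights.empty? ? nil : ACE.new('A', '', rights, trustee)
  end.compact
end

# Build a DACL string. Explicit deny ACEs go before explicit allow ACEs
# (canonical order); "P" marks the DACL as protected from inheritance.
def dacl(aces, protected: false)
  deny, allow = aces.partition { |ace| ace.type == 'D' }
  "D:#{protected ? 'P' : ''}" + (deny + allow).map(&:to_sddl).join
end

# Constructed target ACL: full control for Administrators (BA) and
# LocalSystem (SY), read/execute for Users (BU), all inherited by child
# objects and containers (OICI), plus a deny-write ACE for Guests (BG).
DESIRED = [
  ACE.new('A', 'OICI', 'FA', 'BA'),
  ACE.new('A', 'OICI', 'FA', 'SY'),
  ACE.new('A', 'OICI', 'FRFX', 'BU'),
  ACE.new('D', 'OICI', 'FW', 'BG')
].freeze

if __FILE__ == $PROGRAM_NAME
  # Mode 0750 with owner=Administrators, group=Users: two trustees at most.
  puts dacl(mode_to_aces(0o750, 'BA', 'BU'))
  # The target ACL needs a third trustee, inheritance flags and a deny ACE.
  puts dacl(DESIRED, protected: true)
end
```

With mode 0750 there is no slot left for LocalSystem, no way to state inheritance, and no way to state the deny entry, which is the limitation the ticket lists.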
#1 Updated by Daniel Pittman over 1 year ago
It would be ideal to address this in a portable way, which was inclusive of the needs of POSIX ACLs – zfs, Linux, and Solaris !zfs, I think would cover it there. Not necessarily the same code handling it, but any abstraction in our type system defined so that it will support the needs of all the platforms.
#5 Updated by Rob Reynolds about 1 month ago
If you are watching this issue, please feel free to jump in the recent discussion at https://groups.google.com/d/msgid/puppet-dev/7024cede-9c4b-4e0b-8be5-4d7b12c56beb%40googlegroups.com