chef - [chef] Re: Re: Clarification on Windows Rights

Subscribers: 1946
Owners
Bryan McLellan
Joshua Timberman
Nathen Harvey
Seth Chisamore
Serdar Sutay

Subscribe
Unsubscribe
Info
Archive

Post

RSS
Shared documents

General discussion about Chef

[chef] Re: Re: Clarification on Windows Rights

From: Paul Morton - BIA < >
To: " " < >
Cc: " " < >
Subject: [chef] Re: Re: Clarification on Windows Rights
Date: Fri, 1 Mar 2013 16:45:09 -0800
Accept-language: en-US
Acceptlanguage: en-US

David you are saying that if the permissions match the specified explicit permissions, the resource modifies the explicit permissions anyhow (to what they are already set to)?

If that is the case, it seems silly. This should be a no-op.

On Mar 1, 2013, at 4:28 PM, "Adam Edwards" < "> > wrote:

David, the behavior you're describing is not what I would expect. If the rights match, this should be a no-op and no action taken.

Can you say more about what you're seeing — is it information from the chef-client log that indicates the resource was updated, or are you using auditing to monitor the files during a chef-client run, or something else?

-Adam

From: David Petzel < "> >
Reply-To: " "> " < "> >
Date: Thursday, February 28, 2013 6:05 PM
To: " "> " < "> >
Subject: [chef] Clarification on Windows Rights

Ohai,
I was hoping someone might be able to clarify something for me on Windows rights: http://wiki.opscode.com/display/chef/Improved+Windows+File+Security

When you specify rights, they are considered a complete description of all explicit rights on a file: all existing explicit rights will be removed and the new ones added. (Inherited rights will remain on the file).

Initially I had read this is as "if the existing permissions don't match, they will all be blown away and replaced with what you defined", however my testing is showing it doesn't care if the specified rights are identical to what is in place (IE on chef run #2). Instead the permissions are reset every single run. This was also discussed here: http://lists.opscode.com/sympa/arc/chef/2012-10/msg00215.html

So could someone clarify if resetting permissions even when they don't need changing is indeed the "intended" behavior? If so how are folks achieving idempotent behavior on template resources that are leverage windows rights? The post in the other thread which uses the file resource wrapper could possibly work (I have not tested yet), but obviously not declaring each template I need via two resources would be preferred.

This is running chef-client 10.12, and I'm ideally I'm looking for a solution that works on that version as a wholesale upgrade is a little of scope of this particular use case.

Thanks

[chef] Re: Clarification on Windows Rights, Adam Edwards, 03/01/2013
- [chef] Re: Re: Clarification on Windows Rights, Paul Morton - BIA, 03/01/2013
  - [chef] Re: Re: Re: Clarification on Windows Rights, Pete Cheslock, 03/01/2013
    - [chef] Re: Re: Re: Re: Clarification on Windows Rights, David Petzel, 03/02/2013