[chef] Re: Re: Re: Re: Clarification on Windows Rights

  • From: David Petzel
  • Subject: [chef] Re: Re: Re: Re: Clarification on Windows Rights
  • Date: Sat, 2 Mar 2013 11:44:28 -0500

Thanks All,
Yes, I am saying that if the permissions match, the resource modifies anyhow (to what they are already set to).

I'm basing this statement on a few things:
1) There is an info level log statement, something to the extent of "changed permissions on XYZ" (Sorry I don't have the exact output handy)
2) We have an updated_resources handler in the run_list that reports the resource as changed every run
3) The template is configured to notify a service restart. This service restart is triggered every run based on that notification.

Now to be fair, I have not actually traced the system calls to validate the permissions are actually being reset each run, but I was figuring it was a safe assumption based on the observations above.

Thanks for the other post by the way, I have worked around the issue for now using your template (without rights) --> notifying a file resource (with rights, but a default action of nothing), so I'm getting around the issue, albeit with more resources in my recipe than I really need.

On Fri, Mar 1, 2013 at 8:03 PM, Pete Cheslock wrote:
I was the one who mentioned it before in the linked conversation. It's been a while - but I remember when I did that test in the debug logging on Chef the log showed it removing and re-adding the permissions. I believe it was something on the Windows side that had to be done for it to work correctly. On the Linux side it would be a no-op.

On Fri, Mar 1, 2013 at 7:45 PM, Paul Morton - BIA wrote:
David you are saying that if the permissions match the specified explicit permissions, the resource modifies the explicit permissions anyhow (to what they are already set to)?

If that is the case, it seems silly. This should be a no-op.

On Mar 1, 2013, at 4:28 PM, "Adam Edwards" wrote:

David, the behavior you're describing is not what I would expect. If the rights match, this should be a no-op and no action taken.

Can you say more about what you're seeing — is it information from the chef-client log that indicates the resource was updated, or are you using auditing to monitor the files during a chef-client run, or something else?


I was hoping someone might be able to clarify something for me on Windows rights: http://wiki.opscode.com/display/chef/Improved+Windows+File+Security

When you specify rights, they are considered a complete description of all explicit rights on a file: all existing explicit rights will be removed and the new ones added. (Inherited rights will remain on the file).

Initially I had read this as "if the existing permissions don't match, they will all be blown away and replaced with what you defined", however my testing is showing it doesn't care if the specified rights are identical to what is in place (i.e. on chef run #2). Instead the permissions are reset every single run. This was also discussed here: http://lists.opscode.com/sympa/arc/chef/2012-10/msg00215.html

So could someone clarify if resetting permissions even when they don't need changing is indeed the "intended" behavior? If so, how are folks achieving idempotent behavior on template resources that leverage Windows rights? The post in the other thread which uses the file resource wrapper could possibly work (I have not tested yet), but obviously not declaring each template I need via two resources would be preferred.

This is running chef-client 10.12, and ideally I'm looking for a solution that works on that version as a wholesale upgrade is a little out of scope of this particular use case.
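
A small model of the converge behaviour discussed in this thread, added here as an example; it is not part of the original messages and is not Chef's code. It assumes, as the posters report, that a resource declaring `rights` is marked updated on every run, and compares the direct recipe with the template-notifies-file workaround; the path, principal and resource names are hypothetical.

```ruby
# Toy converge model, constructed for illustration; it is not Chef's code.
# Assumption from the thread: a resource declaring `rights` re-applies them and
# reports itself as updated on every run (chef-client 10.12 on Windows).
Res = Struct.new(:key, :path, :action, :content, :rights, :notifies)
CONF    = "C:/app/app.conf"                      # hypothetical path
RIGHTS  = { "Administrators" => :full_control }  # hypothetical explicit ACE
SERVICE = Res.new("service[app]", nil, :nothing, nil, nil, [])

# Template carries the rights itself and notifies the service.
DIRECT = [
  Res.new("template[app.conf]", CONF, :create, "v1", RIGHTS, ["service[app]"]),
  SERVICE
]

# Workaround from the thread: template without rights notifies a file resource
# that holds the rights and has a default action of :nothing.
WORKAROUND = [
  Res.new("template[app.conf]", CONF, :create, "v1", nil,
          ["file[app.conf]", "service[app]"]),
  Res.new("file[app.conf]", CONF, :nothing, nil, RIGHTS, []),
  SERVICE
]

# One chef-client run over `recipe`; returns the number of service restarts.
def converge(recipe, node)
  restarts = 0
  queue = recipe.reject { |r| r.action == :nothing }
  until queue.empty?
    r = queue.shift
    if r.path.nil?            # service resource: being notified means restart
      restarts += 1
      next
    end
    updated = !r.content.nil? && node[:files][r.path] != r.content
    node[:files][r.path] = r.content if updated
    if r.rights
      node[:acls][r.path] = r.rights  # explicit ACEs replaced wholesale
      updated = true                  # marked changed even when identical
    end
    r.notifies.each { |k| queue << recipe.find { |x| x.key == k } } if updated
  end
  restarts
end

def restarts_over_two_runs(recipe)
  node = { files: {}, acls: {} }
  [converge(recipe, node), converge(recipe, node)]
end
```

In this model the workaround applies the rights only when the template content changes, so an ACL altered out of band stays altered until the next content change.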

