Clarification on Windows Rights


#1

Ohai,
I was hoping someone might be able to clarify something for me on Windows
rights: http://wiki.opscode.com/display/chef/Improved+Windows+File+Security

When you specify rights, they are considered a complete description of all
explicit rights on a file: all existing explicit rights will be removed
and the new ones added. (Inherited rights will remain on the file).

Initially I had read this as “if the existing permissions don’t match,
they will all be blown away and replaced with what you defined”, however my
testing is showing it doesn’t care if the specified rights are identical to
what is in place (i.e. on chef run #2). Instead the permissions are reset
every single run. This was also discussed here:
http://lists.opscode.com/sympa/arc/chef/2012-10/msg00215.html

So could someone clarify if resetting permissions even when they don’t need
changing is indeed the “intended” behavior? If so how are folks
achieving idempotent behavior on template resources that are leveraging
Windows rights? The post in the other thread which uses the file resource
wrapper could possibly work (I have not tested yet), but obviously not
declaring each template I need via two resources would be preferred.

This is running chef-client 10.12, and ideally I’m looking for a
solution that works on that version as a wholesale upgrade is a little out of
scope of this particular use case.

Thanks


#2

David, the behavior you’re describing is not what I would expect. If the rights match, this should be a no-op and no action taken.

Can you say more about what you’re seeing — is it information from the chef-client log that indicates the resource was updated, or are you using auditing to monitor the files during a chef-client run, or something else?

-Adam

From: David Petzel <davidpetzel@gmail.com>
Reply-To: "chef@lists.opscode.com" <chef@lists.opscode.com>
Date: Thursday, February 28, 2013 6:05 PM
To: "chef@lists.opscode.com" <chef@lists.opscode.com>
Subject: [chef] Clarification on Windows Rights

Ohai,
I was hoping someone might be able to clarify something for me on Windows rights: http://wiki.opscode.com/display/chef/Improved+Windows+File+Security

When you specify rights, they are considered a complete description of all explicit rights on a file: all existing explicit rights will be removed and the new ones added. (Inherited rights will remain on the file).

Initially I had read this as “if the existing permissions don’t match, they will all be blown away and replaced with what you defined”, however my testing is showing it doesn’t care if the specified rights are identical to what is in place (i.e. on chef run #2). Instead the permissions are reset every single run. This was also discussed here: http://lists.opscode.com/sympa/arc/chef/2012-10/msg00215.html

So could someone clarify if resetting permissions even when they don’t need changing is indeed the “intended” behavior? If so how are folks achieving idempotent behavior on template resources that are leveraging Windows rights? The post in the other thread which uses the file resource wrapper could possibly work (I have not tested yet), but obviously not declaring each template I need via two resources would be preferred.

This is running chef-client 10.12, and ideally I’m looking for a solution that works on that version as a wholesale upgrade is a little out of scope of this particular use case.

Thanks


#3

David you are saying that if the permissions match the specified explicit permissions, the resource modifies the explicit permissions anyhow (to what they are already set to)?

If that is the case, it seems silly. This should be a no-op.

On Mar 1, 2013, at 4:28 PM, “Adam Edwards” <adamed@opscode.com> wrote:

David, the behavior you’re describing is not what I would expect. If the rights match, this should be a no-op and no action taken.

Can you say more about what you’re seeing — is it information from the chef-client log that indicates the resource was updated, or are you using auditing to monitor the files during a chef-client run, or something else?

-Adam


#4

I was the one who mentioned it before in the linked conversation. It’s
been a while - but I remember when I did that test in the debug logging on
chef the log showed it removing and re-adding the permissions. I believe it
was something on the Windows side that had to be done for it to work
correctly. On the Linux side it would be a no-op.

On Fri, Mar 1, 2013 at 7:45 PM, Paul Morton - BIA <pmorton@biaprotect.com> wrote:

David you are saying that if the permissions match the specified explicit
permissions, the resource modifies the explicit permissions anyhow (to what
they are already set to)?

If that is the case, it seems silly. This should be a no-op.


#5

Thanks All,
Paul,
Yes I am saying that if the permissions match, the resource modifies
anyhow (to what they are already set to)

Adam,
I’m basing this statement on a few things:

  1. There is an info level log statement, something to the extent of
    "changed permissions on XYZ" (Sorry I don’t have the exact output handy)
  2. We have an updated_resources handler in the run_list that reports the
    resource as changed every run
  3. The template is configured to notify a service restart. This service
    restart is triggered every run based on that notification.

Now to be fair, I have not actually traced the system calls to validate the
permissions are actually being reset each run, but I was figuring it was a
safe assumption based on the observations above.

Pete,
Thanks for the other post by the way, I have worked around the issue for now
using your template (without rights) --> notifying a file resource (with
rights, but a default action of nothing), so I’m getting around the issue,
albeit with more resources in my recipe than I really need.

On Fri, Mar 1, 2013 at 8:03 PM, Pete Cheslock <petecheslock@gmail.com> wrote:

I was the one who mentioned it before in the linked conversation. It’s
been a while - but I remember when I did that test in the debug logging on
chef the log showed it removing and readding the permissions. I believe it
was something on the windows side that had to be done for it to work
correctly. On the linux side it would be a no-op.

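A plain-Ruby model of the behaviour discussed in this thread, added here as an illustration and not Chef's own implementation or any poster's code: it treats the desired rights as a complete description of the explicit entries, leaves inherited entries alone, and contrasts a compare-first converge with an always-reset one by counting how many notified restarts three runs would trigger. The `Ace` struct, the function names and the account names are assumptions made up for the example.

```ruby
require 'set'

# Constructed model of one access-control entry (not Chef's own class).
Ace = Struct.new(:principal, :permission, :inherited)

# Explicit (non-inherited) entries as an order-independent set.
# Windows account names are case-insensitive, so compare them downcased.
def explicit_rights(acl)
  acl.reject(&:inherited).map { |a| [a.principal.downcase, a.permission] }.to_set
end

# Treat `desired` as the complete description of explicit rights.
# Returns [new_acl, updated]; inherited entries always stay on the file.
def converge_rights(acl, desired, compare_first: true)
  want = desired.map { |principal, perm| [principal.downcase, perm] }.to_set
  return [acl, false] if compare_first && explicit_rights(acl) == want

  explicit = desired.map { |principal, perm| Ace.new(principal, perm, false) }
  [acl.select(&:inherited) + explicit, true]
end

# Run the resource `runs` times and count how often a notified
# service restart would fire (once per run that reports an update).
def restarts_over_runs(acl, desired, runs, compare_first: true)
  restarts = 0
  runs.times do
    acl, updated = converge_rights(acl, desired, compare_first: compare_first)
    restarts += 1 if updated
  end
  [acl, restarts]
end

# Constructed sample data: one inherited entry, one stale explicit entry.
SAMPLE_ACL = [
  Ace.new('BUILTIN\\Users', :read, true),
  Ace.new('EXAMPLE\\olduser', :full_control, false)
].freeze
DESIRED = [['BUILTIN\\Administrators', :full_control],
           ['EXAMPLE\\svc_app', :read]].freeze

if __FILE__ == $PROGRAM_NAME
  _, idempotent = restarts_over_runs(SAMPLE_ACL, DESIRED, 3)
  _, always     = restarts_over_runs(SAMPLE_ACL, DESIRED, 3, compare_first: false)
  puts "compare first: #{idempotent} restart(s); always reset: #{always} restart(s)"
end
```

With the comparison in place only the first run reports an update; without it every run does, which matches the repeated service restarts reported in the thread.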