Version information
This version is compatible with:
- Puppet Enterprise 2023.8.x, 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x
- Puppet >= 7.0.0 < 9.0.0
Start using this module
Add this module to your Puppetfile:
mod 'puppetlabs-acl', '5.0.2'
Learn more about managing modules with a PuppetfileDocumentation
acl
Table of Contents
- Module Description - What does the module do?
- Setup - The basics of getting started with acl
- Usage - The custom type available for configuration
- Manage a basic ACL with all parameters expressed
- Manage multiple permissions at once
- Same target, multiple resources
- Identify users and groups with SID or FQDN
- Use multiple resources to manage the same target
- Protect a target from inherited permissions
- Purge unmanaged explicit permissions
- Protect a target and purge all unmanaged permissions
- Set ACE mask_specific rights
- Explicitly deny permissions
- Set ACE inheritance
- Set ACE propagation
- Remove ACE permissions
- Use same identity, multiple ACEs
- Reference - An under-the-hood peek at what the module is doing and how
- Limitations - Known issues in acl
- License
- Development - Guide for contributing to the module
Module Description
The acl module lets you use Puppet to manage Access Control Lists (ACLs) on Windows.
Windows uses Access Control Lists (ACLs) to store permissions information. An ACL is typically made up of a series of Access Control Entries (ACEs), representing individual permissions. The acl module adds a type and provider to let you manage all that information through Puppet.
Setup
Install this module with the following command:
$ puppet module install [--modulepath <path>] puppetlabs/acl
The above command also includes the optional argument to specify your Puppet server's modulepath
as the location to install the module.
Beginning with acl
For a basic implementation of the acl module, provide a target ACL and at least one permission:
acl { 'c:/tempperms':
permissions => [
{ identity => 'Administrator', rights => ['full'] },
{ identity => 'Users', rights => ['read','execute'] }
],
}
Usage
A typical ACL is made up of access control entries (ACEs), which represent individual permissions. Each ACE comprises a defined trustee (an identity, representing a user, group, or system process), a set of rights, an inheritance and propagation strategy, and an allowed/denied status.
Windows processes ACEs in order of appearance within the ACL. It expects them to be pre-sorted by allowed/denied status in the following order:
- 'explicit deny'
- 'explicit allow'
- 'inherited deny'
- 'inherited allow'
The acl
type does not enforce the above order, and applies the ACEs based on order of appearance in your manifest. If that differs from the ordering above, node users who view or update the ACL through the Windows Security graphical interface receive a warning message: "The permissions on [filename] are incorrectly ordered, which may cause some entries to be ineffective."
Note: You cannot specify inherited ACEs in a manifest; you can only specify whether to allow upstream inheritance to flow into the managed ACL.
Manage a basic ACL with all parameters expressed
The fully expressed ACL in the sample below produces the same settings as the minimal sample in the Setup section, without relying on defaults.
acl { 'c:/tempperms':
target => 'c:/tempperms',
purge => false,
permissions => [
{ identity => 'Administrator', rights => ['full'], perm_type=> 'allow', child_types => 'all', affects => 'all' },
{ identity => 'Users', rights => ['read','execute'], perm_type=> 'allow', child_types => 'all', affects => 'all' }
],
owner => 'Administrators', #Creator_Owner specific, doesn't manage unless specified
group => 'Users', #Creator_Group specific, doesn't manage unless specified
inherit_parent_permissions => true,
}
Manage multiple permissions at once
The permissions
parameter is passed as an array, allowing it to accept multiple ACEs in the form of hashes.
acl { 'c:/tempperms':
permissions => [
{ identity => 'Administrators', rights => ['full'] },
{ identity => 'Administrator', rights => ['modify'] },
{ identity => 'Authenticated Users', rights => ['write','read','execute'] },
{ identity => 'Users', rights => ['read','execute'] }
{ identity => 'Everyone', rights => ['read'] }
],
inherit_parent_permissions => false,
}
- Each ACE should have a unique combination of
identity
,perm_type
,child_types
, andaffects
values. If you create multiple ACEs that differ only inrights
, the module can't tell them apart and wrongly reports that the resource is out of sync.
Wrong:
acl { 'c:/tempperms':
permissions => [
{ identity => 'SYSTEM', rights => ['read']},
{ identity => 'SYSTEM', rights => ['write']}
],
}
Right:
acl { 'c:/tempperms':
permissions => [
{ identity => 'SYSTEM', rights => ['read','write']}
],
}
Note: When you run puppet resource acl some_path
, Puppet might list some permissions with the read-only element is_inherited => 'true'
. If you use the resource
output in a manifest, Puppet ignores those permissions. To indicate they should be enforced on the target directly, remove the is_inherited
property or set is_inherited => false'
.
For more detail, see the Reference section on permissions
.
Identify users and groups with SID or FQDN
You can identify a user or group using a security identifier (SID) or a fully qualified domain name (FQDN).
acl { 'c:/tempperms':
permissions => [
{ identity => 'NT AUTHORITY\SYSTEM', rights => ['modify'] },
{ identity => 'BUILTIN\Users', rights => ['read','execute'] },
{ identity => 'S-1-5-32-544', rights => ['write','read','execute'] }
],
}
Use multiple resources to manage the same target
You can manage the same target across multiple ACL resources, as long as each resource has a unique title.
Warning: Use this feature with care; it can get confusing quickly. Do not set purge => 'true'
on any of the resources that apply to the same target. Doing so causes thrashing in reports, as the permissions are added and removed on every catalog application.
acl { 'c:/tempperms':
permissions => [
{ identity => 'Administrator', rights => ['full'] }
],
}
acl { 'tempperms_Users':
target => 'c:/tempperms',
permissions => [
{ identity => 'Users', rights => ['read','execute'] }
],
}
Protect a target from inherited permissions
Removing upstream inheritance is known as "protecting" the target. When an item is protected without purge => true
, the inherited ACEs are copied into the target as unmanaged ACEs.
acl { 'c:/tempperms':
permissions => [
{ identity => 'Administrators', rights => ['full'] },
{ identity => 'Users', rights => ['full'] }
],
inherit_parent_permissions => false,
}
Purge unmanaged explicit permissions
You cannot purge inherited permissions; you can only purge explicit permissions. To lock down a folder to managed explicit ACEs, set purge => true
. This only removes other explicit ACEs from the folder that are unmanaged by this resource. All inherited ACEs remain (see next example).
acl { 'c:/tempperms':
purge => true,
permissions => [
{ identity => 'Administrators', rights => ['full'] },
{ identity => 'Users', rights => ['full'] }
],
}
Protect a target and purge all unmanaged permissions
To fully restrict a target's permissions to the ones specified in your manifest, protect it as above and set purge => 'true'
.
Warning: When removing permissions, make sure the user running Puppet always has FULL rights on the target. If Puppet loses its permission to manage a resource, you'll need to restore it manually at the node level.
acl { 'c:/tempperms':
purge => true,
permissions => [
{ identity => 'Administrators', rights => ['full'] },
{ identity => 'Users', rights => ['full'] }
],
inherit_parent_permissions => false,
}
Set ACE mask_specific rights
If none of the standard rights
values meets your specific needs, you can specify more granular rights by setting rights => ['mask_specific']
and supplying a 'mask' element with an integer representing a permissions mask. You can't combine the mask with other values, such as read permissions.
NOTE: 'mask_specific' should ONLY be used when other rights are not specific enough. If you specify 'mask_specific' with the equivalent of 'full' rights (2032127), and Puppet finds the property to be 'full', it reports making changes to the resource even though nothing is different.
acl { 'c:/tempperms':
purge => true,
permissions => [
{ identity => 'Administrators', rights => ['full'] }, #full is same as - 2032127 aka 0x1f01ff but you should use 'full'
{ identity => 'SYSTEM', rights => ['modify'] }, #modify is same as 1245631 aka 0x1301bf but you should use 'modify'
{ identity => 'Users', rights => ['mask_specific'], mask => '1180073' }, #RX WA #0x1201a9
{ identity => 'Administrator', rights => ['mask_specific'], mask => '1180032' } #RA,S,WA,Rc #1180032 #0x120180
],
inherit_parent_permissions => false,
}
More about ACE masks:
- File/Directory Access Mask Constants: http://msdn.microsoft.com/en-us/library/aa394063(v=vs.85).aspx
- Generic File Access Rights: http://msdn.microsoft.com/en-us/library/windows/desktop/aa364399(v=vs.85).aspx
- Access Mask Format: http://msdn.microsoft.com/en-us/library/windows/desktop/aa374896(v=vs.85).aspx
Explicitly deny permissions
By default, each ACE grants the described permissions to the target. However, you can reverse that by setting perm_type => 'deny'
, which explicitly removes the described permissions. List your 'deny' ACEs first, before your 'allow' ACEs.
acl { 'c:/tempperms':
permissions => [
{ identity => 'SYSTEM', rights => ['full'], perm_type=> 'deny', affects => 'self_only' },
{ identity => 'Administrators', rights => ['full'] }
],
}
Set ACE inheritance
The inheritance structure of ACEs is controlled by child_types
, which determine how files and sub-folders inherit each ACE.
acl { 'c:/tempperms':
purge => true,
permissions => [
{ identity => 'SYSTEM', rights => ['full'], child_types => 'all' },
{ identity => 'Administrators', rights => ['full'], child_types => 'containers' },
{ identity => 'Administrator', rights => ['full'], child_types => 'objects' },
{ identity => 'Users', rights => ['full'], child_types => 'none' }
],
inherit_parent_permissions => false,
}
Set ACE propagation
ACEs have propagation rules which guide how they apply permissions to containers, objects, children, and grandchildren. Propagation is determined by affects
, which can take the value of: 'all', 'self_only', 'children_only', 'direct_children_only', and 'self_and_direct_children_only'. Microsoft has a good matrix that outlines when and why you might use each of these values.
acl { 'c:/tempperms':
purge => true,
permissions => [
{ identity => 'Administrators', rights => ['modify'], affects => 'all' },
{ identity => 'Administrators', rights => ['full'], affects => 'self_only' },
{ identity => 'Administrator', rights => ['full'], affects => 'direct_children_only' },
{ identity => 'Users', rights => ['full'], affects => 'children_only' },
{ identity => 'Authenticated Users', rights => ['read'], affects => 'self_and_direct_children_only' }
],
inherit_parent_permissions => false,
}
Remove ACE permissions
To remove permissions, set purge => listed_permissions
. This removes explicit permissions from the ACL based on their identity
, perm_type
, child_types
and affects
attributes. The example below ensures that 'Administrator' and 'Authenticated Users' are not on the ACL.
# set permissions
acl { 'c:/tempperms/remove':
purge => true,
permissions => [
{ identity => 'Administrators', rights => ['full'] },
{ identity => 'Administrator', rights => ['write'] },
{ identity => 'Users', rights => ['write','execute'] },
{ identity => 'Everyone', rights => ['execute'] },
{ identity => 'Authenticated Users', rights => ['full'] }
],
inherit_parent_permissions => false,
}
# now remove some permissions
acl { 'remove_tempperms/remove':
target => 'c:/tempperms/remove',
purge => 'listed_permissions',
permissions => [
{ identity => 'Administrator', rights => ['write'] },
{ identity => 'Authenticated Users', rights => ['full'] }
],
inherit_parent_permissions => false,
require => Acl['c:/tempperms/remove'],
}
Same identity, multiple ACEs
With Windows, you can specify the same identity
with different inheritance and propagation. Each of the resulting items is managed as a separate ACE.
acl { 'c:/tempperms':
purge => true,
permissions => [
{ identity => 'SYSTEM', rights => ['modify'], child_types => 'none' },
{ identity => 'SYSTEM', rights => ['modify'], child_types => 'containers' },
{ identity => 'SYSTEM', rights => ['modify'], child_types => 'objects' },
{ identity => 'SYSTEM', rights => ['full'], affects => 'self_only' },
{ identity => 'SYSTEM', rights => ['read','execute'], affects => 'direct_children_only' },
{ identity => 'SYSTEM', rights => ['read','execute'], child_types=>'containers', affects => 'direct_children_only' },
{ identity => 'SYSTEM', rights => ['read','execute'], child_types=>'objects', affects => 'direct_children_only' },
{ identity => 'SYSTEM', rights => ['full'], affects => 'children_only' },
{ identity => 'SYSTEM', rights => ['full'], child_types=>'containers', affects => 'children_only' },
{ identity => 'SYSTEM', rights => ['full'], child_types=>'objects', affects => 'children_only' },
{ identity => 'SYSTEM', rights => ['read'], affects => 'self_and_direct_children_only' },
{ identity => 'SYSTEM', rights => ['read'], child_types=>'containers', affects => 'self_and_direct_children_only' },
{ identity => 'SYSTEM', rights => ['read'], child_types=>'objects', affects => 'self_and_direct_children_only' }
],
inherit_parent_permissions => false,
}
Reference
Defined type: acl
The main type of the module, responsible for all its functionality.
Parameters
All of the below parameters are optional, unless otherwise noted.
group
Specifies whose permissions to manage. This identity is also known as a trustee or principal. If the identity doesn't exist on a node, Puppet creates it. Valid options: a string containing a valid identity (see below). Default: if left undefined, Puppet leaves the group as currently configured.
Valid identity formats:
- User: e.g., 'Bob' or 'TheNet\Bob'
- Group: e.g., 'Administrators' or 'BUILTIN\Administrators'
- SID (Security ID): e.g., 'S-1-5-18'
NOTE: On Windows the CREATOR GROUP inherited ACE must be set for the creator's primary group for it to be set as an ACE automatically. Group is not always widely used. By default, the group also needs to be specifically set as an explicitly managed ACE. See Microsoft's page for instructions on enabling CREATOR GROUP.
inherit_parent_permissions
Specifies whether to inherit permissions from parent ACLs. Valid options: 'true' and 'false'. Default: 'true'.
name
Provides a name for the ACL resource; also becomes the target, if target
is not set. Valid options: a string. Default: the title of your declared resource.
owner
The identity that owns the ACL. If the identity doesn't exist on a node, Puppet creates it. This identity is also known as a trustee or principal. Valid options: a string containing a valid identity (see below). Default: if left undefined, Puppet leaves the owner as currently configured.
Valid identity formats:
- User: for example, 'Bob' or 'TheNet\Bob'
- Group: for example, 'Administrators' or 'BUILTIN\Administrators'
- SID (Security ID): for example, 'S-1-5-18'
permissions
Required. Specifies one or more Access Control Entries (ACEs). Valid options: an ordered array of hashes, each containing at least the identity
and rights
elements, and any number of additional elements from the list below.
Elements in permissions
-
affects
: Optional. Determines how the downstream inheritance is propagated. Valid options: 'all', 'self_only', 'children_only', 'self_and_direct_children_only', and 'direct_children_only'. Default: 'all'. -
child_types
: Optional. Determines how an ACE is inherited downstream from the target. Valid options: 'all', 'objects', 'containers' and 'none'. Default: 'all'. -
identity
: Required. Determines whose permissions to manage. If the specified identity doesn't exist on a node, Puppet creates it. Valid options: a user (e.g., 'Bob' or 'TheNet\Bob'), group (e.g., 'Administrators' or 'BUILTIN\Administrators'), or security ID (for example, 'S-1-5-18').
-
mask
: Required ifrights => 'mask_specific'
is set. Indicates rights granted or denied to the trustee. If therights
element isn't set to 'mask_specific', themask
element has no effect. Valid options: an integer (set as a string, for example '511'), representing a permissions mask.If you want more granular detail about
mask
values, we've provided an ACL Mask Rights Addition spreadsheet in the acl module'stools
directory. -
perm_type
: Optional. Specifies whether the target should or should not have the described permissions. Valid options: 'allow' and 'deny'. Default: 'allow'.
rights
: Required.: Valid options: an array containing one or more of the following values: 'full', 'modify', 'mask_specific', 'write', 'read', and 'execute'.
NOTE: The type
element is deprecated and has been replaced with perm_type
, because the word type
will be a reserved keyword in Puppet 4.
* 'read', 'write', and 'execute' can be used together in any combination.
* 'modify' includes READ, WRITE, EXECUTE, and DELETE all in one.
* 'full' indicates all rights.
* 'full', 'modify', and 'mask_specific' values are mutually exclusive. If you use any of them, it must be the *only* `rights` value in the hash.
* If you specify 'full' or 'modify' along with other rights, e.g., `rights => ['full','read']`, the `acl` type issues a warning and removes the other items.
* If you specify 'mask_specific', you must also specify the `mask` element in the `permissions` hash with an integer representing a [permissions mask](http://msdn.microsoft.com/en-us/library/aa394063(v=vs.85).aspx).
purge
Specifies whether to remove any explicit permissions not specified in the permissions
property. Valid options: 'true', 'false', and 'listed_permissions'. Default: 'false'.
To ensure that a specific set of permissions are absent from the ACL, set purge => 'listed_permissions'
.
Note: This parameter only affects explicit permissions. To remove inherited permissions, use inherit_parent_permissions => 'false'
.
Warning: When removing permissions, make sure the user running Puppet always has FULL rights on the target. If Puppet loses its permission to manage a resource, you'll need to restore it manually at the node level.
target
Optional. The location of the ACL resource. Defaults to name
value. Valid options: a string containing an absolute path. Default: title of your declared resource.
Limitations
-
The Windows Provider does not follow Symlinks. Please explicitly manage the permissions of the target.
-
The 8.3 short filename format used in some versions of Windows is not supported.
-
We don't recommend using the acl module with Cygwin, because it can yield inconsistent results --- especially when using Cygwin SSHD with public key authentication. For example, the 'Administrator' identity might work normally on Windows 2012, but on Windows 2008 it might be translated to 'cyg_server' (or vice-versa).
-
Unicode encoding isn't supported in the
identity
,group
, orowner
parameters. -
When using SIDs for identities, autorequire tries to match to users with fully qualified names (e.g., User[BUILTIN\Administrators]) in addition to SIDs (User[S-1-5-32-544]). However, it can't match against 'User[Administrators]', because that could cause issues if domain accounts and local accounts share the same name e.g., 'Domain\Bob' and 'LOCAL\Bob'.
-
When referring to accounts in the
APPLICATION PACKAGE AUTHORITY
, with Puppet versions older than 6.22.0 or 7.5.0, use either their SID values or their unqualified names. The Windows API has well documented bugs preventing the fully qualifed account names from being used.S-1-15-2-1
orALL APPLICATION PACKAGES
, but notAPPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES
. This account may only be referenced on Windows 2012R2 (kernel 6.3) or newer.S-1-15-2-2
orALL RESTRICTED APPLICATION PACKAGES
, but notAPPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES
. This account may only be referenced on Windows 2016 (kernel 10.0) or newer.
Please log tickets and issues at our Module Issue Tracker.
License
This codebase is licensed under the Apache2.0 licensing, however due to the nature of the codebase the open source dependencies may also use a combination of AGPL, BSD-2, BSD-3, GPL2.0, LGPL, MIT and MPL Licensing.
Development
We are experimenting with a new tool for running acceptance tests. It's name is puppet_litmus this replaces beaker as the test runner. To run the acceptance tests follow the instructions here.
Puppet modules on the Puppet Forge are open projects, and community contributions are essential for keeping them great. We can’t access the huge number of platforms and myriad of hardware, software, and deployment configurations that Puppet is intended to serve.
We want to keep it as easy as possible to contribute changes so that our modules work in your environment. There are a few guidelines that we need contributors to follow so that we can have a chance of keeping on top of things.
For more information, see our module contribution guide.
Contributors
To see who's already involved, see the list of contributors.
Reference
Table of Contents
Resource types
acl
: Manages access control lists (ACLs). Theacl
type is typically used when you need more complex management of permissions e.g. Windows. ACL
Resource types
acl
Manages access control lists (ACLs). The acl
type is
typically used when you need more complex management of
permissions e.g. Windows. ACLs typically contain access
control entries (ACEs) that define a trustee (identity)
with a set of rights, whether the type is allow or deny,
and how inheritance and propagation of those ACEs are
applied to the resource target and child types under it.
The order that ACEs are listed in is important on Windows
as it determines what is applied first.
Order of ACE application on Windows is explicit deny,
explicit allow, inherited deny, then inherited allow. You
cannot specify inherited ACEs in a manifest, only whether
to allow upstream inheritance to flow into the managed
target location (known as security descriptor). Please
ensure your modeled resources follow this order or Windows
will complain. NOTE: acl
type does not enforce or
complain about ACE order.
For very specific examples, see the readme[1] and learn
about the different features of the acl
type.
[1] https://github.com/puppetlabs/puppetlabs-acl/blob/main/README.md
Autorequires: If Puppet is managing the user, group or target of an acl resource, the acl type will autorequire them.
Examples:
Minimally expressed sample usage:
At a minimum, you need to provide the target and at least one permission (access control entry or ACE). It will default the other settings to sensible defaults.
acl { 'c:/tempperms':
permissions => [
{ identity => 'Administrator', rights => ['full'] },
{ identity => 'Users', rights => ['read','execute'] }
],
}
Fully expressed sample usage:
If you want you can provide a fully expressed ACL. The fully expressed acl in the sample below produces the same settings as the minimal sample above.
acl { 'c:/tempperms':
target => 'c:/tempperms',
target_type => 'file',
purge => 'false',
permissions => [
{ identity => 'Administrator', rights => ['full'], perm_type=> 'allow', child_types => 'all', affects => 'all' },
{ identity => 'Users', rights => ['read','execute'], perm_type=> 'allow', child_types => 'all', affects => 'all' }
],
owner => 'Administrators', #Creator_Owner specific, doesn't manage unless specified
group => 'Users', #Creator_Group specific, doesn't manage unless specified
inherit_parent_permissions => 'true',
}
Manage same ACL resource multiple acls sample usage:
You can manage the same target across multiple acl resources with some caveats. The title of the resource needs to be unique. It is suggested that you only do this when you would need to (can get confusing). You should not set purge => 'true' on any of the resources that apply to the same target or you will see thrashing in reports as the permissions will be added and removed every catalog application. Use this feature with care.
acl { 'c:/tempperms':
permissions => [
{ identity => 'Administrator', rights => ['full'] }
],
}
acl { 'tempperms_Users':
target => 'c:/tempperms',
permissions => [
{ identity => 'Users', rights => ['read','execute'] }
],
}
Removing upstream inheritance with purge sample usage:
acl { 'c:/tempperms':
purge => 'true',
permissions => [
{ identity => 'Administrators', rights => ['full'] },
{ identity => 'Users', rights => ['full'] }
],
inherit_parent_permissions => 'false',
}
Warning: While managing ACLs you could lock the user running
Puppet completely out of managing resources using
purge => 'true'
with inherit_parent_permissions => 'false'
.
If Puppet is locked out of managing the resource, manual
intervention on affected nodes will be required.
Properties
The following properties are available in the acl
type.
group
The group identity is also known as a trustee or principal that is said to have access to the particular acl/security descriptor. This can be in the form of:
- User - e.g.
'Bob'
or'TheNet\\Bob'
- Group e.g.
'Administrators'
or'BUILTIN\\Administrators'
- SID (Security ID) e.g.
'S-1-5-18'
.
Defaults to not specified on Windows. This allows group to stay set to whatever it is currently set to (group can vary depending on the original CREATOR GROUP). The trustee must exist on the system and will auto-require on user and group resources.
inherit_parent_permissions
Valid values: true
, false
Inherit Parent Permissions specifies whether to inherit
permissions from parent ACLs or not. The default is true
.
Default value: true
owner
The owner identity is also known as a trustee or principal that is said to own the particular acl/security descriptor. This can be in the form of:
- User - e.g.
'Bob'
or'TheNet\\Bob'
- Group e.g.
'Administrators'
or'BUILTIN\\Administrators'
- SID (Security ID) e.g.
'S-1-5-18'
.
Defaults to not specified on Windows. This allows owner to stay set to whatever it is currently set to (owner can vary depending on the original CREATOR OWNER). The trustee must exist on the system and will auto-require on user and group resources.
permissions
Permissions is an array containing Access Control Entries
(ACEs). Certain Operating Systems require these ACEs to be in
explicit order (Windows). Every element in the array is a hash
that will at the very least need identity
and rights
e.g
{ identity => 'Administrators', rights => ['full'] }
and at the
very most can include perm_type
, child_types
, affects
, and
mask
(mask should only be specified be with
rights => ['mask_specific']
) e.g. { identity => 'Administrators', rights => ['full'], type=> 'allow', child_types => 'all', affects => 'all' }
.
identity
is a group, user or ID (SID on Windows). The identity must
exist on the system and will auto-require on user and group resources.
This can be in the form of:
- User - e.g.
'Bob'
or'TheNet\\Bob'
- Group e.g.
'Administrators'
or'BUILTIN\\Administrators'
- SID (Security ID) e.g.
'S-1-5-18'
.
rights
is an array that contains 'full'
, 'modify'
,
'mask_specific'
or some combination of 'write'
, 'read'
, and
'execute'
. If you specify 'mask_specific'
you must also specify
mask
with an integer (passed as a string) that represents the
permissions mask. It is the numeric representation of the binary
flags.
perm_type
is represented as 'allow'
(default) or 'deny'
.
child_types
determines how an ACE is inherited downstream from the
target. Valid values are 'all'
(default), 'objects'
, 'containers'
or 'none'
.
affects
determines how the downstream inheritance is propagated.
Valid values are 'all'
(default), 'self_only'
, 'children_only'
,
'self_and_direct_children_only'
or 'direct_children_only'
.
Each permission (ACE) is determined to be unique based on identity, perm_type, child_types, and affects. While you can technically create more than one ACE that differs from other ACEs only in rights, acl module is not able to tell the difference between those so it will appear that the resource is out of sync every run when it is not.
While you will see is_inherited => 'true'
when running
puppet resource acl path, puppet will not be able to manage the
inherited permissions so those will need to be removed if using
that to build a manifest.
Parameters
The following parameters are available in the acl
type.
name
namevar
The name of the acl resource. Used for uniqueness. Will set the target to this value if target is unset.
provider
The specific backend to use for this acl
resource. You will seldom need to specify this --- Puppet will usually
discover the appropriate provider for your platform.
purge
Valid values: true
, false
, listed_permissions
Purge specifies whether to remove other explicit permissions
if not specified in the permissions set. This doesn't do anything
with permissions inherited from parents (to remove those you should
combine purge => 'false', inherit_parent_permissions => 'false'
-
be VERY careful in doing so, you could lock out Puppet from
managing the resource and manual intervention will be required).
This also allows you to ensure the permissions listed are not on
the ACL with purge => listed_permissions
.
The default is false
.
Default value: false
target
The location the acl resource is pointing to. In the first release of ACL, this will be a file system location. The default is the name.
target_type
Valid values: file
The type of target for the Acl resource. In the first release
of ACL, only file
is allowed. Defaults to file
.
Default value: file
Changelog
All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog and this project adheres to Semantic Versioning.
v5.0.2 - 2024-12-10
Added
- (CAT-2158) Upgrade rexml to address CVE-2024-49761 #305 (amitkarsale)
v5.0.1 - 2024-06-27
v5.0.0 - 2023-04-19
Changed
- (CONT-686) - Add Puppet 8/Drop Puppet 6 #279 (jordanbreen28)
v4.1.2 - 2023-03-21
Fixed
- pdksync - (CONT-494) Pin github_changelog_generator and JSON gem versions #270 (david22swan)
v4.1.1 - 2022-10-03
Fixed
- Removing unsupported windows versions #265 (jordanbreen28)
- (GH-260) Update mask docs #263 (pmcmaw)
- (MODULES-10908) fix noop behavior #261 (garrettrowell)
v4.1.0 - 2022-05-23
Added
- pdksync - (FM-8922) - Add Support for Windows 2022 #253 (david22swan)
v4.0.0 - 2021-03-01
Changed
- pdksync - Remove Puppet 5 from testing and bump minimal version to 6.0.0 #229 (carabasdaniel)
v3.2.1 - 2020-11-30
Fixed
- (IAC-1089) Remove dependency on 'win32/security' gem for Puppet 7 compatibility #208 (sanfrancrisko)
v3.2.0 - 2020-08-19
Added
- pdksync - (IAC-973) - Update travis/appveyor to run on new default branch main #199 (david22swan)
Fixed
v3.1.1 - 2020-04-08
Fixed
- [MODULES-1336] Fix noop failure reports #188 (carabasdaniel)
v3.1.0 - 2019-12-03
v3.0.0 - 2019-07-23
Changed
Added
- (MODULES-9304) Add Puppet Strings docs #153 (eimlav)
- (WIN280) add skip() unless pattern to tests #145 (ThoughtCrhyme)
2.1.0 - 2018-10-11
Added
Fixed
2.0.1 - 2017-08-03
Fixed
2.0.0 - 2017-05-19
Changed
Fixed
- Fix frozen string #85 (hunner)
- Workaround frozen strings on ruby 1.9 #82 (hunner)
- (MODULES-3632) Use json_pure always #81 (hunner)
1.1.2 - 2015-12-07
1.1.1 - 2015-07-29
1.1.0 - 2015-02-17
1.0.4 - 2014-12-30
Added
- ACL Access Rights Mask Addition Worksheet #44 (ferventcoder)
Fixed
- (MODULES-1482) Fix Autorequires to only include resource title #46 (ferventcoder)
1.0.3 - 2014-08-27
Changed
Fixed
- install puppet when running against foss #37 (justinstoller)
1.0.2 - 2014-07-16
1.0.1 - 2014-05-27
1.0.0 - 2014-05-21
Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 1. Definitions. "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. "Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License. "Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. "You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License. "Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files. "Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types. "Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below). "Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof. "Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution." "Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work. 2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form. 3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed. 4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions: (a) You must give any other recipients of the Work or Derivative Works a copy of this License; and (b) You must cause any modified files to carry prominent notices stating that You changed the files; and (c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and (d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License. You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License. 5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions. 6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file. 7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License. 8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages. 9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability. END OF TERMS AND CONDITIONS APPENDIX: How to apply the Apache License to your work. To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets "[]" replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a file or class name and description of purpose be included on the same "printed page" as the copyright notice for easier identification within third-party archives. Copyright [yyyy] [name of copyright owner] Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Quality checks
We run a couple of automated scans to help you assess a module’s quality. Each module is given a score based on how well the author has formatted their code and documentation and select modules are also checked for malware using VirusTotal.
Please note, the information below is for guidance only and neither of these methods should be considered an endorsement by Puppet.
Malware scan results
The malware detection service on Puppet Forge is an automated process that identifies known malware in module releases before they’re published. It is not intended to replace your own virus scanning solution.
Learn more about malware scans- Module name:
- puppetlabs-acl
- Module version:
- 5.0.2
- Scan initiated:
- December 16th 2024, 23:25:15
- Detections:
- 0 / 62
- Scan stats:
- 62 undetected
- 0 harmless
- 0 failures
- 0 timeouts
- 0 malicious
- 0 suspicious
- 14 unsupported
- Scan report:
- View the detailed scan report