Uploaded image for project: 'Puppet Agent'
  1. Puppet Agent
  2. PA-2113

Only take ownership / reset Windows permissions once

    XMLWordPrintable

    Details

    • Template:
    • Acceptance Criteria:
      Hide
      • Running the installer a second time after perms are reset should default to not changing permissions
      • The PowerShell script should emit log messages that indicate whether actions were performed
      • Manual verification sufficient
      Show
      Running the installer a second time after perms are reset should default to not changing permissions The PowerShell script should emit log messages that indicate whether actions were performed Manual verification sufficient
    • Team:
      Windows
    • Story Points:
      1
    • Sprint:
      Windows 2018-08-01, Windows 2018-08-08
    • Release Notes:
      Bug Fix
    • Release Notes Summary:
      The puppet agent installer now idempotently sets permissions on the install folder on Windows. Previously it would run takeown and icacls against the folder recursively, potentially taking many minutes to run.
    • QA Risk Assessment:
      Needs Assessment

      Description

      As part of PA-2019, code was added to the installer to reset permissions on C:\ProgramData\PuppetLabs by calling a combination of takeown and icacls.

      On hosts that have many filebucket'd files, this can take > 10 minutes, even on extremely fast hardware.

      Therefore, ensure that actions are skipped when not necessary.

       

      At first, it was thought that the installer could use the remembered property pattern that is used for saving other installer state. Instead, discussion led the team to instead use the file system itself as the source of truth.

       

      For instance, before recursively calling takeown against C:\ProgramData\puppetlabs, if the state is as desired, do not perform the action.  There are clearly times this won't work as desired if the parent directory matches the desired state, but children have been manipulated. However, such cases should be rare. Further, to address that problem, additional consideration should be given to the following:

      • An MSI property that overrides the heuristic used to determine whether to call permissions resetting code (in other words, can resetting be forced by supplying an MSI property)
      • Should the MSI repair mode automatically imply that the permissions reset code is run

       

      This ticket is blocked on refactoring the 7 custom actions to a single PowerShell action in PA-2112

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              ethan Ethan Brown
              Reporter:
              ethan Ethan Brown
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:

                  Zendesk Support