For a Desired State Configuration File resource, why does Credential work, and PsDscRunAsCredential does not?
I'm trying to learn how to use credentials with PowerShell Desired State Configuration, but I can't quite understand the difference between a resource's Credential and PsDscRunAsCredential properties.
As a simple test case, I'm trying to copy a folder and its contents from a file share to a local folder on the target node. The target node's computer account has no access to the share, so I supply a credential that does. If I assign the credential to the File resource's Credential property, it works. If I use the PsDscRunAsCredential property, I get an "access is denied" error when it tries to access the file share.
Configuration FileWithCredential {
    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Node $AllNodes.NodeName {
        # copy files from a file share to a new folder on the target node
        File CopyFileShareFolder {
            Ensure          = 'Present'
            Type            = 'Directory'
            Recurse         = $true
            SourcePath      = '\\fileshare\folder\subfolder\stuff_I_want_to_copy'
            DestinationPath = 'c:\ps\DSC\filesharedestination'
            # If I use Credential instead of PsDscRunAsCredential, it works
            # Credential = Get-Credential -UserName ourdomain\myaccout -Message 'Enter Password'
            PsDscRunAsCredential = Get-Credential -UserName ourdomain\myaccout -Message 'Enter Password'
        }
    }
}
$ConfigData = @{
    AllNodes = @(
        @{
            NodeName                    = 'target-server'
            PsDscAllowDomainUser        = $true
            PsDscAllowPlainTextPassword = $true
        }
    )
}
I'm compiling the MOF on a Windows 10 machine and pushing the configuration to a Server 2016 machine. Both are running PowerShell 5.1.
PS C:\Users\me\Documents\pscode\dsc_test2> FileWithCredential -ConfigurationData $ConfigData
PS C:\Users\me\Documents\pscode\dsc_test2> Start-DscConfiguration .\FileWithCredential\ -Verbose -Wait -Force
I know PsDscRunAsCredential is newer, and I assume there is a reason to prefer it over the older Credential, but I can't figure out what the real difference is. Are they basically interchangeable? If not, what am I missing to make the "run as" credential work?
Note: I'm aware of the security risk of allowing plain-text passwords, but right now I just want to understand how to pass credentials and make sure they work. Learning how to do that securely is next on my list.
See the ConfigData Credentials article, specifically:
DSC configuration resources run as Local System by default. However, some resources need a credential, for example when the Package resource needs to install software under a specific user account.
Earlier resources used a hard-coded Credential property name to handle this. WMF 5.0 added an automatic PsDscRunAsCredential property for all resources. For information about using PsDscRunAsCredential, see Running DSC with user credentials. Newer resources and custom resources can use this automatic property instead of creating their own property for credentials.
Looks like my hunch was right; turning my comment into an answer:
I just had a thought: the File resource is.. somewhat special. It's one of the only resources implemented as binary. It has some strange quirks like not returning a ModuleName when you run Get-DscResource. Maybe it's implemented in a way that the LCM cannot change its context. It would be interesting to turn on debugging for DSC, then break into the debugger and check out your context, try to access the share and local file system, etc.
In testing, the File resource does not seem (for whatever reason) to support PsDscRunAsCredential correctly.
Here is a demonstration using Invoke-DscResource that compares File with Script; the owner of the resulting file differs.
For File, the owner is always SYSTEM.
With Script, when run without a credential the owner is SYSTEM (as expected), but when run with a credential the owner is different (in my case the owner becomes the local Administrators group, because the credential I supplied was a local administrator).
$cred = Get-Credential
$module = 'PsDesiredStateConfiguration'
# properties for the File resource
$fprop = @{
    DestinationPath = "$env:USERPROFILE\delme.txt"
    Contents        = "Hello"
}
# properties for the Script resource that writes the same file
$sprop = @{
    GetScript  = { @{} }
    TestScript = { $false }
    SetScript  = [ScriptBlock]::Create("'Hello'|sc '$env:USERPROFILE\delme.txt'")
}
$cprop = @{ PsDscRunAsCredential = $cred }
# print the owner of the file that was created, then delete it for the next run
function Assert-FileTest { Get-Item -LiteralPath $fprop.DestinationPath | % { $_.GetAccessControl().Owner | Write-Verbose -Verbose ; $_ } | Remove-Item -Force }

Invoke-DscResource -Name File -ModuleName $module -Method Set -Property $fprop -Verbose
Assert-FileTest
Invoke-DscResource -Name File -ModuleName $module -Method Set -Property ($fprop + $cprop) -Verbose
Assert-FileTest
Invoke-DscResource -Name Script -ModuleName $module -Method Set -Property $sprop -Verbose
Assert-FileTest
Invoke-DscResource -Name Script -ModuleName $module -Method Set -Property ($sprop + $cprop) -Verbose
Assert-FileTest
@briantist is correct that File is a special resource... it is implemented in C++ as a WMI resource. The other in-the-box resources are implemented in PowerShell (except Log, which is implemented inside the DSC engine itself).
WMI resources never caught on, and File is the only resource implemented that way.
PsDscRunAsCredential is implemented for PowerShell resources but not for WMI resources. That's why it doesn't work for File.
Also, File's Credential property is more limited than PsDscRunAsCredential: it is only used to access files on the network share.
I'll follow up on adding this information to our docs. Thanks for pointing this out.
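Putting the answers together, here is an added example configuration (not from the question or any of the answers) that uses Credential on the File resource for the share and PsDscRunAsCredential on a Script resource, which records the identity it actually runs under so the difference can be verified on the target node. The share path, the certificate file path and the thumbprint are placeholders, and it assumes the target node's LCM already has CertificateID set for the certificate used to encrypt the credentials.

```powershell
Configuration FileAndRunAsDemo {
    param(
        [Parameter(Mandatory)] [PSCredential] $ShareCred,   # account that can read the share
        [Parameter(Mandatory)] [PSCredential] $RunAsCred    # account the Script resource runs as
    )
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node $AllNodes.NodeName {
        # File is the WMI (C++) resource, so PsDscRunAsCredential is ignored;
        # Credential only authenticates to the network source path.
        File CopyFromShare {
            Ensure          = 'Present'
            Type            = 'Directory'
            Recurse         = $true
            SourcePath      = '\\fileshare\folder\stuff'   # placeholder share
            DestinationPath = 'C:\DSC\filesharedestination'
            Credential      = $ShareCred
        }

        # Script is a PowerShell resource, so PsDscRunAsCredential changes the
        # identity its blocks run under. Record that identity to verify it.
        Script RecordRunAsIdentity {
            GetScript  = { @{ Result = (Get-Content 'C:\DSC\runas-identity.txt' -ErrorAction SilentlyContinue) } }
            TestScript = { $false }   # always run SetScript so the record is refreshed
            SetScript  = {
                $who = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
                Set-Content -Path 'C:\DSC\runas-identity.txt' -Value $who
            }
            PsDscRunAsCredential = $RunAsCred
            DependsOn            = '[File]CopyFromShare'   # C:\DSC exists by then
        }
    }
}

# Encrypt the credentials in the MOF with the target node's DSC certificate
# instead of PsDscAllowPlainTextPassword = $true (placeholder cert values).
$ConfigData = @{
    AllNodes = @(
        @{
            NodeName             = 'target-server'
            PsDscAllowDomainUser = $true
            CertificateFile      = 'C:\publicKeys\target-server.cer'
            Thumbprint           = '<thumbprint-of-target-server-certificate>'
        }
    )
}

FileAndRunAsDemo -ConfigurationData $ConfigData -ShareCred (Get-Credential -Message 'Share account') -RunAsCred (Get-Credential -Message 'Run-as account')
Start-DscConfiguration -Path .\FileAndRunAsDemo -Wait -Verbose -Force
Get-Content 'C:\DSC\runas-identity.txt'   # expect the run-as account, not NT AUTHORITY\SYSTEM
```

If the recorded identity is still NT AUTHORITY\SYSTEM, the resource ran without the run-as context, which is exactly what the answers describe for the WMI-based File resource.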