search

PowerShell / DSC

This repo is for the DSC v3 project
MIT License
142 stars 22 forks source link

Annotation on a DSC Resource regarding elevation requirements #316

Closed denelon closed 4 months ago

denelon commented 5 months ago

Summary of the new feature / enhancement

I would like to be able to "inspect" a DSC resource and have it provide information regarding elevation requirements.

WinGet package manifests have a concept of "elevationRequired", "elevationProhibited", and "elevatesSelf".

This kind of annotation or property would help orchestrators or commands calling resources understand based on the context they are being called in (system, user, elevated user) to know if the resource should work or fail before calling them.

It would also help when building tooling to generate a configuration file to appropriately decorate the configuration file as to the elevation requirements for those resources.

Proposed technical implementation details (optional)

No response

denelon commented 5 months ago

Ideally, this would be supported for both DSC v2 PowerShell Class based resources and DSC v3 resources.

michaeltlombardi commented 5 months ago

A few approaches spring to mind for DSCv3 resources, all in the resource manifest:

  1. Add an elevation property to the top-level of the manifest, with the enum values default, prohibited, required, and self - the expectation here is that the resource executes according to this setting, regardless of the operation. So if a resource is defined with "elevation": "required", it must be run elevated for get, test, and set operations. If the property isn't specified, the resource is interpreted as having a value of default.
  2. Add the same property to the command/operation sections of the manifest. In this case, the property applies only to that operation. Setting elevation for set has no effect on whether elevation is required or prohibited for get.

I think it would be possible to support both, but only one in a manifest - if the top-level elevation is set it should be prohibited in the operation properties and vice versa.

I don't see a way to do this for existing PSDSC resources, short of introducing a new attribute (like DscElevation()) or a not-required method, like GetElevationInfo(). It can't be worked backwards into the existing DscResource() attribute as far as I know.

SteveL-MSFT commented 4 months ago

Fixed via https://github.com/PowerShell/DSC/pull/351