https://github.com/autostructure/acl_posix
- Host: GitHub
- URL: https://github.com/autostructure/acl_posix
- Owner: autostructure
- Created: 2017-10-20T13:40:25.000Z (over 8 years ago)
- Default Branch: master
- Last Pushed: 2017-10-20T13:46:20.000Z (over 8 years ago)
- Last Synced: 2025-04-02T22:15:04.849Z (about 1 year ago)
- Language: Ruby
- Size: 57.6 KB
- Stars: 0
- Watchers: 2
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.org
- Contributing: CONTRIBUTING.md
README
#+TITLE: Acl module for Puppet
* Description
This is a module that was lifted nearly byte by byte from https://github.com/dobbymoodge/puppet-acl. We needed the functionality, but its
name conflicted with the approved acl module for Windows.
This plugin module provides a way to set POSIX 1.e (and other standards) file ACLs via Puppet.
* Usage:
- The =Acl= resource =title= is used as the path specifier.
- ACLs are specified in the =permission= property as an array of strings in the same format that =setfacl= accepts.
- The =action= parameter can be one of =set=, =exact=, =unset= or =purge=. These are described in detail below.
- The =provider= parameter allows a choice of filesystem ACL provider. Currently only POSIX 1.e is implemented.
- The =recursive= parameter applies the ACLs to all files under the specified path.
: acl { "/var/log/httpd":
:   action     => set,
:   permission => [
:     "user::rwx",
:     "group::---",
:     "mask::r-x",
:     "other::---",
:     "group:logview:r-x",
:     "default:user::rwx",
:     "default:group::---",
:     "default:mask::rwx",
:     "default:other::---",
:     "default:group:logview:r-x",
:   ],
:   provider   => posixacl,
:   require    => [
:     Group["logview"],
:     Package["httpd"],
:     Mount["/var"],
:   ],
:   recursive  => false,
: }
** Using action => set:
The =set= option for the =action= parameter allows you to specify a minimal set of ACLs which will be guaranteed by Puppet. ACLs applied to the path which do not match those specified in the =permission= property will remain unchanged.
*** Initial permissions:
: # file /var/www/site1
: user::rwx
: group::r-x
: other::r-x
: mask::rwx
: group:webadmin:r-x
: group:httpadmin:rwx
*** Specified acls:
: permission => [
:   'user::rwx',
:   'group::r-x',
:   'other::r-x',
:   'mask::rwx',
:   'group:webadmin:rwx',
:   'user:apache:rwx',
: ],
*** Updated permissions:
: # file /var/www/site1
: user::rwx
: group::r-x
: other::r-x
: mask::rwx
: user:apache:rwx
: group:webadmin:rwx
: group:httpadmin:rwx
** Using action => exact:
The =exact= option for the =action= parameter will specify the exact set of ACLs guaranteed and enforced by Puppet. ACLs applied to the path which do not match those specified in the =permission= property will be removed.
*** Initial permissions:
: # file /var/www/site1
: user::rwx
: group::r-x
: other::r-x
: mask::rwx
: group:webadmin:r-x
: group:httpadmin:rwx
*** Specified acls:
: permission => [
:   'user::rwx',
:   'group::r-x',
:   'other::r-x',
:   'mask::rwx',
:   'group:webadmin:r--',
:   'user:apache:rwx',
: ],
*** Updated permissions:
- group:httpadmin permission is removed
- user:apache permission is added
- group:webadmin permission is updated
: # file /var/www/site1
: user::rwx
: group::r-x
: other::r-x
: mask::rwx
: group:webadmin:r--
: user:apache:rwx
** Using action => unset:
The =unset= option for the =action= parameter will specify the set of ACLs guaranteed by Puppet to NOT be applied to the path. ACLs applied to the path which match those specified in the =permission= property will be removed. ACLs applied to the path which do not match those specified in the =permission= property will remain unchanged.
*** Initial permissions:
: # file /var/www/site1
: user::rwx
: group::r-x
: other::r-x
: mask::rwx
: group:webadmin:r-x
: group:httpadmin:rwx
*** Specified acls:
: permission => [
:   'user::rwx',
:   'group::r-x',
:   'other::r-x',
:   'mask::rwx',
:   'group:webadmin:r--',
:   'user:apache:rwx',
: ],
*** Updated permissions:
: # file /var/www/site1
: user::rwx
: group::r-x
: other::r-x
: mask::rwx
: group:httpadmin:rwx
** Using action => purge:
The =purge= option for the =action= parameter will cause Puppet to remove any file ACLs applied to the path.
NOTE: Although the =permission= property is unused for this action, it needs to have a valid ACL value for the action to work. This is a known issue.
*** Initial permissions:
: # file /var/www/site1
: user::rwx
: group::r-x
: other::r-x
: mask::rwx
: group:webadmin:r-x
: group:httpadmin:rwx
*** Specified acls:
See above
: permission => [
:   'user::rwx',
:   'group::r-x',
:   'other::r-x',
:   'mask::rwx',
:   'group:webadmin:r--',
:   'user:apache:rwx',
: ],
*** Updated permissions:
- All file ACLs are removed
: # file /var/www/site1
: user::rwx
: group::r-x
: other::r-x
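The four =action= values above differ only in which existing entries they keep, replace or drop. The Ruby below is an added example written for this README, not the module's provider code: it models those rules over =setfacl=-style entry strings so the outcome of a =permission= list can be checked against the current ACL without root or a real filesystem. The function and struct names (=apply_acl=, =parse_entry=, =Entry=) are this example's own, and the sample entry lists are constructed from the examples in the sections above.

```ruby
# Added example: a model of the set / exact / unset / purge semantics this
# README documents. Not the module's own code; names are illustrative.

Entry = Struct.new(:default, :type, :qualifier, :perms) do
  # Identity of an entry is everything except its permission bits.
  def key
    [default, type, qualifier]
  end

  # Named users/groups are the "extended" entries; user::, group::, other::
  # and mask:: are not.
  def named?
    !qualifier.empty?
  end

  def to_s
    "#{default ? 'default:' : ''}#{type}:#{qualifier}:#{perms}"
  end
end

# "default:group:logview:r-x" -> Entry(true, "group", "logview", "r-x")
def parse_entry(str)
  default = str.start_with?('default:')
  body = default ? str.sub('default:', '') : str
  type, qualifier, perms = body.split(':', 3)
  Entry.new(default, type, qualifier, perms)
end

# current / wanted are arrays of setfacl-style strings; returns the resulting
# entry list as strings (order is not significant; getfacl sorts on output).
def apply_acl(action, current, wanted)
  cur  = current.map { |s| parse_entry(s) }
  want = wanted.map  { |s| parse_entry(s) }

  result =
    case action
    when :set
      # Requested entries are added or updated; everything else is untouched.
      merged = cur.map { |e| want.find { |w| w.key == e.key } || e }
      merged + want.reject { |w| cur.any? { |e| e.key == w.key } }
    when :exact
      # The requested list is the whole ACL.
      want
    when :unset
      # A named entry is dropped when its user/group appears in the request,
      # whatever permissions the request names; base and mask entries stay.
      cur.reject { |e| e.named? && want.any? { |w| w.key == e.key } }
    when :purge
      # All extended entries go, and the mask only exists alongside them.
      cur.reject { |e| e.named? || e.type == 'mask' || e.default }
    else
      raise ArgumentError, "unknown action #{action.inspect}"
    end

  result.map(&:to_s)
end

# Constructed inputs, taken from the worked examples in this README.
INITIAL_ACL = %w[user::rwx group::r-x other::r-x mask::rwx
                 group:webadmin:r-x group:httpadmin:rwx].freeze
SET_PERMISSION = %w[user::rwx group::r-x other::r-x mask::rwx
                    group:webadmin:rwx user:apache:rwx].freeze
OTHER_PERMISSION = %w[user::rwx group::r-x other::r-x mask::rwx
                      group:webadmin:r-- user:apache:rwx].freeze

if __FILE__ == $PROGRAM_NAME
  { set: SET_PERMISSION, exact: OTHER_PERMISSION,
    unset: OTHER_PERMISSION, purge: OTHER_PERMISSION }.each do |action, perm|
    puts "action => #{action}:"
    apply_acl(action, INITIAL_ACL, perm).each { |e| puts "  #{e}" }
  end
end
```

Running the file prints the post-change entry list for each action; the =unset= case is the one worth watching, because =group:webadmin:r--= removes the existing =group:webadmin:r-x= entry even though the permission bits differ.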
* Notes:
** Conflicts with "file" resource type:
If the path being modified is managed via the =File= resource type, the path's mode bits must match the value specified in the =permission= property of the ACL resource.
** Mask check:
The ACL setter doesn't recalculate the rights mask based on the user/group ACLs specified, so it is possible to specify ACLs on a file for which the kernel enforces a more restrictive set of rights, known as "effective rights". For example, with these =permission= parameters on a file =test=:
: permission => [
:   'user::rw-',
:   'group::---',
:   'mask::r--',
:   'other::---',
:   'user:apache:rwx',
:   'group:root:r-x',
:   'group:admin:rwx',
: ],
The output of =getfacl test= reveals a more restrictive set of effective rights, which might not be what was expected:
: # file: test
: # owner: root
: # group: root
: user::rw-
: group::---
: other::---
: mask::r--
: user:apache:rwx #effective:r--
: group:root:r-x #effective:r--
: group:admin:rwx #effective:r--
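Because the module applies the =mask= entry exactly as written, the check a practitioner wants is to compute effective rights from a =permission= list before it is applied. The Ruby below is an added example for this README, not part of the module: it applies the POSIX 1.e rule that the mask constrains the owning group and every named user or group (never =user::= or =other::=), flags entries the mask clips, and reports the mask =setfacl= would have calculated (the union of the masked entries' rights). The names =mask_report=, =perms_to_bits= and =bits_to_perms= are this example's own, and =MASK_EXAMPLE= is the entry list from the note above.

```ruby
# Added example: effective-rights check for a permission list. Not the
# module's code; it only reproduces the POSIX 1.e mask rule.

PERM_BITS = { 'r' => 4, 'w' => 2, 'x' => 1 }.freeze

# "r-x" -> 5
def perms_to_bits(perms)
  perms.chars.sum { |c| PERM_BITS.fetch(c, 0) }
end

# 5 -> "r-x"
def bits_to_perms(bits)
  [['r', 4], ['w', 2], ['x', 1]].map { |c, b| (bits & b) != 0 ? c : '-' }.join
end

# Entries the mask constrains: the owning group, named users, named groups.
def masked?(type, qualifier)
  type == 'group' || (type == 'user' && !qualifier.empty?)
end

# permission: array of setfacl-style strings (default: entries are ignored
# here, since the mask under discussion is the access mask).
# Returns the mask in force, the mask setfacl would recalculate, and one
# hash per entry with its effective rights and whether the mask clipped it.
def mask_report(permission)
  entries = permission.reject { |e| e.start_with?('default:') }
                      .map { |e| e.split(':', 3) }

  mask_entry = entries.find { |t, q, _| t == 'mask' && q.empty? }
  mask = mask_entry ? perms_to_bits(mask_entry[2]) : 7 # no mask: nothing clipped

  report = entries.map do |type, qualifier, perms|
    bits = perms_to_bits(perms)
    eff  = masked?(type, qualifier) ? bits & mask : bits
    { entry: "#{type}:#{qualifier}:#{perms}",
      effective: bits_to_perms(eff),
      clipped: eff != bits }
  end

  # setfacl's default behaviour: mask = union of all masked entries' rights.
  needed = entries.select { |t, q, _| masked?(t, q) }
                  .map { |_, _, p| perms_to_bits(p) }
                  .reduce(0, :|)

  { mask: bits_to_perms(mask), recalculated_mask: bits_to_perms(needed), entries: report }
end

# Constructed input: the permission list from the "Mask check" note.
MASK_EXAMPLE = %w[user::rw- group::--- mask::r-- other::---
                  user:apache:rwx group:root:r-x group:admin:rwx].freeze

if __FILE__ == $PROGRAM_NAME
  rep = mask_report(MASK_EXAMPLE)
  rep[:entries].each do |e|
    line = e[:entry].ljust(24)
    puts e[:clipped] ? "#{line}#effective:#{e[:effective]}" : line
  end
  puts "mask in force: #{rep[:mask]}, setfacl would calculate: #{rep[:recalculated_mask]}"
end
```

Run against the example list, the report mirrors the =getfacl= output above: =user:apache=, =group:root= and =group:admin= are all clipped to =r--=, and a mask of =rwx= would be needed for the named entries to take effect as written.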