puppet-fooacl

Overview

Manage POSIX filesystem ACLs with Puppet.

Most (all?) other ACL modules implement a type which can be declared only once per file, which isn't flexible. This module takes the unusual approach of creating a single large concatenated script to manage all ACLs recursively in a single run. Ugly, yet very efficient and flexible since ACLs aren't tied to the file type in any way.

Features:

  • Set ACLs for the same path from different parts of your puppet manifests (flexible).
  • Set global ACL permissions to be applied for all paths managed by the module (flexible).
  • Automatic purging of ACLs on paths as long as at least one ACL is still being applied by the module (remove users easily and reliably).
  • Automatic setting of both normal and default ACLs to the same values (shortens declarations, increases code readability).

Limitations:

  • No purging once paths are no longer being managed by the module.
  • Any ACL change triggers re-applying all ACLs (fine for a few thousand files, but typically an issue for millions of files).

Module content:

  • fooacl: Class to start managing ACLs with the module (fooacl::conf automatically includes it).
  • fooacl::conf: Defined type that manages the ACL configuration for one or more paths.

Examples

A typical declaration from anywhere in your puppet manifests:

fooacl::conf { '/var/www/www.example.com':
  permissions => [
    'user:userA:rwX',
    'user:userB:rwX',
    'user:userX:r-X',
  ],
}

From anywhere else, you may set more ACLs for the same /var/www/www.example.com directory as long as you don't reuse the same $title (that would cause a duplicate declaration), so you would do:

fooacl::conf { 'www.example.com-other-team':
  target      => '/var/www/www.example.com',
  permissions => [
    'user:userC:rwX',
    'user:userY:r-X',
  ],
}

Parameter requirements:

  • If $target is not specified, $title must be the target.
  • If $target is specified, as a directory or an array of directories, $title is ignored (this allows working around duplicate declarations).
  • The special $title of 'default' will apply permissions to all directories managed by this module on the node. Useful for global access on certain nodes.

If you need to order some of your resources with the execution of the script contained in the module (e.g. refresh when you modify uid or gid values), use:

foo { 'bar':
  ...
  notify => Class['::fooacl'],
}

A more advanced example:

# Global webmasters
fooacl::conf { 'default':
  permissions => [
    'user:userA:rwX',
    'user:userB:rwX',
  ],
}
# Frontend website webmasters
fooacl::conf { 'frontend':
  target => [
    '/var/www/frontend.example.com',
    '/var/www/frontend.example.org',
  ],
  permissions => [
    'user:userX:rwX',
    'user:userY:rwX',
  ],
}
# Backend website webmasters
fooacl::conf { 'backend':
  target => [
    '/var/www/backend.example.com',
    '/var/www/backend.example.org',
  ],
  permissions => [
    'user:userZ:rwX',
  ],
}
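As an added illustration of the concatenated-script approach the README describes (this is not the module's own /usr/local/sbin/fooacl, which is not shown on this page), the bash below merges the global 'default' permissions with every declaration for a path, purges the existing extended entries, and applies each entry as both a normal and a default ACL. The DECLS layout, the function names and the FOOACL_NOOP variable are assumptions made for the example.

```shell
# Added illustration of the concatenated-script approach described above. It is
# not the module's own /usr/local/sbin/fooacl (not shown on this page); the
# DECLS layout and function names are assumptions made for the example.

# Constructed input, one line per fooacl::conf declaration: "<target>|<perms>".
# The 'default' target carries the global permissions; the last two lines show
# two declarations for the same path, as the README allows.
DECLS='default|user:userA:rwX,user:userB:rwX
/var/www/frontend.example.com|user:userX:rwX,user:userY:rwX
/var/www/frontend.example.org|user:userX:rwX,user:userY:rwX
/var/www/backend.example.com|user:userZ:rwX
/var/www/backend.example.com|user:userC:rwX'

# acl_spec TARGET: the comma-separated spec for setfacl -m, i.e. the global
# entries plus every entry declared for TARGET, de-duplicated, each one
# emitted as a normal and as a default: entry (same values for both).
acl_spec() {
  spec=
  for e in $(printf '%s\n' "$DECLS" \
      | awk -F'|' -v t="$1" '$1 == "default" || $1 == t { print $2 }' \
      | tr ',' '\n' | awk '!seen[$0]++'); do
    spec="${spec:+$spec,}$e,default:$e"
  done
  printf '%s\n' "$spec"
}

# managed_targets: every declared path except the 'default' pseudo-target.
managed_targets() {
  printf '%s\n' "$DECLS" | cut -d'|' -f1 | grep -v '^default$' | sort -u
}

# apply_all: one recursive setfacl pass per target. -b purges the existing
# extended entries first, so a user removed from the manifests disappears;
# -m then installs the merged spec and lets setfacl recompute the mask.
# With FOOACL_NOOP=1 the commands are only printed (the README's fooacl_noop).
apply_all() {
  for t in $(managed_targets); do
    if [ "${FOOACL_NOOP:-0}" = 1 ]; then
      printf 'setfacl -R -b -m %s %s\n' "$(acl_spec "$t")" "$t"
    else
      setfacl -R -b -m "$(acl_spec "$t")" "$t"
    fi
  done
}
```

Because the whole ACL set is recomputed on every run, a change to any one declaration rewrites every managed path, which is the limitation the README notes for millions of files.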

Debugging

You can set the module's fooacl_noop parameter globally using Hiera:

---
fooacl::fooacl_noop: true

After which the /usr/local/sbin/fooacl script will still be updated but won't be run automatically.

puppet-fooacl's Issues

Compatible with OpenSuse

Hi,
I would like to know whether it is compatible or not with OpenSuse; since this is a standard POSIX system, I guess it will work.

Consider integrating into Puppetlabs-acl?

I've been following this since you mentioned it on the puppet-users/puppet-dev mailing groups last year, and considerable thought was put into the design of the acl module (especially allowing multiple acl resources to target the same path) to allow it to work with POSIX ACLs; it just doesn't have anything built into it yet. The ticket is https://tickets.puppetlabs.com/browse/MODULES-962.

The module is https://github.com/puppetlabs/puppetlabs-acl - I'm sure there are things that have possibly been baked in that have been pushed too high (to the type versus left down at the provider) that would need to be fixed.

I like that you have set target as an array. That could potentially be a way to go for acl as well.

I'd like to get your thoughts on design changes that would be required and if you would be interested in integrating to an acl that is a type with providers.

Puppet run must set the configured ACLs in any case.

When we make a manual change to the ACLs after a puppet run (for testing or so) and want to set them back to the desired state with another puppet run, the refresh-only exec:

 exec { '/usr/local/sbin/fooacl':
    refreshonly => true,
 }

makes it impossible to do so, since the script file didn't change.

Modulefile Dependency on puppetlabs' concat breaks librarian-puppet

Librarian puppet queries this URL:

http://forge.puppetlabs.com/api/v1/releases.json?module=puppetlabs-concat

Response of:

{"error":"Parameter module (\"puppetlabs-concat\") did not match /\\A[a-zA-Z0-9]+\\/[a-zA-Z0-9_]+\\Z/"}

I believe the fix is to change the Modulefile dependency to:

puppetlabs/concat

Which does respond with:

{"puppetlabs/concat":[{"file":"/system/releases/p/puppetlabs/puppetlabs-concat-1.0.0-rc1.tar.gz","version":"1.0.0-rc1","dependencies":[]},{"file":"/system/releases/p/puppetlabs/puppetlabs-concat-1.0.0.tar.gz","version":"1.0.0","dependencies":[]},{"file":"/system/releases/p/puppetlabs/puppetlabs-concat-1.0.1.tar.gz","version":"1.0.1","dependencies":[]},{"file":"/system/releases/p/puppetlabs/puppetlabs-concat-1.0.2.tar.gz","version":"1.0.2","dependencies":[]},{"file":"/system/releases/p/puppetlabs/puppetlabs-concat-1.1.0-rc1.tar.gz","version":"1.1.0-rc1","dependencies":[["puppetlabs/stdlib",">= 3.0.0"]]}],"puppetlabs/stdlib":[{"file":"/system/releases/p/puppetlabs/puppetlabs-stdlib-3.0.0.tar.gz","version":"3.0.0","dependencies":[]},{"file":"/system/releases/p/puppetlabs/puppetlabs-stdlib-3.0.1.tar.gz","version":"3.0.1","dependencies":[]},{"file":"/system/releases/p/puppetlabs/puppetlabs-stdlib-3.1.0.tar.gz","version":"3.1.0","dependencies":[]},{"file":"/system/releases/p/puppetlabs/puppetlabs-stdlib-3.1.1.tar.gz","version":"3.1.1","dependencies":[]},{"file":"/system/releases/p/puppetlabs/puppetlabs-stdlib-3.2.0.tar.gz","version":"3.2.0","dependencies":[]},{"file":"/system/releases/p/puppetlabs/puppetlabs-stdlib-3.2.1.tar.gz","version":"3.2.1","dependencies":[]},{"file":"/system/releases/p/puppetlabs/puppetlabs-stdlib-4.1.0.tar.gz","version":"4.1.0","dependencies":[]}]}

failed to parse 20.erb

New to puppet so this could be simple -- I missed something obvious...

Downloaded fooacl as a tarball, untarred it and renamed it to fooacl in my modulepath.

Touched /tmp/foobar as a test file on the puppet agent system.

Used puppet module generate to create a module named try.
init.pp:

 class try {
   include fooacl
   fooacl::conf { "/tmp/foobar":
     permissions => [
       'user::splunk:r--',
     ],
   }
 }

Included try in the test node in site.pp.

Got the following error:

Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Failed to parse template fooacl/20.erb:
Filepath: /etc/puppetlabs/puppet/environments/dsade/modules/fooacl/templates/20.erb
Line: 1
Detail: undefined method `each' for "/tmp/foobar":String
at /etc/puppetlabs/puppet/environments/dsade/modules/fooacl/manifests/conf.pp:16 on node ess0840x.dre.dev.int
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run

Fooacl dependency upon BASH version

Associative arrays were introduced to bash in version 4. Red Hat 5 includes Bash 3.X without associative arrays, so the /usr/local/sbin/fooacl script, which uses declare -A ACLOPTS, fails with "invalid option -A".

[root sbin]# bash fooacl
fooacl: line 7: declare: -A: invalid option
declare: usage: declare [-afFirtx] [-p] [name[=value] ...]

bash --version
GNU bash, version 3.2.25(1)-release (x86_64-redhat-linux-gnu)

Hiera Support

Hi,

Thanks for the module. I thought it would be nice to have Hiera support. Would you mind implementing it?

Cheers,
Cem

Warning: noop is a metaparam

This module throws a warning when including init.pp:

Warning: noop is a metaparam; 
this value will inherit to all contained resources in the fooacl definition

Perhaps the $noop variable needs to be renamed?

Please add "set -x" to /usr/local/sbin/fooacl to catch errors

Hi

I found your fooacl puppet module very useful.

I managed, however, to add an illegal value in my permissions, which was not caught.

Therefore please add, as a second line after #!/bin/bash,

set -e

to make the script return with an error if one command fails.

File "mode" and "ACL" clash

If I create a directory with mode 0711 then grant a group access to the directory with an ACL, it all seems fine till the next puppet run, when puppet detects that the permissions are 0771 and changes them back to 0711, which creates a "mask" on the ACL... which "fooacl" doesn't detect.

$ getfacl var
# file: var
# owner: magento
# group: magento
user::rwx
group::---
group:apache:rwx        #effective:--x
group:magento:rwx       #effective:--x
mask::--x
other::--x
default:user::rwx
default:group::---
default:group:apache:rwx
default:group:magento:rwx
default:mask::rwx
default:other::--x

This makes for a very bad day, and might illustrate why this functionality needs to be implemented as part of the "file" type? I am not sure what to do to resolve this. As a workaround, I am going to set mode => undef, but that is not really a "good" solution.
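The clash described in this issue can be checked for mechanically. The following is an added example, not code from the issue or the module: it parses getfacl output (the sample is constructed from the output quoted above) and recomputes which named entries are being cut by mask::, then shows which octal mode a Puppet file resource would have to manage so that its chmod leaves that mask alone. Function names are assumptions made for the example.

```shell
# Added example, not code from the issue or the module: spot the mask clash
# described above from getfacl output, and compute the file mode Puppet must
# manage so that its chmod no longer shrinks the mask.

# Constructed sample: the access and default entries quoted in the issue.
SAMPLE='# file: var
user::rwx
group::---
group:apache:rwx        #effective:--x
group:magento:rwx       #effective:--x
mask::--x
other::--x
default:user::rwx
default:group::---
default:group:apache:rwx
default:group:magento:rwx
default:mask::rwx
default:other::--x'

# masked_entries GETFACL_OUTPUT: one "<entry> effective=<perms>" line per
# access entry whose rights are cut by mask::. Recomputed from the entry and
# the mask, not taken from the "#effective:" comments getfacl prints.
masked_entries() {
  printf '%s\n' "$1" | awk '
    /^#/ || /^default:/ { next }
    { sub(/[[:space:]]+#effective:.*$/, "") }
    /^mask::/ { split($0, m, ":"); mask = m[3]; next }
    /^(user|group):[^:]+:/ { named[++n] = $0 }
    END {
      for (i = 1; i <= n; i++) {
        split(named[i], f, ":"); perms = f[3]; eff = ""
        for (j = 1; j <= 3; j++) {
          p = substr(perms, j, 1)
          eff = eff (p == substr(mask, j, 1) ? p : "-")
        }
        if (eff != perms) printf "%s effective=%s\n", named[i], eff
      }
    }'
}

# mode_with_mask MODE MASK: once named ACL entries exist, the group bits of
# the mode ARE the mask, so a Puppet file { mode => } has to carry the mask in
# that position. mode_with_mask 0711 rwx -> 0771 (mode 0711 gave mask::--x).
mode_with_mask() {
  mask=$2 bits=0
  case $mask in *r*) bits=$((bits | 4));; esac
  case $mask in *w*) bits=$((bits | 2));; esac
  case $mask in *x*) bits=$((bits | 1));; esac
  printf '%04o\n' $(( (0$1 & ~0070) | (bits << 3) ))
}
```

Running masked_entries over a real tree (for example getfacl -R piped in per file) after each Puppet run is a cheap way to catch the silent downgrade this issue describes; mode_with_mask gives the value to put in the file resource instead of mode => undef.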
