voxpupuli / puppet-posix_acl Goto Github PK
View Code? Open in Web Editor NEWThis project forked from pdrakeweb/puppet-acl
A puppet module for POSIX ACLs
Home Page: https://forge.puppet.com/puppet/posix_acl
License: Apache License 2.0
This project forked from pdrakeweb/puppet-acl
A puppet module for POSIX ACLs
Home Page: https://forge.puppet.com/puppet/posix_acl
License: Apache License 2.0
test.pp:
'/etc/test/foo.pp':
ensure => present,
}
file{
'/etc/test':
ensure => directory,
}
acl {
'/etc/test':
action => set,
permission => ["group:root:r-x"],
recursive => true,
recursemode => deep,
}
Result:
# /opt/puppetlabs/bin/puppet apply foo.pp
Notice: Compiled catalog for example.com in environment production in 0.14 seconds
Error: Failed to apply catalog: Execution of '/usr/bin/getfacl --absolute-names --no-effective /etc/test/foo.pp' returned 1: getfacl: /etc/test/foo.pp: No such file or directory
I'm trying to ensure a subset of ACLs on a file using the set command. Here's an example of what I'm doing.
file { "/some/example_dir":
ensure => directory,
group => $owning_group,
mode => '0770',
} ->
posix_acl { "/some/example_dir":
action => set,
provider => posixacl,
permission => ["group:${co_owning_group}:r-x",'user:${special_user}:r-x'],
recursive => false,
}
I get a continuous corrective change that says the permissions will be changed from:
"group::rwx", "group:co_owning_group:r-x", "mask::rwx", "other::---", "user::rwx", "user:special_user:r-x"
to
"group:co_owning_group:r-x", "user:special_user:r-x"
I would expect that the ACLs would be overlayed, and further runs would not produce a need for puppet to do a corrective change.
This is the way the module functioned under release 0.1.1. It would simply overlay the permissions and any existing permissions would not be taken into consideration. This seems to be inline with the description of how the set
function is supposed to work (as opposed to the exact
function.)
This issue seems to be slightly different from the one opened by @Bouke
I'm perfectly fine with the way the permissions are getting set. It just seems to be a slight issue with the Puppet logic that evaluates whether or not a corrective changes is needed.
Hello!
I think it would be easy to add Solais OS support just by taking car of some issues related with getfacl and setfacl specific commands in that OS.
For example, getfacl command under Solaris does not support --absolute-names neither --no-efective arguments.
Is there any chance that you fix this problem. Could I collaborate somehow?
Kind Regards,
Raúl
Do you think a version release would be possible soon?
The latest version 0.1.1 dates back to Oct 14, 2018.
We are interested particularly in #66 as well as #65.
When given getfacl /home/ss/ff/app/EXTRACT_* this works when run on the linux server . But the module is not able to support this , it gives path cannot be found
Hi
I have this directory with the following permissions:
ls -l /backup2
total 0
-rw-r--r--. 1 root root 0 ago 2 15:40 file0
drwx------. 2 postgres postgres 19 ago 2 15:40 test1
drwx------. 2 root root 6 ago 2 15:39 test2
posix_acl { "/backup2":
action => set,
permission => [
'user:syncuser:rwX',
'mask::rwX',
],
recursive => true,
}
File /backup2/file0 is executable
getfacl file0
# file: file0
# owner: root
# group: root
user::rw-
user:syncuser:rwx
group::r--
mask::rwx
other::r--
File /backup2/file0 is not executable.
I would expect every file inside /backup2 to be not executable and every dir inside /backup executable.
getfacl file0
# file: file0
# owner: root
# group: root
user::rw-
user:syncuser:rw-
group::r--
mask::rw-
other::r--
Executing: '/usr/bin/setfacl -R -n -m user:syncuser:rwx /backup2'
Executing: '/usr/bin/setfacl -R -n -m mask::rwx /backup2'
If I run setfacl -n -R -m u:syncuser:rwX /backup2
and setfacl -n -R -m m::rwX /backup2
manually the result is the expected one with file0 being not executable
We are using the posix_acl module on some Oracle Linux 7 Servers.
Oracle Linux is binary compatible to RedHat Enterprise Linux or CentOS.
When i start puppet, i get the following warning message from posix_acl module:
Info: Using configured environment 'XXXX' Info: Retrieving pluginfacts Info: Retrieving plugin Info: Retrieving locales Info: Loading facts Warning: Found multiple default providers for posix_acl: genericacl, posixacl; using genericacl Info: Caching catalog for XXXX Info: Applying configuration version '1623935894' Notice: Applied catalog in 19.77 seconds
I also set the correct provider in the puppet code where i wanna use posix_acl:
posix_acl { 'XXX': provider => posixacl, action => set, permission => [ "XXX" ], require => [ User['XXX'], ], recursive => true, }
How can i resolve this warning about the multiple default providers and force the module to use posic_acl?
Or can this warning be ignored cause i set the correct provider within the puppet code?
Maybe also a bug with using posix_acl on a Oracle Linux Machine.
Thanks in advance!
Running Puppet over a list of permissions causes setfacl to run on a for loop through every permission in the list,
this is extremely inefficient, specially with very large sets of folders
Example code
-> posix_acl { "${install_root}/accounts":
action => set,
permission => [
'group:engr:r-X',
'group:cs:r-X',
'default:group:engr:r-X',
'default:group:cs:r-X'
],
recursive => true,
}
This results in
/usr/bin/setfacl -R -n -m default:group:cs:r-X /data/accounts
/usr/bin/setfacl -R -n -m default:group:engr:r-X /data/accounts
/usr/bin/setfacl -R -n -m group:cs:r-X /data/accounts
/usr/bin/setfacl -R -n -m group:engr:r-X /data/accounts
Instead the proper and 4x faster run would be
/usr/bin/setfacl -R -n -m group:cs:r-X -m group:engr:r-X -m group:ops:r-X -m default:group:ops:r-X -m default:group:engr:r-X -m default:group:cs:r-X /data/accounts/
Is there any way to change this behavior? We have very large filesystem data sets and this method causes puppet timeout failures
FYI there was already a module that used acl as its folder name: puppetlabs/acl
That module is needed for managing perms on Windows so this is creating a conflict when both Linux and Windows nodes are managed by the same puppetmaster.
The introduction of FrozenStringLiteral made yesterday (2022-01-20) to comply with Rubocop defaults causes Puppet catalog compilation errors.
class acl_testing_class {
file { '/var/log/acl_test':
ensure => directory,
}
posix_acl { '/var/log/acl_test':
action => set,
permission => [
'user::rwx',
'group::rwx',
'other::rwx',
'default:user::rwx',
'default:group::rw-',
'default:other::rw-',
],
provider => posixacl,
recursive => false,
}
}
Errors during catalog compilation
Successfully compilation of catalog
Failed to apply catalog: Parameter permission failed on Posix_acl[/var/log/acl_test]: Munging failed for value "default:user::rwx" in class permission: can't modify frozen String (file: /etc/puppetlabs/code/environments/production/modules/service_module/manifests/init.pp, line: 56)
When reverting back to commit af9fdf8 , the module works again
At a first glance, it should not be a problem to run this on Ubuntu 18.04 and above.
Is it just missing a metadata.json
entry?
My example:
posix_acl { "filename":
action => set,
permission => [
'user:2001:r--',
'user:2002:r--',
],
}
Results in:
Notice: /Stage[main]/Stunnel/Posix_acl/permission: current_value ["group::r--", "other::---", "user::rw-","user:phil:r--", "user:bob:r--"], should be ["user:2001:r--", "user:2002:r--"]
phil is user 2001, bob is user 2002. Puppet wants to re-apply this every time the code is run. (I know, silly example, why would you do that? but I have a use case for which this would be useful.)
The check will always fail because the check is made against the resolved usernames not the userIDs (and as an aside the check seems to be made against the complete getfacl output not the specific lines, but that's the gist of the other Issue linked). The code should check if a line match is found based on /either/ numerical id /or/ username.
This is a side-issue from the add this is linked to, and seems to be a separate case worthy of separate consideration, IMO.
Originally posted by @matt-matt2 in #58 (comment)
include posix_acl::requirements
user { 'blub':
ensure => 'present',
}
file { '/opt/test':
ensure => directory,
owner => root,
group => root,
mode => '2770',
}
-> posix_acl { '/opt/test':
action => exact,
permission => [
'user::rwx',
'group::rwx',
'mask::rwx',
'other::---',
'user:blub:r-x',
'user:blub2:r-x',
],
provider => posixacl,
recursive => false,
require => User['blub'],
}
let's say we've a posix_acl that sets an ACL for blub. Maybe in the future you want to allow user blub2 but deny user blub:
include posix_acl::requirements
user { ['blub', 'blub2']:
ensure => 'present',
}
file { '/opt/test':
ensure => directory,
owner => root,
group => root,
mode => '2770',
}
-> posix_acl { '/opt/test':
action => exact,
permission => [
'user::rwx',
'group::rwx',
'mask::rwx',
'other::---',
'user:blub2:r-x',
],
provider => posixacl,
recursive => false,
require => User['blub2'],
}
Puppet will fail to remove the 'user:blub:r-x',
ACL. #109 Has a test to reproduce this. #108 has a fix for this.
942e335 causes an error occurring on the puppetserver-side for me. Probably a compatibility issue as I'm still stuck to Puppet5 (v5.3.11
).
puppetserver | 2020-01-22 15:08:23,502 ERROR [qtp661065012-23] [puppetserver] Puppet Evaluation Error: Error while evaluating a Virtual Query, Could not autoload puppet/type/posix_acl: /etc/puppetlabs/puppet/modules/posix_acl/lib/puppet/type/posix_acl.rb:82: unknown type of %string
puppetserver | %i[posix_acl file].each do |autorequire_type|
puppetserver | ^ (file: /data/puppet-modules/production/current/puppet-modules/local-modules/monitoring/manifests/init.pp, line: 56, column: 6) on node host.example.com
Currently, the Acl
type only operates on files and directories that exist. This means that a matching File
resource is needed to guarantee that the Acl
resource requirements are met. This also means that the mode
property for the File
resource must match the three base entries in the Acl
permission
property. See: https://github.com/dobbymoodge/puppet-acl#conflicts-with-file-resource-type
I propose that the Acl
type be modified to extend the File
type, so that all the properties available in the File
type are exposed or overridden by the Acl
type. I think this should be straightforward, but some properties may conflict (i.e. the Acl {'permission'}
and File {'mode'}
properties). These need to be specifically addressed:
mode
property will not be exposed, and the values for the base entries in the Acl {'permission'}
property will be used internally to supply File {'mode'}
File {'recurselimit'}
property will need a matching, overriding implementation in the Acl
type.The README tab is not currently showing in puppet forge for this module. Would be handy for the README to display rather than the changelog.
posix_acl { '/var/opt/rh/rh-haproxy18/lib/haproxy/stats':
action => set,
permission => [
"user:zabbix:rw-",
],
require => [Package['rh-haproxy18']],
}
Notice: /Stage[main]/Profile::Monitoring::Load_balancer/Posix_acl[/var/opt/rh/rh-haproxy18/lib/haproxy/stats]/permission: permission changed '["group::---", "other::---", "user::rw-"]' to '["user:zabbix:rw-"]'
[root@lb03 ~]# getfacl /var/opt/rh/rh-haproxy18/lib/haproxy/stats
getfacl: Removing leading '/' from absolute path names
# file: var/opt/rh/rh-haproxy18/lib/haproxy/stats
# owner: haproxy
# group: haproxy
user::rw-
user:zabbix:rw- #effective:---
group::---
mask::---
other::---
[root@lb03 ~]# setfacl -m u:zabbix:rw /var/opt/rh/rh-haproxy18/lib/haproxy/stats
[root@lb03 ~]# getfacl /var/opt/rh/rh-haproxy18/lib/haproxy/stats
getfacl: Removing leading '/' from absolute path names
# file: var/opt/rh/rh-haproxy18/lib/haproxy/stats
# owner: haproxy
# group: haproxy
user::rw-
user:zabbix:rw-
group::---
mask::rw-
other::---
The documentation says that the "set" operation should leave existing permissions alone. However it still replaces the user/group/other permissions.
Hello,
Module is noted as compatible with Puppet >= 5.5.8 < 7.0.0 in the metadata.json.
Does the code needs some kind of rework to be compatible with Puppet < 8.0.0?
Regards,
I cannot find references to recursemode
(lazy, deep) option in README file, is it normal?
As far as I understand, setting it to "deep" is needed when top-level files/directories have correct rights, but other files have not.
Hi
It does not seem possible to do setfacl -R -m u:myuser:rwX myfolder
Any idea (except no-recurse/give all subfiles) ?
Best regards
Do you think the current Tag (from January) can be published to forge? Or is there a reason not to?
Currently v1.0.0 is the most up-to-date version and we'd love to pull it from forge (rather than from github).
v1.0.1 is available via https://forge.puppet.com/modules/puppet/posix_acl
posix_acl { '/mnt/test':
action => exact,
permission => [
'default:user::rwx',
'default:group::rwx',
'default:mask::rwx',
'default:other::---',
'user::rwx',
'group::rwx',
'mask::rwx',
'other::---',
"user:${ad_domain_short_caps}\\tmashos:rwx",
],
recursive => true,
require => Package['acl'],
}
Puppet tries to correct the ACL every time
Puppet doesn't change the ACL when it's correct
Notice: /Stage[main]/Profile::Mssql::Linux_server/Posix_acl[/mnt/test]/permission: permission changed ["default:group::rwx", "default:mask::rwx", "default:other::---", "default:user::rwx", "group::rwx", "mask::rwx", "other::---", "user::rwx", "user:HOSTING-US\134tmashos:rwx"] to ["default:group::rwx", "default:mask::rwx", "default:other::---", "default:user::rwx", "group::rwx", "mask::rwx", "other::---", "user::rwx", "user:HOSTING-US\tmashos:rwx"]
This is using a LDAP (Active Directory) user in an ACL called "HOSTING-US\tmashos". getfacl formats the \ as \134 so it doesn't match what is set it puppet when it's returned.
I would like to see 0.0.3 published to the forge, thanks :-)
posix_acl { '/var/log':
action => set,
permission => [
'user::rwx',
'group::r-x',
'other::---',
'mask::r-x',
'user:dd-agent:rx',
],
provider => posixacl,
recursive => true,
}
It only applies to /var/log
and not any subfiles
To recursively set all files within with the same permissions
Notice: /Stage[main]/Profile::Logs/Posix_acl[/var/log]/permission: permission changed ["group::r-x", "mask::r-x", "other::r-x", "user::rwx", "user:dd-agent:r-x"] to ["group::r-x", "mask::r-x", "other::---", "user::rwx", "user:dd-agent:r-x"]
# ls -la /var/log
total 758120
drwxr-x---+ 15 root root 4096 Aug 9 03:28 .
drwxr-xr-x. 19 root root 267 Sep 4 2018 ..
drwxr-x---+ 2 root root 232 Sep 4 2018 anaconda
drwx------+ 2 root root 99 Aug 9 17:01 audit
-rw-------+ 1 root root 0 Nov 29 2019 boot.log
...
Not even boot.log
was changed to new permissions
What do you think about moving puppet-acl to Vox Pupuli to get more people working on it, and get higher visibility plus better standards?
They appear to work but I get a warning bellow unless all the acl's are in long form.
Notice: /Stage[main]/Srv/Acl[/srv/]/permission: permission changed 'default:group::r-x,default:other::--x,default:user::rwx,group::r-x,other::--x,user::rwx' to 'u::rwx,g::r-x,o::--x,d:u::rwx,d:g::r-x,d:o::--x'
It would be nice to be able to use d:u::rx
for example, without generating this warning. This form is accepted by the setfacl
command so it is standard.
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.