diff --git a/files/acl b/files/acl
index 0b1ff4f0f08..b8d2b85cb65 100644
--- a/files/acl
+++ b/files/acl
@@ -24,15 +24,10 @@ description:
 options: name: required: true - default: None + default: null description: - The full path of the file or object. aliases: ['path'] - entry: - required: false - default: None - description: - The acl to set or remove. This must always be quoted in the form of '::'. The qualifier may be empty for some types, but the type and perms are always requried. '-' can be used as placeholder when you do not care about permissions. state: required: false 
@@ -40,12 +35,50 @@ options:
 choices: [ 'query', 'present', 'absent' ]
 description:
 - defines whether the ACL should be present or not. The C(query) state gets the current acl C(present) without changing it, for use in 'register' operations.
+
 follow:
 required: false
 default: yes
 choices: [ 'yes', 'no' ]
 description:
 - whether to follow symlinks on the path if a symlink is encountered.
+
+ default:
+ version_added: "1.5"
+ required: false
+ default: no
+ choices: [ 'yes', 'no' ]
+ description:
+ - if the target is a directory, setting this to yes will make it the default acl for entities created inside the directory. It causes an error if name is a file.
+
+ entity:
+ version_added: "1.5"
+ required: false
+ description:
+ - actual user or group that the ACL applies to when matching entity types user or group are selected.
+
+ etype:
+ version_added: "1.5"
+ required: false
+ default: null
+ choices: [ 'user', 'group', 'mask', 'other' ]
+ description:
+ - if the target is a directory, setting this to yes will make it the default acl for entities created inside the directory. It causes an error if name is a file.
+
+
+ permissions:
+ version_added: "1.5"
+ required: false
+ default: null
+ description:
+ - Permissions to apply/remove can be any combination of r, w and x (read, write and execute respectively)
+
+ entry:
+ required: false
+ default: null
+ description:
+ - DEPRECATED. The acl to set or remove. This must always be quoted in the form of '::'. The qualifier may be empty for some types, but the type and perms are always requried. '-' can be used as placeholder when you do not care about permissions. This is now superceeded by entity, type and permissions fields.
+
 author: Brian Coca
 notes:
 - The "acl" module requires that acls are enabled on the target filesystem and that the setfacl and getfacl binaries are installed.
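Review bot: The `etype` description is a copy of the `default` one (`if the target is a directory, setting this to yes will make it the default acl ...`), so the option that selects the ACL entry type is documented as if it were a boolean flag; replace it with something like `- the type of ACL entry: user, group, mask or other. entity is required for user and group.`. The `entry` text says it is superseded by `entity, type and permissions` while the option actually added is named `etype`, so the deprecation notice points users at a parameter that does not exist. `requried` and `superceeded` in the new lines are misspelled.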
@@ -53,17 +86,59 @@ notes:
 EXAMPLES = '''
 # Grant user Joe read access to a file
-- acl: name=/etc/foo.conf entry="user:joe:r" state=present
+- acl: name=/etc/foo.conf entity=joe etype=user permissions="r" state=present
 # Removes the acl for Joe on a specific file
-- acl: name=/etc/foo.conf entry="user:joe:-" state=absent
+- acl: name=/etc/foo.conf entity=joe etype=user state=absent
+
+ # Sets default acl for joe on foo.d
+ - acl: name=/etc/foo.d entity=joe etype=user permissions=rw default=yes state=present
+
+ # Same as previous but using entry shorthand
+ - acl: name=/etc/foo.d entrty="default:user:joe:rw-" state=present
 # Obtain the acl for a specific file
 - acl: name=/etc/foo.conf
 register: acl_info
 '''
-def get_acl(module,path,entry,follow):
+def split_entry(entry):
+ ''' splits entry and ensures normalized return'''
+
+ a = entry.split(':')
+ a.reverse()
+ if len(a) == 3:
+ a.append(False)
+ try:
+ p,e,t,d = a
+ except ValueError, e:
+ print "wtf?? %s => %s" % (entry,a)
+ raise e
+
+ if t.startswith("u"):
+ t = "user"
+ elif t.startswith("g"):
+ t = "group"
+ elif t.startswith("m"):
+ t = "mask"
+ elif t.startswith("o"):
+ t = "other"
+ else:
+ t = None
+
+ perms = ['-','-','-']
+ for char in p:
+ if char == 'r':
+ perms[0] = 'r'
+ if char == 'w':
+ perms[1] = 'w'
+ if char == 'x':
+ perms[2] = 'x'
+ p = ''.join(perms)
+
+ return [d,t,e,p]
+
+def get_acls(module,path,follow):
 cmd = [ module.get_bin_path('getfacl', True) ]
 if not follow:
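Review bot: `split_entry` returns `d` as the raw first field (the string `'default'`) for four-field entries but `False` for three-field ones, so the value has mixed types; `main` in the last hunk compares it against the boolean `default` parameter with `old_default == default`, which can never be true when `default=yes` is given with `etype`, so `state=present` re-applies the ACL on every run and `state=absent` never finds the entry to remove. Normalizing it right after the unpack, `d = (d == 'default')`, gives both callers a boolean and keeps `set_acl`/`rm_acl` receiving a flag. The `print "wtf?? %s => %s" % (entry,a)` on the `ValueError` path writes to stdout, which an Ansible module reserves for its JSON result; drop it and let the exception propagate so the caller can report it with `module.fail_json`. The new example `entrty="default:user:joe:rw-"` misspells the `entry` argument and would be rejected as an unknown parameter.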
@@ -75,21 +150,25 @@ def get_acl(module,path,entry,follow):
 return _run_acl(module,cmd)
-def set_acl(module,path,entry,follow):
+def set_acl(module,path,entry,follow,default):
 cmd = [ module.get_bin_path('setfacl', True) ]
 if not follow:
 cmd.append('-h')
+ if default:
+ cmd.append('-d')
 cmd.append('-m "%s"' % entry)
 cmd.append(path)
 return _run_acl(module,cmd)
-def rm_acl(module,path,entry,follow):
+def rm_acl(module,path,entry,follow,default):
 cmd = [ module.get_bin_path('setfacl', True) ]
 if not follow:
 cmd.append('-h')
+ if default:
+ cmd.append('-k')
 entry = entry[0:entry.rfind(':')]
 cmd.append('-x "%s"' % entry)
 cmd.append(path)
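Review bot: `rm_acl` appends `-k` when `default` is set, but setfacl's `-k` (`--remove-default`) removes the directory's entire default ACL, not only the entry named by the following `-x`, so `state=absent default=yes` for one user wipes every default entry. The symmetric choice to `set_acl`'s `-d` is `cmd.append('-d')` here as well, which scopes the `-x` to the default ACL and removes just the requested entry. Both functions also pass the option and its value as a single argv element with literal quote characters (`'-m "%s"' % entry`, `'-x "%s"' % entry`); this presumably relies on `_run_acl` going through a shell, which is not visible here, and appending `'-m'` and `entry` as separate elements would not depend on that. The `-x` line is pre-existing context, so that last point is a follow-up rather than a regression of this change.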
@@ -103,93 +182,104 @@ def _run_acl(module,cmd,check_rc=True):
 except Exception, e:
 module.fail_json(msg=e.strerror)
- return out.splitlines()
+ # trim last line as it is always empty
+ ret = out.splitlines()
+ return ret[0:len(ret)-1]
 def main():
 module = AnsibleModule(
 argument_spec = dict(
- name = dict(required=True,aliases=['path']),
- entry = dict(required=False, default=None),
+ name = dict(required=True,aliases=['path'], type='str'),
+ entry = dict(required=False, etype='str'),
+ entity = dict(required=False, type='str', default=''),
+ etype = dict(required=False, choices=['other', 'user', 'group', 'mask'], type='str'),
+ permissions = dict(required=False, type='str'),
 state = dict(required=False, default='query', choices=[ 'query', 'present', 'absent' ], type='str'),
 follow = dict(required=False, type='bool', default=True),
+ default= dict(required=False, type='bool', default=False),
 ),
 supports_check_mode=True,
 )
 path = module.params.get('name')
 entry = module.params.get('entry')
+ entity = module.params.get('entity')
+ etype = module.params.get('etype')
+ permissions = module.params.get('permissions')
 state = module.params.get('state')
 follow = module.params.get('follow')
+ default = module.params.get('default')
 if not os.path.exists(path):
 module.fail_json(msg="path not found or not accessible!")
- if entry is None:
- if state in ['present','absent']:
- module.fail_json(msg="%s needs entry to be set" % state)
- else:
- if entry.count(":") != 2:
- module.fail_json(msg="Invalid entry: '%s', it requires 3 sections divided by ':'" % entry)
+ if state in ['present','absent']:
+ if not entry and not etype:
+ module.fail_json(msg="%s requries to have ither either etype and permissions or entry to be set" % state)
+
+ if entry:
+ if etype or entity or permissions:
+ module.fail_json(msg="entry and another incompatible field (entity, etype or permissions) are also set")
+ if entry.count(":") not in [2,3]:
+ module.fail_json(msg="Invalid entry: '%s', it requires 
3 or 4 sections divided by ':'" % entry)
+
+ default, etype, entity, permissions = split_entry(entry)
 changed=False
- changes=0
 msg = ""
- currentacl = get_acl(module,path,entry,follow)
-
+ currentacls = get_acls(module,path,follow)
 if (state == 'present'):
- newe = entry.split(':')
 matched = False
- for oldentry in currentacl:
- diff = False
- olde = oldentry.split(':')
- if olde[0] == newe[0]:
- if newe[0] in ['user', 'group']:
- if olde[1] == newe[1]:
+ for oldentry in currentacls:
+ if oldentry.count(":") == 0:
+ continue
+ old_default, old_type, old_entity, old_permissions = split_entry(oldentry)
+ if old_default == default:
+ if old_type == etype:
+ if etype in ['user', 'group']:
+ if old_entity == entity:
+ matched = True
+ if not old_permissions == permissions:
+ changed = True
+ break
+ else:
 matched = True
- if not olde[2] == newe[2]:
- diff = True
- else:
- matched = True
- if not olde[2] == newe[2]:
- diff = True
- if diff:
- changes=changes+1
- if not module.check_mode:
- set_acl(module,path,entry,follow)
- if matched:
+ if not old_permissions == permissions:
+ changed = True
+ break
 break
 if not matched:
- changes=changes+1
- if not module.check_mode:
- set_acl(module,path,entry,follow)
- msg="%s is present" % (entry)
+ changed=True
+
+ if changed and not module.check_mode:
+ set_acl(module,path,':'.join([etype, str(entity), permissions]),follow,default)
+ msg="%s is present" % ':'.join([etype, str(entity), permissions])
+
 elif state == 'absent':
- rme = entry.split(':')
- for oldentry in currentacl:
- olde = oldentry.split(':')
- if olde[0] == rme[0]:
- if rme[0] in ['user', 'group']:
- if olde[1] == rme[1]:
- changes=changes+1
- if not module.check_mode:
- rm_acl(module,path,entry,follow)
+ for oldentry in currentacls:
+ if oldentry.count(":") == 0:
+ continue
+ old_default, old_type, old_entity, old_permissions = split_entry(oldentry)
+ if old_default == default:
+ if old_type == etype:
+ if etype in ['user', 'group']:
+ if old_entity == entity: 
changed=True
+ break
+ else:
+ changed=True
 break
- else:
- changes=changes+1
- if not module.check_mode:
- rm_acl(module,path,entry,follow)
- break
- msg="%s is absent" % (entry)
+ if changed and not module.check_mode:
+ rm_acl(module,path,':'.join([etype, entity, '---']),follow,default)
+ msg="%s is absent" % ':'.join([etype, entity, '---'])
 else:
 msg="current acl"
- if changes > 0:
- changed=True
- currentacl = get_acl(module,path,entry,follow)
+ if changed:
+ currentacls = get_acls(module,path,follow)
- msg="%s. %d entries changed" % (msg,changes)
- module.exit_json(changed=changed, msg=msg, acl=currentacl)
+ module.exit_json(changed=changed, msg=msg, acl=currentacls)
 # import module snippets
 from ansible.module_utils.basic import *
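Review bot: With `state=present` in the `etype`/`entity` form, `permissions` is never validated: the only guard is `if not entry and not etype:`, yet the call `set_acl(module,path,':'.join([etype, str(entity), permissions]),follow,default)` raises `TypeError` when `permissions` is `None`, so the module dies with a traceback instead of a JSON failure. A check inside the `state == 'present'` path such as `if not entry and not permissions: module.fail_json(msg="%s requires permissions when entry is not set" % state)` closes it (`absent` substitutes `'---'` and is unaffected). In `argument_spec`, `entry = dict(required=False, etype='str')` misspells `type`, so that key is silently ignored. The `_run_acl` change `return ret[0:len(ret)-1]` assumes getfacl always ends its output with an extra blank line; `str.splitlines()` does not yield a trailing empty element for a final newline, so if that assumption ever fails the last real ACL entry is dropped from the `acl` result, whereas `return [l for l in out.splitlines() if l]` removes empties without depending on it.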