Skip to content

thias/puppet-fooacl

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

25 Commits
manifests
manifests
 
 
templates
templates
 
 
tests
tests
 
 
CHANGELOG.md
CHANGELOG.md
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
metadata.json
metadata.json
 
 

Repository files navigation

puppet-fooacl

Overview

Manage POSIX filesystem ACLs with Puppet.

Most (all?) other ACL modules implement a type which can be declared only once per file, which isn't flexible. This module takes the unusual approach of creating a single large concatenated script to manage all ACLs recursively in a single run. Ugly, yet very efficient and flexible since ACLs aren't tied to the file type in any way.

Features :

  • Set ACLs for the same path from different parts of your puppet manifests (flexible).
  • Set global ACL permissions to be applied for all paths managed by the module (flexible).
  • Automatic purging of ACLs on paths as long as at least one ACL is still being applied by the module (remove users easily and reliably).
  • Automatic setting of both normal and default ACLs to the same values (shortens declarations, increases code readability).

Limitations :

  • No purging once paths are no longer being managed by the module.
  • Any ACL changes trigger re-applying all ACLs (fine for a few thousands files, but typically an issue for millions of files).

Module content :

  • fooacl : Class to start managing ACLs with the module (fooacl::conf automatically includes it).
  • fooacl::conf: Definition to manage ACLs configuration.

Examples

A typical declaration from anywhere in your puppet manifests :

fooacl::conf { '/var/www/www.example.com':
  permissions => [
    'user:userA:rwX',
    'user:userB:rwX',
    'user:userX:r-X',
  ],
}

From anywhere else, you may set more ACLs for the same /var/www/www.example.com directory as long as you don't use the same $title (that would cause a duplicate declatation), so you would do :

fooacl::conf { 'www.example.com-other-team':
  target      => '/var/www/www.example.com',
  permissions => [
    'user:userC:rwX',
    'user:userY:r-X',
  ],
}

Parameter requirements :

  • If $target is not specificed, $title must be the target.
  • If $target is specified, as a directory or an array of directories, $title is ignored (this allows to work around duplicate declarations)
  • The special $title of 'default' will apply permissions to all directories managed by this module on the node. Useful for global access on certain nodes.

If you need to order some of your resources with the execution of the script contained in the module (e.g. refresh when you modify uid or gid values), use :

foo { 'bar':
  ...
  notify => Class['::fooacl'],
}

More advanced example :

# Global webmasters
fooacl::conf { 'default':
  permissions => [
    'user:userA:rwX',
    'user:userB:rwX',
  ],
}
# Frontend website webmasters
fooacl::conf { 'frontend':
  target => [
    '/var/www/frontend.example.com',
    '/var/www/frontend.example.org',
  ],
  permissions => [
    'user:userX:rwX',
    'user:userY:rwX',
  ],
}
# Backend website webmasters
fooacl::conf { 'backend':
  target => [
    '/var/www/backend.example.com',
    '/var/www/backend.example.org',
  ],
  permissions => [
    'user:userZ:rwX',
  ],
}

Debugging

You can set the module fooacl_noop globally using hiera :

---
fooacl::fooacl_noop: true

After which the /usr/local/sbin/fooacl script will get updated but won't be automatically run.

About

Puppet POSIX ACLs module

Resources

Readme

License

View license
Activity

Stars

9 stars

Watchers

3 watching

Forks

20 forks
Report repository

Releases

5 tags

Packages

No packages published

Contributors 4

  •  
  •  
  •  
  •  

Languages