Merge pull request #5363 from bcoca/acl_improved

acl module: acl now supports 'default'
This commit is contained in:
jctanner 2014-02-05 18:40:59 -05:00
commit a1d2b5f257

View file

@ -24,15 +24,10 @@ description:
options:
name:
required: true
default: None
default: null
description:
- The full path of the file or object.
aliases: ['path']
entry:
required: false
default: None
description:
- The acl to set or remove. This must always be quoted in the form of '<type>:<qualifier>:<perms>'. The qualifier may be empty for some types, but the type and perms are always requried. '-' can be used as placeholder when you do not care about permissions.
state:
required: false
@ -40,12 +35,50 @@ options:
choices: [ 'query', 'present', 'absent' ]
description:
- defines whether the ACL should be present or not. The C(query) state gets the current acl C(present) without changing it, for use in 'register' operations.
follow:
required: false
default: yes
choices: [ 'yes', 'no' ]
description:
- whether to follow symlinks on the path if a symlink is encountered.
default:
version_added: "1.5"
required: false
default: no
choices: [ 'yes', 'no' ]
description:
- if the target is a directory, setting this to yes will make it the default acl for entities created inside the directory. It causes an error if name is a file.
entity:
version_added: "1.5"
required: false
description:
- actual user or group that the ACL applies to when matching entity types user or group are selected.
etype:
version_added: "1.5"
required: false
default: null
choices: [ 'user', 'group', 'mask', 'other' ]
description:
- if the target is a directory, setting this to yes will make it the default acl for entities created inside the directory. It causes an error if name is a file.
permissions:
version_added: "1.5"
required: false
default: null
description:
- Permissions to apply/remove can be any combination of r, w and x (read, write and execute respectively)
entry:
required: false
default: null
description:
- DEPRECATED. The acl to set or remove. This must always be quoted in the form of '<etype>:<qualifier>:<perms>'. The qualifier may be empty for some types, but the type and perms are always requried. '-' can be used as placeholder when you do not care about permissions. This is now superceeded by entity, type and permissions fields.
author: Brian Coca
notes:
- The "acl" module requires that acls are enabled on the target filesystem and that the setfacl and getfacl binaries are installed.
@ -53,17 +86,59 @@ notes:
EXAMPLES = '''
# Grant user Joe read access to a file
- acl: name=/etc/foo.conf entry="user:joe:r" state=present
- acl: name=/etc/foo.conf entity=joe etype=user permissions="r" state=present
# Removes the acl for Joe on a specific file
- acl: name=/etc/foo.conf entry="user:joe:-" state=absent
- acl: name=/etc/foo.conf entity=joe etype=user state=absent
# Sets default acl for joe on foo.d
- acl: name=/etc/foo.d entity=joe etype=user permissions=rw default=yes state=present
# Same as previous but using entry shorthand
- acl: name=/etc/foo.d entrty="default:user:joe:rw-" state=present
# Obtain the acl for a specific file
- acl: name=/etc/foo.conf
register: acl_info
'''
def get_acl(module,path,entry,follow):
def split_entry(entry):
''' splits entry and ensures normalized return'''
a = entry.split(':')
a.reverse()
if len(a) == 3:
a.append(False)
try:
p,e,t,d = a
except ValueError, e:
print "wtf?? %s => %s" % (entry,a)
raise e
if t.startswith("u"):
t = "user"
elif t.startswith("g"):
t = "group"
elif t.startswith("m"):
t = "mask"
elif t.startswith("o"):
t = "other"
else:
t = None
perms = ['-','-','-']
for char in p:
if char == 'r':
perms[0] = 'r'
if char == 'w':
perms[1] = 'w'
if char == 'x':
perms[2] = 'x'
p = ''.join(perms)
return [d,t,e,p]
def get_acls(module,path,follow):
cmd = [ module.get_bin_path('getfacl', True) ]
if not follow:
@ -75,21 +150,25 @@ def get_acl(module,path,entry,follow):
return _run_acl(module,cmd)
def set_acl(module,path,entry,follow):
def set_acl(module,path,entry,follow,default):
cmd = [ module.get_bin_path('setfacl', True) ]
if not follow:
cmd.append('-h')
if default:
cmd.append('-d')
cmd.append('-m "%s"' % entry)
cmd.append(path)
return _run_acl(module,cmd)
def rm_acl(module,path,entry,follow):
def rm_acl(module,path,entry,follow,default):
cmd = [ module.get_bin_path('setfacl', True) ]
if not follow:
cmd.append('-h')
if default:
cmd.append('-k')
entry = entry[0:entry.rfind(':')]
cmd.append('-x "%s"' % entry)
cmd.append(path)
@ -103,93 +182,104 @@ def _run_acl(module,cmd,check_rc=True):
except Exception, e:
module.fail_json(msg=e.strerror)
return out.splitlines()
# trim last line as it is always empty
ret = out.splitlines()
return ret[0:len(ret)-1]
def main():
module = AnsibleModule(
argument_spec = dict(
name = dict(required=True,aliases=['path']),
entry = dict(required=False, default=None),
name = dict(required=True,aliases=['path'], type='str'),
entry = dict(required=False, etype='str'),
entity = dict(required=False, type='str', default=''),
etype = dict(required=False, choices=['other', 'user', 'group', 'mask'], type='str'),
permissions = dict(required=False, type='str'),
state = dict(required=False, default='query', choices=[ 'query', 'present', 'absent' ], type='str'),
follow = dict(required=False, type='bool', default=True),
default= dict(required=False, type='bool', default=False),
),
supports_check_mode=True,
)
path = module.params.get('name')
entry = module.params.get('entry')
entity = module.params.get('entity')
etype = module.params.get('etype')
permissions = module.params.get('permissions')
state = module.params.get('state')
follow = module.params.get('follow')
default = module.params.get('default')
if not os.path.exists(path):
module.fail_json(msg="path not found or not accessible!")
if entry is None:
if state in ['present','absent']:
module.fail_json(msg="%s needs entry to be set" % state)
else:
if entry.count(":") != 2:
module.fail_json(msg="Invalid entry: '%s', it requires 3 sections divided by ':'" % entry)
if state in ['present','absent']:
if not entry and not etype:
module.fail_json(msg="%s requries to have ither either etype and permissions or entry to be set" % state)
if entry:
if etype or entity or permissions:
module.fail_json(msg="entry and another incompatible field (entity, etype or permissions) are also set")
if entry.count(":") not in [2,3]:
module.fail_json(msg="Invalid entry: '%s', it requires 3 or 4 sections divided by ':'" % entry)
default, etype, entity, permissions = split_entry(entry)
changed=False
changes=0
msg = ""
currentacl = get_acl(module,path,entry,follow)
currentacls = get_acls(module,path,follow)
if (state == 'present'):
newe = entry.split(':')
matched = False
for oldentry in currentacl:
diff = False
olde = oldentry.split(':')
if olde[0] == newe[0]:
if newe[0] in ['user', 'group']:
if olde[1] == newe[1]:
for oldentry in currentacls:
if oldentry.count(":") == 0:
continue
old_default, old_type, old_entity, old_permissions = split_entry(oldentry)
if old_default == default:
if old_type == etype:
if etype in ['user', 'group']:
if old_entity == entity:
matched = True
if not old_permissions == permissions:
changed = True
break
else:
matched = True
if not olde[2] == newe[2]:
diff = True
else:
matched = True
if not olde[2] == newe[2]:
diff = True
if diff:
changes=changes+1
if not module.check_mode:
set_acl(module,path,entry,follow)
if matched:
if not old_permissions == permissions:
changed = True
break
break
if not matched:
changes=changes+1
if not module.check_mode:
set_acl(module,path,entry,follow)
msg="%s is present" % (entry)
changed=True
if changed and not module.check_mode:
set_acl(module,path,':'.join([etype, str(entity), permissions]),follow,default)
msg="%s is present" % ':'.join([etype, str(entity), permissions])
elif state == 'absent':
rme = entry.split(':')
for oldentry in currentacl:
olde = oldentry.split(':')
if olde[0] == rme[0]:
if rme[0] in ['user', 'group']:
if olde[1] == rme[1]:
changes=changes+1
if not module.check_mode:
rm_acl(module,path,entry,follow)
for oldentry in currentacls:
if oldentry.count(":") == 0:
continue
old_default, old_type, old_entity, old_permissions = split_entry(oldentry)
if old_default == default:
if old_type == etype:
if etype in ['user', 'group']:
if old_entity == entity:
changed=True
break
else:
changed=True
break
else:
changes=changes+1
if not module.check_mode:
rm_acl(module,path,entry,follow)
break
msg="%s is absent" % (entry)
if changed and not module.check_mode:
rm_acl(module,path,':'.join([etype, entity, '---']),follow,default)
msg="%s is absent" % ':'.join([etype, entity, '---'])
else:
msg="current acl"
if changes > 0:
changed=True
currentacl = get_acl(module,path,entry,follow)
if changed:
currentacls = get_acls(module,path,follow)
msg="%s. %d entries changed" % (msg,changes)
module.exit_json(changed=changed, msg=msg, acl=currentacl)
module.exit_json(changed=changed, msg=msg, acl=currentacls)
# import module snippets
from ansible.module_utils.basic import *