Feature #1033

support for file system acls on the file type

Added by Chris MacLeod over 4 years ago. Updated about 1 month ago.

Status: Closed
Priority: Normal
Assignee: -
% Done: 0%
Category: file
Target version: -
Affected Puppet version: 0.24.4
Start date:
Due date:
Branch:
Keywords:
Votes: 10

Description

Being able to set file system ACLs (setfacl et al.) on a file type would be very useful. More of a further extension of the existing file type, I would think.

Something perhaps along the lines of:

file { "/tmp/foo":
   mode  => 0644,
   owner => foo,
   group => bar,
   acl   => "u:rxw:g:foo:rxw",
   ...
}

History

Updated by Luke Kanies over 4 years ago

Is that really sufficient for the ACLs? Won’t people want a lot more flexibility?

I frankly have no idea, since I’ve not used ACLs.

Updated by Chris MacLeod over 4 years ago

I’m not sure what additional flexibility would be required. The above example is an explicit ACL string; the ACL itself is broken up into parts (basically delimited by the colons).

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/fs-acl.html

It seems like low-hanging fruit to add an attribute to set an explicit ACL on a file object. If more flexibility is needed, it should come out as people use it and the explicit ACL is insufficient.

Updated by Redmine Admin almost 4 years ago

  • Status changed from 1 to Needs Decision

Updated by Luke Kanies over 3 years ago

  • Status changed from Needs Decision to Accepted
  • Affected Puppet version set to 0.24.4

Updated by James Turnbull almost 3 years ago

  • Assignee deleted (Puppet Community)

Updated by Stefan Schlesinger over 2 years ago

I’d also like to see this integrated into puppet.

Remember that there are two different types of filesystem ACLs:

  • default ACLs on folders (they are inherited)
  • ACLs on files and folders (actual permissions)

And of course you can set this as the “standard ACL” which represents owner/group/other, but also for users and groups. A fully fledged set of FS ACLs could look like:

getfacl: Removing leading '/' from absolute path names
# file: srv/ftp/web/press
# owner: press
# group: ftpusers
user::rwx
user:ftpadmin:rwx
user:customer0:rwx
user:pres:r--
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:ftpadmin:rwx
default:user:customer0:rwx
default:user:press:r--
default:group::r-x
default:mask::rwx
default:other::r-x

Updated by Joe McDonagh over 2 years ago

Note that ZFS uses NFSv4 FACLs, and I’ve heard speculation that this will overtake the POSIX draft FACLs. It would probably be better to have FACLs as a separate type because of that, and sometimes you want to use a FACL restore file. I do this often: setfacl --restore=/perms.bak, say, will restore all FACLs from your working directory. That way you could point to some local file that is filled with the recursive FACL listing for a directory, and update any differences between your proper permissions and the machine.

Updated by Joe McDonagh over 2 years ago

By ‘local’ I meant local to the master.
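To make Stefan’s distinction between access entries and default entries concrete, and to show what Joe’s “update any differences” between a stored listing and the machine involves, here is an added example (not from this ticket, nor from any of the modules it mentions). It parses getfacl output into entries, applies the mask the way POSIX ACLs do (the mask limits named users, named groups and the owning group, not the owner or other), and computes the setfacl -m / -x operations needed to reach a desired state. The getfacl listing and the desired-state specs are constructed from the listing above; the path /srv/ftp/web/press in the usage section is the one from the thread.

```python
import re
from dataclasses import dataclass

# Constructed getfacl(1)-style listing, modelled on the one in this thread (not a real capture).
# getfacl prints the file/owner/group header as '# ' comment lines, then the access entries,
# then any default entries (directories only).
SAMPLE_GETFACL = """\
# file: srv/ftp/web/press
# owner: press
# group: ftpusers
user::rwx
user:ftpadmin:rwx
user:customer0:rwx
user:pres:r--
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:ftpadmin:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
"""

# Desired state as setfacl -m style specs (constructed): note 'press', not the typo 'pres'.
DESIRED_SPECS = [
    "user::rwx", "user:ftpadmin:rwx", "user:customer0:rwx", "user:press:r--",
    "group::r-x", "mask::rwx", "other::r-x",
    "default:user::rwx", "default:user:ftpadmin:rwx", "default:user:customer0:rwx",
    "default:user:press:r--", "default:group::r-x", "default:mask::rwx", "default:other::r-x",
]

ENTRY_RE = re.compile(r"^(default:)?(user|group|mask|other):([^:]*):([r-][w-][x-])$")


@dataclass(frozen=True)
class AclEntry:
    default: bool    # default entry: inherited by files created inside the directory
    tag: str         # user | group | mask | other
    qualifier: str   # named user/group; "" for owner, owning group, mask and other
    perms: str       # three-character rwx string, '-' for an absent bit

    @property
    def key(self):
        return (self.default, self.tag, self.qualifier)

    def name(self):
        return f"{'default:' if self.default else ''}{self.tag}:{self.qualifier}"

    def spec(self):
        """Render as the text setfacl -m accepts."""
        return f"{self.name()}:{self.perms}"

    def is_masked(self):
        """The mask limits named users, named groups and the owning group, not owner or other."""
        return self.tag == "group" or (self.tag == "user" and self.qualifier != "")


def parse_entry(line):
    # getfacl appends '#effective:...' when the mask reduces an entry; drop that comment.
    text = line.split("#", 1)[0].strip()
    m = ENTRY_RE.match(text)
    if not m:
        raise ValueError(f"malformed ACL entry: {line!r}")
    default, tag, qualifier, perms = m.groups()
    if tag in ("mask", "other") and qualifier:
        raise ValueError(f"{tag} entries take no qualifier: {line!r}")
    return AclEntry(default is not None, tag, qualifier, perms)


def parse_specs(specs):
    """Return {key: AclEntry}; a later entry for the same key overrides an earlier one."""
    entries = {}
    for s in specs:
        e = parse_entry(s)
        entries[e.key] = e
    return entries


def parse_getfacl(text):
    """Parse one file's getfacl output, skipping the '# ' header lines and blank lines."""
    return parse_specs(l for l in text.splitlines() if l.strip() and not l.startswith("#"))


def effective_perms(entries):
    """Permissions actually granted once the access or default mask is applied."""
    out = {}
    for e in entries.values():
        mask = entries.get((e.default, "mask", ""))
        if e.is_masked() and mask is not None:
            perms = "".join(p if p != "-" and q != "-" else "-" for p, q in zip(e.perms, mask.perms))
        else:
            perms = e.perms
        out[e.name()] = perms
    return out


def diff_acl(current, desired):
    """setfacl operations that turn `current` into `desired`: specs for -m (missing or
    differing entries) and names for -x (named entries no longer wanted). Owner,
    owning-group, other and mask entries are never removed."""
    to_modify = [d.spec() for d in desired.values()
                 if d.key not in current or current[d.key].perms != d.perms]
    to_remove = [c.name() for c in current.values()
                 if c.key not in desired and c.qualifier != ""]
    return to_modify, to_remove


if __name__ == "__main__":
    mod, rem = diff_acl(parse_getfacl(SAMPLE_GETFACL), parse_specs(DESIRED_SPECS))
    for spec in mod:
        print("setfacl -m", spec, "/srv/ftp/web/press")
    for name in rem:
        print("setfacl -x", name, "/srv/ftp/web/press")
```

Run against the sample, the diff reports the three entries missing from the directory (user:press:r-- and the two default entries for customer0 and press) and the one named entry to drop (the mistyped user:pres). Feeding effective_perms a listing whose mask is tighter than its named entries shows why a manager that only compares the literal entries can report a file as compliant while the kernel grants less than the entry says.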

Updated by Nigel Kersten over 1 year ago

  • Target version deleted (4)

Updated by Avalos . over 1 year ago

Hi all

I was looking forward to this feature too, and discovered this thread. It would be nice to have ACLs integrated into Puppet. But I had to do something for right now, and exec just wasn’t good enough. So I had to write a Puppet module to manage ACLs in a better way. I hope it is useful for someone. If you find it useful, give me feedback. Thanks

Example of use:

acl_user { "avalos_rw_rc.local":
    id   => avalos,
    mode => "rw-",
    path => "/etc/rc.local",
}

Please read the README for more info.

Puppet-acl module

Updated by Lance A 4 months ago

Another workaround, assuming the file’s parent directory has the correct permissions and a recent version of Windows, is simply to reset the file(s)’ permissions. Yes, it’s still exec, but it solves the simple use case. Note that icacls properly orders file permissions, an important consideration that any solution should guarantee. For example:

# Copy the file
file { "C:\\Temp\\dest.txt":
    source => "C:\\Temp\\source.txt",
    ensure => present,
}
# Reset the ACLs on the file since Puppet mangles them
exec { "icacls-reset-dest":
    path        => "${::systemroot}\\system32",
    command     => "icacls C:\\Temp\\dest.txt /reset",
    subscribe   => File["C:\\Temp\\dest.txt"],
    refreshonly => true,
}

Updated by Daniel Black 3 months ago

I’ve started an implementation here. Once I get it going as a stand-alone type I’ll make a patch to the file type. If someone wants to write a Windows provider I’m happy to accept merges.

Updated by Daniel Pittman 3 months ago

  • Status changed from Accepted to Closed

Daniel Black wrote:

I’ve started an implementation here. Once I get it going as a stand-alone type I’ll make a patch to the file type. If someone wants to write a Windows provider I’m happy to accept merges.

Daniel, thanks, that is pretty damn awesome. These days we are generally encouraging people to develop this sort of functionality outside core, as modules, because that is a win for everyone. Most especially, though, it is a win for the folks using it – because you can release bug fixes without having to wait until the next Puppet core minor (or up to a year for a major) release. Worse, most users still don’t see that sort of core fix for some time, until the distributions update, which can take a whole bunch of years.

A module is immediately useful, and can be updated, for anyone even on older versions or distribution releases.

So, thank you very much. I am going to close this ticket for the moment in favour of directing people to your module. That is awesome.

Updated by Jeremy Kindy about 1 month ago

Please note that the implementation at https://github.com/grooverdan/puppet-acl does not work (as of 3/21/2012). There is a fork available that seems to be more actively maintained: https://github.com/AllPlayers/puppet-acl
