Fix defaults: behaviour #19

Merged (1 commit) on Sep 23, 2015


roidelapluie
Member

This commit matches the default behaviour with what setfacl does

@dobbymoodge

@roidelapluie I think this will be a better solution than #18. I'll review and merge later this morning.

@roidelapluie
Member Author

Both could be merged

@dobbymoodge

Using this puppet file:

# ./test2.pp
file { "/tmp/testdir":
    ensure => directory,
}

file { [ "/tmp/testdir/a",
         ]:
    ensure => file,
}

acl { "/tmp/testdir":
    action     => set,
    permission => [
                   "user::rwx",
                   "group::---",
                   "mask::r-x",
                   "other::---",
                   "default:user::rwx",
                   "default:group::r-x",
                   "default:mask::rwx",
                   "default:other::---",
                   ],
    provider   => posixacl,
    recursive  => true,
    recursemode => deep,
}

The defaults set by setfacl -n -R -M ... with an ACL file matching that from the Puppet script are shown below:

[jolamb@ovce Vagrant]$ find /tmp/testdir
/tmp/testdir
/tmp/testdir/a
[jolamb@ovce Vagrant]$ setfacl -b -R /tmp/testdir/
[jolamb@ovce Vagrant]$ getfacl --absolute-names --no-effective /tmp/testdir/ ; getfacl --absolute-names --no-effective /tmp/testdir/a
# file: /tmp/testdir/
# owner: jolamb
# group: jolamb
user::rwx
group::---
other::---

# file: /tmp/testdir/a
# owner: jolamb
# group: jolamb
user::rwx
group::---
other::---

[jolamb@ovce Vagrant]$ cat aclfile.acl
user::rwx
group::---
mask::r-x
other::---
default:user::rwx
default:group::r-x
default:mask::rwx
default:other::---

[jolamb@ovce Vagrant]$ setfacl --no-mask --recursive --modify-file ~/Vagrant/aclfile.acl /tmp/testdir
[jolamb@ovce Vagrant]$ getfacl --absolute-names --no-effective /tmp/testdir/ ; getfacl --absolute-names --no-effective /tmp/testdir/a
# file: /tmp/testdir/
# owner: jolamb
# group: jolamb
user::rwx
group::---
mask::r-x
other::---
default:user::rwx
default:group::r-x
default:mask::rwx
default:other::---

# file: /tmp/testdir/a
# owner: jolamb
# group: jolamb
user::rwx
group::---
mask::r-x
other::---

It takes 2 puppet runs for the files to be created and have the final calculated ACLs applied:

[jolamb@ovce Vagrant]$ rm -rf /tmp/testdir
[jolamb@ovce Vagrant]$ puppet apply --verbose --debug --modulepath=. ./test2.pp
Debug: Runtime environment: run_mode=user, ruby_version=1.8.7, puppet_version=3.8.3
...
Debug: /Stage[main]/Main/File[/tmp/testdir/a]: Autorequiring File[/tmp/testdir]
Debug: /Stage[main]/Main/Acl[/tmp/testdir]: Autorequiring File[/tmp/testdir]
Info: Applying configuration version '1443018432'
Notice: /Stage[main]/Main/File[/tmp/testdir]/ensure: created
Debug: /Stage[main]/Main/File[/tmp/testdir]: The container Class[Main] will propagate my refresh event
Debug: Executing '/usr/bin/getfacl --absolute-names --no-effective /tmp/testdir'
Debug: Executing '/usr/bin/getfacl --absolute-names --no-effective /tmp/testdir'
Debug: permission.insync? cur_perm: group::rwx, other::r-x, user::rwx @should: default:group::r-x, default:mask::rwx, default:other::---, default:user::rwx, group::---, mask::r-x, other::---, user::rwx
Debug: set
Debug: Executing '/usr/bin/getfacl --absolute-names --no-effective /tmp/testdir'
Debug: Executing '/usr/bin/setfacl -n -m group::--- /tmp/testdir'
Debug: Executing '/usr/bin/setfacl -n -m mask::r-x /tmp/testdir'
Debug: Executing '/usr/bin/setfacl -n -m other::--- /tmp/testdir'
Debug: Executing '/usr/bin/setfacl -n -m default:user::rwx /tmp/testdir'
Debug: Executing '/usr/bin/setfacl -n -m default:group::r-x /tmp/testdir'
Debug: Executing '/usr/bin/setfacl -n -m default:mask::rwx /tmp/testdir'
Debug: Executing '/usr/bin/setfacl -n -m default:other::--- /tmp/testdir'
Notice: /Stage[main]/Main/Acl[/tmp/testdir]/permission: permission changed 'group::rwx,other::r-x,user::rwx' to 'user::rwx,group::---,mask::r-x,other::---,default:user::rwx,default:group::r-x,default:mask::rwx,default:other::---'
Debug: /Stage[main]/Main/Acl[/tmp/testdir]: The container Class[Main] will propagate my refresh event
Notice: /Stage[main]/Main/File[/tmp/testdir/a]/ensure: created
Debug: /Stage[main]/Main/File[/tmp/testdir/a]: The container Class[Main] will propagate my refresh event
Debug: Class[Main]: The container Stage[main] will propagate my refresh event
Debug: Finishing transaction 70324828276540
...


[jolamb@ovce Vagrant]$ puppet apply --verbose --debug --modulepath=. ./test2.pp

Debug: Runtime environment: ruby_version=1.8.7, run_mode=user, puppet_version=3.8.3
...
Debug: /Stage[main]/Main/Acl[/tmp/testdir]: Autorequiring File[/tmp/testdir]
Debug: /Stage[main]/Main/File[/tmp/testdir/a]: Autorequiring File[/tmp/testdir]
Info: Applying configuration version '1443018439'
Debug: Executing '/usr/bin/getfacl --absolute-names --no-effective /tmp/testdir'
Debug: Executing '/usr/bin/getfacl --absolute-names --no-effective /tmp/testdir'
Debug: permission.insync? cur_perm: default:group::r-x, default:mask::rwx, default:other::---, default:user::rwx, group::---, mask::r-x, other::---, user::rwx @should: default:group::r-x, default:mask::rwx, default:other::---, default:user::rwx, group::---, mask::r-x, other::---, user::rwx
Debug: Executing '/usr/bin/getfacl --absolute-names --no-effective /tmp/testdir/a'
Debug: Executing '/usr/bin/getfacl --absolute-names --no-effective /tmp/testdir/a'
Debug: permission.insync? cur_perm: group::r-x, mask::rw-, other::---, user::rw- @should: group::---, mask::r-x, other::---, user::rwx
Debug: set
Debug: Executing '/usr/bin/getfacl --absolute-names --no-effective /tmp/testdir/a'
Debug: Executing '/usr/bin/setfacl -n -m user::rwx /tmp/testdir/a'
Debug: Executing '/usr/bin/setfacl -n -m group::--- /tmp/testdir/a'
Debug: Executing '/usr/bin/setfacl -n -m mask::r-x /tmp/testdir/a'
Notice: /Stage[main]/Main/Acl[/tmp/testdir/a]/permission: permission changed 'group::r-x,mask::rw-,other::---,user::rw-' to 'user::rwx,group::---,mask::r-x,other::---'
Debug: Finishing transaction 70178179858320
...

The result for /tmp/testdir/a matches what we got from the setfacl -n -R -M ... earlier:

[jolamb@ovce Vagrant]$ getfacl --absolute-names --no-effective /tmp/testdir/ ; getfacl --absolute-names --no-effective /tmp/testdir/a
# file: /tmp/testdir/
# owner: jolamb
# group: jolamb
user::rwx
group::---
mask::r-x
other::---
default:user::rwx
default:group::r-x
default:mask::rwx
default:other::---

# file: /tmp/testdir/a
# owner: jolamb
# group: jolamb
user::rwx
group::---
mask::r-x
other::---

[jolamb@ovce Vagrant]$

I still wish it didn't take 2 runs for this to take effect, but this result is preferred to the "unique" calculated ACLs the current version produces. 👍
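Added example (not part of the pull request or the module's own code): a Ruby sketch of why the second run is needed. A file created under a directory that already has a default ACL inherits that ACL, masked by the create mode, and the result differs from the access entries the manifest declares. The create mode `0666` and all function names are assumptions; the page does not show the mode Puppet used.

```ruby
# Constructed from the manifest on this page: entries declared for /tmp/testdir.
DECLARED = %w[
  user::rwx group::--- mask::r-x other::---
  default:user::rwx default:group::r-x default:mask::rwx default:other::---
].freeze

# Directories take every entry; regular files take only the access entries,
# which is what the recursive setfacl run left on /tmp/testdir/a above.
def entries_for(declared, directory)
  directory ? declared : declared.reject { |e| e.start_with?('default:') }
end

# AND a permission string with a 3-bit mode field: mask_perm('rwx', 6) is 'rw-'.
def mask_perm(perm, bits)
  perm.chars.each_with_index.map { |c, i| bits[2 - i] == 1 ? c : '-' }.join
end

# Access ACL a new file inherits from its parent's default ACL (POSIX ACL rule):
# owner and other are ANDed with the create mode, and the mode's group bits
# are ANDed into mask:: (or into group:: when no mask entry exists).
def inherited_acl(parent_entries, create_mode)
  acl = {}
  parent_entries.each do |e|
    next unless e.start_with?('default:')
    tag, qualifier, perm = e.sub('default:', '').split(':')
    acl["#{tag}:#{qualifier}"] = perm
  end
  return [] if acl.empty? # no default ACL on the parent: nothing is inherited
  group_key = acl.key?('mask:') ? 'mask:' : 'group:'
  { 'user:' => 6, group_key => 3, 'other:' => 0 }.each do |key, shift|
    acl[key] = mask_perm(acl[key], (create_mode >> shift) & 7)
  end
  acl.map { |key, perm| "#{key}:#{perm}" }.sort
end

# Entries still to be set on a file created after the directory ACL was applied.
def pending_changes(declared, create_mode)
  entries_for(declared, false) - inherited_acl(declared, create_mode)
end

if __FILE__ == $PROGRAM_NAME
  puts "inherited: #{inherited_acl(DECLARED, 0666).join(', ')}"
  puts "pending:   #{pending_changes(DECLARED, 0666).join(', ')}"
end
```

With the assumed mode, the inherited ACL equals the `cur_perm` logged for `/tmp/testdir/a` in the second run, and the pending entries are the three `setfacl -n -m` calls that run executes.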

dobbymoodge added a commit that referenced this pull request Sep 23, 2015
@dobbymoodge dobbymoodge merged commit 01d86cb into voxpupuli:master Sep 23, 2015