d4s_user_services_perms: More scenarios that involve NFS (so no ACLs) and a common main group shared between users.
parent
1f93b6f542
commit
29c3b9357a
|
@ -4,8 +4,13 @@
|
||||||
when: gcore_users is not defined
|
when: gcore_users is not defined
|
||||||
tags: [ 'gcore', 'd4science', 'users', 'd4s' ]
|
tags: [ 'gcore', 'd4science', 'users', 'd4s' ]
|
||||||
|
|
||||||
|
- name: Create a common group if needed to use it as primary group for the additional users
|
||||||
|
user: name={{ gcube_users_main_group }} state=present
|
||||||
|
when: gcube_users_main_group is defined
|
||||||
|
tags: [ 'gcore', 'd4science', 'users', 'd4s' ]
|
||||||
|
|
||||||
- name: Create the d4science users
|
- name: Create the d4science users
|
||||||
user: name={{ item }} home=/home/{{ item }} createhome={{ d4science_user_create_home }} shell={{ d4science_user_shell }}
|
user: name={{ item }} group={{ gcube_users_main_group | default(omit) }} home=/home/{{ item }} createhome={{ d4science_user_create_home }} shell={{ d4science_user_shell }}
|
||||||
with_items: '{{ gcore_users | default([]) }}'
|
with_items: '{{ gcore_users | default([]) }}'
|
||||||
tags: [ 'gcore', 'd4science', 'users', 'd4s' ]
|
tags: [ 'gcore', 'd4science', 'users', 'd4s' ]
|
||||||
|
|
||||||
|
|
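Review bot: The new task "Create a common group if needed" uses the `user` module to create `gcube_users_main_group`, so it creates a login account named after the group (with whatever home directory and shell the module defaults to) and only obtains the group as that account's private group. A group that exists purely to be the primary group of the d4science users should come from the `group` module: `group: name={{ gcube_users_main_group }} state=present`. The `group={{ gcube_users_main_group | default(omit) }}` argument on the users task below then still resolves to the same group name, and no extra account is left on the host. Note also that this task runs before the `gcore_users is not defined` check above it, so the group is created even on hosts where no additional users will be added; adding `and gcore_users is defined` to its `when:` keeps the two tasks consistent.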
|
@ -7,7 +7,7 @@
|
||||||
user: name={{ item.name }} append=yes groups={{ d4science_common_group }}
|
user: name={{ item.name }} append=yes groups={{ d4science_common_group }}
|
||||||
with_items: '{{ ssh_users_list }}'
|
with_items: '{{ ssh_users_list }}'
|
||||||
|
|
||||||
- name: Create the users d4s data dirs
|
- name: Create the d4s data dirs
|
||||||
file: name={{ item.name }} state=directory owner={{ item.owner }} group={{ item.group }} mode={{ item.perms }}
|
file: name={{ item.name }} state=directory owner={{ item.owner }} group={{ item.group }} mode={{ item.perms }}
|
||||||
with_items: '{{ d4s_users_data_directories | default([]) }}'
|
with_items: '{{ d4s_users_data_directories | default([]) }}'
|
||||||
when: item.create and not item.file
|
when: item.create and not item.file
|
||||||
|
@ -15,23 +15,16 @@
|
||||||
- name: Set the default read/write/access permissions on the users d4s data dirs
|
- name: Set the default read/write/access permissions on the users d4s data dirs
|
||||||
acl: path={{ item.name }} entity={{ d4science_common_group }} etype=group permissions={{ item.aclperms | default ('rwX') }} state=present default=yes recursive=yes
|
acl: path={{ item.name }} entity={{ d4science_common_group }} etype=group permissions={{ item.aclperms | default ('rwX') }} state=present default=yes recursive=yes
|
||||||
with_items: '{{ d4s_users_data_directories | default([]) }}'
|
with_items: '{{ d4s_users_data_directories | default([]) }}'
|
||||||
when: not item.file
|
when:
|
||||||
|
- not item.file
|
||||||
|
- item.set_acls is defined and item.set_acls
|
||||||
|
|
||||||
- name: Set the read/write/access permissions on the users d4s data dirs
|
- name: Set the read/write/access permissions on the users d4s data dirs
|
||||||
acl: path={{ item.name }} entity={{ d4science_common_group }} etype=group permissions={{ item.aclperms | default ('rwX') }} state=present recursive=yes
|
acl: path={{ item.name }} entity={{ d4science_common_group }} etype=group permissions={{ item.aclperms | default ('rwX') }} state=present recursive=yes
|
||||||
with_items: '{{ d4s_users_data_directories | default([]) }}'
|
with_items: '{{ d4s_users_data_directories | default([]) }}'
|
||||||
# when: not item.file
|
when: item.set_acls is defined and item.set_acls
|
||||||
|
|
||||||
# - name: Set the read/write permissions on pre-existing files inside the users d4s data dirs
|
|
||||||
# acl: path={{ item.name }} entity={{ d4science_common_group }} etype=group permissions={{ item.aclperms | default ('rw') }} state=present
|
|
||||||
# with_items: '{{ d4s_users_data_directories | default([]) }}'
|
|
||||||
# when: item.file
|
|
||||||
|
|
||||||
- name: Install a script that recursively sets the ACLs on all the directory tree that must be writeable and readable
|
- name: Install a script that recursively sets the ACLs on all the directory tree that must be writeable and readable
|
||||||
template: src=set-acl-rules.sh.j2 dest=/usr/local/bin/set-acl-rules owner=root group=root mode=0755
|
template: src=set-acl-rules.sh.j2 dest=/usr/local/bin/set-acl-rules owner=root group=root mode=0755
|
||||||
|
|
||||||
# - name: Run the script that recursively sets the ACLs
|
|
||||||
# shell: /usr/local/bin/set-acl-rules
|
|
||||||
# when: d4s_force_acls
|
|
||||||
|
|
||||||
tags: [ 'd4s', 'users', 'd4s_u_acl' ]
|
tags: [ 'd4s', 'users', 'd4s_u_acl' ]
|
||||||
|
|
|
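Review bot: The `set-acl-rules` script installed by the template task near the end of the hunk is still rendered from every entry of `d4s_users_data_directories`, with no filter on the new `set_acls` flag, so on the NFS hosts this commit targets the script would still call `setfacl` on the ACL-less paths even though both `acl` tasks now skip them. Either gate the template task, e.g. `when: d4s_users_data_directories | default([]) | selectattr('set_acls', 'defined') | selectattr('set_acls') | list | length > 0`, or filter inside the template (and remove the now-dead commented "Run the script" task, since the script is installed but never executed by the role). The same condition is also written in two styles within the hunk: a block-list `when:` with two items on the default-ACL task and a single-line `when: item.set_acls is defined and item.set_acls` on the non-default one; using one form for both makes the pairing obvious. The template task's enclosing play continues past the hunk, so there may be further guards not visible here.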
@ -1,13 +1,13 @@
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
|
# The X bit set the value for the directories but not for the files
|
||||||
|
|
||||||
set -e
|
set -e
|
||||||
set -o pipefail
|
set -o pipefail
|
||||||
|
|
||||||
{% for path in d4s_users_data_directories %}
|
{% for path in d4s_users_data_directories %}
|
||||||
|
setfacl -R -d -m g:{{ d4science_common_group }}:rwX,o:rX,m:rwX {{ path.name }}
|
||||||
find {{ path.name }} -type d -exec setfacl -m g:{{ d4science_common_group }}:rwx,o:rx,m:rwx {} \;
|
setfacl -R -m g:{{ d4science_common_group }}:rwX,o:rX,m:rwX {{ path.name }}
|
||||||
find {{ path.name }} -type d -exec setfacl -d -m g:{{ d4science_common_group }}:rwx,o:rx,m:rwx {} \;
|
|
||||||
find {{ path.name }} -type f -exec setfacl -m g:{{ d4science_common_group }}:rw,o:r,m:rw {} \;
|
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
|
||||||
exit 0
|
exit 0
|
||||||
|
|
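Review bot: The `{% for path in d4s_users_data_directories %}` loop emits a `setfacl`/`find` block for every entry, including ones without `set_acls` and entries that are files rather than directories, so the rendered script touches the NFS paths this commit intends to exclude and, with `set -e`, aborts at the first `setfacl` that the filesystem rejects. Wrapping the loop body in `{% if path.set_acls is defined and path.set_acls %}` … `{% endif %}` keeps the script aligned with the `acl` tasks in the role. Independently, `{{ path.name }}` is unquoted in all three commands; writing `"{{ path.name }}"` makes a path containing whitespace or shell metacharacters a single argument to `find` and `setfacl`. The header comment would also read better as `# The X bit sets the value for directories but not for files`, since that is exactly why the per-type `find` passes were added.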