library/roles/d4s_user_services_perms: Add a script that recursively sets the ACLs.

2017-08-13 20:11:38 +02:00 · 2017-08-13 20:11:38 +02:00 · b86f5641c9
parent e0fce456e8
commit b86f5641c9
4 changed files with 50 additions and 29 deletions
--- a/d4s_user_services_perms/defaults/main.yml
+++ b/d4s_user_services_perms/defaults/main.yml
@ -36,6 +36,11 @@ d4science_service_stop_command:
 #  - { name: '/data/2', create: False, perms: 0755, file: False, owner: '{{ d4science_user }}', groups: ['gcube', 'gcube1' ], aclperms: 'rwx' }
 #  - { name: '/data/bah', create: False, perms: 0644, file: True, aclperms: 'rw' }

+# Set it to True if you want to run the script that sets the ACLs on every
+# subdirectory and file of the d4s_users_data_directories.
+# WARNING: it could take a long time to finish
+d4s_force_acls: False
+
 limits_nofile_value: 16000
 security_limits:
  - { domain: '{{ d4science_user }}', l_item: 'nofile', type: 'soft', value: '{{ limits_nofile_value }}' }
--- a/d4s_user_services_perms/tasks/d4s-basic-node.yml
+++ b/d4s_user_services_perms/tasks/d4s-basic-node.yml
@ -2,10 +2,10 @@
 - name: Create the d4science user
  user: name={{ d4science_user }} home={{ d4science_user_home }} createhome={{ d4science_user_create_home }} shell={{ d4science_user_shell }}
  when: gcore_users is not defined
-  tags: [ 'gcore', 'd4science', 'users' ]
+  tags: [ 'gcore', 'd4science', 'users', 'd4s' ]

 - name: Create the d4science users
  user: name={{ item }} home=/home/{{ item }} createhome={{ d4science_user_create_home }} shell={{ d4science_user_shell }}
  with_items: '{{ gcore_users | default([]) }}'
-  tags: [ 'gcore', 'd4science', 'users' ]
+  tags: [ 'gcore', 'd4science', 'users', 'd4s' ]

--- a/d4s_user_services_perms/tasks/users-data-dirs.yml
+++ b/d4s_user_services_perms/tasks/users-data-dirs.yml
@ -1,34 +1,37 @@
 ---
- name: Create a common group
-  group: name={{ d4science_common_group }} state=present
-  tags: [ 'd4s', 'users', 'd4s_u_acl' ]
+- block:
+    - name: Create a common group
+      group: name={{ d4science_common_group }} state=present

- name: Add the gcube users to the common group
-  user: name={{ item.name }} append=yes groups={{ d4science_common_group }}
-  with_items: '{{ ssh_users_list }}'
-  tags: [ 'd4s', 'users', 'd4s_u_acl' ]
+    - name: Add the gcube users to the common group
+      user: name={{ item.name }} append=yes groups={{ d4science_common_group }}
+      with_items: '{{ ssh_users_list }}'

- name: Create the users d4s data dirs
-  file: name={{ item.name }} state=directory owner={{ item.owner }} group={{ item.group }} mode={{ item.perms }}
-  with_items: '{{ d4s_users_data_directories | default([]) }}'
-  when: item.create and not item.file
-  tags: [ 'd4s', 'users', 'd4s_u_acl' ]
+    - name: Create the users d4s data dirs
+      file: name={{ item.name }} state=directory owner={{ item.owner }} group={{ item.group }} mode={{ item.perms }}
+      with_items: '{{ d4s_users_data_directories | default([]) }}'
+      when: item.create and not item.file

- name: Set the read/write/access permissions on the users d4s data dirs
-  acl: name={{ item.name }} entity={{ d4science_common_group }} etype=group permissions={{ item.aclperms | default ('rwx') }} state=present
-  with_items: '{{ d4s_users_data_directories | default([])  }}'
-  when: not item.file
-  tags: [ 'd4s', 'users', 'd4s_u_acl' ]
+    - name: Set the read/write/access permissions on the users d4s data dirs
+      acl: path={{ item.name }} entity={{ d4science_common_group }} etype=group permissions={{ item.aclperms | default ('rwx') }} state=present
+      with_items: '{{ d4s_users_data_directories | default([])  }}'
+      when: not item.file

- name: Set the default read/write/access permissions on the users d4s data dirs
-  acl: name={{ item.name }} entity={{ d4science_common_group }} etype=group permissions={{ item.aclperms | default ('rwx') }} state=present default=yes
-  with_items: '{{ d4s_users_data_directories | default([])  }}'
-  when: not item.file
-  tags: [ 'd4s', 'users', 'd4s_u_acl' ]
+    - name: Set the default read/write/access permissions on the users d4s data dirs
+      acl: path={{ item.name }} entity={{ d4science_common_group }} etype=group permissions={{ item.aclperms | default ('rwx') }} state=present default=yes
+      with_items: '{{ d4s_users_data_directories | default([])  }}'
+      when: not item.file

- name: Set the read/write permissions on pre-existing files inside the users d4s data dirs
-  acl: name={{ item.name }} entity={{ d4s_group }} etype=group permissions={{ item.aclperms | default ('rw') }} state=present
-  with_items: '{{ d4s_users_data_directories | default([])  }}'
-  when: item.file
-  tags: [ 'd4s', 'users', 'd4s_u_acl' ]
+    - name: Set the read/write permissions on pre-existing files inside the users d4s data dirs
+      acl: path={{ item.name }} entity={{ d4science_common_group }} etype=group permissions={{ item.aclperms | default ('rw') }} state=present
+      with_items: '{{ d4s_users_data_directories | default([])  }}'
+      when: item.file

+    - name: Install a script that recursively sets the ACLs on all the directory tree that must be writeable and readable
+      template: src=set-acl-rules.sh.j2 dest=/usr/local/bin/set-acl-rules owner=root group=root mode=0755
+
+    - name: Run the script that recursively sets the ACLs
+      shell: /usr/local/bin/set-acl-rules
+      when: d4s_force_acls
+
+  tags: [ 'd4s', 'users', 'd4s_u_acl' ]
--- a/d4s_user_services_perms/templates/set-acl-rules.sh.j2
+++ b/d4s_user_services_perms/templates/set-acl-rules.sh.j2
@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -e
+set -o pipefail
+
+{% for path in d4s_users_data_directories %}
+
+find {{ path.name }} -type d -exec setfacl -m g:{{ d4science_common_group }}:rwx,o:rx,m:rwx {} \;
+find {{ path.name }} -type d -exec setfacl -d -m g:{{ d4science_common_group }}:rwx,o:rx,m:rwx {} \;
+find {{ path.name }} -type f -exec setfacl -m g:{{ d4science_common_group }}:rw,o:r,m:rw {} \;
+{% endfor %}
+
+exit 0