diff --git a/d4s_user_services_perms/defaults/main.yml b/d4s_user_services_perms/defaults/main.yml index c119abf8..251da3ba 100644 --- a/d4s_user_services_perms/defaults/main.yml +++ b/d4s_user_services_perms/defaults/main.yml @@ -36,6 +36,11 @@ d4science_service_stop_command: # - { name: '/data/2', create: False, perms: 0755, file: False, owner: '{{ d4science_user }}', groups: ['gcube', 'gcube1' ], aclperms: 'rwx' } # - { name: '/data/bah', create: False, perms: 0644, file: True, aclperms: 'rw' } +# Set it to True if you want to run the script that sets the ACLs on every +# subdirectory and file of the d4s_users_data_directories. +# WARNING: it could take a long time to finish +d4s_force_acls: False + limits_nofile_value: 16000 security_limits: - { domain: '{{ d4science_user }}', l_item: 'nofile', type: 'soft', value: '{{ limits_nofile_value }}' } diff --git a/d4s_user_services_perms/tasks/d4s-basic-node.yml b/d4s_user_services_perms/tasks/d4s-basic-node.yml index 03367219..c81c71c6 100644 --- a/d4s_user_services_perms/tasks/d4s-basic-node.yml +++ b/d4s_user_services_perms/tasks/d4s-basic-node.yml @@ -2,10 +2,10 @@ - name: Create the d4science user user: name={{ d4science_user }} home={{ d4science_user_home }} createhome={{ d4science_user_create_home }} shell={{ d4science_user_shell }} when: gcore_users is not defined - tags: [ 'gcore', 'd4science', 'users' ] + tags: [ 'gcore', 'd4science', 'users', 'd4s' ] - name: Create the d4science users user: name={{ item }} home=/home/{{ item }} createhome={{ d4science_user_create_home }} shell={{ d4science_user_shell }} with_items: '{{ gcore_users | default([]) }}' - tags: [ 'gcore', 'd4science', 'users' ] + tags: [ 'gcore', 'd4science', 'users', 'd4s' ] diff --git a/d4s_user_services_perms/tasks/users-data-dirs.yml b/d4s_user_services_perms/tasks/users-data-dirs.yml index e65ce115..d0f7af51 100644 --- a/d4s_user_services_perms/tasks/users-data-dirs.yml +++ b/d4s_user_services_perms/tasks/users-data-dirs.yml @@ -1,34 +1,37 @@ --- -- name: Create a common group - group: name={{ d4science_common_group }} state=present - tags: [ 'd4s', 'users', 'd4s_u_acl' ] +- block: + - name: Create a common group + group: name={{ d4science_common_group }} state=present -- name: Add the gcube users to the common group - user: name={{ item.name }} append=yes groups={{ d4science_common_group }} - with_items: '{{ ssh_users_list }}' - tags: [ 'd4s', 'users', 'd4s_u_acl' ] + - name: Add the gcube users to the common group + user: name={{ item.name }} append=yes groups={{ d4science_common_group }} + with_items: '{{ ssh_users_list }}' -- name: Create the users d4s data dirs - file: name={{ item.name }} state=directory owner={{ item.owner }} group={{ item.group }} mode={{ item.perms }} - with_items: '{{ d4s_users_data_directories | default([]) }}' - when: item.create and not item.file - tags: [ 'd4s', 'users', 'd4s_u_acl' ] + - name: Create the users d4s data dirs + file: name={{ item.name }} state=directory owner={{ item.owner }} group={{ item.group }} mode={{ item.perms }} + with_items: '{{ d4s_users_data_directories | default([]) }}' + when: item.create and not item.file -- name: Set the read/write/access permissions on the users d4s data dirs - acl: name={{ item.name }} entity={{ d4science_common_group }} etype=group permissions={{ item.aclperms | default ('rwx') }} state=present - with_items: '{{ d4s_users_data_directories | default([]) }}' - when: not item.file - tags: [ 'd4s', 'users', 'd4s_u_acl' ] + - name: Set the read/write/access permissions on the users d4s data dirs + acl: path={{ item.name }} entity={{ d4science_common_group }} etype=group permissions={{ item.aclperms | default ('rwx') }} state=present + with_items: '{{ d4s_users_data_directories | default([]) }}' + when: not item.file -- name: Set the default read/write/access permissions on the users d4s data dirs - acl: name={{ item.name }} entity={{ d4science_common_group }} etype=group permissions={{ item.aclperms | default ('rwx') }} state=present default=yes - with_items: '{{ d4s_users_data_directories | default([]) }}' - when: not item.file - tags: [ 'd4s', 'users', 'd4s_u_acl' ] + - name: Set the default read/write/access permissions on the users d4s data dirs + acl: path={{ item.name }} entity={{ d4science_common_group }} etype=group permissions={{ item.aclperms | default ('rwx') }} state=present default=yes + with_items: '{{ d4s_users_data_directories | default([]) }}' + when: not item.file -- name: Set the read/write permissions on pre-existing files inside the users d4s data dirs - acl: name={{ item.name }} entity={{ d4s_group }} etype=group permissions={{ item.aclperms | default ('rw') }} state=present - with_items: '{{ d4s_users_data_directories | default([]) }}' - when: item.file - tags: [ 'd4s', 'users', 'd4s_u_acl' ] + - name: Set the read/write permissions on pre-existing files inside the users d4s data dirs + acl: path={{ item.name }} entity={{ d4science_common_group }} etype=group permissions={{ item.aclperms | default ('rw') }} state=present + with_items: '{{ d4s_users_data_directories | default([]) }}' + when: item.file + - name: Install a script that recursively sets the ACLs on all the directory tree that must be writeable and readable + template: src=set-acl-rules.sh.j2 dest=/usr/local/bin/set-acl-rules owner=root group=root mode=0755 + + - name: Run the script that recursively sets the ACLs + shell: /usr/local/bin/set-acl-rules + when: d4s_force_acls + + tags: [ 'd4s', 'users', 'd4s_u_acl' ] diff --git a/d4s_user_services_perms/templates/set-acl-rules.sh.j2 b/d4s_user_services_perms/templates/set-acl-rules.sh.j2 new file mode 100644 index 00000000..3287b242 --- /dev/null +++ b/d4s_user_services_perms/templates/set-acl-rules.sh.j2 @@ -0,0 +1,13 @@ +#!/bin/bash + +set -e +set -o pipefail + +{% for path in d4s_users_data_directories %} + +find {{ path.name }} -type d -exec setfacl -m g:{{ d4science_common_group }}:rwx,o:rx,m:rwx {} \; +find {{ path.name }} -type d -exec setfacl -d -m g:{{ d4science_common_group }}:rwx,o:rx,m:rwx {} \; +find {{ path.name }} -type f -exec setfacl -m g:{{ d4science_common_group }}:rw,o:r,m:rw {} \; +{% endfor %} + +exit 0