From b86f5641c987b87183f5aa640e751c58c5a333a4 Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Sun, 13 Aug 2017 20:11:38 +0200
Subject: [PATCH] library/roles/d4s_user_services_perms: Add a script that recursively sets the ACLs.

---
 d4s_user_services_perms/defaults/main.yml | 5 ++
 .../tasks/d4s-basic-node.yml | 4 +-
 .../tasks/users-data-dirs.yml | 57 ++++++++++---------
 .../templates/set-acl-rules.sh.j2 | 13 +++++
 4 files changed, 50 insertions(+), 29 deletions(-)
 create mode 100644 d4s_user_services_perms/templates/set-acl-rules.sh.j2

diff --git a/d4s_user_services_perms/defaults/main.yml b/d4s_user_services_perms/defaults/main.yml
index c119abf8..251da3ba 100644
--- a/d4s_user_services_perms/defaults/main.yml
+++ b/d4s_user_services_perms/defaults/main.yml
@@ -36,6 +36,11 @@ d4science_service_stop_command:
 # - { name: '/data/2', create: False, perms: 0755, file: False, owner: '{{ d4science_user }}', groups: ['gcube', 'gcube1' ], aclperms: 'rwx' }
 # - { name: '/data/bah', create: False, perms: 0644, file: True, aclperms: 'rw' }
 
+# Set it to True if you want to run the script that sets the ACLs on every
+# subdirectory and file of the d4s_users_data_directories.
+# WARNING: it could take a long time to finish
+d4s_force_acls: False
+
 limits_nofile_value: 16000
 security_limits:
 - { domain: '{{ d4science_user }}', l_item: 'nofile', type: 'soft', value: '{{ limits_nofile_value }}' }
diff --git a/d4s_user_services_perms/tasks/d4s-basic-node.yml b/d4s_user_services_perms/tasks/d4s-basic-node.yml
index 03367219..c81c71c6 100644
--- a/d4s_user_services_perms/tasks/d4s-basic-node.yml
+++ b/d4s_user_services_perms/tasks/d4s-basic-node.yml
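Review bot: `d4s_force_acls: False` in the new defaults block uses a capitalised boolean; Ansible's loader accepts it, but yamllint's `truthy` rule and strict YAML 1.2 parsers see a plain string, so write `d4s_force_acls: false` and say "set it to true" in the comment above it. Since this flag gates a recursive `setfacl` over every configured data tree, the comment would also be clearer as `# When true, run set-acl-rules, which walks every directory and file under d4s_users_data_directories and rewrites their ACLs; this can take a long time on large trees.`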
@@ -2,10 +2,10 @@
 - name: Create the d4science user
 user: name={{ d4science_user }} home={{ d4science_user_home }} createhome={{ d4science_user_create_home }} shell={{ d4science_user_shell }}
 when: gcore_users is not defined
- tags: [ 'gcore', 'd4science', 'users' ]
+ tags: [ 'gcore', 'd4science', 'users', 'd4s' ]
 
 - name: Create the d4science users
 user: name={{ item }} home=/home/{{ item }} createhome={{ d4science_user_create_home }} shell={{ d4science_user_shell }}
 with_items: '{{ gcore_users | default([]) }}'
- tags: [ 'gcore', 'd4science', 'users' ]
+ tags: [ 'gcore', 'd4science', 'users', 'd4s' ]
diff --git a/d4s_user_services_perms/tasks/users-data-dirs.yml b/d4s_user_services_perms/tasks/users-data-dirs.yml
index e65ce115..d0f7af51 100644
--- a/d4s_user_services_perms/tasks/users-data-dirs.yml
+++ b/d4s_user_services_perms/tasks/users-data-dirs.yml
@@ -1,34 +1,37 @@
 ---
-- name: Create a common group
- group: name={{ d4science_common_group }} state=present
- tags: [ 'd4s', 'users', 'd4s_u_acl' ]
+- block:
+ - name: Create a common group
+ group: name={{ d4science_common_group }} state=present
 
-- name: Add the gcube users to the common group
- user: name={{ item.name }} append=yes groups={{ d4science_common_group }}
- with_items: '{{ ssh_users_list }}'
- tags: [ 'd4s', 'users', 'd4s_u_acl' ]
+ - name: Add the gcube users to the common group
+ user: name={{ item.name }} append=yes groups={{ d4science_common_group }}
+ with_items: '{{ ssh_users_list }}'
 
-- name: Create the users d4s data dirs
- file: name={{ item.name }} state=directory owner={{ item.owner }} group={{ item.group }} mode={{ item.perms }}
- with_items: '{{ d4s_users_data_directories | default([]) }}'
- when: item.create and not item.file
- tags: [ 'd4s', 'users', 'd4s_u_acl' ]
+ - name: Create the users d4s data dirs
+ file: name={{ item.name }} state=directory owner={{ item.owner }} group={{ item.group }} mode={{ item.perms }}
+ with_items: '{{ d4s_users_data_directories | default([]) }}'
+ when: item.create and not item.file
 
-- name: Set the read/write/access permissions on the users d4s data dirs
- acl: name={{ item.name }} entity={{ d4science_common_group }} etype=group permissions={{ item.aclperms | default ('rwx') }} state=present
- with_items: '{{ d4s_users_data_directories | default([]) }}'
- when: not item.file
- tags: [ 'd4s', 'users', 'd4s_u_acl' ]
+ - name: Set the read/write/access permissions on the users d4s data dirs
+ acl: path={{ item.name }} entity={{ d4science_common_group }} etype=group permissions={{ item.aclperms | default ('rwx') }} state=present
+ with_items: '{{ d4s_users_data_directories | default([]) }}'
+ when: not item.file
 
-- name: Set the default read/write/access permissions on the users d4s data dirs
- acl: name={{ item.name }} entity={{ d4science_common_group }} etype=group permissions={{ item.aclperms | default ('rwx') }} state=present default=yes
- with_items: '{{ d4s_users_data_directories | default([]) }}'
- when: not item.file
- tags: [ 'd4s', 'users', 'd4s_u_acl' ]
+ - name: Set the default read/write/access permissions on the users d4s data dirs
+ acl: path={{ item.name }} entity={{ d4science_common_group }} etype=group permissions={{ item.aclperms | default ('rwx') }} state=present default=yes
+ with_items: '{{ d4s_users_data_directories | default([]) }}'
+ when: not item.file
 
-- name: Set the read/write permissions on pre-existing files inside the users d4s data dirs
- acl: name={{ item.name }} entity={{ d4s_group }} etype=group permissions={{ item.aclperms | default ('rw') }} state=present
- with_items: '{{ d4s_users_data_directories | default([]) }}'
- when: item.file
- tags: [ 'd4s', 'users', 'd4s_u_acl' ]
+ - name: Set the read/write permissions on pre-existing files inside the users d4s data dirs
+ acl: path={{ item.name }} entity={{ d4science_common_group }} etype=group permissions={{ item.aclperms | default ('rw') }} state=present
+ with_items: '{{ d4s_users_data_directories | default([]) }}'
+ when: item.file
+
+ - name: Install a script that recursively sets the ACLs on all the directory tree that must be writeable and readable
+ template: src=set-acl-rules.sh.j2 dest=/usr/local/bin/set-acl-rules owner=root group=root mode=0755
+
+ - name: Run the script that recursively sets the ACLs
+ shell: /usr/local/bin/set-acl-rules
+ when: d4s_force_acls
+
+ tags: [ 'd4s', 'users', 'd4s_u_acl' ]
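Review bot: The new `Run the script that recursively sets the ACLs` task at the end of the hunk tests `when: d4s_force_acls` directly, so a value supplied on the command line as the string `False` (or `no`) is a non-empty string, evaluates truthy, and the recursive setfacl walk runs anyway; use `when: d4s_force_acls | bool`. The task also uses `shell:` to run one fixed path with no shell features, so `command: /usr/local/bin/set-acl-rules` is the stricter choice, and it will report `changed` on every run because nothing tells Ansible whether an ACL was actually modified — a comment above it such as `# Not idempotent: rewrites the ACLs of the whole tree on every run where the flag is set` makes that visible to whoever enables the flag. The template task installs the script even when the flag is off, which looks intended (it can be run by hand) but is worth a word in its `name`.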
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -e
+set -o pipefail
+
+{% for path in d4s_users_data_directories %}
+
+find {{ path.name }} -type d -exec setfacl -m g:{{ d4science_common_group }}:rwx,o:rx,m:rwx {} \;
+find {{ path.name }} -type d -exec setfacl -d -m g:{{ d4science_common_group }}:rwx,o:rx,m:rwx {} \;
+find {{ path.name }} -type f -exec setfacl -m g:{{ d4science_common_group }}:rw,o:r,m:rw {} \;
+{% endfor %}
+
+exit 0
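Review bot: The three `setfacl` calls in the loop body hard-code `o:rx` and `o:r`, which rewrite the "other" mode bits of every directory and file under each configured tree to world-readable, regardless of the `perms` the same entry configures in `d4s_users_data_directories` and of the per-entry `aclperms` the acl tasks honour; unless world access is really intended those entries should go. `{{ path.name }}` is also interpolated unquoted into `find`, so a path containing whitespace or glob characters is split or expanded by the shell, and since `find` exits non-zero for a missing start path, `set -e` aborts the whole script at the first entry that has `create: False` and does not exist yet, leaving later trees untouched. Quote the path, guard on its existence, and use `-exec … {} +` so setfacl is invoked once per batch rather than once per file.
```shell
{% for path in d4s_users_data_directories %}
# Skip entries that are not present yet instead of aborting the whole run under set -e.
if [ -e '{{ path.name }}' ]; then
  find '{{ path.name }}' -type d -exec setfacl -m g:{{ d4science_common_group }}:rwx,m:rwx {} +
  find '{{ path.name }}' -type d -exec setfacl -d -m g:{{ d4science_common_group }}:rwx,m:rwx {} +
  find '{{ path.name }}' -type f -exec setfacl -m g:{{ d4science_common_group }}:rw,m:rw {} +
fi
{% endfor %}
```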