From 6c911f85db068d860d00aad21a89c1050106af84 Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Thu, 9 Nov 2017 19:40:41 +0100
Subject: [PATCH] dnet_user_services_perms: Fix the acl tasks so that they can run safely in recursive mode.
---
 .../tasks/dnet-data-dirs.yml | 18 ++++--------------
 .../tasks/dnet-tomcat-acls.yml | 16 ++++++++--------
 .../tasks/dnet-users-data-dirs.yml | 12 ++---------
 3 files changed, 14 insertions(+), 32 deletions(-)
diff --git a/dnet_user_services_perms/tasks/dnet-data-dirs.yml b/dnet_user_services_perms/tasks/dnet-data-dirs.yml
index 4a5cdacc..05f60eb2 100644
--- a/dnet_user_services_perms/tasks/dnet-data-dirs.yml
+++ b/dnet_user_services_perms/tasks/dnet-data-dirs.yml
@@ -10,32 +10,22 @@
   tags: [ 'tomcat', 'dnet', 'users' ]
 - name: Set the read/write permissions on the dnet data dirs
-  acl: name={{ item }} entity={{ dnet_group }} etype=group permissions=rwx state=present
+  acl: name={{ item }} entity={{ dnet_group }} etype=group permissions=rwX state=present recursive=yes
   with_items: '{{ dnet_data_directories }}'
   tags: [ 'tomcat', 'dnet', 'users' ]
 - name: Set the default read/write permissions on the dnet data dirs
-  acl: name={{ item }} entity={{ dnet_group }} etype=group permissions=rwx state=present default=yes
+  acl: name={{ item }} entity={{ dnet_group }} etype=group permissions=rwX state=present default=yes recursive=yes
   with_items: '{{ dnet_data_directories }}'
   tags: [ 'tomcat', 'dnet', 'users' ]
-- name: Recursively set the ACLs to give access and read write permissions on the dnet data directories
-  shell: find {{ item }} -type d -exec setfacl -d -m group:{{ dnet_group }}:rwx,m:rwx {} \; ; find {{ item }} -type d -exec setfacl -m group:{{ dnet_group }}:rwx,m:rwx {} \; ; find {{ item }} -type f -exec setfacl -m group:{{ dnet_group }}:rw,m:rw {} \;
-  with_items: '{{ dnet_data_directories }}'
-  tags: [ 'dnet_acls', 'dnet', 'users' ]
-
 - name: Set the read permissions on the dnet log dirs
-  acl: name={{ item }} entity={{ dnet_group }} etype=group permissions=rx state=present
+  acl: name={{ item }} entity={{ dnet_group }} etype=group permissions=rX state=present recursive=yes
   with_items: '{{ dnet_log_directories }}'
   tags: [ 'tomcat', 'dnet', 'users' ]
 - name: Set the default read permissions on the dnet log dirs
-  acl: name={{ item }} entity={{ dnet_group }} etype=group permissions=rx state=present default=yes
+  acl: name={{ item }} entity={{ dnet_group }} etype=group permissions=rX state=present default=yes recursive=yes
   with_items: '{{ dnet_log_directories }}'
   tags: [ 'tomcat', 'dnet', 'users' ]
-- name: Recursively set the ACLs to give access and read permissions on the log directories
-  shell: find {{ item }} -type d -exec setfacl -d -m group:{{ dnet_group }}:r-x {} \; ; find {{ item }} -type d -exec setfacl -m group:{{ dnet_group }}:r-x {} \; ; find {{ item }} -type f -exec setfacl -m group:{{ dnet_group }}:r {} \;
-  with_items: '{{ dnet_log_directories }}'
-  tags: [ 'dnet_acls', 'dnet', 'users' ]
-
diff --git a/dnet_user_services_perms/tasks/dnet-tomcat-acls.yml b/dnet_user_services_perms/tasks/dnet-tomcat-acls.yml
index 2a3db7a9..e5357647 100644
--- a/dnet_user_services_perms/tasks/dnet-tomcat-acls.yml
+++ b/dnet_user_services_perms/tasks/dnet-tomcat-acls.yml
@@ -4,14 +4,14 @@
 #
 # Note: the default is a default only. We need two commands to add acl effectively on the root dir and set the default
 - name: Set the read/write permissions on the tomcat webapps and common/classes directories. single tomcat instance
-  acl: name={{ item }} entity={{ dnet_group }} etype=group permissions=rwx state=present
+  acl: name={{ item }} entity={{ dnet_group }} etype=group permissions=rwX state=present recursive=yes
   with_items:
     - [ '{{ tomcat_webapps_dir }}', '{{ tomcat_common_classes_dir }}', '{{ tomcat_common_dir }}' ]
   when: tomcat_m_instances is not defined
   tags: [ 'tomcat', 'dnet', 'users' ]
 - name: Set the default read/write permissions on the tomcat webapps and common/classes directories. single tomcat instance
-  acl: name={{ item }} entity={{ dnet_group }} etype=group permissions=rwx state=present default=yes
+  acl: name={{ item }} entity={{ dnet_group }} etype=group permissions=rwX state=present default=yes recursive=yes
   with_items:
     - [ '{{ tomcat_webapps_dir }}', '{{ tomcat_common_classes_dir }}', '{{ tomcat_common_dir }}' ]
   when: tomcat_m_instances is not defined
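Review bot: The `rwx` → `rwX` change on the four acl lines is what keeps the new `recursive=yes` from marking every data and log file executable, yet nothing in the task records that, and with the removed find/setfacl task that handled files separately gone, the next editor may well "normalise" it back to `rwx`. I would add `# Capital X: setfacl grants execute only on directories and on files that already have an execute bit, so the recursive walk does not make plain files executable` above the first data-dir task and again above the first log-dir task; the tomcat and users-data-dirs hunks need the same comment. One behavioural difference worth a sentence in the commit message: the old `find` walk did not follow symlinks at all, while setfacl follows a symlink given as the top-level path (skipping symlinks met during the descent), so a symlinked entry in `dnet_data_directories` or `dnet_log_directories` now gets its target's tree relabelled — presumably intended, otherwise the module's `follow=no` pins the walk to the physical path.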
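Review bot: With `recursive=yes` the `'{{ tomcat_common_classes_dir }}'` entry in both with_items lists is most likely redundant, since the walk over `'{{ tomcat_common_dir }}'` already descends into it (assuming it is the `common/classes` subdirectory the task name refers to); the same goes for `'common/classes'` next to `'common'` in the with_nested lists of the multiple-instances hunks at -37 and -45. Each redundant entry means one more setfacl pass over the same subtree per task, which adds up on a populated webapps/common tree on every run. If the duplicate is kept deliberately, a comment such as `# common/classes is already covered by the recursive walk over common; listed for clarity` would stop the next reader from wondering.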
@@ -19,14 +19,14 @@
 # Note: the default is a default only. We need two commands to add acl effectively on the root dir and set the default
 - name: Set the read permissions on the tomcat log directory. single tomcat instance
-  acl: name={{ item }} entity={{ dnet_group }} etype=group permissions=rx state=present
+  acl: name={{ item }} entity={{ dnet_group }} etype=group permissions=rX state=present recursive=yes
   with_items:
     - [ '{{ tomcat_logdir }}' ]
   when: tomcat_m_instances is not defined
   tags: [ 'tomcat', 'dnet', 'users' ]
 - name: Set the default read permissions on the tomcat log directory. single tomcat instance
-  acl: name={{ item }} entity={{ dnet_group }} etype=group permissions=rx state=present default=yes
+  acl: name={{ item }} entity={{ dnet_group }} etype=group permissions=rX state=present default=yes recursive=yes
   with_items:
     - [ '{{ tomcat_logdir }}' ]
   when: tomcat_m_instances is not defined
@@ -37,7 +37,7 @@
 #
 # Note: the default is a default only. We need two commands to add acl effectively on the root dir and set the default
 - name: Set the read/write permissions on the tomcat webapps and common/classes directories. multiple tomcat instances
-  acl: name={{ item.0.instance_path }}/{{ item.1 }} entity={{ dnet_group }} etype=group permissions=rwx state=present
+  acl: name={{ item.0.instance_path }}/{{ item.1 }} entity={{ dnet_group }} etype=group permissions=rwX state=present recursive=yes
   with_nested:
     - '{{ tomcat_m_instances }}'
     - [ 'webapps', 'common', 'common/classes' ]
@@ -45,7 +45,7 @@
   tags: [ 'tomcat', 'dnet', 'users' ]
 - name: Set the default read/write permissions on the tomcat webapps and common/classes directories. multiple tomcat instances
-  acl: name={{ item.0.instance_path }}/{{ item.1 }} entity={{ dnet_group }} etype=group permissions=rwx state=present default=yes
+  acl: name={{ item.0.instance_path }}/{{ item.1 }} entity={{ dnet_group }} etype=group permissions=rwX state=present default=yes recursive=yes
   with_nested:
     - '{{ tomcat_m_instances }}'
     - [ 'webapps', 'common', 'common/classes' ]
@@ -54,13 +54,13 @@
 # Note: the default is a default only. We need two commands to add acl effectively on the root dir and set the default
 - name: Set the read permissions on the tomcat log directory. multiple tomcat instances
-  acl: name={{ tomcat_m_instances_logdir_base }}/{{ item.http_port }} entity={{ dnet_group }} etype=group permissions=rx state=present
+  acl: name={{ tomcat_m_instances_logdir_base }}/{{ item.http_port }} entity={{ dnet_group }} etype=group permissions=rX state=present recursive=yes
   with_items: '{{ tomcat_m_instances }}'
   when: tomcat_m_instances is defined
   tags: [ 'tomcat', 'dnet', 'users' ]
 - name: Set the default read permissions on the tomcat log directory. multiple tomcat instances
-  acl: name={{ tomcat_m_instances_logdir_base }}/{{ item.http_port }} entity={{ dnet_group }} etype=group permissions=rx state=present default=yes
+  acl: name={{ tomcat_m_instances_logdir_base }}/{{ item.http_port }} entity={{ dnet_group }} etype=group permissions=rX state=present default=yes recursive=yes
   with_items: '{{ tomcat_m_instances }}'
   when: tomcat_m_instances is defined
   tags: [ 'tomcat', 'dnet', 'users' ]
diff --git a/dnet_user_services_perms/tasks/dnet-users-data-dirs.yml b/dnet_user_services_perms/tasks/dnet-users-data-dirs.yml
index 9dfd0290..3fe81cf1 100644
--- a/dnet_user_services_perms/tasks/dnet-users-data-dirs.yml
+++ b/dnet_user_services_perms/tasks/dnet-users-data-dirs.yml
@@ -6,20 +6,12 @@
   tags: [ 'dnet', 'users', 'dnet_u_acl' ]
 - name: Set the read/write/access permissions on the users dnet data dirs
-  acl: name={{ item.name }} entity={{ dnet_group }} etype=group permissions={{ item.aclperms | default ('rwx') }} state=present
+  acl: name={{ item.name }} entity={{ dnet_group }} etype=group permissions={{ item.aclperms | default ('rwX') }} state=present recursive=yes
   with_items: '{{ dnet_users_data_directories | default([]) }}'
-  when: not item.file
   tags: [ 'dnet', 'users', 'dnet_u_acl' ]
 - name: Set the default read/write/access permissions on the users dnet data dirs
-  acl: name={{ item.name }} entity={{ dnet_group }} etype=group permissions={{ item.aclperms | default ('rwx') }} state=present default=yes
+  acl: name={{ item.name }} entity={{ dnet_group }} etype=group permissions={{ item.aclperms | default ('rwX') }} state=present default=yes recursive=yes
   with_items: '{{ dnet_users_data_directories | default([]) }}'
-  when: not item.file
-  tags: [ 'dnet', 'users', 'dnet_u_acl' ]
-
-- name: Set the read/write permissions on pre-existing files inside the users dnet data dirs
-  acl: name={{ item.name }} entity={{ dnet_group }} etype=group permissions={{ item.aclperms | default ('rw') }} state=present
-  with_items: '{{ dnet_users_data_directories | default([]) }}'
-  when: item.file
   tags: [ 'dnet', 'users', 'dnet_u_acl' ]
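Review bot: Removing `when: not item.file` from the `default=yes` task means it now also runs for entries flagged `file: true`, which the deleted third task shows the `dnet_users_data_directories` list was designed to carry; setfacl rejects default ACLs on anything but a directory ("Only directories can have default ACLs"), so such an entry is likely to fail the play at this task. Either keep `when: not item.file` on the default task (the first task is fine without it, since `rwX` adds no execute bit to a plain file), or state the new contract above the first task, e.g. `# Entries must be directories: the recursive walk sets the ACLs on the files inside them`, and drop any remaining `file: true` items from the inventory variable. A user-supplied `aclperms` that still spells `rwx` also silently reintroduces the executable-files problem under recursion, so the comment should mention that `aclperms` values are expected to use `X` rather than `x`.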