From 7f8c6e8c75b0b3acc663d4bb8fb8b91d5668fb23 Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Thu, 20 Apr 2017 20:33:53 +0200
Subject: [PATCH] library/roles/d4s_user_services_perms: Add new tasks to manage ACLS, when multiple users need to read/write the same directories and files. See https://support.d4science.org/issues/6761#note-25
---
 d4s_user_services_perms/defaults/main.yml | 8 ++++-
 d4s_user_services_perms/tasks/main.yml | 2 ++
 .../tasks/users-data-dirs.yml | 34 +++++++++++++++++++
 3 files changed, 43 insertions(+), 1 deletion(-)
 create mode 100644 d4s_user_services_perms/tasks/users-data-dirs.yml
diff --git a/d4s_user_services_perms/defaults/main.yml b/d4s_user_services_perms/defaults/main.yml
index ab857e8a..98f50ad6 100644
--- a/d4s_user_services_perms/defaults/main.yml
+++ b/d4s_user_services_perms/defaults/main.yml
@@ -1,5 +1,6 @@
 ---
 d4science_user: gcube
+d4science_common_group: d4s_data
 d4science_user_create_home: True
 d4science_user_home: '/home/{{ d4science_user }}'
 d4science_user_shell: /bin/bash
@@ -16,7 +17,6 @@ d4science_tomcat_options_files: - '/etc/default/tomcat-instance-{{ item.0.http_port }}' - '/etc/default/tomcat-instance-{{ item.0.http_port }}.local' - d4science_service_commands: - /etc/init.d/*
@@ -29,6 +29,12 @@ d4science_service_start_command:
 d4science_service_stop_command:
+# Define the following if you want some directories readable and writable by the d4s group but outside the d4s app data dirs
+#d4s_users_data_directories:
+# - { name: '/data/1', perms: 0755, create: True, file: False, owner: '{{ d4science_user }}', groups: ['gcube', 'gcube1' ], aclperms: 'rwx' }
+# - { name: '/data/2', create: False, perms: 0755, file: False, owner: '{{ d4science_user }}', groups: ['gcube', 'gcube1' ], aclperms: 'rwx' }
+# - { name: '/data/bah', create: False, perms: 0644, file: True, aclperms: 'rw' }
+
 limits_nofile_value: 16000
 security_limits:
 - { domain: '{{ d4science_user }}', l_item: 'nofile', type: 'soft', value: '{{ limits_nofile_value }}' }
diff --git a/d4s_user_services_perms/tasks/main.yml b/d4s_user_services_perms/tasks/main.yml
index cf555365..307c3c8d 100644
--- a/d4s_user_services_perms/tasks/main.yml
+++ b/d4s_user_services_perms/tasks/main.yml
@@ -7,4 +7,6 @@
   when: d4s_service_node
 - include: d4s-basic-node.yml
   when: gcore_node
+- include: users-data-dirs.yml
+  when: d4s_users_data_directories is defined
 - include: security_limits.yml
diff --git a/d4s_user_services_perms/tasks/users-data-dirs.yml b/d4s_user_services_perms/tasks/users-data-dirs.yml
new file mode 100644
index 00000000..e65ce115
--- /dev/null
+++ b/d4s_user_services_perms/tasks/users-data-dirs.yml
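Review bot: The commented example does not match the tasks that consume it: the directory entries carry a `groups:` key while `users-data-dirs.yml` reads `item.group` (singular) and `item.owner`, and the `file: True` entry has neither, so copying the example as-is fails on an undefined attribute in the "Create the users d4s data dirs" task. The unquoted `perms: 0755` is also read by YAML 1.1 as the integer 493 and rendered through `mode={{ item.perms }}` as a decimal string, which the file module will not accept as an octal mode. I would write the first example as `# - { name: '/data/1', perms: '0755', create: True, file: False, owner: '{{ d4science_user }}', group: '{{ d4science_common_group }}', aclperms: 'rwx' }` and extend the leading comment to state that `owner`, `group` and `perms` are required whenever `create: True`.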
@@ -0,0 +1,34 @@
+---
+- name: Create a common group
+  group: name={{ d4science_common_group }} state=present
+  tags: [ 'd4s', 'users', 'd4s_u_acl' ]
+
+- name: Add the gcube users to the common group
+  user: name={{ item.name }} append=yes groups={{ d4science_common_group }}
+  with_items: '{{ ssh_users_list }}'
+  tags: [ 'd4s', 'users', 'd4s_u_acl' ]
+
+- name: Create the users d4s data dirs
+  file: name={{ item.name }} state=directory owner={{ item.owner }} group={{ item.group }} mode={{ item.perms }}
+  with_items: '{{ d4s_users_data_directories | default([]) }}'
+  when: item.create and not item.file
+  tags: [ 'd4s', 'users', 'd4s_u_acl' ]
+
+- name: Set the read/write/access permissions on the users d4s data dirs
+  acl: name={{ item.name }} entity={{ d4science_common_group }} etype=group permissions={{ item.aclperms | default ('rwx') }} state=present
+  with_items: '{{ d4s_users_data_directories | default([]) }}'
+  when: not item.file
+  tags: [ 'd4s', 'users', 'd4s_u_acl' ]
+
+- name: Set the default read/write/access permissions on the users d4s data dirs
+  acl: name={{ item.name }} entity={{ d4science_common_group }} etype=group permissions={{ item.aclperms | default ('rwx') }} state=present default=yes
+  with_items: '{{ d4s_users_data_directories | default([]) }}'
+  when: not item.file
+  tags: [ 'd4s', 'users', 'd4s_u_acl' ]
+
+- name: Set the read/write permissions on pre-existing files inside the users d4s data dirs
+  acl: name={{ item.name }} entity={{ d4s_group }} etype=group permissions={{ item.aclperms | default ('rw') }} state=present
+  with_items: '{{ d4s_users_data_directories | default([]) }}'
+  when: item.file
+  tags: [ 'd4s', 'users', 'd4s_u_acl' ]
+
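Review bot: The last task grants the file ACL to `entity={{ d4s_group }}` while every other task in this file uses `{{ d4science_common_group }}`; `d4s_group` is not defined in this role's defaults, so the task either fails on an undefined variable or, if some `d4s_group` exists elsewhere in the inventory, hands rw access to a different group than the one that owns the directories — it should read `entity={{ d4science_common_group }}`. The condition `when: item.create and not item.file` also errors on any entry without a `create` key (the file example in defaults has none), because the undefined attribute is an error rather than a false; `when: item.create | default(False) and not item.file` handles it. From a least-privilege standpoint, the second task adds every account in `ssh_users_list` to the common group, which (if that list is the host's full set of login users) gives all SSH users write access to the shared data dirs; a dedicated variable naming only the accounts that need the access would be safer. Note also that the default ACL only affects files created after it is set, so files already present in a listed directory keep their old ACL unless each is listed with `file: True` or the acl task is run with the module's `recursive` option.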