library/roles/d4s_user_services_perms: Add new tasks to manage ACLS, when multiple users need to read/write the same directories and files. See https://support.d4science.org/issues/6761#note-25

d4s_user_services_perms/defaults/main.yml

@@ -1,5 +1,6 @@
 ---
 d4science_user: gcube
+d4science_common_group: d4s_data
 d4science_user_create_home: True
 d4science_user_home: '/home/{{ d4science_user }}'
 d4science_user_shell: /bin/bash
@@ -16,7 +17,6 @@ d4science_tomcat_options_files:
   - '/etc/default/tomcat-instance-{{ item.0.http_port }}'
   - '/etc/default/tomcat-instance-{{ item.0.http_port }}.local'
 
-
 d4science_service_commands:
   - /etc/init.d/*
 
@@ -29,6 +29,12 @@ d4science_service_start_command:
 d4science_service_stop_command:
 
 
+# Define the following if you want some directories readable and writable by the d4s group but outside the d4s app data dirs
+#d4s_users_data_directories:
+#  - { name: '/data/1', perms: 0755, create: True, file: False, owner: '{{ d4science_user }}', groups: ['gcube', 'gcube1' ], aclperms: 'rwx' }
+#  - { name: '/data/2', create: False, perms: 0755, file: False, owner: '{{ d4science_user }}', groups: ['gcube', 'gcube1' ], aclperms: 'rwx' }
+#  - { name: '/data/bah', create: False, perms: 0644, file: True, aclperms: 'rw' }
+
 limits_nofile_value: 16000
 security_limits:
   - { domain: '{{ d4science_user }}', l_item: 'nofile', type: 'soft', value: '{{ limits_nofile_value }}' }

d4s_user_services_perms/tasks/main.yml

@@ -7,4 +7,6 @@
   when: d4s_service_node
 - include: d4s-basic-node.yml
   when: gcore_node
+- include: users-data-dirs.yml
+  when: d4s_users_data_directories is defined
 - include: security_limits.yml

d4s_user_services_perms/tasks/users-data-dirs.yml

@@ -0,0 +1,34 @@
+---
+- name: Create a common group
+  group: name={{ d4science_common_group }} state=present
+  tags: [ 'd4s', 'users', 'd4s_u_acl' ]
+
+- name: Add the gcube users to the common group
+  user: name={{ item.name }} append=yes groups={{ d4science_common_group }}
+  with_items: '{{ ssh_users_list }}'
+  tags: [ 'd4s', 'users', 'd4s_u_acl' ]
+
+- name: Create the users d4s data dirs
+  file: name={{ item.name }} state=directory owner={{ item.owner }} group={{ item.group }} mode={{ item.perms }}
+  with_items: '{{ d4s_users_data_directories | default([]) }}'
+  when: item.create and not item.file
+  tags: [ 'd4s', 'users', 'd4s_u_acl' ]
+
+- name: Set the read/write/access permissions on the users d4s data dirs
+  acl: name={{ item.name }} entity={{ d4science_common_group }} etype=group permissions={{ item.aclperms | default ('rwx') }} state=present
+  with_items: '{{ d4s_users_data_directories | default([])  }}'
+  when: not item.file
+  tags: [ 'd4s', 'users', 'd4s_u_acl' ]
+
+- name: Set the default read/write/access permissions on the users d4s data dirs
+  acl: name={{ item.name }} entity={{ d4science_common_group }} etype=group permissions={{ item.aclperms | default ('rwx') }} state=present default=yes
+  with_items: '{{ d4s_users_data_directories | default([])  }}'
+  when: not item.file
+  tags: [ 'd4s', 'users', 'd4s_u_acl' ]
+
+- name: Set the read/write permissions on pre-existing files inside the users d4s data dirs
+  acl: name={{ item.name }} entity={{ d4s_group }} etype=group permissions={{ item.aclperms | default ('rw') }} state=present
+  with_items: '{{ d4s_users_data_directories | default([])  }}'
+  when: item.file
+  tags: [ 'd4s', 'users', 'd4s_u_acl' ]
+