library/roles/d4s_user_services_perms: Add a script that recursively sets the ACLs.

This commit is contained in:
Andrea Dell'Amico 2017-08-13 20:11:38 +02:00
parent e0fce456e8
commit b86f5641c9
4 changed files with 50 additions and 29 deletions


@ -36,6 +36,11 @@ d4science_service_stop_command:
# - { name: '/data/2', create: False, perms: 0755, file: False, owner: '{{ d4science_user }}', groups: ['gcube', 'gcube1' ], aclperms: 'rwx' } # - { name: '/data/2', create: False, perms: 0755, file: False, owner: '{{ d4science_user }}', groups: ['gcube', 'gcube1' ], aclperms: 'rwx' }
# - { name: '/data/bah', create: False, perms: 0644, file: True, aclperms: 'rw' } # - { name: '/data/bah', create: False, perms: 0644, file: True, aclperms: 'rw' }
# Set it to True if you want to run the script that sets the ACLs on every
# subdirectory and file of the d4s_users_data_directories.
# WARNING: it could take a long time to finish
d4s_force_acls: False
limits_nofile_value: 16000 limits_nofile_value: 16000
security_limits: security_limits:
- { domain: '{{ d4science_user }}', l_item: 'nofile', type: 'soft', value: '{{ limits_nofile_value }}' } - { domain: '{{ d4science_user }}', l_item: 'nofile', type: 'soft', value: '{{ limits_nofile_value }}' }
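Review bot: `d4s_force_acls: False` introduces the capitalised YAML 1.1 boolean spelling, which yamllint's truthy rule rejects and which some parsers read differently from `false`; the lowercase form is the unambiguous one: `d4s_force_acls: false`. The comment block above it documents the cost but not the effect; since the script this flag enables rewrites ACLs on every entry beneath the configured trees, a line such as `# It rewrites the ACLs (including the other-class bits) on every existing entry.` would tell the operator what they are opting into. The commented example entries keep `perms: 0755`/`0644` unquoted, which is the octal-integer trap if they are ever uncommented; `perms: '0755'` is the safe spelling.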


@ -2,10 +2,10 @@
- name: Create the d4science user - name: Create the d4science user
user: name={{ d4science_user }} home={{ d4science_user_home }} createhome={{ d4science_user_create_home }} shell={{ d4science_user_shell }} user: name={{ d4science_user }} home={{ d4science_user_home }} createhome={{ d4science_user_create_home }} shell={{ d4science_user_shell }}
when: gcore_users is not defined when: gcore_users is not defined
tags: [ 'gcore', 'd4science', 'users' ] tags: [ 'gcore', 'd4science', 'users', 'd4s' ]
- name: Create the d4science users - name: Create the d4science users
user: name={{ item }} home=/home/{{ item }} createhome={{ d4science_user_create_home }} shell={{ d4science_user_shell }} user: name={{ item }} home=/home/{{ item }} createhome={{ d4science_user_create_home }} shell={{ d4science_user_shell }}
with_items: '{{ gcore_users | default([]) }}' with_items: '{{ gcore_users | default([]) }}'
tags: [ 'gcore', 'd4science', 'users' ] tags: [ 'gcore', 'd4science', 'users', 'd4s' ]


@ -1,34 +1,37 @@
--- ---
- name: Create a common group - block:
group: name={{ d4science_common_group }} state=present - name: Create a common group
tags: [ 'd4s', 'users', 'd4s_u_acl' ] group: name={{ d4science_common_group }} state=present
- name: Add the gcube users to the common group - name: Add the gcube users to the common group
user: name={{ item.name }} append=yes groups={{ d4science_common_group }} user: name={{ item.name }} append=yes groups={{ d4science_common_group }}
with_items: '{{ ssh_users_list }}' with_items: '{{ ssh_users_list }}'
tags: [ 'd4s', 'users', 'd4s_u_acl' ]
- name: Create the users d4s data dirs - name: Create the users d4s data dirs
file: name={{ item.name }} state=directory owner={{ item.owner }} group={{ item.group }} mode={{ item.perms }} file: name={{ item.name }} state=directory owner={{ item.owner }} group={{ item.group }} mode={{ item.perms }}
with_items: '{{ d4s_users_data_directories | default([]) }}' with_items: '{{ d4s_users_data_directories | default([]) }}'
when: item.create and not item.file when: item.create and not item.file
tags: [ 'd4s', 'users', 'd4s_u_acl' ]
- name: Set the read/write/access permissions on the users d4s data dirs - name: Set the read/write/access permissions on the users d4s data dirs
acl: name={{ item.name }} entity={{ d4science_common_group }} etype=group permissions={{ item.aclperms | default ('rwx') }} state=present acl: path={{ item.name }} entity={{ d4science_common_group }} etype=group permissions={{ item.aclperms | default ('rwx') }} state=present
with_items: '{{ d4s_users_data_directories | default([]) }}' with_items: '{{ d4s_users_data_directories | default([]) }}'
when: not item.file when: not item.file
tags: [ 'd4s', 'users', 'd4s_u_acl' ]
- name: Set the default read/write/access permissions on the users d4s data dirs - name: Set the default read/write/access permissions on the users d4s data dirs
acl: name={{ item.name }} entity={{ d4science_common_group }} etype=group permissions={{ item.aclperms | default ('rwx') }} state=present default=yes acl: path={{ item.name }} entity={{ d4science_common_group }} etype=group permissions={{ item.aclperms | default ('rwx') }} state=present default=yes
with_items: '{{ d4s_users_data_directories | default([]) }}' with_items: '{{ d4s_users_data_directories | default([]) }}'
when: not item.file when: not item.file
tags: [ 'd4s', 'users', 'd4s_u_acl' ]
- name: Set the read/write permissions on pre-existing files inside the users d4s data dirs - name: Set the read/write permissions on pre-existing files inside the users d4s data dirs
acl: name={{ item.name }} entity={{ d4s_group }} etype=group permissions={{ item.aclperms | default ('rw') }} state=present acl: path={{ item.name }} entity={{ d4science_common_group }} etype=group permissions={{ item.aclperms | default ('rw') }} state=present
with_items: '{{ d4s_users_data_directories | default([]) }}' with_items: '{{ d4s_users_data_directories | default([]) }}'
when: item.file when: item.file
tags: [ 'd4s', 'users', 'd4s_u_acl' ]
- name: Install a script that recursively sets the ACLs on all the directory tree that must be writeable and readable
template: src=set-acl-rules.sh.j2 dest=/usr/local/bin/set-acl-rules owner=root group=root mode=0755
- name: Run the script that recursively sets the ACLs
shell: /usr/local/bin/set-acl-rules
when: d4s_force_acls
tags: [ 'd4s', 'users', 'd4s_u_acl' ]
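Review bot: The new task at `shell: /usr/local/bin/set-acl-rules` runs a fixed path with no shell features, so `command:` is the better fit (no interpolation by a shell, and ansible-lint flags `shell` for exactly this case), and as written the task reports `changed` on every run in which `d4s_force_acls` is true because nothing tells Ansible otherwise. `command: /usr/local/bin/set-acl-rules` together with a `changed_when: false` (or a `register`/`changed_when` based on the script's output, if it is made to report what it touched) would make the play's summary honest. The indentation of the rendered page is lost, so whether the closing `tags` line applies to the whole `block` or only to the last task is inferred rather than visible; if it is the block's, the per-task `tags` removed in this hunk are covered, otherwise the template and acl tasks lost their tags.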


@ -0,0 +1,13 @@
#!/bin/bash
set -e
set -o pipefail
{% for path in d4s_users_data_directories %}
find {{ path.name }} -type d -exec setfacl -m g:{{ d4science_common_group }}:rwx,o:rx,m:rwx {} \;
find {{ path.name }} -type d -exec setfacl -d -m g:{{ d4science_common_group }}:rwx,o:rx,m:rwx {} \;
find {{ path.name }} -type f -exec setfacl -m g:{{ d4science_common_group }}:rw,o:r,m:rw {} \;
{% endfor %}
exit 0
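Review bot: The `o:rx` and `o:r` entries in each `setfacl -m` line rewrite the other-class permission bits of every directory and file under the configured trees, so a tree created with a restrictive `perms` by the file task becomes world-readable as soon as `d4s_force_acls` is enabled, and the group entry hard-codes `rwx`/`rw` instead of honouring the per-entry `aclperms` that the `acl` tasks in the same role apply. `{{ path.name }}` is unquoted inside the shell command, so a path with whitespace or glob characters is word-split by bash before `find` sees it, and `set -e` gives no protection here because `find ... -exec ... \;` exits 0 even when individual `setfacl` invocations fail, whereas `-exec ... {} +` propagates a failure and also avoids spawning one process per entry, which is presumably most of the runtime the WARNING comment refers to. The tasks guard the variable with `| default([])` while the template does not, so rendering the script fails on hosts where `d4s_users_data_directories` is undefined, unless a role default supplies it (not visible in this commit). The rewrite below keeps the group and mask entries and lets the other-class bits stay as the `perms` mode set them.

```shell
{% for path in d4s_users_data_directories | default([]) %}
find "{{ path.name }}" -type d -exec setfacl -m g:{{ d4science_common_group }}:{{ path.aclperms | default('rwx') }},m:rwx {} +
find "{{ path.name }}" -type d -exec setfacl -d -m g:{{ d4science_common_group }}:{{ path.aclperms | default('rwx') }},m:rwx {} +
find "{{ path.name }}" -type f -exec setfacl -m g:{{ d4science_common_group }}:{{ path.aclperms | default('rw') }},m:rw {} +
{% endfor %}
# … unchanged: exit 0 …
```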