Merge branch '__acl_improvements_vol3' into 'master'
__acl rewrite. See merge request ungleich-public/cdist!785
b4f090fd7f
8 changed files with 95 additions and 76 deletions
@ -20,29 +20,20 @@
|
|||
|
||||
# TODO check if filesystem has ACL turned on etc
|
||||
|
||||
for parameter in user group
|
||||
if [ -f "$__object/parameter/acl" ]
|
||||
then
|
||||
grep -E '^(default:)?(user|group):' "$__object/parameter/acl" \
|
||||
| while read -r acl
|
||||
do
|
||||
if [ ! -f "$__object/parameter/$parameter" ]
|
||||
then
|
||||
continue
|
||||
fi
|
||||
param="$( echo "$acl" | awk -F: '{print $(NF-2)}' )"
|
||||
check="$( echo "$acl" | awk -F: '{print $(NF-1)}' )"
|
||||
|
||||
while read -r acl
|
||||
do
|
||||
check="$( echo "$acl" | awk -F: '{print $1}' )"
|
||||
[ "$param" = 'user' ] && db=passwd || db="$param"
|
||||
|
||||
if [ "$parameter" = 'user' ]
|
||||
if ! getent "$db" "$check" > /dev/null
|
||||
then
|
||||
getent_db=passwd
|
||||
else
|
||||
getent_db="$parameter"
|
||||
fi
|
||||
|
||||
if ! getent "$getent_db" "$check" > /dev/null
|
||||
then
|
||||
echo "missing $parameter '$check'" >&2
|
||||
echo "missing $param '$check'" >&2
|
||||
exit 1
|
||||
fi
|
||||
done \
|
||||
< "$__object/parameter/$parameter"
|
||||
done
|
||||
fi
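Review bot: Entries without a qualifier are rejected as missing principals: `user::rw-` and `group::r-x` are valid `getfacl` syntax (the owner and owning-group entries), the `grep -E '^(default:)?(user|group):'` filter passes them through, `check` comes out empty and `getent passwd ''` fails, so the run stops with `missing user ''`. Add `[ -z "$check" ] && continue` directly after the `check=` line so only named users and groups are looked up. Note also that the `exit 1` now runs inside the `| while read` subshell rather than the `done < file` loop the old code used, so it only terminates that pipeline; the script itself stops only if the shell runs with `-e` (the pipeline's status is the subshell's), otherwise feed the loop through a here-document so `exit` reaches the script. The deprecated `--user`/`--group` values that the old loop validated no longer get any `getent` check; if they are still accepted, either run them through the same check or say in the deprecation note that their existence is not verified.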
|
||||
|
|
|
@ -24,42 +24,56 @@ file_is="$( cat "$__object/explorer/file_is" )"
|
|||
|
||||
os="$( cat "$__global/explorer/os" )"
|
||||
|
||||
acl_is="$( cat "$__object/explorer/acl_is" )"
|
||||
|
||||
acl_path="/$__object_id"
|
||||
|
||||
if [ -f "$__object/parameter/default" ] && [ "$file_is" = 'directory' ]
|
||||
acl_is="$( cat "$__object/explorer/acl_is" )"
|
||||
|
||||
if [ -f "$__object/parameter/acl" ]
|
||||
then
|
||||
set_default=1
|
||||
acl_should="$( cat "$__object/parameter/acl" )"
|
||||
elif
|
||||
[ -f "$__object/parameter/user" ] \
|
||||
|| [ -f "$__object/parameter/group" ] \
|
||||
|| [ -f "$__object/parameter/mask" ] \
|
||||
|| [ -f "$__object/parameter/other" ]
|
||||
then
|
||||
acl_should="$( for param in user group mask other
|
||||
do
|
||||
[ ! -f "$__object/parameter/$param" ] && continue
|
||||
|
||||
echo "$param" | grep -Eq 'mask|other' && sep=:: || sep=:
|
||||
|
||||
echo "$param$sep$( cat "$__object/parameter/$param" )"
|
||||
done )"
|
||||
else
|
||||
set_default=0
|
||||
echo 'no parameters set' >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
acl_should="$( for parameter in user group mask other
|
||||
do
|
||||
if [ ! -f "$__object/parameter/$parameter" ]
|
||||
if [ -f "$__object/parameter/default" ]
|
||||
then
|
||||
continue
|
||||
acl_should="$( echo "$acl_should" \
|
||||
| sed 's/^default://' \
|
||||
| sort -u \
|
||||
| sed 's/\(.*\)/default:\1\n\1/' )"
|
||||
fi
|
||||
|
||||
while read -r acl
|
||||
do
|
||||
if echo "$acl" | awk -F: '{ print $NF }' | grep -Fq 'X'
|
||||
if [ "$file_is" = 'regular' ] \
|
||||
&& echo "$acl_should" | grep -Eq '^default:'
|
||||
then
|
||||
# only directories can have default ACLs,
|
||||
# but instead of error,
|
||||
# let's just remove default entries
|
||||
acl_should="$( echo "$acl_should" | grep -Ev '^default:' )"
|
||||
fi
|
||||
|
||||
if echo "$acl_should" | awk -F: '{ print $NF }' | grep -Fq 'X'
|
||||
then
|
||||
[ "$file_is" = 'directory' ] && rep=x || rep=-
|
||||
|
||||
acl="$( echo "$acl" | sed "s/\\(.*\\)X/\\1$rep/" )"
|
||||
acl_should="$( echo "$acl_should" | sed "s/\\(.*\\)X/\\1$rep/" )"
|
||||
fi
|
||||
|
||||
echo "$parameter" | grep -Eq '(mask|other)' && sep=:: || sep=:
|
||||
|
||||
echo "$parameter$sep$acl"
|
||||
|
||||
[ "$set_default" = '1' ] && echo "default:$parameter$sep$acl"
|
||||
done \
|
||||
< "$__object/parameter/$parameter"
|
||||
done )"
|
||||
|
||||
setfacl_exec='setfacl'
|
||||
|
||||
if [ -f "$__object/parameter/recursive" ]
|
||||
|
@ -76,7 +90,7 @@ if [ -f "$__object/parameter/remove" ]
|
|||
then
|
||||
echo "$acl_is" | while read -r acl
|
||||
do
|
||||
# Skip wanted ACL entries which already exist
|
||||
# skip wanted ACL entries which already exist
|
||||
# and skip mask and other entries, because we
|
||||
# can't actually remove them, but only change.
|
||||
if echo "$acl_should" | grep -Eq "^$acl" \
|
||||
|
@ -103,7 +117,7 @@ do
|
|||
if echo "$os" | grep -Fq 'freebsd' \
|
||||
&& echo "$acl" | grep -Eq '^default:'
|
||||
then
|
||||
echo "setting default ACL in $os is currently not supported. sorry :(" >&2
|
||||
echo "setting default ACL in $os is currently not supported" >&2
|
||||
else
|
||||
echo "$setfacl_exec -m \"$acl\" \"$acl_path\""
|
||||
echo "added '$acl'" >> "$__messages_out"
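Review bot: The deprecated-parameter branch prefixes only the first value of each parameter: `echo "$param$sep$( cat "$__object/parameter/$param" )"` puts `user:` in front of the first line of a multi-line `--user` file, so a second `--user bob:r-x` ends up as the bare entry `bob:r-x` in `acl_should` and is later handed to `setfacl -m` without a tag. The old per-line `while read -r acl` loop handled this; the one-line equivalent is `sed "s/^/$param$sep/" "$__object/parameter/$param"` in place of the `echo`. Separately, the `X` rewrite now runs over the whole of `acl_should` once any line's permission field contains `X`, and `s/\(.*\)X/\1$rep/` replaces the last `X` on every line, so a line whose name contains an `X` but whose permissions do not (e.g. `user:maX:rw-`) would be altered where the old per-entry check left it alone; since the execute bit is always the final character, `sed "s/X$/$rep/"` confines the substitution to the permission field. The hunk's conditionals are complete within it; the remainder of gencode-remote continues outside.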
|
||||
|
@ -8,42 +8,36 @@ cdist-type__acl - Set ACL entries
|
|||
|
||||
DESCRIPTION
|
||||
-----------
|
||||
ACL must be defined as 3-symbol combination, using ``r``, ``w``, ``x`` and ``-``.
|
||||
|
||||
Fully supported and tested on Linux (ext4 filesystem), partial support for FreeBSD.
|
||||
|
||||
See ``setfacl`` and ``acl`` manpages for more details.
|
||||
|
||||
|
||||
OPTIONAL MULTIPLE PARAMETERS
|
||||
REQUIRED MULTIPLE PARAMETERS
|
||||
----------------------------
|
||||
user
|
||||
Add user ACL entry.
|
||||
|
||||
group
|
||||
Add group ACL entry.
|
||||
|
||||
|
||||
OPTIONAL PARAMETERS
|
||||
-------------------
|
||||
mask
|
||||
Add mask ACL entry.
|
||||
|
||||
other
|
||||
Add other ACL entry.
|
||||
acl
|
||||
Set ACL entry following ``getfacl`` output syntax.
|
||||
|
||||
|
||||
BOOLEAN PARAMETERS
|
||||
------------------
|
||||
default
|
||||
Set all ACL entries as default too.
|
||||
Only directories can have default ACLs.
|
||||
Setting default ACL in FreeBSD is currently not supported.
|
||||
|
||||
recursive
|
||||
Make ``setfacl`` recursive (Linux only), but not ``getfacl`` in explorer.
|
||||
|
||||
default
|
||||
Add default ACL entries (FreeBSD not supported).
|
||||
|
||||
remove
|
||||
Remove undefined ACL entries (Solaris not supported).
|
||||
ACL entries for ``mask`` and ``other`` can't be removed.
|
||||
Remove undefined ACL entries.
|
||||
``mask`` and ``other`` entries can't be removed, but only changed.
|
||||
|
||||
|
||||
DEPRECATED PARAMETERS
|
||||
---------------------
|
||||
Parameters ``user``, ``group``, ``mask`` and ``other`` are deprecated and they
|
||||
will be removed in future versions. Please use ``acl`` parameter instead.
|
||||
|
||||
|
||||
EXAMPLES
|
||||
|
@ -52,15 +46,30 @@ EXAMPLES
|
|||
.. code-block:: sh
|
||||
|
||||
__acl /srv/project \
|
||||
--default \
|
||||
--recursive \
|
||||
--remove \
|
||||
--acl user:alice:rwx \
|
||||
--acl user:bob:r-x \
|
||||
--acl group:project-group:rwx \
|
||||
--acl group:some-other-group:r-x \
|
||||
--acl mask::r-x \
|
||||
--acl other::r-x
|
||||
|
||||
# give Alice read-only access to subdir,
|
||||
# but don't allow her to see parent content.
|
||||
|
||||
__acl /srv/project2 \
|
||||
--remove \
|
||||
--acl default:group:secret-project:rwx \
|
||||
--acl group:secret-project:rwx \
|
||||
--acl user:alice:--x
|
||||
|
||||
__acl /srv/project2/subdir \
|
||||
--default \
|
||||
--remove \
|
||||
--user alice:rwx \
|
||||
--user bob:r-x \
|
||||
--group project-group:rwx \
|
||||
--group some-other-group:r-x \
|
||||
--mask r-x \
|
||||
--other r-x
|
||||
--acl group:secret-project:rwx \
|
||||
--acl user:alice:r-x
|
||||
|
||||
|
||||
AUTHORS
|
||||
|
1
cdist/conf/type/__acl/parameter/deprecated/group
Normal file
1
cdist/conf/type/__acl/parameter/deprecated/group
Normal file
|
@ -0,0 +1 @@
|
|||
see manual for details
|
1
cdist/conf/type/__acl/parameter/deprecated/mask
Normal file
1
cdist/conf/type/__acl/parameter/deprecated/mask
Normal file
|
@ -0,0 +1 @@
|
|||
see manual for details
|
1
cdist/conf/type/__acl/parameter/deprecated/other
Normal file
1
cdist/conf/type/__acl/parameter/deprecated/other
Normal file
|
@ -0,0 +1 @@
|
|||
see manual for details
|
1
cdist/conf/type/__acl/parameter/deprecated/user
Normal file
1
cdist/conf/type/__acl/parameter/deprecated/user
Normal file
|
@ -0,0 +1 @@
|
|||
see manual for details
|
@ -1,2 +1,3 @@
|
|||
acl
|
||||
user
|
||||
group
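Review bot: `acl` is declared here as an optional multiple parameter, which is consistent with the manifest and gencode still accepting the deprecated `--user`/`--group`/`--mask`/`--other` as an alternative, but the man page in this same commit appears to list `acl` under a `REQUIRED MULTIPLE PARAMETERS` heading. One of the two should change; if `acl` is meant to stay optional while the deprecated parameters exist, the man heading should read `OPTIONAL MULTIPLE PARAMETERS`, with the `no parameters set` error in gencode being what enforces that at least one of them is given.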
|
||||
|