forked from ungleich-public/cdist
Merge branch '__acl_improvements_vol3' into 'master'
__acl rewrite See merge request ungleich-public/cdist!785
This commit is contained in:
commit
b4f090fd7f
8 changed files with 95 additions and 76 deletions
|
@ -20,29 +20,20 @@
|
||||||
|
|
||||||
# TODO check if filesystem has ACL turned on etc
|
# TODO check if filesystem has ACL turned on etc
|
||||||
|
|
||||||
for parameter in user group
|
if [ -f "$__object/parameter/acl" ]
|
||||||
do
|
then
|
||||||
if [ ! -f "$__object/parameter/$parameter" ]
|
grep -E '^(default:)?(user|group):' "$__object/parameter/acl" \
|
||||||
then
|
| while read -r acl
|
||||||
continue
|
|
||||||
fi
|
|
||||||
|
|
||||||
while read -r acl
|
|
||||||
do
|
do
|
||||||
check="$( echo "$acl" | awk -F: '{print $1}' )"
|
param="$( echo "$acl" | awk -F: '{print $(NF-2)}' )"
|
||||||
|
check="$( echo "$acl" | awk -F: '{print $(NF-1)}' )"
|
||||||
|
|
||||||
if [ "$parameter" = 'user' ]
|
[ "$param" = 'user' ] && db=passwd || db="$param"
|
||||||
then
|
|
||||||
getent_db=passwd
|
|
||||||
else
|
|
||||||
getent_db="$parameter"
|
|
||||||
fi
|
|
||||||
|
|
||||||
if ! getent "$getent_db" "$check" > /dev/null
|
if ! getent "$db" "$check" > /dev/null
|
||||||
then
|
then
|
||||||
echo "missing $parameter '$check'" >&2
|
echo "missing $param '$check'" >&2
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
done \
|
done
|
||||||
< "$__object/parameter/$parameter"
|
fi
|
||||||
done
|
|
||||||
|
|
|
@ -24,41 +24,55 @@ file_is="$( cat "$__object/explorer/file_is" )"
|
||||||
|
|
||||||
os="$( cat "$__global/explorer/os" )"
|
os="$( cat "$__global/explorer/os" )"
|
||||||
|
|
||||||
acl_is="$( cat "$__object/explorer/acl_is" )"
|
|
||||||
|
|
||||||
acl_path="/$__object_id"
|
acl_path="/$__object_id"
|
||||||
|
|
||||||
if [ -f "$__object/parameter/default" ] && [ "$file_is" = 'directory' ]
|
acl_is="$( cat "$__object/explorer/acl_is" )"
|
||||||
|
|
||||||
|
if [ -f "$__object/parameter/acl" ]
|
||||||
then
|
then
|
||||||
set_default=1
|
acl_should="$( cat "$__object/parameter/acl" )"
|
||||||
|
elif
|
||||||
|
[ -f "$__object/parameter/user" ] \
|
||||||
|
|| [ -f "$__object/parameter/group" ] \
|
||||||
|
|| [ -f "$__object/parameter/mask" ] \
|
||||||
|
|| [ -f "$__object/parameter/other" ]
|
||||||
|
then
|
||||||
|
acl_should="$( for param in user group mask other
|
||||||
|
do
|
||||||
|
[ ! -f "$__object/parameter/$param" ] && continue
|
||||||
|
|
||||||
|
echo "$param" | grep -Eq 'mask|other' && sep=:: || sep=:
|
||||||
|
|
||||||
|
echo "$param$sep$( cat "$__object/parameter/$param" )"
|
||||||
|
done )"
|
||||||
else
|
else
|
||||||
set_default=0
|
echo 'no parameters set' >&2
|
||||||
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
acl_should="$( for parameter in user group mask other
|
if [ -f "$__object/parameter/default" ]
|
||||||
do
|
then
|
||||||
if [ ! -f "$__object/parameter/$parameter" ]
|
acl_should="$( echo "$acl_should" \
|
||||||
then
|
| sed 's/^default://' \
|
||||||
continue
|
| sort -u \
|
||||||
fi
|
| sed 's/\(.*\)/default:\1\n\1/' )"
|
||||||
|
fi
|
||||||
|
|
||||||
while read -r acl
|
if [ "$file_is" = 'regular' ] \
|
||||||
do
|
&& echo "$acl_should" | grep -Eq '^default:'
|
||||||
if echo "$acl" | awk -F: '{ print $NF }' | grep -Fq 'X'
|
then
|
||||||
then
|
# only directories can have default ACLs,
|
||||||
[ "$file_is" = 'directory' ] && rep=x || rep=-
|
# but instead of error,
|
||||||
|
# let's just remove default entries
|
||||||
|
acl_should="$( echo "$acl_should" | grep -Ev '^default:' )"
|
||||||
|
fi
|
||||||
|
|
||||||
acl="$( echo "$acl" | sed "s/\\(.*\\)X/\\1$rep/" )"
|
if echo "$acl_should" | awk -F: '{ print $NF }' | grep -Fq 'X'
|
||||||
fi
|
then
|
||||||
|
[ "$file_is" = 'directory' ] && rep=x || rep=-
|
||||||
|
|
||||||
echo "$parameter" | grep -Eq '(mask|other)' && sep=:: || sep=:
|
acl_should="$( echo "$acl_should" | sed "s/\\(.*\\)X/\\1$rep/" )"
|
||||||
|
fi
|
||||||
echo "$parameter$sep$acl"
|
|
||||||
|
|
||||||
[ "$set_default" = '1' ] && echo "default:$parameter$sep$acl"
|
|
||||||
done \
|
|
||||||
< "$__object/parameter/$parameter"
|
|
||||||
done )"
|
|
||||||
|
|
||||||
setfacl_exec='setfacl'
|
setfacl_exec='setfacl'
|
||||||
|
|
||||||
|
@ -76,7 +90,7 @@ if [ -f "$__object/parameter/remove" ]
|
||||||
then
|
then
|
||||||
echo "$acl_is" | while read -r acl
|
echo "$acl_is" | while read -r acl
|
||||||
do
|
do
|
||||||
# Skip wanted ACL entries which already exist
|
# skip wanted ACL entries which already exist
|
||||||
# and skip mask and other entries, because we
|
# and skip mask and other entries, because we
|
||||||
# can't actually remove them, but only change.
|
# can't actually remove them, but only change.
|
||||||
if echo "$acl_should" | grep -Eq "^$acl" \
|
if echo "$acl_should" | grep -Eq "^$acl" \
|
||||||
|
@ -103,7 +117,7 @@ do
|
||||||
if echo "$os" | grep -Fq 'freebsd' \
|
if echo "$os" | grep -Fq 'freebsd' \
|
||||||
&& echo "$acl" | grep -Eq '^default:'
|
&& echo "$acl" | grep -Eq '^default:'
|
||||||
then
|
then
|
||||||
echo "setting default ACL in $os is currently not supported. sorry :(" >&2
|
echo "setting default ACL in $os is currently not supported" >&2
|
||||||
else
|
else
|
||||||
echo "$setfacl_exec -m \"$acl\" \"$acl_path\""
|
echo "$setfacl_exec -m \"$acl\" \"$acl_path\""
|
||||||
echo "added '$acl'" >> "$__messages_out"
|
echo "added '$acl'" >> "$__messages_out"
|
||||||
|
|
|
@ -8,42 +8,36 @@ cdist-type__acl - Set ACL entries
|
||||||
|
|
||||||
DESCRIPTION
|
DESCRIPTION
|
||||||
-----------
|
-----------
|
||||||
ACL must be defined as 3-symbol combination, using ``r``, ``w``, ``x`` and ``-``.
|
|
||||||
|
|
||||||
Fully supported and tested on Linux (ext4 filesystem), partial support for FreeBSD.
|
Fully supported and tested on Linux (ext4 filesystem), partial support for FreeBSD.
|
||||||
|
|
||||||
See ``setfacl`` and ``acl`` manpages for more details.
|
See ``setfacl`` and ``acl`` manpages for more details.
|
||||||
|
|
||||||
|
|
||||||
OPTIONAL MULTIPLE PARAMETERS
|
REQUIRED MULTIPLE PARAMETERS
|
||||||
----------------------------
|
----------------------------
|
||||||
user
|
acl
|
||||||
Add user ACL entry.
|
Set ACL entry following ``getfacl`` output syntax.
|
||||||
|
|
||||||
group
|
|
||||||
Add group ACL entry.
|
|
||||||
|
|
||||||
|
|
||||||
OPTIONAL PARAMETERS
|
|
||||||
-------------------
|
|
||||||
mask
|
|
||||||
Add mask ACL entry.
|
|
||||||
|
|
||||||
other
|
|
||||||
Add other ACL entry.
|
|
||||||
|
|
||||||
|
|
||||||
BOOLEAN PARAMETERS
|
BOOLEAN PARAMETERS
|
||||||
------------------
|
------------------
|
||||||
|
default
|
||||||
|
Set all ACL entries as default too.
|
||||||
|
Only directories can have default ACLs.
|
||||||
|
Setting default ACL in FreeBSD is currently not supported.
|
||||||
|
|
||||||
recursive
|
recursive
|
||||||
Make ``setfacl`` recursive (Linux only), but not ``getfacl`` in explorer.
|
Make ``setfacl`` recursive (Linux only), but not ``getfacl`` in explorer.
|
||||||
|
|
||||||
default
|
|
||||||
Add default ACL entries (FreeBSD not supported).
|
|
||||||
|
|
||||||
remove
|
remove
|
||||||
Remove undefined ACL entries (Solaris not supported).
|
Remove undefined ACL entries.
|
||||||
ACL entries for ``mask`` and ``other`` can't be removed.
|
``mask`` and ``other`` entries can't be removed, but only changed.
|
||||||
|
|
||||||
|
|
||||||
|
DEPRECATED PARAMETERS
|
||||||
|
---------------------
|
||||||
|
Parameters ``user``, ``group``, ``mask`` and ``other`` are deprecated and they
|
||||||
|
will be removed in future versions. Please use ``acl`` parameter instead.
|
||||||
|
|
||||||
|
|
||||||
EXAMPLES
|
EXAMPLES
|
||||||
|
@ -52,15 +46,30 @@ EXAMPLES
|
||||||
.. code-block:: sh
|
.. code-block:: sh
|
||||||
|
|
||||||
__acl /srv/project \
|
__acl /srv/project \
|
||||||
|
--default \
|
||||||
--recursive \
|
--recursive \
|
||||||
|
--remove \
|
||||||
|
--acl user:alice:rwx \
|
||||||
|
--acl user:bob:r-x \
|
||||||
|
--acl group:project-group:rwx \
|
||||||
|
--acl group:some-other-group:r-x \
|
||||||
|
--acl mask::r-x \
|
||||||
|
--acl other::r-x
|
||||||
|
|
||||||
|
# give Alice read-only access to subdir,
|
||||||
|
# but don't allow her to see parent content.
|
||||||
|
|
||||||
|
__acl /srv/project2 \
|
||||||
|
--remove \
|
||||||
|
--acl default:group:secret-project:rwx \
|
||||||
|
--acl group:secret-project:rwx \
|
||||||
|
--acl user:alice:--x
|
||||||
|
|
||||||
|
__acl /srv/project2/subdir \
|
||||||
--default \
|
--default \
|
||||||
--remove \
|
--remove \
|
||||||
--user alice:rwx \
|
--acl group:secret-project:rwx \
|
||||||
--user bob:r-x \
|
--acl user:alice:r-x
|
||||||
--group project-group:rwx \
|
|
||||||
--group some-other-group:r-x \
|
|
||||||
--mask r-x \
|
|
||||||
--other r-x
|
|
||||||
|
|
||||||
|
|
||||||
AUTHORS
|
AUTHORS
|
||||||
|
|
1
cdist/conf/type/__acl/parameter/deprecated/group
Normal file
1
cdist/conf/type/__acl/parameter/deprecated/group
Normal file
|
@ -0,0 +1 @@
|
||||||
|
see manual for details
|
1
cdist/conf/type/__acl/parameter/deprecated/mask
Normal file
1
cdist/conf/type/__acl/parameter/deprecated/mask
Normal file
|
@ -0,0 +1 @@
|
||||||
|
see manual for details
|
1
cdist/conf/type/__acl/parameter/deprecated/other
Normal file
1
cdist/conf/type/__acl/parameter/deprecated/other
Normal file
|
@ -0,0 +1 @@
|
||||||
|
see manual for details
|
1
cdist/conf/type/__acl/parameter/deprecated/user
Normal file
1
cdist/conf/type/__acl/parameter/deprecated/user
Normal file
|
@ -0,0 +1 @@
|
||||||
|
see manual for details
|
|
@ -1,2 +1,3 @@
|
||||||
|
acl
|
||||||
user
|
user
|
||||||
group
|
group
|
||||||
|
|
Loading…
Reference in a new issue