Merge branch '__acl_improvements_vol3' into 'master'

__acl rewrite

See merge request ungleich-public/cdist!785
This commit is contained in:
poljakowski 2019-06-21 12:55:08 +02:00
commit b4f090fd7f
8 changed files with 95 additions and 76 deletions


@ -20,29 +20,20 @@
# TODO check if filesystem has ACL turned on etc # TODO check if filesystem has ACL turned on etc
for parameter in user group if [ -f "$__object/parameter/acl" ]
do then
if [ ! -f "$__object/parameter/$parameter" ] grep -E '^(default:)?(user|group):' "$__object/parameter/acl" \
then | while read -r acl
continue
fi
while read -r acl
do do
check="$( echo "$acl" | awk -F: '{print $1}' )" param="$( echo "$acl" | awk -F: '{print $(NF-2)}' )"
check="$( echo "$acl" | awk -F: '{print $(NF-1)}' )"
if [ "$parameter" = 'user' ] [ "$param" = 'user' ] && db=passwd || db="$param"
then
getent_db=passwd
else
getent_db="$parameter"
fi
if ! getent "$getent_db" "$check" > /dev/null if ! getent "$db" "$check" > /dev/null
then then
echo "missing $parameter '$check'" >&2 echo "missing $param '$check'" >&2
exit 1 exit 1
fi fi
done \ done
< "$__object/parameter/$parameter" fi
done
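Review bot: The loop's `exit 1` now runs inside the `grep | while` pipeline, i.e. in a subshell, so it only ends the loop; unless the script runs under `set -e` (its header is outside the hunk), execution continues past `fi` after a missing principal has been reported, whereas the old `done < "$__object/parameter/$parameter"` form terminated the script. Propagating the pipeline status with `done || exit 1` restores the old behaviour. The `getfacl` syntax the manual now documents also allows the owner and owning-group forms `user::rwx` and `group::r-x`; those match the grep pattern, yield an empty `check`, and are rejected by `getent`, so if they are meant to be accepted add `[ -n "$check" ] || continue` before the lookup.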


@ -24,41 +24,55 @@ file_is="$( cat "$__object/explorer/file_is" )"
os="$( cat "$__global/explorer/os" )" os="$( cat "$__global/explorer/os" )"
acl_is="$( cat "$__object/explorer/acl_is" )"
acl_path="/$__object_id" acl_path="/$__object_id"
if [ -f "$__object/parameter/default" ] && [ "$file_is" = 'directory' ] acl_is="$( cat "$__object/explorer/acl_is" )"
if [ -f "$__object/parameter/acl" ]
then then
set_default=1 acl_should="$( cat "$__object/parameter/acl" )"
elif
[ -f "$__object/parameter/user" ] \
|| [ -f "$__object/parameter/group" ] \
|| [ -f "$__object/parameter/mask" ] \
|| [ -f "$__object/parameter/other" ]
then
acl_should="$( for param in user group mask other
do
[ ! -f "$__object/parameter/$param" ] && continue
echo "$param" | grep -Eq 'mask|other' && sep=:: || sep=:
echo "$param$sep$( cat "$__object/parameter/$param" )"
done )"
else else
set_default=0 echo 'no parameters set' >&2
exit 1
fi fi
acl_should="$( for parameter in user group mask other if [ -f "$__object/parameter/default" ]
do then
if [ ! -f "$__object/parameter/$parameter" ] acl_should="$( echo "$acl_should" \
then | sed 's/^default://' \
continue | sort -u \
fi | sed 's/\(.*\)/default:\1\n\1/' )"
fi
while read -r acl if [ "$file_is" = 'regular' ] \
do && echo "$acl_should" | grep -Eq '^default:'
if echo "$acl" | awk -F: '{ print $NF }' | grep -Fq 'X' then
then # only directories can have default ACLs,
[ "$file_is" = 'directory' ] && rep=x || rep=- # but instead of error,
# let's just remove default entries
acl_should="$( echo "$acl_should" | grep -Ev '^default:' )"
fi
acl="$( echo "$acl" | sed "s/\\(.*\\)X/\\1$rep/" )" if echo "$acl_should" | awk -F: '{ print $NF }' | grep -Fq 'X'
fi then
[ "$file_is" = 'directory' ] && rep=x || rep=-
echo "$parameter" | grep -Eq '(mask|other)' && sep=:: || sep=: acl_should="$( echo "$acl_should" | sed "s/\\(.*\\)X/\\1$rep/" )"
fi
echo "$parameter$sep$acl"
[ "$set_default" = '1' ] && echo "default:$parameter$sep$acl"
done \
< "$__object/parameter/$parameter"
done )"
setfacl_exec='setfacl' setfacl_exec='setfacl'
@ -76,7 +90,7 @@ if [ -f "$__object/parameter/remove" ]
then then
echo "$acl_is" | while read -r acl echo "$acl_is" | while read -r acl
do do
# Skip wanted ACL entries which already exist # skip wanted ACL entries which already exist
# and skip mask and other entries, because we # and skip mask and other entries, because we
# can't actually remove them, but only change. # can't actually remove them, but only change.
if echo "$acl_should" | grep -Eq "^$acl" \ if echo "$acl_should" | grep -Eq "^$acl" \
@ -103,7 +117,7 @@ do
if echo "$os" | grep -Fq 'freebsd' \ if echo "$os" | grep -Fq 'freebsd' \
&& echo "$acl" | grep -Eq '^default:' && echo "$acl" | grep -Eq '^default:'
then then
echo "setting default ACL in $os is currently not supported. sorry :(" >&2 echo "setting default ACL in $os is currently not supported" >&2
else else
echo "$setfacl_exec -m \"$acl\" \"$acl_path\"" echo "$setfacl_exec -m \"$acl\" \"$acl_path\""
echo "added '$acl'" >> "$__messages_out" echo "added '$acl'" >> "$__messages_out"
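Review bot: In the deprecated-parameter branch, `echo "$param$sep$( cat "$__object/parameter/$param" )"` prefixes only the first line of a multi-valued parameter, so `--user alice:rwx --user bob:r-x` produces `user:alice:rwx` followed by a bare `bob:r-x`, while the old per-line loop prefixed every entry; `sed "s/^/$param$sep/" "$__object/parameter/$param"` keeps the prefix on every line. Two smaller points in the same hunk: the `\n` in the `default:` sed replacement is a GNU extension that BSD sed copies literally, which matters for the FreeBSD support the manual claims, and the `X` rewrite now runs over every entry as soon as any entry's permission field contains `X`, so an entry whose qualifier contains a capital X would be altered as well. Since the permission field is always last, anchoring the substitution to the end of the line, `sed "s/X\$/$rep/"`, limits it to that field.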


@ -8,42 +8,36 @@ cdist-type__acl - Set ACL entries
DESCRIPTION DESCRIPTION
----------- -----------
ACL must be defined as 3-symbol combination, using ``r``, ``w``, ``x`` and ``-``.
Fully supported and tested on Linux (ext4 filesystem), partial support for FreeBSD. Fully supported and tested on Linux (ext4 filesystem), partial support for FreeBSD.
See ``setfacl`` and ``acl`` manpages for more details. See ``setfacl`` and ``acl`` manpages for more details.
OPTIONAL MULTIPLE PARAMETERS REQUIRED MULTIPLE PARAMETERS
---------------------------- ----------------------------
user acl
Add user ACL entry. Set ACL entry following ``getfacl`` output syntax.
group
Add group ACL entry.
OPTIONAL PARAMETERS
-------------------
mask
Add mask ACL entry.
other
Add other ACL entry.
BOOLEAN PARAMETERS BOOLEAN PARAMETERS
------------------ ------------------
default
Set all ACL entries as default too.
Only directories can have default ACLs.
Setting default ACL in FreeBSD is currently not supported.
recursive recursive
Make ``setfacl`` recursive (Linux only), but not ``getfacl`` in explorer. Make ``setfacl`` recursive (Linux only), but not ``getfacl`` in explorer.
default
Add default ACL entries (FreeBSD not supported).
remove remove
Remove undefined ACL entries (Solaris not supported). Remove undefined ACL entries.
ACL entries for ``mask`` and ``other`` can't be removed. ``mask`` and ``other`` entries can't be removed, but only changed.
DEPRECATED PARAMETERS
---------------------
Parameters ``user``, ``group``, ``mask`` and ``other`` are deprecated and they
will be removed in future versions. Please use ``acl`` parameter instead.
EXAMPLES EXAMPLES
@ -52,15 +46,30 @@ EXAMPLES
.. code-block:: sh .. code-block:: sh
__acl /srv/project \ __acl /srv/project \
--default \
--recursive \ --recursive \
--remove \
--acl user:alice:rwx \
--acl user:bob:r-x \
--acl group:project-group:rwx \
--acl group:some-other-group:r-x \
--acl mask::r-x \
--acl other::r-x
# give Alice read-only access to subdir,
# but don't allow her to see parent content.
__acl /srv/project2 \
--remove \
--acl default:group:secret-project:rwx \
--acl group:secret-project:rwx \
--acl user:alice:--x
__acl /srv/project2/subdir \
--default \ --default \
--remove \ --remove \
--user alice:rwx \ --acl group:secret-project:rwx \
--user bob:r-x \ --acl user:alice:r-x
--group project-group:rwx \
--group some-other-group:r-x \
--mask r-x \
--other r-x
AUTHORS AUTHORS


@ -0,0 +1 @@
see manual for details


@ -0,0 +1 @@
see manual for details


@ -0,0 +1 @@
see manual for details


@ -0,0 +1 @@
see manual for details


@ -1,2 +1,3 @@
acl
user user
group group
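Review bot: If this list is the type's optional-multiple parameter file, which the generator's `echo 'no parameters set' >&2` fallback suggests, it disagrees with the updated man page, which places `acl` under "REQUIRED MULTIPLE PARAMETERS"; the manual and the parameter declaration should say the same thing. Either move `acl` to the required-multiple declaration and drop the fallback, or retitle the manual section "OPTIONAL MULTIPLE PARAMETERS" and state that at least one entry is needed.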