#+TITLE: Acl module for Puppet

This plugin module provides a way to set POSIX 1.e (and other standards) file ACLs via Puppet.

- the =posix_acl= resource =title= is used as the path specifier.
- ACLs are specified in the =permission= property as an array of strings in the same format as is used for =setfacl=.
- the =action= parameter can be one of =set=, =exact=, =unset= or =purge=. These are described in detail below.
- the =provider= parameter allows a choice of filesystem ACL provider. Currently only POSIX 1.e is implemented.
- the =recursive= parameter allows you to apply the ACLs to all files under the specified path.
: posix_acl { "/var/www/httpd":
: "group:logview:r-x",
: "default:user::rwx",
: "default:group::---",
: "default:mask::rwx",
: "default:other::---",
: "default:group:logview:r-x",
: provider => posixacl,
** Using action => set:
The =set= option for the =action= parameter specifies a minimal set of ACL entries that Puppet guarantees are present on the path. Entries already applied to the path that do not match those in the =permission= property are left unchanged.
*** Initial permissions:
: # file /var/www/site1
: 'group:webadmin:rwx',
*** Updated permissions:
: # file /var/www/site1
** Using action => exact:
The =exact= option for the =action= parameter specifies the exact set of ACL entries that Puppet guarantees and enforces on the path. Entries applied to the path that do not match those in the =permission= property are removed.
*** Initial permissions:
: # file /var/www/site1
: 'group:webadmin:r--',
*** Updated permissions:
- group:httpadmin permission is removed
- user:apache permission is added
- group:webadmin permission is updated
: # file /var/www/site1
** Using action => unset:
The =unset= option for the =action= parameter specifies the set of ACL entries that Puppet guarantees are NOT applied to the path. Entries applied to the path that match those in the =permission= property are removed; entries that do not match are left unchanged.
*** Initial permissions:
: # file /var/www/site1
: group:httpadmin:rwx
: 'group:webadmin:r--',
*** Updated permissions:
: # file /var/www/site1
: group:httpadmin:rwx
** Using action => purge:
The =purge= option for the =action= parameter causes Puppet to remove all file ACLs applied to the path.

NOTE: Although the =permission= property is unused for this action, it still needs to hold a valid ACL value for the action to work. This is a known issue.
*** Initial permissions:
: # file /var/www/site1
: group:httpadmin:rwx
: 'group:webadmin:r--',
*** Updated permissions:
- All file ACLs are removed
: # file /var/www/site1
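The four actions above differ only in how the entries already on the path are reconciled with the =permission= list. The following Python model, added here as an illustration and not code from the puppet-acl module, applies each action to an in-memory list of getfacl/setfacl-style entries so the outcomes can be compared side by side. It assumes that "matching" means the same entry identity (tag and qualifier, as =setfacl -x= uses, so the permission string in the list is not compared for =unset=), that the base entries =user::=, =group::= and =other::= always survive because they mirror the mode bits, and that the mask is not recalculated (consistent with the caveat in the last section). The sample state and permission list are constructed, since the exact values on this page are elided.

```python
"""Model of what the four posix_acl `action` values do to a file's ACL.

Added example for this README, not code from the puppet-acl module. It works
on getfacl/setfacl-style entry strings in memory so the four behaviours can be
compared side by side without touching a filesystem. Assumptions: "matching"
means the same entry identity (tag and qualifier, as setfacl -x uses), and the
base entries user::, group:: and other:: always survive because they mirror
the file's mode bits. The mask is not recalculated.
"""

BASE_KEYS = ("user:", "group:", "other:")   # mode-bit entries, never treated as extended ACLs
MASK_KEY = "mask:"


def split_entry(entry):
    """'group:webadmin:r--' -> ('group:webadmin', 'r--'); default: entries keep their prefix."""
    parts = entry.split(":")
    prefix = ""
    if parts[0] == "default":
        prefix, parts = "default:", parts[1:]
    if len(parts) != 3:
        raise ValueError(f"malformed ACL entry: {entry!r}")
    tag, qualifier, perms = parts
    return f"{prefix}{tag}:{qualifier}", perms


def apply_action(current, permission, action):
    """Return the entry list left on the path after applying `permission` with `action`."""
    cur = dict(split_entry(e) for e in current)      # dict keeps insertion order
    want = dict(split_entry(e) for e in permission)
    if action == "set":
        cur.update(want)                              # update matching entries, append new ones, keep the rest
    elif action == "exact":
        kept = {k: v for k, v in cur.items() if k in BASE_KEYS or k == MASK_KEY}
        kept.update(want)                             # anything else not in `permission` goes away
        cur = kept
    elif action == "unset":
        for key in want:                              # remove by identity; perms in `permission` are not compared
            cur.pop(key, None)
    elif action == "purge":
        cur = {k: v for k, v in cur.items() if k in BASE_KEYS}   # like setfacl -b: only the mode bits remain
    else:
        raise ValueError(f"unknown action: {action!r}")
    return [f"{k}:{v}" for k, v in cur.items()]


def diff_entries(before, after):
    """Summarise a change the way the bullet lists in this README do."""
    b = dict(split_entry(e) for e in before)
    a = dict(split_entry(e) for e in after)
    return {
        "removed": [k for k in b if k not in a],
        "added": [k for k in a if k not in b],
        "updated": [k for k in a if k in b and a[k] != b[k]],
    }


# Constructed sample: an initial state for /var/www/site1 and a permission
# list in the style of the README (the exact values on the page are elided).
SAMPLE_CURRENT = [
    "user::rwx",
    "group::r-x",
    "group:httpadmin:rwx",
    "group:webadmin:rwx",
    "mask::rwx",
    "other::r-x",
]
SAMPLE_PERMISSION = ["user:apache:r-x", "group:webadmin:r--"]

if __name__ == "__main__":
    for action in ("set", "exact", "unset", "purge"):
        result = apply_action(SAMPLE_CURRENT, SAMPLE_PERMISSION, action)
        print(f"action => {action}: {diff_entries(SAMPLE_CURRENT, result)}")
        for entry in result:
            print("   ", entry)
```

Running the script prints, for =exact=, the same three changes the bullet list in that section describes: =group:httpadmin= removed, =user:apache= added, =group:webadmin= updated. Comparing =set= and =exact= on the same input shows the one difference that matters for a hardening baseline: only =exact= removes entries you did not list.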
** Conflicts with "file" resource type:
If the path being modified is managed via the =File= resource type, the path's mode bits must match the value specified in the =permission= property of the ACL

The ACL setter doesn't recalculate the rights mask from the user/group entries specified, so it is possible to specify ACLs on a file for which a more restrictive set of rights is enforced, known as "effective rights". For example, with these =permission= parameters on a file =test=:

The output of =getfacl test= reveals a more restrictive set of effective rights, which might not be what was expected:
: user:apache:rwx #effective:r--
: group:root:r-x #effective:r--
: group:admin:rwx #effective:r--
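The effective-rights surprise above is mechanical: POSIX.1e ANDs the mask entry with every named user entry, every named group entry and the owning-group entry, while =user::= and =other::= are never limited by it. The script below, added here as an illustration and not code from the puppet-acl module, parses getfacl output, reports which entries are clipped by the mask, and computes the mask =setfacl= would pick if it were allowed to recalculate it (the union of all masked entries). The three clipped entries are the ones shown above; the owner, owning-group, mask and other lines in the sample are constructed to make the listing complete.

```python
"""Effective-rights check for POSIX.1e ACL entries.

Added example, not part of the puppet-acl module. It parses the entry lines
getfacl prints (header lines and any "#effective:" annotations are dropped),
applies the mask the way the kernel does, and recomputes the mask setfacl would
choose if it were allowed to recalculate it. The sample below reuses the three
entries shown in the README; the owner, owning-group, mask and other entries
are constructed to complete it.
"""

PERM_BITS = ((4, "r"), (2, "w"), (1, "x"))


def perms_to_bits(perms):
    """'rwx' -> 7, 'r-x' -> 5, '---' -> 0 (position based, as getfacl prints them)."""
    if len(perms) != 3:
        raise ValueError(f"bad permission string: {perms!r}")
    return sum(bit for (bit, _), ch in zip(PERM_BITS, perms) if ch != "-")


def bits_to_perms(bits):
    return "".join(ch if bits & bit else "-" for bit, ch in PERM_BITS)


def parse_getfacl(text):
    """Ordered list of (key, bits) from getfacl output; key is 'tag:qualifier' with any 'default:' prefix."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drops '# file:' headers and '#effective:' notes
        if not line:
            continue
        parts = line.split(":")
        prefix = ""
        if parts[0] == "default":
            prefix, parts = "default:", parts[1:]
        if len(parts) != 3:
            raise ValueError(f"unparseable ACL line: {raw!r}")
        tag, qualifier, perms = parts
        entries.append((f"{prefix}{tag}:{qualifier}", perms_to_bits(perms)))
    return entries


def _is_masked(key):
    """The mask limits the owning group and every named user/group entry, never user:: or other::."""
    tag, _, qualifier = key.removeprefix("default:").partition(":")
    return tag == "group" or (tag == "user" and qualifier != "")


def _mask_for(key, entries):
    mask_key = "default:mask:" if key.startswith("default:") else "mask:"
    for k, bits in entries:
        if k == mask_key:
            return bits
    return 7                                      # no mask entry: nothing is limited


def effective_rights(text):
    """Map each entry to (rights as written, rights actually granted)."""
    entries = parse_getfacl(text)
    out = {}
    for key, bits in entries:
        eff = bits & _mask_for(key, entries) if _is_masked(key) else bits
        out[key] = (bits_to_perms(bits), bits_to_perms(eff))
    return out


def clipped_entries(text):
    """Entries whose granted rights are narrower than written: the surprise described in the README."""
    return [k for k, (written, eff) in effective_rights(text).items() if written != eff]


def recalculated_mask(text, default=False):
    """The mask setfacl computes when none is given explicitly: the union of every masked entry."""
    bits = 0
    for key, b in parse_getfacl(text):
        if key.startswith("default:") == default and _is_masked(key):
            bits |= b
    return bits_to_perms(bits)


# Constructed getfacl listing: the three annotated entries are the ones in the
# README; owner, owning group, mask and other are filled in to complete it.
SAMPLE_GETFACL = """\
# file: test
# owner: root
# group: root
user::rw-
user:apache:rwx #effective:r--
group::r--
group:root:r-x #effective:r--
group:admin:rwx #effective:r--
mask::r--
other::r--
"""

if __name__ == "__main__":
    for key, (written, eff) in effective_rights(SAMPLE_GETFACL).items():
        flag = "" if written == eff else f"   #effective:{eff}"
        print(f"{key}:{written}{flag}")
    print("entries clipped by the mask:", clipped_entries(SAMPLE_GETFACL))
    print("mask setfacl would recalculate:", recalculated_mask(SAMPLE_GETFACL))
```

Because the module does not recompute the mask, the practical check is to run =getfacl= after the Puppet run (or this script over its output) and confirm =clipped_entries= is empty; if it is not, add an explicit =mask::= entry to the =permission= list that is at least as wide as =recalculated_mask= reports, or deliberately narrower if the clipping is the intent.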