--- /dev/null
+#+TITLE: Acl module for Puppet
+
+* Description
+This plugin module provides a way to set POSIX 1.e (and other standards) file ACLs via Puppet.
+
+* Usage:
+ - the =posix_acl= resource =title= is used as the path specifier.
+ - ACLs are specified in the =permission= property as an array of strings in the same format as is used for =setfacl=.
+ - the =action= parameter can be one of =set=, =exact=, =unset= or =purge=. These are described in detail below.
+ - the =provider= parameter allows a choice of filesystem ACL provider. Currently only POSIX 1.e is implemented.
+ - the =recursive= parameter allows you to apply the ACLs to all files under the specified path.
+
+ : posix_acl { "/var/log/httpd":
+ : action => set,
+ : permission => [
+ : "user::rwx",
+ : "group::---",
+ : "mask::r-x",
+ : "other::---",
+ : "group:logview:r-x",
+ : "default:user::rwx",
+ : "default:group::---",
+ : "default:mask::rwx",
+ : "default:other::---",
+ : "default:group:logview:r-x",
+ : ],
+ : provider => posixacl,
+ : require => [
+ : Group["logview"],
+ : Package["httpd"],
+ : Mount["/var"],
+ : ],
+ : recursive => false,
+ : }
+
+** Using action => set:
+The =set= option for the =action= parameter allows you to specify a minimal set of ACLs which will be guaranteed by Puppet. ACLs applied to the path which do not match those specified in the =permission= property will remain unchanged.
+*** Initial permissions:
+ : # file /var/www/site1
+ : user::rwx
+ : group::r-x
+ : other::r-x
+ : mask::rwx
+ : group:webadmin:r-x
+ : group:httpadmin:rwx
+*** Specified acls:
+ : permission => [
+ : 'user::rwx',
+ : 'group::r-x',
+ : 'other::r-x',
+ : 'mask::rwx',
+ : 'group:webadmin:rwx',
+ : 'user:apache:rwx',
+ : ],
+*** Updated permissions:
+ : # file /var/www/site1
+ : user::rwx
+ : group::r-x
+ : other::r-x
+ : mask::rwx
+ : user:apache:rwx
+ : group:webadmin:rwx
+ : group:httpadmin:rwx
+** Using action => exact:
+The =exact= option for the =action= parameter will specify the exact set of ACLs guaranteed and enforced by Puppet. ACLs applied to the path which do not match those specified in the =permission= property will be removed.
+*** Initial permissions:
+ : # file /var/www/site1
+ : user::rwx
+ : group::r-x
+ : other::r-x
+ : mask::rwx
+ : group:webadmin:r-x
+ : group:httpadmin:rwx
+*** Specified acls:
+ : permission => [
+ : 'user::rwx',
+ : 'group::r-x',
+ : 'other::r-x',
+ : 'mask::rwx',
+ : 'group:webadmin:r--',
+ : 'user:apache:rwx',
+ : ],
+*** Updated permissions:
+ - group:httpadmin permission is removed
+ - user:apache permission is added
+ - group:webadmin permission is updated
+ : # file /var/www/site1
+ : user::rwx
+ : group::r-x
+ : other::r-x
+ : mask::rwx
+ : group:webadmin:r--
+ : user:apache:rwx
+** Using action => unset:
+The =unset= option for the =action= parameter will specify the set of ACLs guaranteed by Puppet to NOT be applied to the path. ACLs applied to the path which match those specified in the =permission= property will be removed. ACLs applied to the path which do not match those specified in the =permission= property will remain unchanged.
+*** Initial permissions:
+ : # file /var/www/site1
+ : user::rwx
+ : group::r-x
+ : other::r-x
+ : mask::rwx
+ : group:webadmin:r-x
+ : group:httpadmin:rwx
+*** Specified acls:
+ : permission => [
+ : 'user::rwx',
+ : 'group::r-x',
+ : 'other::r-x',
+ : 'mask::rwx',
+ : 'group:webadmin:r--',
+ : 'user:apache:rwx',
+ : ],
+*** Updated permissions:
+ : # file /var/www/site1
+ : user::rwx
+ : group::r-x
+ : other::r-x
+ : mask::rwx
+ : group:httpadmin:rwx
+** Using action => purge:
+The =purge= option for the =action= parameter will cause Puppet to remove any file ACLs applied to the path.
+
+NOTE: Although the =permission= property is unused for this action, it needs to have a valid ACL value for the action to work. This is a known issue.
+*** Initial permissions:
+ : # file /var/www/site1
+ : user::rwx
+ : group::r-x
+ : other::r-x
+ : mask::rwx
+ : group:webadmin:r-x
+ : group:httpadmin:rwx
+*** Specified acls:
+See above
+ : permission => [
+ : 'user::rwx',
+ : 'group::r-x',
+ : 'other::r-x',
+ : 'mask::rwx',
+ : 'group:webadmin:r--',
+ : 'user:apache:rwx',
+ : ],
+*** Updated permissions:
+ - All file ACLs are removed
+ : # file /var/www/site1
+ : user::rwx
+ : group::r-x
+ : other::r-x
+
+* Notes:
+** Conflicts with "file" resource type:
+If the path being modified is managed via the =File= resource type, the path's mode bits must match the value specified in the =permission= property of the ACL
+** Mask check:
+The ACL setter doesn't recalculate the rights mask based on the user/group ACLs specified, so it is possible to specify ACLs on a file for which a more restrictive set of rights is enforced, known as "effective rights". For example, with these =permission= parameters on a file =test=:
+ : permission => [
+ : 'user::rw-',
+ : 'group::---',
+ : 'mask::r--',
+ : 'other::---',
+ : 'user:apache:rwx',
+ : 'group:root:r-x',
+ : 'group:admin:rwx',
+ : ],
+
+The output of =getfacl test= reveals a more restrictive set of effective rights, which might not be what was expected:
+ : # file: test
+ : # owner: root
+ : # group: root
+ : user::rw-
+ : group::---
+ : other::---
+ : mask::r--
+ : user:apache:rwx #effective:r--
+ : group:root:r-x #effective:r--
+ : group:admin:rwx #effective:r--
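Review bot: the "Mask check" section under Notes describes a real pitfall but leaves the reader without the corrective step: because the setter does not recalculate the rights mask, any =permission= list that carries named =user:= or =group:= entries must also state an explicit =mask::= entry at least as permissive as the broadest named entry, otherwise the rights silently degrade to the effective set shown in the =getfacl= output (=user:apache:rwx #effective:r--=). Suggest adding that one sentence of guidance directly after the example, and, in the same spirit, stating under "Using action => purge" that the =permission= value is ignored and what a minimal valid placeholder looks like, since the known-issue note currently tells the user a value is required without showing one. Minor: the sentence under "Conflicts with \"file\" resource type" ends without a full stop and should say what a mismatch between the =File= mode bits and the ACL's base entries actually produces for the user (an error versus a change reported on every run), as that is the behaviour a reader of this section needs to predict.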