mirror of
				https://github.com/ansible-collections/community.general.git
				synced 2024-09-14 20:13:21 +02:00 
			
		
		
		
	
		
			
				
	
	
		
			287 lines
		
	
	
	
		
			9.2 KiB
		
	
	
	
		
			Python
		
	
	
	
	
	
			
		
		
	
	
			287 lines
		
	
	
	
		
			9.2 KiB
		
	
	
	
		
			Python
		
	
	
	
	
	
| #!/usr/bin/python
 | |
| # This file is part of Ansible
 | |
| #
 | |
| # Ansible is free software: you can redistribute it and/or modify
 | |
| # it under the terms of the GNU General Public License as published by
 | |
| # the Free Software Foundation, either version 3 of the License, or
 | |
| # (at your option) any later version.
 | |
| #
 | |
| # Ansible is distributed in the hope that it will be useful,
 | |
| # but WITHOUT ANY WARRANTY; without even the implied warranty of
 | |
| # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 | |
| # GNU General Public License for more details.
 | |
| #
 | |
| # You should have received a copy of the GNU General Public License
 | |
| # along with Ansible.  If not, see <http://www.gnu.org/licenses/>.
 | |
| 
 | |
| DOCUMENTATION = '''
 | |
| ---
 | |
| module: acl
 | |
| version_added: "1.4"
 | |
| short_description: Sets and retrieves file ACL information.
 | |
| description:
 | |
|      - Sets and retrieves file ACL information.
 | |
| options:
 | |
|   name:
 | |
|     required: true
 | |
|     default: null
 | |
|     description:
 | |
|       - The full path of the file or object.
 | |
|     aliases: ['path']
 | |
| 
 | |
|   state:
 | |
|     required: false
 | |
|     default: query
 | |
|     choices: [ 'query', 'present', 'absent' ]
 | |
|     description:
 | |
|       - defines whether the ACL should be present or not.  The C(query) state gets the current acl C(present) without changing it, for use in 'register' operations.
 | |
| 
 | |
|   follow:
 | |
|     required: false
 | |
|     default: yes
 | |
|     choices: [ 'yes', 'no' ]
 | |
|     description:
 | |
|       - whether to follow symlinks on the path if a symlink is encountered.
 | |
| 
 | |
|   default:
 | |
|     version_added: "1.5"
 | |
|     required: false
 | |
|     default: no
 | |
|     choices: [ 'yes', 'no' ]
 | |
|     description:
 | |
|       - if the target is a directory, setting this to yes will make it the default acl for entities created inside the directory. It causes an error if name is a file.
 | |
| 
 | |
|   entity:
 | |
|     version_added: "1.5"
 | |
|     required: false
 | |
|     description:
 | |
|       - actual user or group that the ACL applies to when matching entity types user or group are selected.
 | |
| 
 | |
|   etype:
 | |
|     version_added: "1.5"
 | |
|     required: false
 | |
|     default: null
 | |
|     choices: [ 'user', 'group', 'mask', 'other' ]
 | |
|     description:
 | |
|       - if the target is a directory, setting this to yes will make it the default acl for entities created inside the directory. It causes an error if name is a file.
 | |
| 
 | |
| 
 | |
|   permissions:
 | |
|     version_added: "1.5"
 | |
|     required: false
 | |
|     default: null
 | |
|     description:
 | |
|       - Permissions to apply/remove can be any combination of r, w and  x (read, write and execute respectively)
 | |
| 
 | |
|   entry:
 | |
|     required: false
 | |
|     default: null
 | |
|     description:
 | |
|       - DEPRECATED. The acl to set or remove.  This must always be quoted in the form of '<etype>:<qualifier>:<perms>'.  The qualifier may be empty for some types, but the type and perms are always requried. '-' can be used as placeholder when you do not care about permissions. This is now superceeded by entity, type and permissions fields.
 | |
| 
 | |
| author: Brian Coca
 | |
| notes:
 | |
|     - The "acl" module requires that acls are enabled on the target filesystem and that the setfacl and getfacl binaries are installed.
 | |
| '''
 | |
| 
 | |
| EXAMPLES = '''
 | |
| # Grant user Joe read access to a file
 | |
| - acl: name=/etc/foo.conf entity=joe etype=user permissions="r" state=present
 | |
| 
 | |
| # Removes the acl for Joe on a specific file
 | |
| - acl: name=/etc/foo.conf entity=joe etype=user state=absent
 | |
| 
 | |
| # Sets default acl for joe on foo.d
 | |
| - acl: name=/etc/foo.d entity=joe etype=user permissions=rw default=yes state=present
 | |
| 
 | |
| # Same as previous but using entry shorthand
 | |
| - acl: name=/etc/foo.d entrty="default:user:joe:rw-" state=present
 | |
| 
 | |
| # Obtain the acl for a specific file
 | |
| - acl: name=/etc/foo.conf
 | |
|   register: acl_info
 | |
| '''
 | |
| 
 | |
| def split_entry(entry):
 | |
|     ''' splits entry and ensures normalized return'''
 | |
| 
 | |
|     a = entry.split(':')
 | |
|     a.reverse()
 | |
|     if len(a) == 3:
 | |
|         a.append(False)
 | |
|     try:
 | |
|         p,e,t,d = a
 | |
|     except ValueError, e:
 | |
|         print "wtf?? %s => %s" % (entry,a)
 | |
|         raise e
 | |
| 
 | |
|     if t.startswith("u"):
 | |
|         t = "user"
 | |
|     elif t.startswith("g"):
 | |
|         t = "group"
 | |
|     elif t.startswith("m"):
 | |
|         t = "mask"
 | |
|     elif t.startswith("o"):
 | |
|         t = "other"
 | |
|     else:
 | |
|         t = None
 | |
| 
 | |
|     perms = ['-','-','-']
 | |
|     for char in p:
 | |
|         if char == 'r':
 | |
|             perms[0] = 'r'
 | |
|         if char == 'w':
 | |
|             perms[1] = 'w'
 | |
|         if char == 'x':
 | |
|             perms[2] = 'x'
 | |
|     p = ''.join(perms)
 | |
| 
 | |
|     return [d,t,e,p]
 | |
| 
 | |
| def get_acls(module,path,follow):
 | |
| 
 | |
|     cmd = [ module.get_bin_path('getfacl', True) ]
 | |
|     if not follow:
 | |
|         cmd.append('-h')
 | |
|     # prevents absolute path warnings and removes headers
 | |
|     cmd.append('--omit-header')
 | |
|     cmd.append('--absolute-names')
 | |
|     cmd.append(path)
 | |
| 
 | |
|     return _run_acl(module,cmd)
 | |
| 
 | |
| def set_acl(module,path,entry,follow,default):
 | |
| 
 | |
|     cmd = [ module.get_bin_path('setfacl', True) ]
 | |
|     if not follow:
 | |
|         cmd.append('-h')
 | |
|     if default:
 | |
|         cmd.append('-d')
 | |
|     cmd.append('-m "%s"' % entry)
 | |
|     cmd.append(path)
 | |
| 
 | |
|     return _run_acl(module,cmd)
 | |
| 
 | |
| def rm_acl(module,path,entry,follow,default):
 | |
| 
 | |
|     cmd = [ module.get_bin_path('setfacl', True) ]
 | |
|     if not follow:
 | |
|         cmd.append('-h')
 | |
|     if default:
 | |
|         cmd.append('-k')
 | |
|     entry = entry[0:entry.rfind(':')]
 | |
|     cmd.append('-x "%s"' % entry)
 | |
|     cmd.append(path)
 | |
| 
 | |
|     return _run_acl(module,cmd,False)
 | |
| 
 | |
| def _run_acl(module,cmd,check_rc=True):
 | |
| 
 | |
|     try:
 | |
|         (rc, out, err) = module.run_command(' '.join(cmd), check_rc=check_rc)
 | |
|     except Exception, e:
 | |
|         module.fail_json(msg=e.strerror)
 | |
| 
 | |
|     # trim last line as it is always empty
 | |
|     ret = out.splitlines()
 | |
|     return ret[0:len(ret)-1]
 | |
| 
 | |
| def main():
 | |
|     module = AnsibleModule(
 | |
|         argument_spec = dict(
 | |
|             name = dict(required=True,aliases=['path'], type='str'),
 | |
|             entry = dict(required=False, etype='str'),
 | |
|             entity = dict(required=False, type='str', default=''),
 | |
|             etype = dict(required=False, choices=['other', 'user', 'group', 'mask'], type='str'),
 | |
|             permissions = dict(required=False, type='str'),
 | |
|             state = dict(required=False, default='query', choices=[ 'query', 'present', 'absent' ], type='str'),
 | |
|             follow = dict(required=False, type='bool', default=True),
 | |
|             default= dict(required=False, type='bool', default=False),
 | |
|         ),
 | |
|         supports_check_mode=True,
 | |
|     )
 | |
| 
 | |
|     path = module.params.get('name')
 | |
|     entry = module.params.get('entry')
 | |
|     entity = module.params.get('entity')
 | |
|     etype = module.params.get('etype')
 | |
|     permissions = module.params.get('permissions')
 | |
|     state = module.params.get('state')
 | |
|     follow = module.params.get('follow')
 | |
|     default = module.params.get('default')
 | |
| 
 | |
|     if not os.path.exists(path):
 | |
|         module.fail_json(msg="path not found or not accessible!")
 | |
| 
 | |
|     if state in ['present','absent']:
 | |
|         if  not entry and not etype:
 | |
|             module.fail_json(msg="%s requries to have ither either etype and permissions or entry to be set" % state)
 | |
| 
 | |
|     if entry:
 | |
|         if etype  or entity  or permissions:
 | |
|             module.fail_json(msg="entry and another incompatible field (entity, etype or permissions) are also set")
 | |
|         if entry.count(":") not in [2,3]:
 | |
|             module.fail_json(msg="Invalid entry: '%s', it requires 3 or 4 sections divided by ':'" % entry)
 | |
| 
 | |
|         default, etype, entity, permissions = split_entry(entry)
 | |
| 
 | |
|     changed=False
 | |
|     msg = ""
 | |
|     currentacls = get_acls(module,path,follow)
 | |
| 
 | |
|     if (state == 'present'):
 | |
|         matched = False
 | |
|         for oldentry in currentacls:
 | |
|             if oldentry.count(":") == 0:
 | |
|                 continue
 | |
|             old_default, old_type, old_entity, old_permissions = split_entry(oldentry)
 | |
|             if old_default == default:
 | |
|                 if old_type == etype:
 | |
|                     if etype in ['user', 'group']:
 | |
|                         if old_entity == entity:
 | |
|                             matched = True
 | |
|                             if not old_permissions == permissions:
 | |
|                                 changed = True
 | |
|                             break
 | |
|                     else:
 | |
|                         matched = True
 | |
|                         if not old_permissions == permissions:
 | |
|                             changed = True
 | |
|                         break
 | |
|                 break
 | |
|         if not matched:
 | |
|             changed=True
 | |
| 
 | |
|         if changed and not module.check_mode:
 | |
|             set_acl(module,path,':'.join([etype, str(entity), permissions]),follow,default)
 | |
|         msg="%s is present" % ':'.join([etype, str(entity), permissions])
 | |
| 
 | |
|     elif state == 'absent':
 | |
|         for oldentry in currentacls:
 | |
|             if oldentry.count(":") == 0:
 | |
|                 continue
 | |
|             old_default, old_type, old_entity, old_permissions = split_entry(oldentry)
 | |
|             if old_default == default:
 | |
|                 if old_type == etype:
 | |
|                     if etype in ['user', 'group']:
 | |
|                         if old_entity == entity:
 | |
|                             changed=True
 | |
|                             break
 | |
|                     else:
 | |
|                         changed=True
 | |
|                         break
 | |
|         if changed and not module.check_mode:
 | |
|             rm_acl(module,path,':'.join([etype, entity, '---']),follow,default)
 | |
|         msg="%s is absent" % ':'.join([etype, entity, '---'])
 | |
|     else:
 | |
|         msg="current acl"
 | |
| 
 | |
|     if changed:
 | |
|         currentacls = get_acls(module,path,follow)
 | |
| 
 | |
|     module.exit_json(changed=changed, msg=msg, acl=currentacls)
 | |
| 
 | |
| # import module snippets
 | |
| from ansible.module_utils.basic import *
 | |
| 
 | |
| main()
 |