now w/o python module dependencies

Signed-off-by: Brian Coca <briancoca+dev@gmail.com>
reviewable/pr18780/r1
Brian Coca 11 years ago
parent 73ffb0c020
commit 1ddcc9574b

@ -35,10 +35,10 @@ options:
- The acl to set/remove. MUST always quote! In form of '<type>:<qualifier>:<perms>', qualifier may be empty for some types but type and perms are always requried. '-' can be used as placeholder when you don't care about permissions. - The acl to set/remove. MUST always quote! In form of '<type>:<qualifier>:<perms>', qualifier may be empty for some types but type and perms are always requried. '-' can be used as placeholder when you don't care about permissions.
state: state:
required: false required: false
default: get default: query
choices: [ 'get', 'present', 'absent' ] choices: [ 'query', 'present', 'absent' ]
description: description:
- defines which operation you want to do. C(get) get the current acl C(present) sets/changes the acl, requires entry field C(absent) deletes the acl, requires entry field - defines which operation you want to do. C(query) get the current acl C(present) sets/changes the acl, requires permissions field C(absent) deletes the acl, requires permissions field
follow: follow:
required: false required: false
default: yes default: yes
@ -47,7 +47,10 @@ options:
- if yes, dereferences symlinks and sets/gets attributes on symlink target, otherwise acts on symlink itself. - if yes, dereferences symlinks and sets/gets attributes on symlink target, otherwise acts on symlink itself.
author: Brian Coca author: Brian Coca
notes: notes:
- The "acl" module requires the posix1e module on the target machine and that acl is enabled on the target filesystem. - The "acl" module requires that acl is enabled on the target filesystem and that the setfacl and getfacl binaries are installed.
author: Brian Coca
notes:
- The "acl" module requires the acl command line utilities be installed on the target machine and that acl is enabled on the target filesystem.
''' '''
EXAMPLES = ''' EXAMPLES = '''
@ -55,37 +58,64 @@ EXAMPLES = '''
- acl: name=/etc/foo.conf - acl: name=/etc/foo.conf
# Grants joe read access to foo # Grants joe read access to foo
- acl: name=/etc/foo.conf entry="u:joe:r" state=present - acl: name=/etc/foo.conf entry="user:joe:r" state=present
# Removes the acl for joe # Removes the acl for joe
- acl: name=/etc/foo.conf entry="u:joe:-" state=absent - acl: name=/etc/foo.conf entry="user:joe:-" state=absent
''' '''
NO_PYLIBACL=False
try:
import posix1e
except:
NO_PYLIBACL=True
def gen_acl(module,entry): def get_acl(module,path,entry,follow):
cmd = [ module.get_bin_path('getfacl', True) ]
if not follow:
cmd.append('-h')
# prevents absolute path warnings and removes headers
cmd.append('-cp')
cmd.append(path)
return _run_acl(module,cmd)
def set_acl(module,path,entry,follow):
cmd = [ module.get_bin_path('setfacl', True) ]
if not follow:
cmd.append('-h')
cmd.append('-m "%s"' % entry)
cmd.append(path)
return _run_acl(module,cmd)
def rm_acl(module,path,entry,follow):
cmd = [ module.get_bin_path('setfacl', True) ]
if not follow:
cmd.append('-h')
entry = entry[0:entry.rfind(':')]
cmd.append('-x "%s"' % entry)
cmd.append(path)
return _run_acl(module,cmd,False)
def _run_acl(module,cmd,check_rc=True):
try: try:
return posix1e.ACL(text=entry) (rc, out, err) = module.run_command(' '.join(cmd), check_rc=check_rc)
except IOError, e: except Exception, e:
module.fail_json(msg="Invalid entry: '%s', check that user/groups exist and permissions are correct" % entry) module.fail_json(msg=e.strerror)
return out.splitlines()
def main(): def main():
module = AnsibleModule( module = AnsibleModule(
argument_spec = dict( argument_spec = dict(
name = dict(required=True,aliases=['path']), name = dict(required=True,aliases=['path']),
entry = dict(required=False, default=None), entry = dict(required=False, default=None),
state = dict(required=False, default='get', choices=[ 'get', 'present', 'absent' ], type='str'), state = dict(required=False, default='query', choices=[ 'query', 'present', 'absent' ], type='str'),
follow = dict(required=False, type='bool', default=True), follow = dict(required=False, type='bool', default=True),
), ),
supports_check_mode=True, supports_check_mode=True,
) )
if NO_PYLIBACL:
module.fail_json(msg="Could not import required module pylibacl (posix1e)")
path = module.params.get('name') path = module.params.get('name')
entry = module.params.get('entry') entry = module.params.get('entry')
state = module.params.get('state') state = module.params.get('state')
@ -94,73 +124,72 @@ def main():
if not os.path.exists(path): if not os.path.exists(path):
module.fail_json(msg="path not found or not accessible!") module.fail_json(msg="path not found or not accessible!")
if entry is None and state in ['present','absent']: if entry is None:
module.fail_json(msg="%s needs entry to be set" % state) if state in ['present','absent']:
module.fail_json(msg="%s needs entry to be set" % state)
if entry.count(":") != 2: else:
module.fail_json(msg="Invalid entry: '%s', it requires 3 sections divided by ':'" % entry) if entry.count(":") != 2:
module.fail_json(msg="Invalid entry: '%s', it requires 3 sections divided by ':'" % entry)
changed=False changed=False
changes=0 changes=0
msg = "" msg = ""
currentacl = posix1e.ACL(file=path) currentacl = get_acl(module,path,entry,follow)
newacl = currentacl
res = currentacl
if (state == 'present'): if (state == 'present'):
for newe in gen_acl(module, entry): newe = entry.split(':')
matched = False matched = False
for olde in currentacl: for oldentry in currentacl:
diff = False diff = False
if olde.tag_type == newe.tag_type: olde = oldentry.split(':')
if newe.tag_type in [ posix1e.ACL_GROUP, posix1e.ACL_USER ]: if olde[0] == newe[0]:
if olde.qualifier == newe.qualifier: if newe[0] in ['user', 'group']:
matched = True if olde[1] == newe[1]:
if not str(olde.permset) == str(newe.permset):
diff = True
else:
matched = True matched = True
if not str(olde.permset) == str(newe.permset): if not olde[2] == newe[2]:
diff = True diff = True
if diff: else:
newacl.delete_entry(olde) matched = True
newacl.append(newe) if not olde[2] == newe[2]:
changes=changes+1 diff = True
if matched: if diff:
break
if not matched:
newacl.append(newe)
changes=changes+1 changes=changes+1
if not module.check_mode:
set_acl(module,path,entry,follow)
if matched:
break
if not matched:
changes=changes+1
if not module.check_mode:
set_acl(module,path,entry,follow)
msg="%s is present" % (entry) msg="%s is present" % (entry)
elif state == 'absent': elif state == 'absent':
for rme in gen_acl(module, entry): rme = entry.split(':')
for olde in currentacl: for oldentry in currentacl:
if olde.tag_type == rme.tag_type: olde = oldentry.split(':')
if rme.tag_type in [ posix1e.ACL_GROUP, posix1e.ACL_USER ]: if olde[0] == rme[0]:
if olde.qualifier == rme.qualifier: if rme[0] in ['user', 'group']:
newacl.delete_entry(olde) if olde[1] == rme[1]:
changes=changes+1
break
else:
newacl.delete_entry(olde)
changes=changes+1 changes=changes+1
if not module.check_mode:
rm_acl(module,path,entry,follow)
break break
else:
changes=changes+1
if not module.check_mode:
rm_acl(module,path,entry,follow)
break
msg="%s is absent" % (entry) msg="%s is absent" % (entry)
else: else:
msg="current acl" msg="current acl"
if changes > 0: if changes > 0:
newacl.calc_mask()
if not newacl.valid():
module.fail_json(msg="Invalid acl constructed: %s" % newacl.to_any_text())
if not module.check_mode:
newacl.applyto(path)
changed=True changed=True
res=newacl currentacl = get_acl(module,path,entry,follow)
msg="%s. %d entries changed" % (msg,changes) msg="%s. %d entries changed" % (msg,changes)
module.exit_json(changed=changed, msg=msg, acl=res.to_any_text().split()) module.exit_json(changed=changed, msg=msg, acl=currentacl)
# this is magic, see lib/ansible/module_common.py # this is magic, see lib/ansible/module_common.py
#<<INCLUDE_ANSIBLE_MODULE_COMMON>> #<<INCLUDE_ANSIBLE_MODULE_COMMON>>

Loading…
Cancel
Save