diff --git a/d4s_user_services_perms/tasks/d4s-basic-node.yml b/d4s_user_services_perms/tasks/d4s-basic-node.yml
index c81c71c6..25f940c9 100644
--- a/d4s_user_services_perms/tasks/d4s-basic-node.yml
+++ b/d4s_user_services_perms/tasks/d4s-basic-node.yml
@@ -4,8 +4,13 @@
 when: gcore_users is not defined
 tags: [ 'gcore', 'd4science', 'users', 'd4s' ]
+- name: Create a common group if needed to use it as primary group for the additional users
+ user: name={{ gcube_users_main_group }} state=present
+ when: gcube_users_main_group is defined
+ tags: [ 'gcore', 'd4science', 'users', 'd4s' ]
+
 - name: Create the d4science users
- user: name={{ item }} home=/home/{{ item }} createhome={{ d4science_user_create_home }} shell={{ d4science_user_shell }}
+ user: name={{ item }} group={{ gcube_users_main_group | default(omit) }} home=/home/{{ item }} createhome={{ d4science_user_create_home }} shell={{ d4science_user_shell }}
 with_items: '{{ gcore_users | default([]) }}'
 tags: [ 'gcore', 'd4science', 'users', 'd4s' ]
diff --git a/d4s_user_services_perms/tasks/users-data-dirs.yml b/d4s_user_services_perms/tasks/users-data-dirs.yml
index c91a26f5..05470d50 100644
--- a/d4s_user_services_perms/tasks/users-data-dirs.yml
+++ b/d4s_user_services_perms/tasks/users-data-dirs.yml
@@ -7,7 +7,7 @@
 user: name={{ item.name }} append=yes groups={{ d4science_common_group }}
 with_items: '{{ ssh_users_list }}'
- - name: Create the users d4s data dirs
+ - name: Create the d4s data dirs
 file: name={{ item.name }} state=directory owner={{ item.owner }} group={{ item.group }} mode={{ item.perms }}
 with_items: '{{ d4s_users_data_directories | default([]) }}'
 when: item.create and not item.file
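Review bot: The new task named "Create a common group…" calls the `user` module, so `name={{ gcube_users_main_group }} state=present` creates a login account with that name rather than a group; a same-named group appears only as a useradd side effect on distributions that create user-private groups, and the extra account stays on the host. The intended module is `group`: replace the line with `group: name={{ gcube_users_main_group }} state=present`. With that change the `group={{ gcube_users_main_group | default(omit) }}` argument added to the following user task refers to an explicitly managed group rather than to a user-private one. Blank lines of this hunk are lost in the collapsed rendering, so the list structure above is inferred.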
@@ -15,23 +15,16 @@
 - name: Set the default read/write/access permissions on the users d4s data dirs
 acl: path={{ item.name }} entity={{ d4science_common_group }} etype=group permissions={{ item.aclperms | default ('rwX') }} state=present default=yes recursive=yes
 with_items: '{{ d4s_users_data_directories | default([]) }}'
- when: not item.file
+ when:
+ - not item.file
+ - item.set_acls is defined and item.set_acls
 - name: Set the read/write/access permissions on the users d4s data dirs
 acl: path={{ item.name }} entity={{ d4science_common_group }} etype=group permissions={{ item.aclperms | default ('rwX') }} state=present recursive=yes
 with_items: '{{ d4s_users_data_directories | default([]) }}'
-# when: not item.file
-
- # - name: Set the read/write permissions on pre-existing files inside the users d4s data dirs
- # acl: path={{ item.name }} entity={{ d4science_common_group }} etype=group permissions={{ item.aclperms | default ('rw') }} state=present
- # with_items: '{{ d4s_users_data_directories | default([]) }}'
- # when: item.file
+ when: item.set_acls is defined and item.set_acls
 - name: Install a script that recursively sets the ACLs on all the directory tree that must be writeable and readable
 template: src=set-acl-rules.sh.j2 dest=/usr/local/bin/set-acl-rules owner=root group=root mode=0755
- # - name: Run the script that recursively sets the ACLs
- # shell: /usr/local/bin/set-acl-rules
- # when: d4s_force_acls
-
 tags: [ 'd4s', 'users', 'd4s_u_acl' ]
diff --git a/d4s_user_services_perms/templates/set-acl-rules.sh.j2 b/d4s_user_services_perms/templates/set-acl-rules.sh.j2
index 3287b242..c1dae860 100644
--- a/d4s_user_services_perms/templates/set-acl-rules.sh.j2
+++ b/d4s_user_services_perms/templates/set-acl-rules.sh.j2
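Review bot: The two ACL tasks now express the same gate in two shapes — a `when:` list holding `item.set_acls is defined and item.set_acls` on the default-ACL task, and the same expression inline on the non-default task — and both read more simply as `item.set_acls | default(false)`, i.e. `- item.set_acls | default(false)` in the list and `when: item.set_acls | default(false)` below. The gates are also asymmetric: the default-ACL task keeps `not item.file`, while the non-default task applies its `recursive=yes` ACL to `file: true` entries as well; if that is intended, a short comment such as `# non-default ACLs are applied to single files too` would save the next reader the question. The commented-out "Run the script" task is deleted while the template that installs `/usr/local/bin/set-acl-rules` stays, so as far as this file shows the script is installed but nothing here invokes it — worth a note on the template task if it is run from elsewhere.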
@@ -1,13 +1,13 @@
 #!/bin/bash
+# The X bit set the value for the directories but not for the files
+
 set -e
 set -o pipefail
 {% for path in d4s_users_data_directories %}
-
-find {{ path.name }} -type d -exec setfacl -m g:{{ d4science_common_group }}:rwx,o:rx,m:rwx {} \;
-find {{ path.name }} -type d -exec setfacl -d -m g:{{ d4science_common_group }}:rwx,o:rx,m:rwx {} \;
-find {{ path.name }} -type f -exec setfacl -m g:{{ d4science_common_group }}:rw,o:r,m:rw {} \;
+setfacl -R -d -m g:{{ d4science_common_group }}:rwX,o:rX,m:rwX {{ path.name }}
+setfacl -R -m g:{{ d4science_common_group }}:rwX,o:rX,m:rwX {{ path.name }}
 {% endfor %}
 exit 0
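Review bot: Both new `setfacl` lines pass `{{ path.name }}` unquoted, so a directory name containing whitespace or glob characters is word-split or expanded by the shell before setfacl sees it; write it as `"{{ path.name }}"` on both lines (the replaced `find` lines had the same gap). The new header comment is imprecise: setfacl's capital `X` grants execute to directories and to files that already have execute permission for some user, so an already-executable plain file keeps `x` — suggest `# X grants execute only on directories and on already-executable files; other files get rw`. Under `set -e`, one missing path in `d4s_users_data_directories` aborts the loop before later entries are processed, as the replaced per-path `find` calls presumably did as well. `o:rX` keeps every listed tree world-readable, as the previous `o:rx`/`o:r` entries did; since these are user data directories, that choice deserves a comment alongside the header.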