Feature #1033
support for file system acls on the file type
| Status: | Accepted | Start: | |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | - | % Done: | 0% |
| Category: | file | | |
| Target version: | unplanned | | |
| Affected version: | 0.24.4 | Branch: | |
| Keywords: | | | |
| Votes: | 5 | | |
Description
Being able to set file system ACLs (setfacl et al.) on a file type would be very useful. More of a further extension of the existing file type, I would think.
Something perhaps along the lines of:
file { "/tmp/foo":
  mode  => 0644,
  owner => foo,
  group => bar,
  acl   => u:rxw:g:foo:rxw,
  ...
}
History
Updated by Luke Kanies over 2 years ago
Is that really sufficient for the ACLs? Won’t people want a lot more flexibility?
I frankly have no idea, since I’ve not used ACLs.
Updated by Chris MacLeod over 2 years ago
I’m not sure what additional flexibility would be required. The above example is an explicit ACL string; the ACL itself is broken up into parts (basically delimited by the :’s).
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/fs-acl.html
It seems like low-hanging fruit to add an attribute to set an explicit ACL on a file object. If there’s more flexibility needed, it should come out as people use it and the explicit ACL is insufficient.
Updated by Redmine Admin about 2 years ago
- Status changed from 1 to Needs design decision
Updated by Luke Kanies almost 2 years ago
- Status changed from Needs design decision to Accepted
- Affected version set to 0.24.4
Updated by James Turnbull about 1 year ago
- Assignee deleted (Puppet Community)
Updated by Stefan Schlesinger 11 months ago
I’d also like to see this integrated into puppet.
Remember that there are two different types of filesystem ACLs:
- default ACLs on folders (they are inherited)
- ACLs on files and folders (actual permissions)
And of course you can set this as the “standard ACL”, which represents owner/group/other, but as well for users and groups. A fully fledged FS ACL could look like:
getfacl: Removing leading '/' from absolute path names
file: srv/ftp/web/press
owner: press
group: ftpusers
user::rwx
user:ftpadmin:rwx
user:customer0:rwx
user:pres:r--
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:ftpadmin:rwx
default:user:customer0:rwx
default:user:press:r--
default:group::r-x
default:mask::rwx
default:other::r-x
Updated by Joe McDonagh 11 months ago
Note that ZFS uses NFSv4 FACLs, and I’ve heard speculation that this will overtake the POSIX draft FACLs. It would probably be better to have FACLs as a separate type because of that, and sometimes you want to use a FACL restore file. I do this often; setfacl --restore=/perms.bak, say, will restore all FACLs from your working directory. That way you could point to some local file that is filled with the recursive FACL listing for a directory, and update any differences between your proper permissions and the machine.
Updated by Joe McDonagh 11 months ago
By ‘local’ I meant local to the master.
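Added example, not part of the original thread and not Puppet code: a Ruby illustration of the comparison discussed in the comments above, parsing a getfacl-style listing into access and default entries and reporting where a host's ACL differs from the intended one. The names `parse_acl` and `acl_drift` and both sample listings are assumptions made for illustration.

```ruby
# Added example; method names are hypothetical and not part of Puppet.
ENTRY = /\A(default:)?(user|group|mask|other):([^:]*):([r-][w-][x-])\z/

# Parse getfacl-style text into { access: {...}, default: {...} }, each mapping
# "tag:qualifier" (e.g. "user:ftpadmin", "other:") to a permission string.
def parse_acl(text)
  acl = { access: {}, default: {} }
  text.each_line do |line|
    # getfacl puts metadata and "#effective:" notes in comments; drop them.
    line.sub(/#.*/, '').split.each do |entry|
      m = ENTRY.match(entry) or raise ArgumentError, "malformed ACL entry: #{entry}"
      acl[m[1] ? :default : :access]["#{m[2]}:#{m[3]}"] = m[4]
    end
  end
  acl
end

# List every difference as [scope, who, found, wanted]; nil means "absent".
# A nil in the last slot is a grant on the host that the spec never asked for.
def acl_drift(wanted, found)
  %i[access default].flat_map do |scope|
    (wanted[scope].keys | found[scope].keys).sort.map do |who|
      have, want = found[scope][who], wanted[scope][who]
      [scope, who, have, want] unless have == want
    end.compact
  end
end

# Constructed sample: the spec is a subset of the listing in the thread above;
# the "host" copy has one widened entry and one entry the spec does not contain.
WANTED = parse_acl(<<~ACL)
  user::rwx user:ftpadmin:rwx group::r-x mask::rwx other::r-x
  default:user::rwx default:user:ftpadmin:rwx default:group::r-x
  default:mask::rwx default:other::r-x
ACL

FOUND = parse_acl(<<~ACL)
  # file: srv/ftp/web/press
  user::rwx user:ftpadmin:rwx user:customer0:rwx
  group::r-x   #effective:r-x
  mask::rwx other::rwx
  default:user::rwx default:user:ftpadmin:rwx default:group::r-x
  default:mask::rwx default:other::r-x
ACL

acl_drift(WANTED, FOUND).each { |d| puts d.inspect }
```

Keeping access and default entries in separate maps means a change to an inherited (default) ACL is reported separately from a change to the directory's own permissions.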