ansible-collections / ansible.posix

Ansible Collection for Posix

Default ACL are not set recursively if file is present in subfolder #592

Open Apollo3zehn opened 1 week ago

Apollo3zehn commented 1 week ago
SUMMARY

I would like to recursively apply a default ACL but nothing happens, i.e. Ansible says there is nothing to change which is obviously wrong.

ISSUE TYPE
COMPONENT NAME

ansible.posix.acl

ANSIBLE VERSION
ansible [core 2.17.5]
  config file = /home/vincent/Documents/Git/GitIWES/iwes-softwaredev/iwes-server-management/ansible.cfg
  configured module search path = ['/home/vincent/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/vincent/Documents/Git/GitIWES/iwes-softwaredev/iwes-server-management/.venv/lib/python3.12/site-packages/ansible
  ansible collection location = /home/vincent/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/vincent/Documents/Git/GitIWES/iwes-softwaredev/iwes-server-management/.venv/bin/ansible
  python version = 3.12.7 (main, Oct  1 2024, 11:15:50) [GCC 14.2.1 20240910] (/home/vincent/Documents/Git/GitIWES/iwes-softwaredev/iwes-server-management/.venv/bin/python)
  jinja version = 3.1.4
  libyaml = True
COLLECTION VERSION
# /home/vincent/Documents/Git/GitIWES/iwes-softwaredev/iwes-server-management/.venv/lib/python3.12/site-packages/ansible_collections
Collection        Version
----------------- -------
community.general 9.5.0
CONFIGURATION
CONFIG_FILE() = /home/vincent/Documents/Git/GitIWES/iwes-softwaredev/iwes-server-management/ansible.cfg
EDITOR(env: EDITOR) = nano
INJECT_FACTS_AS_VARS(/home/vincent/Documents/Git/GitIWES/iwes-softwaredev/iwes-server-management/ansible.cfg) = False
OS / ENVIRONMENT

Endeavour OS

STEPS TO REPRODUCE
  1. Create a user named data
  2. Prepare the environment (a folder with a file inside):
cd /tmp
mkdir TEST
cd TEST
touch file
  3. Print the current ACL:
getfacl .
# file: .
# owner: wilvin
# group: wilvin
user::rwx
group::r-x
other::r-x
  4. Run ansible.posix.acl with the following parameters:
  - path: /mnt/TEST
    entity: data
    default: true
    etype: user
    permissions: rwx
    recursive: true
    state: present
  5. Find that Ansible thinks it has no reason to change anything ("user:data:rwx is present"), which is wrong:
ok: [hpc-1] => (item={'path': '/tmp/TEST', 'entity': 'data', 'default': True, 'etype': 'user', 'permissions': 'rwx', 'recursive': True, 'state': 'present'}) => {"acl": [], "ansible_loop_var": "item", "changed": false, "item": {"default": true, "entity": "data", "etype": "user", "path": "/tmp/TEST", "permissions": "rwx", "recursive": true, "state": "present"}, "msg": "user:data:rwx is present"}
  6. Confirm that nothing has changed:
getfacl .
# file: .
# owner: wilvin
# group: wilvin
user::rwx
group::r-x
other::r-x
EXPECTED RESULTS

I expect the default ACL to be set for the user named data.

ACTUAL RESULTS

The ACLs have not changed.

I think this is caused by the following line, which checks for the presence of *,* in the command output of setfacl --test:

https://github.com/ansible-collections/ansible.posix/blob/c654bf0b4c0b7af1ae2d57a2bf7fb1de0fdb1bf3/plugins/modules/acl.py#L247

When there is a file in the folder to be modified, the output of setfacl --test returns *,* for every file in that folder hierarchy, thus actively preventing the ACLs from being applied:

wilvin@hpc-1 /t/TEST> setfacl --test --recursive --modify d:u:data:rwx .
.: *,d:u::rwx,d:u:data:rwx,d:g::r-x,d:m::rwx,d:o::r-x
./file: *,*
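To show the difference between looking for `*,*` anywhere in the output and evaluating it per path, here is an added Python example run over the two output lines quoted above. It is not the acl module's own code; `naive_would_change` models the reporter's reading of the check, not the module's actual implementation, and the sample output is constructed from the issue.

```python
from typing import Dict, List

# Not the ansible.posix acl module's code: an illustration built from the issue.
UNCHANGED = "*,*"  # printed when neither the access nor the default ACL of a path would change

# Constructed sample: the two lines the reporter quotes for
# `setfacl --test --recursive --modify d:u:data:rwx .` in a directory holding one file.
SAMPLE_OUTPUT = (
    ".: *,d:u::rwx,d:u:data:rwx,d:g::r-x,d:m::rwx,d:o::r-x\n"
    "./file: *,*\n"
)


def naive_would_change(output: str) -> bool:
    """The check as the reporter describes it: any `*,*` anywhere in the output is
    taken to mean 'nothing to change'. Fails as soon as one path in the tree
    is already up to date (here: ./file), even though '.' would change."""
    return UNCHANGED not in output


def parse_test_output(output: str) -> Dict[str, str]:
    """Map each path to the ACL text setfacl --test printed for it.
    Lines look like `<path>: <acl>`; the ACL text never contains ': ', so
    splitting on the last ': ' is safe even if a path contains it."""
    result: Dict[str, str] = {}
    for line in output.splitlines():
        path, sep, acl = line.rpartition(": ")
        if not sep:  # blank or otherwise not a setfacl --test line
            continue
        result[path] = acl
    return result


def paths_needing_change(output: str) -> List[str]:
    """Paths whose ACL would actually be modified by the tested command."""
    return [p for p, acl in parse_test_output(output).items() if acl != UNCHANGED]


def would_change(output: str) -> bool:
    """Per-path decision: a change is needed if at least one path would change."""
    return bool(paths_needing_change(output))


if __name__ == "__main__":
    print("naive check says change needed:", naive_would_change(SAMPLE_OUTPUT))  # False
    print("per-path check says change needed:", would_change(SAMPLE_OUTPUT))  # True
    print("paths changing:", paths_needing_change(SAMPLE_OUTPUT))  # ['.']
```

With the quoted output, the whole-string check reports nothing to do while the per-path check correctly flags `.` as needing the default ACL entry.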