patrickjahns / ansible-role-promtail

🔧 Ansible role for deploying promtail
MIT License
99 stars, 60 forks

set acl for read rights #212

Open johanvdw opened 4 months ago

johanvdw commented 4 months ago

This is a proposal. Using the code below it is possible to give the promtail user read access to /var/log regardless of the mode/owner. Is this something desirable for this role? Should it be configurable which paths get this access?

# Grants the promtail user read (r) and directory-traverse (X) rights on everything
# under /var/log via a POSIX ACL, independent of the files' owner/group/mode.
# Requires the acl userspace package on the target. Keys follow the ansible.posix.acl
# module: the entry type is given with `etype`, the rights with `permissions`.
- name: Set ACL for promtail on /var/log
  acl:
    path: /var/log
    entity: promtail
    etype: user
    permissions: rX
    recursive: yes
    state: present
patrickjahns commented 3 months ago

Thank you for your suggestion :-) - would you be able to send a pull request for this?

eschulma commented 2 months ago

The role already adds promtail to the adm group, which has these read rights by default. If someone is hiding a log file from adm (due to sensitive information?) perhaps that should be respected.

johanvdw commented 2 months ago

At least in our setup, I noticed quite a lot of files which were not group-owned by adm, and not all had easy switches to change it. Perhaps a nice intermediate solution would be a list of paths (or files) for which you want this, defaulting to an empty list.
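As an added example (not code from the role or from anyone in this thread), here is one way to implement the list-of-paths idea discussed above: an opt-in variable that defaults to an empty list, an ACL grant on each configured path, and a default ACL on directories so files created later (for example by logrotate) inherit the grant. The variable names `promtail_acl_paths` and `promtail_system_user` and the `register` name are assumptions, not names the role defines.

```yaml
# Added example, not part of patrickjahns/ansible-role-promtail.
# Assumed variable names: promtail_acl_paths, promtail_system_user.
- name: Grant promtail read access to explicitly configured log paths via ACLs
  hosts: all
  become: true
  vars:
    # Empty by default: nothing outside the adm group's rights changes
    # unless an operator deliberately lists a path here.
    promtail_acl_paths: []
    promtail_system_user: promtail
  tasks:
    - name: Ensure the acl userspace tools are present (used by the acl module)
      ansible.builtin.package:
        name: acl
        state: present
      when: promtail_acl_paths | length > 0

    - name: Grant r (read) and X (traverse directories only) on existing entries
      ansible.posix.acl:
        path: "{{ item }}"
        entity: "{{ promtail_system_user }}"
        etype: user
        permissions: rX
        recursive: true
        state: present
      loop: "{{ promtail_acl_paths }}"

    - name: Find out which configured paths are directories
      ansible.builtin.stat:
        path: "{{ item }}"
      loop: "{{ promtail_acl_paths }}"
      register: promtail_acl_stat

    # Default ACLs only exist on directories; they make newly created files
    # (rotated logs, new services) readable by promtail without another run.
    - name: Set a default ACL on directories so future log files inherit the grant
      ansible.posix.acl:
        path: "{{ item.item }}"
        entity: "{{ promtail_system_user }}"
        etype: user
        permissions: rX
        default: true
        state: present
      loop: "{{ promtail_acl_stat.results }}"
      loop_control:
        label: "{{ item.item }}"
      when: item.stat.exists and item.stat.isdir

    - name: Show the resulting ACL for review (read-only, never reports a change)
      ansible.builtin.command: getfacl -p {{ item }}
      loop: "{{ promtail_acl_paths }}"
      changed_when: false
      register: promtail_acl_show

    - name: Print the ACLs
      ansible.builtin.debug:
        msg: "{{ item.stdout_lines }}"
      loop: "{{ promtail_acl_show.results }}"
      loop_control:
        label: "{{ item.item }}"
```

Keeping the default empty addresses the concern raised earlier in the thread: a recursive grant on all of /var/log would also expose files that were deliberately kept out of the adm group, whereas a per-host list such as `promtail_acl_paths: [/var/log/nginx, /var/log/myapp]` makes every extra grant an explicit, reviewable decision in the inventory. The `X` permission grants execute only on directories (and files that are already executable), so promtail can traverse the tree without gaining execute rights on ordinary log files.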