Creating a directory with multiple groups ownership using Puppet? - linux

How do I create a directory with multiple groups owning it using Puppet?
I would like to have users in 'group1' and 'group2' to all have access to the directory.
I tried the code below and it only grants ownership to group1.
file { [ "some/path1", "some/path2" ]:
  ensure => directory,
  owner  => 'root',
  group  => ['group1', 'group2'],
  mode   => 0770,
}

As far as I know, the basic file type in Puppet only handles discretionary permissions that only allow for one group and one owner. It is a limitation of the underlying system.
Depending on your client's platform you can use ACLs to grant varied permissions to more than one group or user. To do this in Puppet you would have to use an Exec and invoke setfacl (if you were on Linux, for example) directly.

There are some third-party modules available on the Puppet Forge (puppet-acl, I think) that provide this functionality; however, it is not in native Puppet at this moment in time, though I believe the feature request is under consideration.

Puppet's file{} resource type only implements the Unix permissions, sometimes known as User-Group-Other (UGO), so only one group, since Puppet does the same as chown, chgrp, chmod:
file { [ '/path/to/file' ]:
  owner  => 'root',
  group  => 'marketing',
  mode   => 0770,
  ensure => directory,
}
There are many extra modules available to manage ACL with Puppet:
puppet-acl for POSIX, mentioned by Steve Shipway, which I use a lot.
fooacl for POSIX
puppetlabs-acl for Windows ACLs
I use the puppet-acl. Here is an example:
acl { '/path/to/file':
  action     => 'set',
  permission => ['user::rwx',
                 'group::rwx',
                 'group:sales:rwx',
                 'mask::rwx',
                 'other::---',
                 'default:user::rwx',
                 'default:group:sales:rwx',
                 'default:group:marketing:rwx',
                 'default:mask::rwx',
                 'default:other::---'],
  require    => File['/path/to/file'],
}
Side notes:
RTFM, there are many interesting options (recursive, action=strict|unset|purge)...
make sure the file{} and acl{} permissions for user: and group: and other: are consistent (otherwise the permission will balance at each puppet run).
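The side note about keeping file{} and acl{} consistent is worth checking mechanically, because a mismatch means every Puppet run flips the permissions back and forth. The following is an added example, not code from the answer or from the puppet-acl module: it parses a permission list in puppet-acl's entry syntax, derives the mode that chmod/ls would report for that access ACL (owner bits from user::, group bits from mask:: when a mask exists, otherwise from group::, other bits from other::), and compares it with the mode a file{} resource would enforce. The entry list and mode are copied from the answer above; the conflicting variant at the bottom is constructed.

```python
import re

# The permission list from the puppet-acl example in the answer above,
# paired with the mode the answer's file{} resource would set.
ANSWER_MODE = 0o770
ANSWER_ACL = [
    "user::rwx", "group::rwx", "group:sales:rwx", "mask::rwx", "other::---",
    "default:user::rwx", "default:group:sales:rwx",
    "default:group:marketing:rwx", "default:mask::rwx", "default:other::---",
]

PERM_RE = re.compile(r"^[r-][w-][x-]$")


def perm_bits(perms):
    """Translate an 'rwx'-style triple into its octal digit."""
    if not PERM_RE.match(perms):
        raise ValueError(f"malformed permission triple: {perms!r}")
    return ((4 if perms[0] == "r" else 0)
            | (2 if perms[1] == "w" else 0)
            | (1 if perms[2] == "x" else 0))


def parse_entry(entry):
    """Split 'default:group:sales:rwx' into (is_default, tag, qualifier, bits)."""
    fields = entry.split(":")
    is_default = fields[0] == "default"
    if is_default:
        fields = fields[1:]
    if len(fields) != 3:
        raise ValueError(f"malformed ACL entry: {entry!r}")
    tag, qualifier, perms = fields
    if tag not in ("user", "group", "mask", "other"):
        raise ValueError(f"unknown ACL tag in {entry!r}")
    if tag in ("mask", "other") and qualifier:
        raise ValueError(f"{tag} entries take no qualifier: {entry!r}")
    return is_default, tag, qualifier, perm_bits(perms)


def mode_implied_by_acl(entries):
    """Return the mode that chmod/ls would report for this access ACL.

    Only the access (non-default) base entries feed the mode bits; named
    user/group entries do not. When a mask entry exists, the group bits of
    the mode reflect the mask, not the owning group's entry.
    """
    base = {}
    for entry in entries:
        is_default, tag, qualifier, bits = parse_entry(entry)
        if is_default or qualifier:
            continue
        if tag in base:
            raise ValueError(f"duplicate base entry {tag}::")
        base[tag] = bits
    missing = [t for t in ("user", "group", "other") if t not in base]
    if missing:
        raise ValueError(f"access ACL lacks required base entries: {missing}")
    group_bits = base["mask"] if "mask" in base else base["group"]
    return (base["user"] << 6) | (group_bits << 3) | base["other"]


def check_mode_vs_acl(mode, entries):
    """Return (consistent, implied_mode) for a file{} mode and an acl{} list.

    A False result means the two resources disagree and would fight each
    other on every Puppet run.
    """
    implied = mode_implied_by_acl(entries)
    return implied == (mode & 0o777), implied


if __name__ == "__main__":
    ok, implied = check_mode_vs_acl(ANSWER_MODE, ANSWER_ACL)
    print(f"mode {ANSWER_MODE:04o} vs ACL-implied {implied:04o}: "
          f"{'consistent' if ok else 'CONFLICT'}")
    # Constructed conflicting variant: a restrictive mask under a 0770 mode.
    conflict = [e if e != "mask::rwx" else "mask::r-x" for e in ANSWER_ACL]
    ok, implied = check_mode_vs_acl(ANSWER_MODE, conflict)
    print(f"mode {ANSWER_MODE:04o} vs ACL-implied {implied:04o}: "
          f"{'consistent' if ok else 'CONFLICT'}")
```

The point of the mask rule is the one that usually bites: once a named group entry such as group:sales:rwx exists, chmod on the group bits edits the mask, so a file{} mode whose group digit differs from mask:: will be undone by acl{} and vice versa.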

Related

Does Node.js need public file permissions to access a file?

I tried accessing data with FileZilla and additionally downloading it. This worked. However, now I tried accessing the same file with the same user from Node.js with "GET". Here I get the error "Access Denied".
I looked into the permissions, and the owner and group of the file are able to read and write the file, but there are no public permissions. My user is part of the group. However, I am now wondering if the file needs to have public read and write permissions in order to be accessible via Node.js?
Quick Info: I access the file both with FileZilla and NodeJS via SFTP. All configs / user etc. are the same.
Code:
let Client = require('ssh2-sftp-client');
let csv = require('csvtojson'); // assumed: the csv() call below matches csvtojson's options
let sftp = new Client();
// `config` is assumed to be loaded elsewhere in the original script
sftp.connect({
  host: config.development.host,
  port: config.development.port,
  username: config.development.username,
  password: config.development.password
}).then(() => {
  return sftp.get(`${config.development.pathToFile}/$(unknown)`);
}).then(async (data) => {
  console.log('data', data);
  csv({
    noheader: true,
    output: "csv"
  })
}).catch((err) => {
  console.error(err);
});
Thanks!
As long as the user that spawned the Node.js process has read permissions for the specific file, you shouldn't encounter any problems.
I would suggest learning how multi-user environments & permissions management works.
Recommended reading :
Learning the shell - Lesson 9: Permissions
Linux Tutorial - 8. Understand Permissions
Recommended further reading :
The default Linux security model is a bit inflexible. To give special access (such as modification privileges) to a group of people, you have to get your system administrator to create a group with those people in it. Furthermore, if you would like to give a different set of access privileges (such as read access) to another group of people, you can't do it because you can only assign one group owner per file or directory. To solve this problem, you can use ACLs (Access Control Lists). You can learn more about them from this link: ACLs
(Quote extracted from here)
After all, it will come in handy and it won't take you much effort to understand.

OpenLDAP Access Control Issue

I need guidance in the situation below:
I am migrating RHDS to OpenLDAP. I managed to convert the DIT and their attributes and schemas. However, I am stuck at access control.
In RHDS, currently, the access control is as below -
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (target = ldap:///uid=*,ou=household,dc=example,dc=com) (targetattr="*") (version 3.0; acl "Household Itms Consumer subtree read - aci"; allow (read, compare, search) (userdn = "ldap:///*,ou=applications,dc=example,dc=com") ;);
Could someone please guide me in creating the OLC LDIF format?
Access control is not part of the LDAPv3 standard and thus attribute aci is specific to RHDS and similar implementations.
You have to define new ACLs for your OpenLDAP setup.
I'd recommend to read the following docs:
OpenLDAP Admin Guide -- Access control
slapd.access(5)
FAQ-O-MATIC: Access Control
FAQ-O-MATIC: Sets in Access Control

How to set Parse Installation Class security (class-level permissions and/or ACL)?

I'm developing a Parse App and currently checking the backend security. I'm a bit lost regarding the Installation Class permissions. It is (by default) readable and writable by everyone. Thus, any user could delete every object of the class.
My question is: is it protected by default like the User class? Or should I add ACL for every new registration to push notifications? Or change the class level permissions?
Many thanks for your help,
Parse defaults to public read/write access for everything outside of User to streamline development.
Security measures will vary from one app to another depending on use-case, but assuming that you have associated each Installation to a User, I would highly recommend applying an ACL which gives public read and limits writes to the specific user.
In case you are not already associating each Installation to a User, here's a nice piece of cloud code to take care of it for you.
Parse.Cloud.beforeSave(Parse.Installation, function(request, response) {
  Parse.Cloud.useMasterKey();
  if (request.user) {
    request.object.set('user', request.user);
  } else {
    request.object.unset('user');
  }
  response.success();
});
It's a good place to start by creating ACLs which provide public read and user-specific write access. That one step alone will drastically improve security.

New user roles typo3 neos

I need to add new user roles, such as "TYPO3.Neos:Creator".
TYPO3 Neos currently supports the roles "TYPO3.Neos:Editor" and "TYPO3.Neos:Administrator". How can I do it?
Not sure, but it seems available roles are not stored in database, but rather are gathered from yaml configuration files (and stored in cache??).
So, add a role in any Policy.yaml file, like:
roles:
  'My.Package:CreatorOfDoomRole':
    privileges: []
After that you can use the flow CLI command ./flow user:addrole <username> <role> to add a new role to a user (the roles are stored as comma-separated list in table typo3_flow_security_account, field roleidentifiers).
(Some more info about how yaml is cached: "The yaml files are cached, in development context that cache should be purged on every request (and on master that's a bit optimized so they will only be flushed in development context if there was really a change to the yaml). Stored in file: Data/Temporary/Production/Configuration/ProductionConfigurations.php")

How to add a new LDAP'ed user to subversion

Our SVN administrator is on holidays, and I need to add a new user to subversion.
We're using Collabnet Subversion on a RedHat box.
I've found the CollabNet_Subversion/conf/ directory with all the configuration files, including an auth file that I can see contains all our users and the groups that they belong to.
All our users need to log in with their LDAP credentials, so I don't need to change any of that.
It looks something like this:
company_auth_production:
[groups]
it-leads = jsmith, hsimpson, pgriffin
it-all = ajolie, rwitherspoon, #it-leads
[/]
* =
[prod:/]
#it-all = rw
So I added the new user and restarted Subversion. But that doesn't seem to have done the trick. Am I missing something else? Thanks
a. You have mentioned that there is a "company_auth_production" file. Please check if there is some other authorization file, probably "authz". Can you please provide more information on this?
As per the structure in your file
[prod:/]
#it-all = rw
should have given read-write access to all the users of "it-all" for the path "prod".
b. If this is not working then please try using "VisualSVN Server". It has a very nice GUI to add users and give them privileges as well.
Hope this helps.
In your Apache configuration there is usually a Require directive (e.g. "Require group" or "Require user"). Often there is a specific group which a user has to belong to in order to access SVN (e.g. svnusers, etc.).
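When an administrator is away, the quickest way to see why a newly added user still gets nothing is to compute what the authz file actually grants them, rather than reading it by eye. The block below is an added example, not code from either answer or from Subversion itself: it loads a small authz file constructed in the same shape as the one in the question, expands nested groups, and resolves the effective access of a user on a repository path. Two things it assumes are stated plainly: it uses the '@' group-reference syntax that Subversion's authz format defines (a leading '#' starts a comment in that format, so the listing in the question would not reference the groups as intended), and it applies the precedence of modern Subversion (1.10 and later), where a rule naming the user beats a group rule, which beats '*', walking from the most specific path up to '/' and checking the repository-qualified section before the unqualified one at each level. Aliases, '$authenticated'/'$anonymous', and '~' negation are not handled.

```python
import configparser
from textwrap import dedent

# Constructed authz text in the same shape as the question's file, written
# with Subversion's '@' group references ('#' would begin a comment).
AUTHZ_TEXT = dedent("""\
    [groups]
    it-leads = jsmith, hsimpson, pgriffin
    it-all = ajolie, rwitherspoon, @it-leads

    [/]
    * =

    [prod:/]
    @it-all = rw
""")


def load_authz(text):
    """Parse authz text into (groups, rules).

    groups: name -> list of raw members ('user' or '@group')
    rules:  section ('repo:/path' or '/path') -> {principal: perms}
    """
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep user names and '@group' keys case-sensitive
    cp.read_string(text)
    groups, rules = {}, {}
    for section in cp.sections():
        items = {k.strip(): v.strip() for k, v in cp.items(section)}
        if section == "groups":
            for name, members in items.items():
                groups[name] = [m.strip() for m in members.split(",") if m.strip()]
        else:
            rules[section] = items
    return groups, rules


def expand_group(groups, name, seen=frozenset()):
    """Recursively expand a group into user names, rejecting reference cycles."""
    if name in seen:
        raise ValueError(f"group reference cycle at @{name}")
    if name not in groups:
        raise ValueError(f"unknown group @{name}")
    members = set()
    for m in groups[name]:
        if m.startswith("@"):
            members |= expand_group(groups, m[1:], seen | {name})
        else:
            members.add(m)
    return members


def match_section(section_rules, groups, user):
    """Return the permission string in this section that applies to `user`,
    or None when nothing there names the user, one of their groups, or '*'."""
    if user in section_rules:
        return section_rules[user]
    group_perms = [perms for key, perms in section_rules.items()
                   if key.startswith("@") and user in expand_group(groups, key[1:])]
    if group_perms:
        # Several matching group rules: keep only the rights all of them grant
        # (a conservative choice for an audit; assumption of this example).
        common = set("rw")
        for perms in group_perms:
            common &= set(perms)
        return "".join(c for c in "rw" if c in common)
    if "*" in section_rules:
        return section_rules["*"]
    return None


def effective_access(authz, repo, path, user):
    """Walk from `path` up to '/', checking 'repo:path' before 'path' at each
    level, and return the first applicable permission ('rw', 'r' or '')."""
    groups, rules = authz
    parts = [p for p in path.split("/") if p]
    for depth in range(len(parts), -1, -1):
        candidate = "/" + "/".join(parts[:depth])
        for section in (f"{repo}:{candidate}", candidate):
            if section in rules:
                decision = match_section(rules[section], groups, user)
                if decision is not None:
                    return decision
    return ""  # no rule anywhere: Subversion denies by default


if __name__ == "__main__":
    authz = load_authz(AUTHZ_TEXT)
    for who in ("jsmith", "ajolie", "newbie"):
        print(f"{who:8} prod:/trunk -> {effective_access(authz, 'prod', '/trunk', who)!r}")
```

Running it shows the questioner's situation: a user who appears in the file but in no group referenced by a rule ("newbie" here) falls through [prod:/] and hits the "* =" line in [/], which denies everything, so adding the LDAP user to the file is not enough; they must be a member of a group that a path rule grants rights to.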
