100-Days-Of-DevOps-Challenge-KodeKloud

Managing ACLs Using Ansible

There are some files that need to be created on all app servers in Stratos DC. The Nautilus DevOps team want these files to be owned by user root only however, they also want that the app specific user to have a set of permissions on these files. All tasks must be done using Ansible only, so they need to create a playbook. Below you can find more information about the task.

Create a playbook named playbook.yml under /home/thor/ansible directory on jump host, an inventory file is already present under /home/thor/ansible directory on Jump Server itself.

Create an empty file blog.txt under /opt/devops/ directory on app server 1. Set some acl properties for this file. Using acl provide read '(r)' permissions to group tony (i.e entity is tony and etype is group).
Create an empty file story.txt under /opt/devops/ directory on app server 2. Set some acl properties for this file. Using acl provide read + write '(rw)' permissions to user steve (i.e entity is steve and etype is user).
Create an empty file media.txt under /opt/devops/ on app server 3. Set some acl properties for this file. Using acl provide read + write ‘(rw)’ permissions to group banner (i.e entity is banner and etype is group).

Note: Validation will try to run the playbook using command ansible-playbook -i inventory playbook.yml so please make sure the playbook works this way, without passing any extra arguments.

Steps

Move into Ansible directory
```
 cd ansible
 ls
```
Check inventory file:
```
 cat inventory
```
Create an empty playbook.yml file
```
 touch playbook.yml
```
Update playbook.yml file with copy-paste contents from this YAML file

Run the playbook command:

 ansible-playbook -i inventory playbook.yml

Good to Know?

Access Control Lists (ACLs)

ACLs extend traditional Unix permissions beyond owner/group/other
Allow fine-grained permissions for specific users and groups
Entity Types: user, group, mask, other
Permissions: r (read), w (write), x (execute)

Ansible ACL Module

Module: ansible.posix.acl - manages file/directory ACLs
Key Parameters:
- path: Target file/directory path
- entity: User/group name for ACL entry
- etype: Entity type (user, group, mask, other)
- permissions: Permission string (r, w, x, rw, rwx)
- state: present (default) or absent

ACL Commands

View ACLs: getfacl filename
Set ACLs: setfacl -m u:user:rw filename
Remove ACLs: setfacl -x u:user filename

Best Practices

Always specify etype and entity for clarity
Use minimal permissions required
Test ACL changes before production deployment
Document ACL requirements in playbook comments

This site is open source. Improve this page.