Defined Type: splunk::acl

Defined in:
manifests/acl.pp

Overview

splunk::acl()

Ensures that the Splunk user can read the defined file inputs; optionally sets ACLs on parent paths.

Not optimal, but I could not find another solution on the Puppet Forge.

Parameters:

  • target (Optional[String]) (defaults to: undef)
  • group (Optional[String]) (defaults to: $splunk::user)
  • type (Optional[String]) (defaults to: 'file')
  • recurse (Optional[Boolean]) (defaults to: false)
  • parents (Optional[Boolean]) (defaults to: false)


# File 'manifests/acl.pp', line 8

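define splunk::acl(
  Optional[String] $target    = undef,
  Optional[String] $group     = $splunk::user,
  Optional[String] $type      = 'file',
  Optional[Boolean] $recurse  = false,
  Optional[Boolean] $parents  = false
) {

  # Adds a POSIX ACL entry that gives $group read access to a path.
  #
  # target  - path to modify; the resource title is used when it is undef
  # group   - group named in the ACL entry
  # type    - 'file' produces r--, any other value produces r-x
  # recurse - when true, a second exec applies the same entry with setfacl -R
  # parents - accepted, but no resource in this body reads it
  #
  # Resources are declared only when the kernel fact is 'Linux'.
  #
  # NOTE(review): $object and $group are interpolated unquoted into the
  # command strings below, and the onlyif string relies on shell redirection,
  # so these strings are presumably interpreted by a shell (confirm for the
  # exec provider in use). A title, target or group containing whitespace or
  # shell metacharacters therefore changes what is executed, and these execs
  # run with the privileges of the Puppet agent. Keep the values under the
  # same review as the manifests themselves (e.g. Hiera data that feeds this
  # type). Quoting is deliberately not added here because it would alter how
  # existing values are expanded.
  #
  # NOTE(review): neither exec has an `unless` guard, so setfacl is re-run on
  # every catalog application for which getfacl succeeds.

  # Validate parameters
  #
  if $target == undef {
    $object = $title
  } else {
    $object = $target
  }
  # Optional[Boolean] also admits undef; reject it explicitly.
  if $recurse != true and $recurse != false {
    fail('variable "recurse" must be either true or false')
  }

  if $facts['kernel'] == 'Linux' {

    # Build the ACL entry from $group and the permission implied by $type.
    if $type == 'file' {
      $perm = 'r--'
    } else {
      $perm = 'r-x'
    }
    $acl = "group:${group}:${perm}"

    # Guard for both execs: exits 0 when getfacl can read the object's ACL.
    # Intended as a check that the mount supports ACLs; it also exits non-zero
    # when the path does not exist, in which case setfacl is skipped.
    $testacl = "getfacl -e ${object} > /dev/null 2>&1"

    exec { "set_acl_${object}":
      command => "setfacl -m ${acl} ${object}",
      onlyif  => $testacl,
      path    => '/bin:/usr/bin:/sbin:/usr/sbin',
    }

    # $recurse is known to be true or false at this point.
    if $recurse {
      exec { "set_acl_recursive_${object}":
        command => "setfacl -R -m ${acl} ${object}",
        onlyif  => $testacl,
        path    => '/bin:/usr/bin:/sbin:/usr/sbin',
      }
    }
  }
}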