I want to set two groups to a directory
app_group
td-agent
If use file module, there is a group attribute can do
- name: Set group to directory
file:
path: /app
group: app_group
state: directory
recurse: true
mode: '0774'
The current permissions like
$ ls -la /app/app1/
drwxrwx---. 5 root app_group 31 Oct 11 14:12 .
drwxr-xr-x. 3 root root 21 May 12 2021 ..
drwxrwx---. 3 app_user app_group 12 Apr 28 13:30 product
But I want to set Fluentd's user group td-group can also read files in /app directory. Like /app/app1/product/001.log. How to do?
If change mode to mode: o+rx, other user can read/execute the directory. Will it change current permission for app_user and app_group?
Since the underlying operating system seems to be Linux, the answer to your question
How to set permission to a directory with multiple groups?
will be you can't do that. At least not in that way. Ansible can configure only what is available.
So you may have a look into the basic concepts of how to manage Linux permissions for users, groups, and others.
In example
Linux group permissions
Granting write permissions to a group to a folder
How does group permissions work?
and maybe put the fluentd user into app_group. An other approach could be introducing Access Control Lists (ACL).
In example
How can I give permissions of files to multiple groups?
Two Groups Separate Permissions, One Directory?
Related
Since Ansible backup feature is questionable a little with lack of configuration. I'm looking into some solution.
Normally in script I would have backup function that you can call with file name and it would copy the file to separate location with changed name.. for example bkp_location = /tmp/backup//
Lets say I want to backup /etc/systemconf/network I pass it to function and it would copy it to backup directory under etc_systemconf_network ( it replace / with _ so we can tell where it come from )
What would be the best solution in Ansible for something like that ? That I could call it in every role etc...
Maybe one backup.yml in root directory and have it include and pass variable ( file name ) to it, would that work ?
Edit:
Backup feature I speak of:
there is an option backup: yes for some modules ( this is shared function between them as far as I know ) but does not offer any modification to what it does.
Like what would be the backup file name, where it would be located... ? so I have to handle that externally... kind of mid-step between.. but seems like include backup.yml and pass variable to it will do the trick.
cat backup.yml
- name: creating backup
copy: src="{{ path_of_file }}" dest="{{ bkp_location }}/backup{{ path_of_file }}{{ contenttoaddwhilebackingup }}" remote_src=true
in running playbook
include: backup.yml
So if you run a playbook like this
ansible-playbook random.yml -e 'bkp_location=/tmp/backup/ path_of_file=/etc/systemconf/network contenttoaddwhilebackingup=26march2021'
It will create backup like this
ls -lrt /etc/systemconf/
-rw-r--r-- 1 root root 2 Mar 25 15:22 network
ls -lrt /tmp/backup/
-rw-r--r-- 1 root root 2 Mar 25 15:22 backupnetwork26march2021
There are couple of folders in the root dir of HDFS:
dir1
subdir1
table1
table2
subdir2
dir2
subdir1
table1
table2
dir3
They all have subfolders that contain different Parquet files that are queried with Hive.
I can't load one of the subfolders (for example table1 inside dir2) even though the permissions look ok to me, I get the EXECUTE error when trying to load it.
The code is running in a Jupyter notebook.
Users are organized in groups.
I've added rwx permissions for the directory in question to the group by using the following command:
hdfs dfs -setfacl -R -m group:user_group:rwx /dir2/subdir2
The error I'm getting looks like this:
Cannot create staging directory 'hdfs://server:8020/dir2/subdir1/table1/.hive-staging_hive_2019-08-01_13-04-22': Permission denied: user=username, access=EXECUTE, inode="/dir2":hdfs:supergroup:drwxrwx---
I've added read and execute permissions on dir2 to the user group but the error persists. It looks to me from this error that somehow the default permissions are applied and they are ---
So, to summarize;
group has read and execute privileges on the root dir, and read, write and execute privileges on the table directories, but it keeps failing with permissions for root directory.
This is how the permissions look:
# file: /dir2
# owner: hdfs
# group: supergroup
user::rwx
user:some_group1:r-x
group::---
group:some_group2:rwx
group:user_group:r-x
group:hive:rwx
group:some_group3:r-x
group:some_group4:r-x
mask::rwx
other::---
default:user::rwx
default:user:some_group1:r-x
default:group::---
default:group:some_group2:rwx
default:group:hive:rwx
default:group:some_group3:r-x
default:group:some_group4:r-x
default:mask::rwx
default:other::---
# file: /dir2/subdir1/table1
# owner: some_user
# group: supergroup
user::rwx
user:some_group1:r-x
group::---
group:some_group2:rwx
group:user_group:rwx
group:hive:rwx
group:some_group3:r-x
group:some_group4:rwx
mask::rwx
other::---
default:user::rwx
default:user:some_group1:r-x
default:group::---
default:group:some_group2:rwx
default:group:user_group:rwx
default:group:hive:rwx
default:group:some_group3:r-x
default:group:some_group4:rwx
default:mask::rwx
default:other::---
The problem was eventually solved by creating new directories that replaced the old ones. The new directories were created with the correct user and credentials.
For example, I created subdir1_new, moved the data there, renamed subdir1 to subdir1_old and renamed subdir1_new to subdir1. Not a lot of folders were affected by this issue so it didn't take a long time.
I know it's not the actual solution, but I couldn't figure out what exactly was happening and this workaround did the trick.
My apache user generate one file :
# ls -lsa /tmp/reference_file.csv
76 -rwxrwxrwx 1 apache apache 69921 Aug 16 14:14 /tmp/reference_file.csv
the user and the group belong to apache, but when i am trying to change it :
su -l apache -s /bin/bash
-bash-3.00$ whoami
apache
-bash-3.00$ chown explorer:btunix /tmp/reference_file.csv
chown: changing ownership of `/tmp/reference_file.csv': Operation not permitted
I tried to another folder, but the result was the same, I ve also checked attribut :
# lsattr /tmp/reference_file.csv
------------- /tmp/reference_file.csv
there is no immutable attribut
How can I do ?
Thanks
There are criteria associated with chown. Only super-user can chown files willy-nilly. Whether you can give away a file that you own depends on your UNIX flavor and how associated kernel configuration parameters (like K_CHOWN_MAY_GIVE_AWAY, for argument's sake) may have been, well, configured. This is the most GENERALLY correct answer.
I'm trying to create a Samba share on a Linux (SLES10) system, but I'm having trouble with the Samba permissions. I want to create this as a public share, with file permissions controlled at the file-system level (so all users can map the drive, but they can only browse further if they have further file-system permissons).
I've been able to create the share, and map to it with any user. The problem is that I only seem able to obtain sufficient permissions if I login as "root". If I login with another user, even if they have permissions to read and write to the underlying folder, I cannot browse that any folders at all.
Here is the share information from /etc/samba/smb.conf:
[sambatest]
comment = Samba Test
public = yes
path = /var/opt/folder
read only = No
writeable = Yes
write list = user1 user2 user3
browseable = Yes
Here is an example of the directory permissions in the shared folder:
drwxrwxr-x 5 user1 group1 40 Nov 4 17:02 .
drwxr-xr-x 11 user1 group1 4096 Oct 20 09:20 ..
drwxrwx--- 4 user1 group1 41 Nov 4 17:02 BASE
drwxrwx--- 6 user1 group1 78 Oct 28 10:11 Files
drwxrwx--- 2 user1 group1 22 Nov 4 17:02 test
After the mapping the drive with the credentials of "user1", I try to browse "test" from Windows XP, but get a message "Z:\test is not accessible: Access is denied".
If I map the same shared folder using the "root" credentials, it works.
Little help? I'm sure I've come across this before, but can't figure out how to fix it...
I think you need to try chmod that dir with 755 and try with this config
[sambatest]
comment = Samba Test
public = yes
path = /var/opt/folder
read only = yes
writeable = yes
write list = user1 user2 user3
browseable = yes
create mask = 0775
More info on:
http://oreilly.com/openbook/samba/book/ch06_02.html
http://www.cyberciti.biz/tips/how-do-i-set-permissions-to-samba-shares.html
I am currently running Cygwin on a target Windows Server 2003 machine to fire off a shell script that, among other things, creates a bunch of files on disc. However after the files are created I no longer have permissions to manipulate them through Windows.
When the files are created the owner is getting set to 'SYSTEM' and the permissions for Administrators/Creator Group/Creator Owner/system are set to only 'special permissions' and nothing else.
The permissions for Everyone and Users have Read & Execute, List folder contents and Read.
My problem is that I cannot delete/modify the files now through Windows. I would prefer to have something built into my scripts (either the shell script or something to call in Cygwin) that would allow Administrators full control on the folder and all contents.
My current workaround has been to either do file modifications through Cygwin but this is not preferable. I have also used setfacl -r -m default:other:rwx to add write permissions for the 'Users' group but it doesn't appear to have a recursive option and still doesn't give 'full control'
Is there a better way to use setfacl? Can I call the shell script using different/elevated permissions?
Results of getfacl on a newly created directory:
$ getfacl Directory/
# file: Directory/
# owner: SYSTEM
# group: root
user::rwx
group::r-x
group:Users:rwx
mask:rwx
other:r-x
default:user::rwx
default:group::r-x
default:group:Users:rwx
default:mask:rwx
default:other:r-x
You can try setting umask:
umask u=rwx,g=rwx,o=rwx
That should give user, group, and other read/write/execute on any newly created dirs.
If you only want the modified umask permanently, you can add it to your .bash_profile
Edit - Added example of mkdir before/after umask.
Here's the output of getfacl on a directory created before I set umask:
[/cygdrive/c/Documents and Settings/NOYB/Desktop]
==> getfacl test_wo_umask/
# file: test_wo_umask/
# owner: NOYB
# group: Domain Users
user::rwx
group::r-x
group:root:rwx
group:SYSTEM:rwx
mask:rwx
other:r-x
default:user::rwx
default:user:NOYB:rwx
default:group::r-x
default:group:root:rwx
default:group:SYSTEM:rwx
default:mask:rwx
default:other:r-x
Here's the output of getfacl on a directory created after I set umask:
[/cygdrive/c/Documents and Settings/NOYB/Desktop]
==> getfacl test_w_umask/
# file: test_w_umask/
# owner: NOYB
# group: Domain Users
user::rwx
group::rwx
group:root:rwx
group:SYSTEM:rwx
mask:rwx
other:rwx
default:user::rwx
default:user:NOYB:rwx
default:group::rwx
default:group:root:rwx
default:group:SYSTEM:rwx
default:mask:rwx
default:other:rwx