Set ACLs on Files Logstash Must Monitor


Brian Wilkins

Aug 4, 2014, 7:36:06 AM
to puppet...@googlegroups.com
Rather than typing out hundreds of files that logstash has to monitor and put it into my profiles::logstash::acl class, how are others maintaining the actions to set the ACLs on files that logstash has to monitor? Right now, I am doing this for every file that logstash has to monitor:

exec { 'allow_input_file_read':
  command     => "/usr/bin/setfacl -R -m u:logstash:rwx <path>",
  subscribe   => File_concat['ls-config'],
  refreshonly => true,
}

I monitor the changes to the configuration template that is maintained by the puppet forge logstash class so that the ACL is applied or re-applied when the logstash configuration changes.

How are others doing this?

Christopher Wood

Aug 4, 2014, 9:48:17 AM
to puppet...@googlegroups.com
I haven't done it, but in your situation I would do something generically like this:

ls | create_yaml_array.rb >/path/to/hiera/nodes/myserver.yaml

---
cats:
  concat1:
    bits:
      - bit1
      - bit2
      - bit3
    path: '/path/to/file1'


Then add a define somewhere to use with create_resources(), and inside that define have each resource notify your exec. That way if any resources are created/updated they'll fire off the exec. You'll need to build in ensure=>absent support in the define, of course.

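# A define needs a name; 'profiles::logstash::monitored_file' is a hypothetical one.
define profiles::logstash::monitored_file ($bits, $path) {
  file_concat { $title:
    ensure => present,
    # other stuff here
  }
  # The exec title includes $title so each instance declares a unique resource.
  exec { "allow_input_file_read_${title}":
    command     => "/usr/bin/setfacl -R -m u:logstash:rwx ${path}",
    subscribe   => File_concat[$title],
    refreshonly => true,
  }
}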

Not a good example since I haven't used file_concat or logstash myself, but that's where I'd start.
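
An added example, not part of the original post or of any Puppet module: one way the create_yaml_array.rb step mentioned above could be written. The character allowlist, the title scheme, the empty 'bits' list and the sample paths are assumptions of this example; it rejects paths that could split or alter the setfacl command line into which the define interpolates ${path}.

```ruby
require 'yaml'
# Assumed policy: absolute paths built only from characters that cannot
# split or alter the setfacl command line the path is interpolated into.
SAFE_PATH = %r{\A/[A-Za-z0-9._/-]+\z}

# Returns [resources, rejected]: a title => params hash suitable for
# create_resources(), and a list of [input line, reason] pairs.
def build_resources(lines)
  resources, rejected = {}, []
  lines.each do |raw|
    path = raw.strip.squeeze('/')
    path = path.chomp('/') unless path == '/'
    next if path.empty?
    reason = 'not absolute or contains unsafe characters' unless path.match?(SAFE_PATH)
    reason ||= 'contains a parent-directory segment' if path.split('/').include?('..')
    title = path.gsub(/[^A-Za-z0-9]+/, '_').sub(/\A_/, '')
    if reason.nil? && resources.key?(title)
      next if resources[title]['path'] == path # same path listed twice
      reason = "title collides with #{resources[title]['path']}"
    end
    if reason
      rejected << [raw.chomp, reason]
    else
      # 'bits' is the placeholder key from the post; left empty here.
      resources[title] = { 'bits' => [], 'path' => path }
    end
  end
  [resources, rejected]
end

# Top-level key 'cats' matches the YAML shown in the post.
def hiera_yaml(resources)
  { 'cats' => resources }.to_yaml
end

# Constructed sample input (a file listing), not taken from the thread.
SAMPLE = <<~LIST
  /var/log/nginx/access.log
  /var/log/nginx/access.log
  /var/log/../etc/app.conf
  /var/log/my app.log
  relative/app.log
  /var/log//syslog/
LIST
if __FILE__ == $PROGRAM_NAME
  resources, rejected = build_resources(SAMPLE.each_line)
  rejected.each { |line, why| warn "skipped #{line.inspect}: #{why}" }
  puts hiera_yaml(resources)
end
```
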

Rob Reynolds

Aug 4, 2014, 4:24:06 PM
to puppet...@googlegroups.com
Slightly OT, but there is an open ticket on adding support for Linux to the ACL module - https://tickets.puppetlabs.com/browse/MODULES-962

In a perfect world perhaps this work would already be done and the logstash module would use the acl module to do this for you.
 




--
Rob Reynolds
Developer, Puppet Labs
