SUMMARY
I would like to recursively apply a default ACL but nothing happens, i.e. Ansible says there is nothing to change which is obviously wrong.
ISSUE TYPE
- Bug Report
COMPONENT NAME
ansible.posix.acl
ANSIBLE VERSION
ansible [core 2.17.5]
config file = /home/vincent/Documents/Git/GitIWES/iwes-softwaredev/iwes-server-management/ansible.cfg
configured module search path = ['/home/vincent/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /home/vincent/Documents/Git/GitIWES/iwes-softwaredev/iwes-server-management/.venv/lib/python3.12/site-packages/ansible
ansible collection location = /home/vincent/.ansible/collections:/usr/share/ansible/collections
executable location = /home/vincent/Documents/Git/GitIWES/iwes-softwaredev/iwes-server-management/.venv/bin/ansible
python version = 3.12.7 (main, Oct 1 2024, 11:15:50) [GCC 14.2.1 20240910] (/home/vincent/Documents/Git/GitIWES/iwes-softwaredev/iwes-server-management/.venv/bin/python)
jinja version = 3.1.4
libyaml = True
COLLECTION VERSION
# /home/vincent/Documents/Git/GitIWES/iwes-softwaredev/iwes-server-management/.venv/lib/python3.12/site-packages/ansible_collections
Collection Version
----------------- -------
community.general 9.5.0
CONFIGURATION
CONFIG_FILE() = /home/vincent/Documents/Git/GitIWES/iwes-softwaredev/iwes-server-management/ansible.cfg
EDITOR(env: EDITOR) = nano
INJECT_FACTS_AS_VARS(/home/vincent/Documents/Git/GitIWES/iwes-softwaredev/iwes-server-management/ansible.cfg) = False
OS / ENVIRONMENT
Endeavour OS
STEPS TO REPRODUCE
- Create a user named data
- Prepare the environment (a folder with a file inside):
cd /tmp
mkdir TEST
cd TEST
touch file
- Print the current ACL:
getfacl .
# file: .
# owner: wilvin
# group: wilvin
user::rwx
group::r-x
other::r-x
- Run ansible.posix.acl with the following parameters:
- path: /mnt/TEST
  entity: data
  default: true
  etype: user
  permissions: rwx
  recursive: true
  state: present
- Find that Ansible thinks it has no reason to change anything ("user:data:rwx is present"), which is wrong:
ok: [hpc-1] => (item={'path': '/tmp/TEST', 'entity': 'data', 'default': True, 'etype': 'user', 'permissions': 'rwx', 'recursive': True, 'state': 'present'}) => {"acl": [], "ansible_loop_var": "item", "changed": false, "item": {"default": true, "entity": "data", "etype": "user", "path": "/tmp/TEST", "permissions": "rwx", "recursive": true, "state": "present"}, "msg": "user:data:rwx is present"}
- Confirm that nothing has changed:
getfacl .
# file: .
# owner: wilvin
# group: wilvin
user::rwx
group::r-x
other::r-x
EXPECTED RESULTS
I expect the default ACL to be set for the user named data.
ACTUAL RESULTS
The ACLs have not changed.
I think this is caused by the following line, which checks for the presence of *,* in the command output of setfacl --test:
ansible.posix/plugins/modules/acl.py
Line 247 in c654bf0
if line.endswith('*,*') and not use_nfsv4_acls:
When there is a file in the folder to be modified, the output of setfacl --test returns *,* for every file in that folder hierarchy, thus actively preventing the ACLs from being applied:
wilvin@hpc-1 /t/TEST> setfacl --test --recursive --modify d:u:data:rwx .
.: *,d:u::rwx,d:u:data:rwx,d:g::r-x,d:m::rwx,d:o::r-x
./file: *,*
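The check described in the report, modelled as an added example (not part of the original issue and not the module's own code): one function answers "no change" as soon as any line ends with *,*, as the reporter describes, and a hypothetical per-path variant reports a change when at least one path differs. All function names are assumptions; the embedded sample is the setfacl --test output quoted above.

```python
# Constructed sample: the `setfacl --test --recursive` output quoted in the report.
SAMPLE_OUTPUT = """\
.: *,d:u::rwx,d:u:data:rwx,d:g::r-x,d:m::rwx,d:o::r-x
./file: *,*
"""

UNCHANGED = "*,*"  # marker shown in the report for a path whose ACLs stay as they are


def parse_test_output(text):
    """Return (path, acl_part) pairs, one per non-empty output line."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        # Split on the last ": " so a path that itself contains ": " stays intact.
        path, sep, acl_part = line.rpartition(": ")
        if not sep:
            raise ValueError(f"unexpected setfacl --test line: {line!r}")
        pairs.append((path, acl_part))
    return pairs


def changed_if_no_unchanged_line(text):
    """Model of the reported behaviour: a single '*,*' line means 'no change'."""
    for _path, acl_part in parse_test_output(text):
        if acl_part.endswith(UNCHANGED):
            return False
    return True


def changed_if_any_path_differs(text):
    """Hypothetical alternative: changed when at least one path is not '*,*'."""
    return any(acl != UNCHANGED for _path, acl in parse_test_output(text))


def paths_to_modify(text):
    """Paths whose ACLs the tested command would actually alter."""
    return [path for path, acl in parse_test_output(text) if acl != UNCHANGED]


if __name__ == "__main__":
    print("early-exit check :", changed_if_no_unchanged_line(SAMPLE_OUTPUT))
    print("per-path check   :", changed_if_any_path_differs(SAMPLE_OUTPUT))
    print("paths to modify  :", paths_to_modify(SAMPLE_OUTPUT))
```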