General_9

Reputation: 2319

Creating a directory with multiple groups ownership using Puppet?

How do I create a directory with multiple groups owning it using Puppet?

I would like to have users in 'group1' and 'group2' to all have access to the directory.

I tried the code below and it only grants ownership to group1.

file { [ "some/path1", "some/path2" ]:
  ensure => directory,
  owner  => 'root',
  group  => ['group1', 'group2'],
  mode   => '0770',
}

Upvotes: 2

Views: 2436

Answers (3)

Franklin Piat

Reputation: 4571

Puppet's file{} resource type only implements the Unix permissions, sometimes known as User-Group-Other (UGO)... so only one group, since Puppet does the same as chown, chgrp, chmod:

file { [ '/path/to/file' ]:
  owner  => 'root',
  group  => 'marketing',
  mode   => '0770',
  ensure => directory,
}

There are many extra modules available to manage ACL with Puppet:

I use puppet-acl. Here is an example:

acl {'/path/to/file' :
  action     => 'set',
  permission => ['user::rwx',
                 'group::rwx',
                 'group:sales:rwx',
                 'mask::rwx',
                 'other::---',
                 'default:user::rwx',
                 'default:group:sales:rwx',
                 'default:group:marketing:rwx',
                 'default:mask::rwx',
                 'default:other::---'],
  require    => File['/path/to/file']
}

Side notes:

  • RTFM, there are many interesting options (recursive, action=strict|unset|purge)...
  • Make sure the file{} and acl{} permissions for user: and group: and other: are consistent (otherwise the permissions will balance at each puppet run).

Upvotes: 1

Steve Shipway

Reputation: 4037

There are some third-party modules available in the Puppet Forge (puppet-acl, I think) that provide this functionality; however, it is not in native Puppet at this moment in time, though I believe the feature request is under consideration.

Upvotes: 2

Allen

Reputation: 2258

As far as I know, the basic file type in Puppet only handles discretionary permissions that only allow for one group and one owner. It is a limitation of the underlying system.

Depending on your client's platform you can use ACLs to grant varied permissions to more than one group or user. To do this in Puppet you would have to use an Exec and invoke setfacl (if you were on Linux, for example) directly.

Upvotes: 3
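
The Exec-plus-setfacl approach from the last answer, written out as an added example (not code from any of the answers above). The defined type name shared_dir and the paths /srv/path1 and /srv/path2 are hypothetical; it assumes Puppet 4 or later, a Linux agent with setfacl/getfacl installed, and a filesystem with POSIX ACL support.

```puppet
# Added example: one owning group via file{}, further groups via POSIX ACLs.
# shared_dir, /srv/path1 and /srv/path2 are hypothetical names.
define shared_dir (
  String        $primary_group,
  Array[String] $extra_groups,
  String        $path = $title,
) {
  # Classic UGO permissions: exactly one owner and one owning group.
  # 'other' gets nothing, so access is limited to root and the listed groups.
  file { $path:
    ensure => directory,
    owner  => 'root',
    group  => $primary_group,
    mode   => '0770',
  }

  $extra_groups.each |String $grp| {
    # Access entry for the existing directory plus a default entry,
    # so files and directories created inside inherit the grant.
    exec { "acl-${grp}-on-${path}":
      command  => "setfacl -m 'g:${grp}:rwx,d:g:${grp}:rwx' '${path}'",
      # Idempotence guard: skip the command when both entries already exist.
      # grep -x matches whole lines, so a masked entry (printed with an
      # '#effective:' suffix) counts as missing and is re-applied.
      unless   => "getfacl -cp '${path}' | grep -qx 'group:${grp}:rwx' && getfacl -cp '${path}' | grep -qx 'default:group:${grp}:rwx'",
      # The pipe and && in 'unless' need a shell; the default posix
      # provider runs commands without one.
      provider => shell,
      path     => ['/usr/bin', '/bin'],
      require  => File[$path],
    }
  }
}

shared_dir { ['/srv/path1', '/srv/path2']:
  primary_group => 'group1',
  extra_groups  => ['group2'],
}
```

Keep the file{} mode's group bits at rwx when the ACL entries grant rwx: once named entries exist, chmod's group bits set the ACL mask, so a narrower mode would mask the grant and make the guard re-run setfacl on every Puppet run.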
