Merged in ITPLT-3785-bugfix-install-dir-perms-issues (pull request #213)

ITPLT-3785 bugfix install dir perms issues

Approved-by: Geoff Jacobs

roles/confluence_config/tasks/main.yml

@@ -66,17 +66,39 @@
     owner: "{{ atl_product_user }}"
     group: "{{ atl_product_user }}"
 
-- name: Limit permissions on the installation directory
+- name: Limit permissions on the installer temp directory, recursively
+  ansible.builtin.file:
+    path: "{{ atl_installer_temp }}"
+    owner: "root"
+    group: "root"
+    mode: "u=rwX,g=rX,o=rX"
+    recurse: true
+  changed_when: false  # For Molecule idempotence check
+
+- name: Limit permissions on the installation directory, non-recursively
   ansible.builtin.file:
     path: "{{ atl_product_installation_versioned }}"
     owner: "root"
     group: "root"
     mode: "u=rwX,g=rX,o=rX"
-    recurse: true
+  changed_when: false  # For Molecule idempotence check
-  with_items:
+
-    - "{{ atl_installer_temp }}"
+- name: Find top-level files/directories in installation directory, excluding working directories
-    - "{{ atl_product_installation_versioned }}"
+  ansible.builtin.find:
-    - "{{ atl_product_version_cache_dir }}"
+    paths: "{{ atl_product_installation_versioned }}"
+    depth: 1
+    file_type: any
+    excludes: logs,temp,work
+  register: atl_product_installation_versioned_file_list
+
+- name: Limit permissions on files and directories in the installation directory, recursively, excluding working directories
+  ansible.builtin.file:
+    path: "{{ item.path }}"
+    owner: "root"
+    group: "root"
+    mode: "u=rwX,g=rX,o=rX"
+    recurse: "{{ item.isdir }}"
+  loop: "{{ atl_product_installation_versioned_file_list.files }}"
   changed_when: false  # For Molecule idempotence check
 
 - name: Grant access to the product working directories

roles/crowd_config/tasks/main.yml

@@ -66,17 +66,47 @@
     - "{{ atl_product_shared_plugins }}"
   changed_when: false  # For Molecule idempotence check
 
-- name: Limit permissions on the installation directory
+- name: Limit permissions on the installer temp directory, recursively
   ansible.builtin.file:
-    path: "{{ atl_product_installation_versioned }}"
+    path: "{{ atl_installer_temp }}"
-    owner: "{{ atl_product_user }}"
+    owner: "root"
-    group: "{{ atl_product_user }}"
+    group: "root"
     mode: "u=rwX,g=rX,o=rX"
     recurse: true
-  with_items:
+  changed_when: false  # For Molecule idempotence check
-    - "{{ atl_installer_temp }}"
+
-    - "{{ atl_product_installation_versioned }}"
+- name: Limit permissions on the installation directory, non-recursively
-    - "{{ atl_product_version_cache_dir }}"
+  ansible.builtin.file:
+    path: "{{ atl_product_installation_versioned }}"
+    owner: "root"
+    group: "root"
+    mode: "u=rwX,g=rX,o=rX"
+  changed_when: false  # For Molecule idempotence check
+
+- name: Find top-level files/directories in installation directory, excluding tomcat
+  ansible.builtin.find:
+    paths: "{{ atl_product_installation_versioned }}"
+    depth: 1
+    file_type: any
+    excludes: apache-tomcat
+  register: atl_product_installation_versioned_file_list
+
+- name: Find top-level files/directories in tomcat directory, excluding working directories
+  ansible.builtin.find:
+    paths: "{{ atl_product_installation_versioned }}/apache-tomcat"
+    depth: 1
+    file_type: any
+    excludes: logs,temp,work
+  register: atl_product_installation_versioned_tomcat_file_list
+
+- name: Limit permissions on files and directories in the installation and tomcat directories, recursively, excluding working directories
+  ansible.builtin.file:
+    path: "{{ item.path }}"
+    owner: "root"
+    group: "root"
+    mode: "u=rwX,g=rX,o=rX"
+    recurse: "{{ item.isdir }}"
+  loop: "{{ atl_product_installation_versioned_file_list.files + atl_product_installation_versioned_tomcat_file_list.files }}"
   changed_when: false  # For Molecule idempotence check
 
 - name: Grant access to the product working directories

roles/jira_config/tasks/main.yml

@@ -75,18 +75,39 @@
     - "{{ atl_product_shared_plugins }}"
   changed_when: false  # For Molecule idempotence check
 
+- name: Limit permissions on the installer temp directory, recursively
+  ansible.builtin.file:
+    path: "{{ atl_installer_temp }}"
+    owner: "root"
+    group: "root"
+    mode: "u=rwX,g=rX,o=rX"
+    recurse: true
+  changed_when: false  # For Molecule idempotence check
 
-- name: Limit permissions on the installation directory
+- name: Limit permissions on the installation directory, non-recursively
   ansible.builtin.file:
     path: "{{ atl_product_installation_versioned }}"
     owner: "root"
     group: "root"
     mode: "u=rwX,g=rX,o=rX"
-    recurse: true
+  changed_when: false  # For Molecule idempotence check
-  with_items:
+
-    - "{{ atl_installer_temp }}"
+- name: Find top-level files/directories in installation directory, excluding working directories
-    - "{{ atl_product_installation_versioned }}"
+  ansible.builtin.find:
-    - "{{ atl_product_version_cache_dir }}"
+    paths: "{{ atl_product_installation_versioned }}"
+    depth: 1
+    file_type: any
+    excludes: logs,temp,work
+  register: atl_product_installation_versioned_file_list
+
+- name: Limit permissions on files and directories in the installation directory, recursively, excluding working directories
+  ansible.builtin.file:
+    path: "{{ item.path }}"
+    owner: "root"
+    group: "root"
+    mode: "u=rwX,g=rX,o=rX"
+    recurse: "{{ item.isdir }}"
+  loop: "{{ atl_product_installation_versioned_file_list.files }}"
   changed_when: false  # For Molecule idempotence check
 
 - name: Grant access to the product working directories

roles/product_install/tasks/main.yml

@@ -136,6 +136,9 @@
   ansible.builtin.template:
     src: version.j2
     dest: "{{ atl_product_version_cache }}"
+    owner: "root"
+    group: "root"
+    mode: "u=rwX,g=rX,o=rX"
     force: true
 
 # For the first run a temp binary should be downloaded but moved to