Add option to grant read access to paths

Closes patrickjahns#212 : allows adding a list of paths which should get read access
johanvdw · Apr 30, 2024 · 65520bf · 65520bf
1 parent 6c3c60c
commit 65520bf
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -42,8 +42,9 @@ All variables which can be overridden are stored in [defaults/main.yml](defaults
 | `promtail_log_level`                             | "info"                                                           | Loglevel of promtail (one of: `debug`,`info`,`warn`,`error` )                                                          |
 | `promtail_config_include_default_file_sd_config` | "True"                                                           | When set to false, the default `file_sd` will not be provisioned                                                       |
 | `promtail_apt_update_cache`                      | "True"                                                           | When set to false the role will not update the APT cache on its own                                                    |
+| `promtail_acl_read_paths`                        | []                                                               | Paths (folders or files) to which promtail should receive read access through acl, regardless of owner/group           |
 
-For each section (`promtail_config_clients`, `promtail_config_server`,`promtail_config_positions`,`promtail_config_scrape_configs`,`promtail_target_config`) the configuration can be passed accrodingly to the [official promtail configuration](https://github.com/grafana/loki/blob/master/docs/clients/promtail/configuration.md).
+For each section (`promtail_config_clients`, `promtail_config_server`,`promtail_config_positions`,`promtail_config_scrape_configs`,`promtail_target_config`) the configuration can be passed accordingly to the [official promtail configuration](https://github.com/grafana/loki/blob/master/docs/clients/promtail/configuration.md).
 The role will converte the ansible vars into the respective yaml configuration for loki.
 
 ## Example Playbook

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -58,6 +58,8 @@ promtail_config_default_file_sd_config:
           - "{{ promtail_config_file_sd_dir }}/*.yaml"
           - "{{ promtail_config_file_sd_dir }}/*.json"
 
+promtail_acl_read_paths: []
+
 promtail_target_config: {}
 #  promtail_target_config:
 #    sync_period: "10s"
diff --git a/tasks/install.yml b/tasks/install.yml
@@ -134,3 +134,13 @@
     src: "{{ promtail_systemd_service_template_file }}"
     dest: "/etc/systemd/system/{{ promtail_systemd_service }}.service"
     mode: 0644
+
+- name: Grant promtail read access to configured paths
+  acl:
+    path: "{{ item }}"
+    entity: "{{ promtail_system_user }}"
+    etype: user
+    permissions: rX
+    recursive: yes
+    state: present
+  with_items: "{{ promtail_acl_read_paths }}"