From 65520bf520147571588ac493106beba23e2af04c Mon Sep 17 00:00:00 2001
From: Johan Van de Wauw
Date: Tue, 30 Apr 2024 10:04:37 +0200
Subject: [PATCH] Add option to grant read access to paths Closes #212 : allows adding a list of paths which should get read access
---
 README.md | 3 ++-
 defaults/main.yml | 2 ++
 tasks/install.yml | 10 ++++++++++
 3 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index c5af033..54d9580 100644
--- a/README.md
+++ b/README.md
@@ -42,8 +42,9 @@ All variables which can be overridden are stored in [defaults/main.yml](defaults
 | `promtail_log_level` | "info" | Loglevel of promtail (one of: `debug`,`info`,`warn`,`error` ) |
 | `promtail_config_include_default_file_sd_config` | "True" | When set to false, the default `file_sd` will not be provisioned |
 | `promtail_apt_update_cache` | "True" | When set to false the role will not update the APT cache on its own |
+| `promtail_acl_read_paths` | [] | Paths (folders or files) to which promtail should receive read access through acl, regardless of owner/group |

-For each section (`promtail_config_clients`, `promtail_config_server`,`promtail_config_positions`,`promtail_config_scrape_configs`,`promtail_target_config`) the configuration can be passed accrodingly to the [official promtail configuration](https://github.com/grafana/loki/blob/master/docs/clients/promtail/configuration.md).
+For each section (`promtail_config_clients`, `promtail_config_server`,`promtail_config_positions`,`promtail_config_scrape_configs`,`promtail_target_config`) the configuration can be passed accordingly to the [official promtail configuration](https://github.com/grafana/loki/blob/master/docs/clients/promtail/configuration.md).
 The role will converte the ansible vars into the respective yaml configuration for loki.

 ## Example Playbook
diff --git a/defaults/main.yml b/defaults/main.yml
index 6ed8888..dbdeac7 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -58,6 +58,8 @@ promtail_config_default_file_sd_config:
 - "{{ promtail_config_file_sd_dir }}/*.yaml"
 - "{{ promtail_config_file_sd_dir }}/*.json"

+promtail_acl_read_paths: []
+
 promtail_target_config: {}
 # promtail_target_config:
 # sync_period: "10s"
diff --git a/tasks/install.yml b/tasks/install.yml
index 5ec2ea5..fa88b4d 100644
--- a/tasks/install.yml
+++ b/tasks/install.yml
@@ -134,3 +134,13 @@
 src: "{{ promtail_systemd_service_template_file }}"
 dest: "/etc/systemd/system/{{ promtail_systemd_service }}.service"
 mode: 0644
+
+- name: Grant promtail read access to configured paths
+ acl:
+ path: "{{ item }}"
+ entity: "{{ promtail_system_user }}"
+ etype: user
+ permissions: rX
+ recursive: yes
+ state: present
+ with_items: "{{ promtail_acl_read_paths }}"
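Review bot: The new `acl` task in tasks/install.yml grants `rX` with `recursive: yes` to every entry in `promtail_acl_read_paths`, so a broad entry gives the promtail user read access to everything beneath it, and with only `state: present` nothing here revokes the entry once a path is removed from the list. The README row should state this, for example: `Access is granted recursively and is not revoked when a path is removed from the list; list only the directories promtail must read.` Because no default ACL is set, files created after the run (rotated logs, for instance) will presumably not inherit the entry, which deserves a sentence as well. Smaller points: `recursive: true` is the canonical boolean, and the task depends on the `acl` module and `setfacl` being available on the target, which this hunk does not ensure.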