YAML is used in Ansible because it is a human-readable data format that is easy to write and understand. Its simplicity allows users to define configurations and tasks in a structured, readable way, making Ansible playbooks accessible even for those new to coding. YAML’s clear syntax also reduces the chance of syntax errors, making it ideal for automation tasks.
How to change file permissions with Ansible
Key takeaways:
Ansible automates configuration and deployment without agents using a central control node.
File permissions are vital in DevOps for security, limiting access to necessary files only.
Permissions in Ansible mirror Linux: Read (r), Write (w), Execute (x) for user, group, and other classes.
The ansible.builtin.file module with mode sets file permissions in octal format.
Ansible is an open-source IT automation software suite used for various tasks, such as managing configurations and application deployment. It is agentless and can connect with multiple system servers simultaneously. Ansible control nodes defined in a host inventory file manage the automation of this process.
File permissions in Ansible
A crucial aspect of DevOps is maintaining security by granting access according to the principle of least privilege. That is, only the files necessary for operation should be accessible. This reduces the attack surface and increases the system’s security. Moreover, it protects file integrity by limiting access to those who need to work on the file. Thus, the management of file permissions is an integral part of DevOps.
Managing file permissions in Ansible is similar to Linux. There are three principal permissions in Ansible:
Read (r)
Write (w)
Execute (x)
The permissions are set for three base classes of users, which correspond to the base entry ACL users:
user: This class of users has ownership rights of the file.
group: This is the group of users associated with the file.
other: This class includes all such users who are neither user nor are a part of a group.
These user classes have different access privileges, which can be effectively modified in Ansible using the mode parameter of the ansible.builtin.file module. The syntax of this module is as follows:
ansible.builtin.file:
  path: /path/to/file
  mode: "<some_octal_number>"
Code to change file permissions in Ansible
To better understand how to change file permissions in Ansible, let’s look at the following code example: We’ll change the access permission of the /usercode/test.txt file by running the /usercode/file.yml Ansible playbook.
Code explanation
In the above code:
Line 1: The three dashes --- define the start of the Ansible playbook.
Line 2: This parameter declares the name of the Ansible playbook.
Line 3: This parameter declares the hosts of the playbook to be localhost.
Line 4: The connection parameter is set to local, which means that the tasks are to be run on a local machine.
Line 5: The gather_facts parameter is set to false, which means that the playbook will not gather host information while running.
Line 7: The playbook tasks are initiated in this block.
Line 17: The ansible.builtin.file module is used for modifying the file.
Line 18: The path attribute tells the path of the file to be modified.
Line 19: The mode attribute defines the permissions of the file. The permissions are defined in octal format.
Line 21: Another task Find file permissions using ACL again is defined in which we’ll display the permissions of the modified file system again.
Lines 22–27: The acl (Access control list) module is used again to print the updated permissions of the file system.
Note: This example has been implemented using Ansible==2.9.6.
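A playbook along the lines described above, written here as an added example and not the page's original listing: it sets the mode with ansible.builtin.file, then reads it back with ansible.builtin.stat and checks it with ansible.builtin.assert instead of the acl tasks. The mode 0640 and the task names are assumptions; the file path is the one named on this page and is assumed to exist.

```yaml
---
# Added example, not the original playbook from this page.
- name: Restrict permissions on a file and verify the result
  hosts: localhost
  connection: local
  gather_facts: false

  tasks:
    - name: Set the file mode
      ansible.builtin.file:
        path: /usercode/test.txt
        # Assumed target: read/write for user, read for group, nothing for other.
        # Keep the quotes. An unquoted 640 is parsed by YAML as the decimal
        # number 640, which is a different permission set than octal 0640.
        mode: "0640"

    - name: Read the mode back from the file system
      ansible.builtin.stat:
        path: /usercode/test.txt
      register: st

    - name: Fail the play if the mode is not what was requested
      ansible.builtin.assert:
        that:
          - st.stat.exists
          # stat reports the mode as a four-digit octal string.
          - st.stat.mode == "0640"
          # woth is true when the "other" class has write access.
          - not st.stat.woth
        fail_msg: "Unexpected mode {{ st.stat.mode }} on /usercode/test.txt"
        success_msg: "Mode is 0640 and the file is not world-writable"
```

Running it a second time should report the file task as unchanged, which is a quick way to confirm the permissions have not drifted since the last run.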
Conclusion
In conclusion, Ansible provides a powerful and efficient way to manage file permissions across multiple systems, enhancing security and operational integrity in DevOps environments. By utilizing the ansible.builtin.file module, users can easily define and modify permissions in a straightforward manner, ensuring that access is granted based on the principle of least privilege. This capability not only streamlines the management of file permissions but also integrates seamlessly into larger automation workflows. As organizations continue to prioritize security and compliance, mastering Ansible for file permission management becomes an essential skill for IT professionals and DevOps teams alike.