Default ACL are not set recursively if file is present in subfolder #592

Open
Apollo3zehn opened this issue Nov 11, 2024 · 0 comments

SUMMARY

I would like to recursively apply a default ACL, but nothing happens, i.e. Ansible says there is nothing to change, which is obviously wrong.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

ansible.posix.acl

ANSIBLE VERSION
ansible [core 2.17.5]
  config file = /home/vincent/Documents/Git/GitIWES/iwes-softwaredev/iwes-server-management/ansible.cfg
  configured module search path = ['/home/vincent/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/vincent/Documents/Git/GitIWES/iwes-softwaredev/iwes-server-management/.venv/lib/python3.12/site-packages/ansible
  ansible collection location = /home/vincent/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/vincent/Documents/Git/GitIWES/iwes-softwaredev/iwes-server-management/.venv/bin/ansible
  python version = 3.12.7 (main, Oct  1 2024, 11:15:50) [GCC 14.2.1 20240910] (/home/vincent/Documents/Git/GitIWES/iwes-softwaredev/iwes-server-management/.venv/bin/python)
  jinja version = 3.1.4
  libyaml = True
COLLECTION VERSION
# /home/vincent/Documents/Git/GitIWES/iwes-softwaredev/iwes-server-management/.venv/lib/python3.12/site-packages/ansible_collections
Collection        Version
----------------- -------
community.general 9.5.0
CONFIGURATION
CONFIG_FILE() = /home/vincent/Documents/Git/GitIWES/iwes-softwaredev/iwes-server-management/ansible.cfg
EDITOR(env: EDITOR) = nano
INJECT_FACTS_AS_VARS(/home/vincent/Documents/Git/GitIWES/iwes-softwaredev/iwes-server-management/ansible.cfg) = False
OS / ENVIRONMENT

Endeavour OS

STEPS TO REPRODUCE
  1. Create a user named data
  2. Prepare the environment (a folder with a file inside):
cd /tmp
mkdir TEST
cd TEST
touch file
  3. Print the current ACL:
getfacl .
# file: .
# owner: wilvin
# group: wilvin
user::rwx
group::r-x
other::r-x
  4. Run ansible.posix.acl with the following parameters:
  - path: /mnt/TEST
    entity: data
    default: true
    etype: user
    permissions: rwx
    recursive: true
    state: present
  5. Find that Ansible thinks it has no reason to change anything ("user:data:rwx is present"), which is wrong:
ok: [hpc-1] => (item={'path': '/tmp/TEST', 'entity': 'data', 'default': True, 'etype': 'user', 'permissions': 'rwx', 'recursive': True, 'state': 'present'}) => {"acl": [], "ansible_loop_var": "item", "changed": false, "item": {"default": true, "entity": "data", "etype": "user", "path": "/tmp/TEST", "permissions": "rwx", "recursive": true, "state": "present"}, "msg": "user:data:rwx is present"}
  6. Confirm that nothing has changed:
getfacl .
# file: .
# owner: wilvin
# group: wilvin
user::rwx
group::r-x
other::r-x
EXPECTED RESULTS

I expect the default ACL to be set for the user named data.

ACTUAL RESULTS

The ACLs have not changed.

I think this is caused by the following line, which checks for the presence of *,* in the command output of setfacl --test:

if line.endswith('*,*') and not use_nfsv4_acls:

When there is a file in the folder to be modified, the output of setfacl --test returns *,* for every file in that folder hierarchy, thus actively preventing the ACLs from being applied:

wilvin@hpc-1 /t/TEST> setfacl --test --recursive --modify d:u:data:rwx .
.: *,d:u::rwx,d:u:data:rwx,d:g::r-x,d:m::rwx,d:o::r-x
./file: *,*
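
The effect described in the issue, as an added example (not code from ansible.posix and not written by the reporter): it runs the `setfacl --test` output quoted above through a check that treats any line ending in `*,*` as "nothing to change", which is an assumption about how the quoted line is used, and through a per-path check for comparison. All function names are hypothetical.

```python
"""Added example: why one unchanged file can mask a pending ACL change."""

# Constructed sample: the `setfacl --test --recursive` output quoted in the issue.
SAMPLE_OUTPUT = """\
.: *,d:u::rwx,d:u:data:rwx,d:g::r-x,d:m::rwx,d:o::r-x
./file: *,*
"""

UNCHANGED = "*,*"  # access ACL and default ACL both reported as untouched


def changed_short_circuit(lines):
    """Assumed use of the quoted check: any '*,*' line means 'nothing to do'."""
    for line in lines:
        if line.endswith(UNCHANGED):
            return False
    return True


def paths_to_change(lines):
    """Return every path whose access or default ACL would be modified."""
    pending = []
    for line in lines:
        if not line.strip():
            continue
        # Format as seen in the quoted output: "<path>: <access>,<default>"
        path, _, acls = line.rpartition(": ")
        access, _, default = acls.partition(",")
        if access != "*" or default != "*":
            pending.append(path)
    return pending


def changed_per_path(lines):
    """Report a change as soon as one path has a pending modification."""
    return bool(paths_to_change(lines))


if __name__ == "__main__":
    lines = SAMPLE_OUTPUT.splitlines()
    print("short-circuit check:", changed_short_circuit(lines))
    print("per-path check:     ", changed_per_path(lines))
    print("paths to change:    ", paths_to_change(lines))
```

A task that reports `changed: false` here leaves the directory without the intended default ACL, so verifying with `getfacl` after the run, as the reporter does in the reproduction steps, is the reliable check.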