Status: Need more Info
Affects Version/s: None
Fix Version/s: None
Consider this case:
I have a path like this:
And I have a symlink to that top level that looks like this:
/var/cfengine/masterfiles/deploy/repo/branch/prod -> /var/cfengine/masterfiles/deploy/repo/branch/prod.a8453e93aea31f47e925a22fa747ca218652656e
What I would like to be able to do is create an access promise for this promisee:
comment => "Grant access to wildfly dev files to wildfly dev machines",
I see two problems with this:
1) cf-serverd is calling realpath() when processing access rules, and so the symlink at prod is evaluated to prod.a8453e93aea31f47e925a22fa747ca218652656e. In our environment, we are using symlinks to give us atomic deployments by deploying each git rev to a new directory, and using mv -T to atomically move a temporary link over top of the old prod link.
2) Pattern matching isn't supported in access rules.
I'm not sure if (2) is easily solvable, but I believe (1) could be solved by just disabling the call to ResolveFilename() inside AccessControl(). I would still need an rule for each branch under the branch/ directory, but pushing branches up to our servers doesn't happen all that often, and for the case of our private repository, we would want a little more access control over it.