2016-02-01 03:10:02 +00:00
|
|
|
.. _publisher-acl:
|
|
|
|
|
|
2015-10-22 10:04:49 +00:00
|
|
|
====================
|
|
|
|
|
Publisher ACL system
|
|
|
|
|
====================
|
2012-09-10 16:10:55 +00:00
|
|
|
|
2015-10-22 10:04:49 +00:00
|
|
|
The salt publisher ACL system is a means to allow system users other than root
|
|
|
|
|
to have access to execute select salt commands on minions from the master.
|
2012-09-10 16:10:55 +00:00
|
|
|
|
2015-10-22 10:04:49 +00:00
|
|
|
The publisher ACL system is configured in the master configuration file via the
|
|
|
|
|
``publisher_acl`` configuration option. Under the ``publisher_acl``
|
|
|
|
|
configuration option the users open to send commands are specified and then a
|
|
|
|
|
list of regular expressions which specify the minion functions which will be
|
|
|
|
|
made available to specified user. This configuration is much like the ``peer``
|
|
|
|
|
configuration:
|
2012-09-10 16:10:55 +00:00
|
|
|
|
|
|
|
|
.. code-block:: yaml
|
|
|
|
|
|
2015-10-22 10:04:49 +00:00
|
|
|
publisher_acl:
|
2015-07-14 02:59:43 +00:00
|
|
|
# Allow thatch to execute anything.
|
2012-09-10 16:10:55 +00:00
|
|
|
thatch:
|
|
|
|
|
- .*
|
2015-07-14 03:40:01 +00:00
|
|
|
# Allow fred to use test and pkg, but only on "web*" minions.
|
2012-09-10 16:10:55 +00:00
|
|
|
fred:
|
2015-07-14 03:40:01 +00:00
|
|
|
- web*:
|
2015-07-14 02:59:43 +00:00
|
|
|
- test.*
|
|
|
|
|
- pkg.*
|
2012-09-10 16:10:55 +00:00
|
|
|
|
2015-10-22 10:04:49 +00:00
|
|
|
WARNING: client_acl and client_acl_blacklist options are deprecated and will be
|
|
|
|
|
removed in the future releases. Use publisher_acl and publisher_acl_blacklist
|
|
|
|
|
instead.
|
|
|
|
|
|
2012-09-10 16:10:55 +00:00
|
|
|
Permission Issues
|
2016-02-01 03:10:02 +00:00
|
|
|
-----------------
|
2015-10-22 10:04:49 +00:00
|
|
|
Directories required for ``publisher_acl`` must be modified to be readable by
|
|
|
|
|
the users specified:
|
2012-09-26 02:24:33 +00:00
|
|
|
|
|
|
|
|
.. code-block:: bash
|
|
|
|
|
|
2014-11-17 21:55:08 +00:00
|
|
|
chmod 755 /var/cache/salt /var/cache/salt/master /var/cache/salt/master/jobs /var/run/salt /var/run/salt/master
|
2012-09-26 02:24:33 +00:00
|
|
|
|
2013-12-14 05:45:31 +00:00
|
|
|
.. note::
|
|
|
|
|
|
|
|
|
|
In addition to the changes above you will also need to modify the
|
2014-11-17 21:55:08 +00:00
|
|
|
permissions of /var/log/salt and the existing log file to be writable by
|
|
|
|
|
the user(s) which will be running the commands. If you do not wish to do
|
|
|
|
|
this then you must disable logging or Salt will generate errors as it
|
|
|
|
|
cannot write to the logs as the system users.
|
2013-12-14 05:45:31 +00:00
|
|
|
|
2012-09-26 02:24:33 +00:00
|
|
|
If you are upgrading from earlier versions of salt you must also remove any
|
|
|
|
|
existing user keys and re-start the Salt master:
|
2012-09-10 16:10:55 +00:00
|
|
|
|
|
|
|
|
.. code-block:: bash
|
|
|
|
|
|
2012-10-04 17:48:12 +00:00
|
|
|
rm /var/cache/salt/.*key
|
2015-07-14 02:59:43 +00:00
|
|
|
service salt-master restart
|
2016-02-01 03:10:02 +00:00
|
|
|
|
|
|
|
|
Whitelist and Blacklist
|
|
|
|
|
-----------------------
|
|
|
|
|
Salt's authentication systems can be configured by specifying what is allowed
|
|
|
|
|
using a whitelist, or by specifying what is disallowed using a blacklist. If
|
|
|
|
|
you specify a whitelist, only specified operations are allowed. If you specify
|
|
|
|
|
a blacklist, all operations are allowed except those that are blacklisted.
|
|
|
|
|
|
|
|
|
|
See :conf_master:`publisher_acl` and :conf_master:`publisher_acl_blacklist`.
|
