salt/doc/topics/eauth/access_control.rst

.. _acl:

=====================
Access Control System
=====================

.. versionadded:: 0.10.4

Salt maintains a standard system used to open granular control to non
administrative users to execute Salt commands. The access control system
has been applied to all systems used to configure access to non administrative
control interfaces in Salt.

These interfaces include, the ``peer`` system, the
``external auth`` system and the ``publisher acl`` system.

The access control system mandated a standard configuration syntax used in
all of the three aforementioned systems. While this adds functionality to the
configuration in 0.10.4, it does not negate the old configuration.

Now specific functions can be opened up to specific minions from specific users
in the case of external auth and publisher ACLs, and for specific minions in the
case of the peer system.

.. toctree::

    ../../ref/publisheracl
    index
    ../../ref/peer

When to Use Each Authentication System
======================================
``publisher_acl`` is useful for allowing local system users to run Salt
commands without giving them root access. If you can log into the Salt
master directly, then ``publisher_acl`` allows you to use Salt without
root privileges. If the local system is configured to authenticate against
a remote system, like LDAP or Active Directory, then ``publisher_acl`` will
interact with the remote system transparently.

``external_auth`` is useful for ``salt-api`` or for making your own scripts
that use Salt's Python API. It can be used at the CLI (with the ``-a``
flag) but it is more cumbersome as there are more steps involved.  The only
time it is useful at the CLI is when the local system is *not* configured
to authenticate against an external service *but* you still want Salt to
authenticate against an external service.

Examples
========

The access controls are manifested using matchers in these configurations:

.. code-block:: yaml

    publisher_acl:
      fred:
        - web\*:
          - pkg.list_pkgs
          - test.*
          - apache.*

In the above example, fred is able to send commands only to minions which match
the specified glob target. This can be expanded to include other functions for
other minions based on standard targets (all matchers are supported except the compound one).

.. code-block:: yaml

    external_auth:
      pam:
        dave:
          - test.ping
          - mongo\*:
            - network.*
          - log\*:
            - network.*
            - pkg.*
          - 'G@os:RedHat':
            - kmod.*
        steve:
          - .*

The above allows for all minions to be hit by test.ping by dave, and adds a
few functions that dave can execute on other minions. It also allows steve
unrestricted access to salt commands.

.. note::
    Functions are matched using regular expressions.
Added / updated targets for the acl and eauth docs 2012-11-16 18:21:51 +00:00			`.. _acl:`

Start access control doc 2012-10-07 21:35:18 +00:00			`=====================`
			`Access Control System`
			`=====================`

			`.. versionadded:: 0.10.4`

			`Salt maintains a standard system used to open granular control to non`
			`administrative users to execute Salt commands. The access control system`
			`has been applied to all systems used to configure access to non administrative`
Doc restructuring, organization, and cleanup. Updated the doc navigation. 2016-02-01 03:10:02 +00:00			`control interfaces in Salt.`

			These interfaces include, the ``peer`` system, the
Deprecate client_acl with publisher_acl (rename) Keeping client_acl support 2015-10-22 10:04:49 +00:00			``external auth`` system and the ``publisher acl`` system.
Start access control doc 2012-10-07 21:35:18 +00:00
			`The access control system mandated a standard configuration syntax used in`
			`all of the three aforementioned systems. While this adds functionality to the`
			`configuration in 0.10.4, it does not negate the old configuration.`

			`Now specific functions can be opened up to specific minions from specific users`
Deprecate client_acl with publisher_acl (rename) Keeping client_acl support 2015-10-22 10:04:49 +00:00			`in the case of external auth and publisher ACLs, and for specific minions in the`
Add to access control 2012-10-08 03:40:35 +00:00			`case of the peer system.`

Doc restructuring, organization, and cleanup. Updated the doc navigation. 2016-02-01 03:10:02 +00:00			`.. toctree::`

			`../../ref/publisheracl`
			`index`
			`../../ref/peer`

			`When to Use Each Authentication System`
			`======================================`
			``publisher_acl`` is useful for allowing local system users to run Salt
			`commands without giving them root access. If you can log into the Salt`
			master directly, then ``publisher_acl`` allows you to use Salt without
			`root privileges. If the local system is configured to authenticate against`
			a remote system, like LDAP or Active Directory, then ``publisher_acl`` will
			`interact with the remote system transparently.`

			``external_auth`` is useful for ``salt-api`` or for making your own scripts
			that use Salt's Python API. It can be used at the CLI (with the ``-a``
			`flag) but it is more cumbersome as there are more steps involved. The only`
			`time it is useful at the CLI is when the local system is not configured`
			`to authenticate against an external service but you still want Salt to`
			`authenticate against an external service.`

			`Examples`
			`========`

typo fix. added example of unrestricted access. 2013-02-18 22:13:02 +00:00			`The access controls are manifested using matchers in these configurations:`
Add to access control 2012-10-08 03:40:35 +00:00
typo in "code-block" tag 2012-10-08 19:00:37 +00:00			`.. code-block:: yaml`
Add to access control 2012-10-08 03:40:35 +00:00
Deprecate client_acl with publisher_acl (rename) Keeping client_acl support 2015-10-22 10:04:49 +00:00			`publisher_acl:`
Add to access control 2012-10-08 03:40:35 +00:00			`fred:`
			`- web\*:`
			`- pkg.list_pkgs`
			`- test.*`
			`- apache.*`

			`In the above example, fred is able to send commands only to minions which match`
typo fix. added example of unrestricted access. 2013-02-18 22:13:02 +00:00			`the specified glob target. This can be expanded to include other functions for`
[2016.3] Merge forward from 2015.8 to 2016.3 (#32784) * json encode arguments passed to an execution module function call this fixes problems where you could pass a string to a module function, which thanks to the yaml decoder which is used when parsing command line arguments could change its type entirely. for example: __salt__['test.echo')('{foo: bar}') the test.echo function just returns the argument it's given. however, because it's being called through a salt-call process like this: salt-call --local test.echo {foo: bar} salt thinks it's yaml and therefore yaml decodes it. the return value from the test.echo call above is therefore a dict, not a string. * Prevent crash if pygit2 package is requesting re-compilation of the e… (#32652) * Prevent crash if pygit2 package is requesting re-compilation of the entire library on production systems (no devel packages) Fix PEP8: move imports to the top of the file * Move logger up * Add log error message in case if exception is not an ImportError * align OS grains from older SLES with current one (#32649) * Fixing critical bug to remove only the specified Host instead of the entire Host cluster (#32640) * yumpkg: Ignore epoch in version comparison for explict versions without an epoch (#32563) * yumpkg: Ignore epoch in version comparison for explict versions without an epoch Also properly handle comparisions for packages with multiple versions. Resolves #32229 * Don't attempt downgrade for kernel and its subpackages Multiple versions are supported since their paths do not conflict. * Lower log level for pillar cache (#32655) This shouldn't show up on salt-call runs * Don't access deprecated Exception.message attribute. (#32556) * Don't access deprecated Exception.message attribute. To avoid a deprecation warning message in logs. There is a new function salt.exceptions.get_error_message(e) instead. * Fixed module docs test. * Fix for issue 32523 (#32672) * Fix routes for redhat < 6 * Handle a couple of arguments better (Azure) (#32683) * backporting a fix from develop where the use of splay would result in seconds=0 in the schedule.list when there was no seconds specified in the origina schedule * Handle when beacon not configured and we try to enable/disable them (#32692) * Handle the situation when the beacon is not configured and we try to disable it * a couple more missing returns in the enable & disable * Check dependencies type before appling str operations (#32693) * Update external auth documentation to list supported matcher. (#32733) Thanks to #31598, all matchers are supported for eauth configuration. But we still have no way to use compound matchers in eauth configuration. Update the documentation to explicitly express this limitation. * modules.win_dacl: consistent case of dacl constants (#32720) * Document pillar cache options (#32643) * Add note about Pillar data cache requirement for Pillar targeting method * Add `saltutil.refresh_pillar` function to the scheduled Minion jobs * Minor fixes in docs * Add note about relations between `pillar_cache` option and Pillar Targeting to Master config comments with small reformatting * Document Pillar Cache Options for Salt Master * Document Minions Targeting with Mine * Remove `saltutil.refresh_pillar` scheduled persistent job * Properly handle minion failback failure. (#32749) * Properly handle minion failback failure. Initiate minion restart if all masters down on __master_disconnect like minion does on the initial master connect on start. * Fixed unit test * Improve documentation on pygit2 versions (#32779) This adds an explanation of the python-cffi dep added in pygit2 0.21.0, and recommends 0.20.3 for LTS distros. It also links to the salt-pack issue which tracks the progress of adding pygit2 to our Debian and Ubuntu repositories. * Pylint fix 2016-04-25 21:26:09 +00:00			`other minions based on standard targets (all matchers are supported except the compound one).`
Add to access control 2012-10-08 03:40:35 +00:00
			`.. code-block:: yaml`

			`external_auth:`
			`pam:`
			`dave:`
typo fix. added example of unrestricted access. 2013-02-18 22:13:02 +00:00			`- test.ping`
Add to access control 2012-10-08 03:40:35 +00:00			`- mongo\*:`
			`- network.*`
			`- log\*:`
			`- network.*`
			`- pkg.*`
			`- 'G@os:RedHat':`
			`- kmod.*`
typo fix. added example of unrestricted access. 2013-02-18 22:13:02 +00:00			`steve:`
			`- .*`

Add to access control 2012-10-08 03:40:35 +00:00			`The above allows for all minions to be hit by test.ping by dave, and adds a`
typo fix. added example of unrestricted access. 2013-02-18 22:13:02 +00:00			`few functions that dave can execute on other minions. It also allows steve`
Deprecate client_acl with publisher_acl (rename) Keeping client_acl support 2015-10-22 10:04:49 +00:00			`unrestricted access to salt commands.`
Assorted doc bug fixes Refs #4381 Refs #8146 Refs #13036 Refs #6853 Refs #9319 Refs #13777 Refs #2229 Refs #14946 Refs #15042 2016-01-07 21:08:30 +00:00
			`.. note::`
Changed notes to indicate that functions are matched using regular expressions instead of minions 2016-01-12 18:55:36 +00:00			`Functions are matched using regular expressions.`