2012-11-16 18:21:51 +00:00
|
|
|
.. _acl-eauth:
|
2012-11-16 18:12:07 +00:00
|
|
|
|
2012-10-10 01:02:59 +00:00
|
|
|
==============================
|
|
|
|
|
External Authentication System
|
|
|
|
|
==============================
|
|
|
|
|
|
2015-07-06 16:48:04 +00:00
|
|
|
Salt's External Authentication System (eAuth) allows for Salt to pass through
|
2014-02-19 23:40:06 +00:00
|
|
|
command authorization to any external authentication system, such as PAM or LDAP.
|
2012-10-10 01:02:59 +00:00
|
|
|
|
2015-02-16 15:57:24 +00:00
|
|
|
.. note::
|
|
|
|
|
|
2016-01-25 21:32:34 +00:00
|
|
|
eAuth using the PAM external auth system requires salt-master to be run as
|
2015-02-16 15:57:24 +00:00
|
|
|
root as this system needs root access to check authentication.
|
|
|
|
|
|
2016-02-01 03:10:02 +00:00
|
|
|
External Authentication System Configuration
|
|
|
|
|
============================================
|
2012-10-10 01:02:59 +00:00
|
|
|
The external authentication system allows for specific users to be granted
|
|
|
|
|
access to execute specific functions on specific minions. Access is configured
|
2014-02-19 23:40:06 +00:00
|
|
|
in the master configuration file and uses the :ref:`access control system
|
2013-11-15 22:18:19 +00:00
|
|
|
<acl>`:
|
2012-10-10 01:02:59 +00:00
|
|
|
|
|
|
|
|
.. code-block:: yaml
|
|
|
|
|
|
|
|
|
|
external_auth:
|
|
|
|
|
pam:
|
|
|
|
|
thatch:
|
|
|
|
|
- 'web*':
|
|
|
|
|
- test.*
|
|
|
|
|
- network.*
|
2013-02-18 22:19:57 +00:00
|
|
|
steve:
|
|
|
|
|
- .*
|
2012-10-10 01:02:59 +00:00
|
|
|
|
2014-02-19 23:40:06 +00:00
|
|
|
The above configuration allows the user ``thatch`` to execute functions
|
|
|
|
|
in the test and network modules on the minions that match the web* target.
|
|
|
|
|
User ``steve`` is given unrestricted access to minion commands.
|
2012-10-10 01:02:59 +00:00
|
|
|
|
2015-08-19 17:31:26 +00:00
|
|
|
Salt respects the current PAM configuration in place, and uses the 'login'
|
|
|
|
|
service to authenticate.
|
|
|
|
|
|
2013-12-24 03:26:18 +00:00
|
|
|
.. note:: The PAM module does not allow authenticating as ``root``.
|
|
|
|
|
|
2016-02-01 03:10:02 +00:00
|
|
|
.. note:: state.sls and state.highstate will return "Failed to authenticate!"
|
|
|
|
|
if the request timeout is reached. Use -t flag to increase the timeout
|
2015-12-28 17:47:40 +00:00
|
|
|
|
2013-11-15 22:18:39 +00:00
|
|
|
To allow access to :ref:`wheel modules <all-salt.wheel>` or :ref:`runner
|
2013-12-01 07:29:16 +00:00
|
|
|
modules <all-salt.runners>` the following ``@`` syntax must be used:
|
2013-11-15 22:18:39 +00:00
|
|
|
|
|
|
|
|
.. code-block:: yaml
|
|
|
|
|
|
|
|
|
|
external_auth:
|
|
|
|
|
pam:
|
|
|
|
|
thatch:
|
2014-10-13 23:13:23 +00:00
|
|
|
- '@wheel' # to allow access to all wheel modules
|
|
|
|
|
- '@runner' # to allow access to all runner modules
|
|
|
|
|
- '@jobs' # to allow access to the jobs runner and/or wheel module
|
2013-11-15 22:18:39 +00:00
|
|
|
|
2014-10-13 23:13:23 +00:00
|
|
|
.. note::
|
|
|
|
|
The runner/wheel markup is different, since there are no minions to scope the
|
|
|
|
|
acl to.
|
|
|
|
|
|
|
|
|
|
.. note::
|
2014-09-02 22:19:59 +00:00
|
|
|
Globs will not match wheel or runners! They must be explicitly
|
2014-09-02 21:56:25 +00:00
|
|
|
allowed with @wheel or @runner.
|
|
|
|
|
|
2016-06-08 02:52:57 +00:00
|
|
|
.. warning::
|
|
|
|
|
All users that have external authentication privileges are allowed to run
|
|
|
|
|
:mod:`saltutil.findjob <salt.modules.saltutil.find_job>`. Be aware
|
|
|
|
|
that this could inadvertently expose some data such as minion IDs.
|
2012-10-10 01:02:59 +00:00
|
|
|
|
2016-06-08 02:52:57 +00:00
|
|
|
Matching syntax
|
|
|
|
|
---------------
|
2012-10-10 01:02:59 +00:00
|
|
|
|
2016-06-08 02:52:57 +00:00
|
|
|
The structure of the ``external_auth`` dictionary can take the following
|
|
|
|
|
shapes. Function matches are regular expressions; minion matches are compound
|
|
|
|
|
targets.
|
2012-10-10 01:02:59 +00:00
|
|
|
|
2016-06-08 02:52:57 +00:00
|
|
|
By user:
|
|
|
|
|
|
|
|
|
|
.. code-block:: yaml
|
|
|
|
|
|
|
|
|
|
external_auth:
|
|
|
|
|
<eauth backend>:
|
|
|
|
|
<user or group%>:
|
|
|
|
|
- <regex to match function>
|
|
|
|
|
|
|
|
|
|
By user, by minion:
|
|
|
|
|
|
|
|
|
|
.. code-block:: yaml
|
|
|
|
|
|
|
|
|
|
external_auth:
|
|
|
|
|
<eauth backend>:
|
|
|
|
|
<user or group%>:
|
|
|
|
|
<minion compound target>:
|
|
|
|
|
- <regex to match function>
|
|
|
|
|
|
|
|
|
|
Groups
|
|
|
|
|
------
|
2012-10-10 01:02:59 +00:00
|
|
|
|
2014-03-21 19:32:57 +00:00
|
|
|
To apply permissions to a group of users in an external authentication system,
|
|
|
|
|
append a ``%`` to the ID:
|
|
|
|
|
|
|
|
|
|
.. code-block:: yaml
|
|
|
|
|
|
|
|
|
|
external_auth:
|
|
|
|
|
pam:
|
|
|
|
|
admins%:
|
2014-05-05 16:56:13 +00:00
|
|
|
- '*':
|
2014-03-21 19:32:57 +00:00
|
|
|
- 'pkg.*'
|
|
|
|
|
|
2016-06-08 02:52:57 +00:00
|
|
|
Limiting by function arguments
|
|
|
|
|
------------------------------
|
|
|
|
|
|
|
|
|
|
Positional arguments or keyword arguments to functions can also be whitelisted.
|
|
|
|
|
|
|
|
|
|
.. versionadded:: 2016.3.0
|
|
|
|
|
|
|
|
|
|
.. code-block:: yaml
|
|
|
|
|
|
|
|
|
|
external_auth:
|
|
|
|
|
pam:
|
|
|
|
|
my_user:
|
|
|
|
|
- '*':
|
|
|
|
|
- 'my_mod.*':
|
|
|
|
|
args:
|
|
|
|
|
- 'a.*'
|
|
|
|
|
- 'b.*'
|
|
|
|
|
kwargs:
|
|
|
|
|
'kwa': 'kwa.*'
|
|
|
|
|
'kwb': 'kwb'
|
|
|
|
|
|
|
|
|
|
The rules:
|
|
|
|
|
|
|
|
|
|
1. The arguments values are matched as regexp.
|
|
|
|
|
2. If arguments restrictions are specified the only matched are allowed.
|
|
|
|
|
3. If an argument isn't specified any value is allowed.
|
|
|
|
|
4. To skip an arg use "everything" regexp ``.*``. I.e. if ``arg0`` and ``arg2``
|
|
|
|
|
should be limited but ``arg1`` and other arguments could have any value use:
|
|
|
|
|
|
|
|
|
|
.. code-block:: yaml
|
|
|
|
|
|
|
|
|
|
args:
|
|
|
|
|
- 'value0'
|
|
|
|
|
- '.*'
|
|
|
|
|
- 'value2'
|
|
|
|
|
|
|
|
|
|
Usage
|
|
|
|
|
=====
|
|
|
|
|
|
|
|
|
|
The external authentication system can then be used from the command-line by
|
|
|
|
|
any user on the same system as the master with the ``-a`` option:
|
|
|
|
|
|
|
|
|
|
.. code-block:: bash
|
|
|
|
|
|
|
|
|
|
$ salt -a pam web\* test.ping
|
|
|
|
|
|
|
|
|
|
The system will ask the user for the credentials required by the
|
|
|
|
|
authentication system and then publish the command.
|
2015-07-30 20:39:15 +00:00
|
|
|
|
2014-12-04 19:08:25 +00:00
|
|
|
.. _salt-token-generation:
|
|
|
|
|
|
2012-10-10 01:02:59 +00:00
|
|
|
Tokens
|
|
|
|
|
------
|
2016-06-08 02:52:57 +00:00
|
|
|
|
2014-02-19 23:40:06 +00:00
|
|
|
With external authentication alone, the authentication credentials will be
|
2012-10-10 01:02:59 +00:00
|
|
|
required with every call to Salt. This can be alleviated with Salt tokens.
|
|
|
|
|
|
2014-02-19 23:40:06 +00:00
|
|
|
Tokens are short term authorizations and can be easily created by just
|
2013-02-18 22:19:57 +00:00
|
|
|
adding a ``-T`` option when authenticating:
|
2012-10-10 01:02:59 +00:00
|
|
|
|
|
|
|
|
.. code-block:: bash
|
|
|
|
|
|
|
|
|
|
$ salt -T -a pam web\* test.ping
|
|
|
|
|
|
2015-10-28 22:43:47 +00:00
|
|
|
Now a token will be created that has an expiration of 12 hours (by default).
|
2015-03-04 10:52:51 +00:00
|
|
|
This token is stored in a file named ``salt_token`` in the active user's home
|
2014-02-19 23:40:06 +00:00
|
|
|
directory.
|
|
|
|
|
|
|
|
|
|
Once the token is created, it is sent with all subsequent communications.
|
|
|
|
|
User authentication does not need to be entered again until the token expires.
|
|
|
|
|
|
|
|
|
|
Token expiration time can be set in the Salt master config file.
|
2014-03-21 19:32:57 +00:00
|
|
|
|
|
|
|
|
|
2015-03-25 18:49:35 +00:00
|
|
|
LDAP and Active Directory
|
2015-08-08 04:51:56 +00:00
|
|
|
=========================
|
2015-03-18 19:32:15 +00:00
|
|
|
.. note::
|
|
|
|
|
|
|
|
|
|
LDAP usage requires that you have installed python-ldap.
|
2014-03-21 19:32:57 +00:00
|
|
|
|
2015-03-25 18:49:35 +00:00
|
|
|
Salt supports both user and group authentication for LDAP (and Active Directory
|
|
|
|
|
accessed via its LDAP interface)
|
2014-03-21 19:32:57 +00:00
|
|
|
|
2015-08-08 04:51:56 +00:00
|
|
|
OpenLDAP and similar systems
|
|
|
|
|
----------------------------
|
2014-03-21 19:32:57 +00:00
|
|
|
LDAP configuration happens in the Salt master configuration file.
|
|
|
|
|
|
2015-03-25 18:49:35 +00:00
|
|
|
Server configuration values and their defaults:
|
2014-03-21 19:32:57 +00:00
|
|
|
|
|
|
|
|
.. code-block:: yaml
|
|
|
|
|
|
2015-08-08 04:39:37 +00:00
|
|
|
# Server to auth against
|
2014-03-21 19:32:57 +00:00
|
|
|
auth.ldap.server: localhost
|
2015-08-08 04:39:37 +00:00
|
|
|
|
|
|
|
|
# Port to connect via
|
2014-03-21 19:32:57 +00:00
|
|
|
auth.ldap.port: 389
|
2015-08-08 04:39:37 +00:00
|
|
|
|
|
|
|
|
# Use TLS when connecting
|
2014-03-21 19:32:57 +00:00
|
|
|
auth.ldap.tls: False
|
2015-08-08 04:39:37 +00:00
|
|
|
|
|
|
|
|
# LDAP scope level, almost always 2
|
2014-03-21 19:32:57 +00:00
|
|
|
auth.ldap.scope: 2
|
2015-08-08 04:39:37 +00:00
|
|
|
|
|
|
|
|
# Server specified in URI format
|
|
|
|
|
auth.ldap.uri: '' # Overrides .ldap.server, .ldap.port, .ldap.tls above
|
|
|
|
|
|
|
|
|
|
# Verify server's TLS certificate
|
2015-03-25 18:49:35 +00:00
|
|
|
auth.ldap.no_verify: False
|
2015-08-08 04:39:37 +00:00
|
|
|
|
|
|
|
|
# Bind to LDAP anonymously to determine group membership
|
|
|
|
|
# Active Directory does not allow anonymous binds without special configuration
|
2015-03-25 18:49:35 +00:00
|
|
|
auth.ldap.anonymous: False
|
2015-08-08 04:39:37 +00:00
|
|
|
|
|
|
|
|
# FOR TESTING ONLY, this is a VERY insecure setting.
|
|
|
|
|
# If this is True, the LDAP bind password will be ignored and
|
|
|
|
|
# access will be determined by group membership alone with
|
|
|
|
|
# the group memberships being retrieved via anonymous bind
|
|
|
|
|
auth.ldap.auth_by_group_membership_only: False
|
|
|
|
|
|
|
|
|
|
# Require authenticating user to be part of this Organizational Unit
|
|
|
|
|
# This can be blank if your LDAP schema does not use this kind of OU
|
2015-03-25 18:49:35 +00:00
|
|
|
auth.ldap.groupou: 'Groups'
|
2015-08-08 04:39:37 +00:00
|
|
|
|
|
|
|
|
# Object Class for groups. An LDAP search will be done to find all groups of this
|
|
|
|
|
# class to which the authenticating user belongs.
|
2015-03-25 18:49:35 +00:00
|
|
|
auth.ldap.groupclass: 'posixGroup'
|
2015-08-08 04:39:37 +00:00
|
|
|
|
|
|
|
|
# Unique ID attribute name for the user
|
2015-03-25 18:49:35 +00:00
|
|
|
auth.ldap.accountattributename: 'memberUid'
|
|
|
|
|
|
|
|
|
|
# These are only for Active Directory
|
|
|
|
|
auth.ldap.activedirectory: False
|
|
|
|
|
auth.ldap.persontype: 'person'
|
2014-03-21 19:32:57 +00:00
|
|
|
|
[develop] Merge forward from 2016.3 to develop (#33193)
* Add run_on_start docs to schedule.rst (#32958)
Fixes #22580
* Backport #33021 manually to 2015.5 (#33044)
* Saltfile with pillar tests (#33045)
* add file.managed with pillar data tests
* do not require git for other tests
* Fix minor document error of test.assertion (#33067)
* test pillar.items output (#33060)
* File and User test fixes for 2015.5 on Fedora23 (#33055)
* Fix file_test.test_symlink on 2015.5
* Fix failing user present test
* add test for installing package while using salt-call --local (#33025)
* add test for installing package while using salt-call --local
* fix pylint
* ssh docs: install py-2.6 for RHEL 5
* Bugfix: Restore boolean values from the repo configuration
* Add test data for repos
* Add repo config test
* Bugfix (follow-up): setting priority requires non-positive integer
* modules.npm: do not log npm --version at info level (#33084)
* salt-cloud: fix ipv6-only virtual machines (#32865)
* salt-cloud: fix ipv6-only virtual machines
* fix hostname for rsync fallback in scp_file function
* use 4 spaces instead of 2
* remove global variable, use direct socket call instead
* Use saltstack repo in buildpackage.py on CentOS 5 (#33080)
* Lower display of msgpack failure msg to debug (#33078)
Closes #33074
* cloud.query needs to define mapper.opts (#33098)
* clarify docs that map is designed to be run once. is not stateful (#33102)
* Moved _finger_fail method to parent class.
Method _finger_fail method from SAuth to AsyncAuth class to make method available
in both class and fix an issue where _finger_Fail is called inside AsyncAuth.
* Fix 33058 (#33099)
* Fix servermanager module
- Added check for 2008 version of windows
- Added Import-Module ServerManager to _pshell_json.
Apparently this needs to run each time we issue a
servermanager command.
* Fix list_available
* salt.utils.gitfs: fix formatting for warning messages (#33064)
* salt.utils.gitfs: fix formatting for warning messages
When git_pillar support was added to salt.utils.gitfs, the
recommendation globals had string formatting placeholders added to them,
but the locations where these values are referenced do not call
``.format()`` to properly replace them. This commit fixes that
oversight.
* Remove more gitfs and master-specific wording from log messages
* Add a check that the cmdline of the found proc matches (#33129)
* Doc mock decorators (#33132)
* Add mock function for mocking decorators
* Mock the stdlib user module because importing it will open the repl
* Fix broken parsing of usermgmt.conf on OpenBSD (#33135)
When creating a new user, if a group of the same name already exists,
the usermgmt.conf file is consulted to determine the primary group.
It's in these cases that the parsing bug is triggered.
This code change addresses several of the existing issues:
- The previous split statement explicitly specified a single space.
Since a config line may have any number of spaces and/or tabs
surrounding the entries, the resulting array's elements may be
incorrect.
- According to the man pages for usermgmt.conf, the "group" config
entry accpets a single parameter -- so we shouldn't iterate.
- The "val[1]" was returning the 2nd letter of each word and not the
second word on the config line as intended.
* Move salt-ssh thin dir location to /var/tmp (#33130)
* Move salt-ssh thin dir location to /var/tmp
Closes #32771
* Remove performance penelty language
* If cache_jobs: True is set, populate the local job cache when running salt-call (#33100)
* If cache_jobs: True is set, populate the local job cache
Fixes #32834
Allows a masterless minion to query the job cache.
* Refactor cache_jobs functionality to be DRY
* Skipping salt-call --local test
* Back-port #31769 to 2015.8 (#33139)
* Handle empty acl_name in linux_acl state
Calls to setfacl interpret an empty group or user name to mean to be the
owner of the file they're operating on. For example, for a directory
owned by group 'admin', the ACL 'default:group::rwx' is equivalent to
'default:group:admin:rwx'.
The output of the getfacl execution module returns ACLs in the format of
'group:admin:rwx' instead of 'group::rwx'. This commit changes the
acl.present state to look for the owner of the file if the acl_name
paremeter is empty.
* Fix acl.present/acl.absent changing default ACLs
The behaviour of the acl.present and acl.absent is to check the data
structure returned by getfacl contains a key by the name of acl_type.
However, this data structure does not contain any default ACLs if none
exist, so this check will fail. We omit the check if a default ACL was
passed into the state functions.
Unfortunately, the call to modfacl may fail if the user passes in an
acl_type such as 'default:random'. In this case the state will appear to
succeed, but do nothing.
This fixes the state module to allow setting default ACLs on files which
have none.
* Fix regression in 2016.3 HEAD when version is specified (#33146)
Resolves #33013.
* Hash fileclients by opts (#33142)
* Hash fileclients by opts
There was an issue whereby the cache of the fileclient was being overwritten
by dueling minion instances in multimaster mode. This protects them by hashing
by the id of opts.
Closes #25040
* Silly typo!
* Remove tests which do not test any actual functionality or are too tightly coupled to the implementation
* Strip ldap fqdn (#33127)
* Add option to strip off domain names on computer names that come from LDAP/AD
* Add strip_domains option for ldap.
* Add documentation for auth.ldap.minion_stripdomains.
* [2015.5] Update to latest bootstrap script v2016.05.10 (#33155)
* [2015.8] Update to latest bootstrap script v2016.05.10 (#33156)
* [2016.3] Update to latest bootstrap script v2016.05.10 (#33157)
* add 2015.5.11 release notes (#33160)
* add 2015.8.9 release notes (#33161)
* Pip fix (#33180)
* fix pip!!
* make it work with old pip as well
* Added resiliency
* Don't need to check, just get the right name
* [2015.5] Update to latest bootstrap script v2016.05.11 (#33185)
2016-05-12 14:53:39 +00:00
|
|
|
auth.ldap.minion_stripdomains: []
|
|
|
|
|
|
2015-10-28 22:43:47 +00:00
|
|
|
There are two phases to LDAP authentication. First, Salt authenticates to search for a users' Distinguished Name
|
2015-08-08 04:51:56 +00:00
|
|
|
and group membership. The user it authenticates as in this phase is often a special LDAP system user with
|
|
|
|
|
read-only access to the LDAP directory. After Salt searches the directory to determine the actual user's DN
|
|
|
|
|
and groups, it re-authenticates as the user running the Salt commands.
|
|
|
|
|
|
|
|
|
|
If you are already aware of the structure of your DNs and permissions in your LDAP store are set such that
|
|
|
|
|
users can look up their own group memberships, then the first and second users can be the same. To tell Salt this is
|
2015-10-28 22:43:47 +00:00
|
|
|
the case, omit the ``auth.ldap.bindpw`` parameter. You can template the ``binddn`` like this:
|
2014-03-21 19:32:57 +00:00
|
|
|
|
|
|
|
|
.. code-block:: yaml
|
2014-03-24 16:12:56 +00:00
|
|
|
|
2014-03-21 19:32:57 +00:00
|
|
|
auth.ldap.basedn: dc=saltstack,dc=com
|
2015-08-08 04:51:56 +00:00
|
|
|
auth.ldap.binddn: uid={{ username }},cn=users,cn=accounts,dc=saltstack,dc=com
|
2014-03-21 19:32:57 +00:00
|
|
|
|
2015-08-08 04:51:56 +00:00
|
|
|
Salt will use the password entered on the salt command line in place of the bindpw.
|
2014-03-21 19:32:57 +00:00
|
|
|
|
2015-08-08 04:51:56 +00:00
|
|
|
To use two separate users, specify the LDAP lookup user in the binddn directive, and include a bindpw like so
|
2014-03-21 19:32:57 +00:00
|
|
|
|
|
|
|
|
.. code-block:: yaml
|
2014-03-24 16:12:56 +00:00
|
|
|
|
2015-08-08 04:51:56 +00:00
|
|
|
auth.ldap.binddn: uid=ldaplookup,cn=sysaccounts,cn=etc,dc=saltstack,dc=com
|
2014-03-21 19:32:57 +00:00
|
|
|
auth.ldap.bindpw: mypassword
|
|
|
|
|
|
2015-08-08 04:51:56 +00:00
|
|
|
As mentioned before, Salt uses a filter to find the DN associated with a user. Salt
|
2015-03-25 18:49:35 +00:00
|
|
|
substitutes the ``{{ username }}`` value for the username when querying LDAP
|
2014-03-21 19:32:57 +00:00
|
|
|
|
|
|
|
|
.. code-block:: yaml
|
2014-03-24 16:12:56 +00:00
|
|
|
|
2014-03-21 19:32:57 +00:00
|
|
|
auth.ldap.filter: uid={{ username }}
|
|
|
|
|
|
2015-03-25 18:49:35 +00:00
|
|
|
For OpenLDAP, to determine group membership, one can specify an OU that contains
|
|
|
|
|
group data. This is prepended to the basedn to create a search path. Then
|
|
|
|
|
the results are filtered against ``auth.ldap.groupclass``, default
|
|
|
|
|
``posixGroup``, and the account's 'name' attribute, ``memberUid`` by default.
|
2014-03-21 19:32:57 +00:00
|
|
|
|
|
|
|
|
.. code-block:: yaml
|
2014-03-24 16:12:56 +00:00
|
|
|
|
2014-03-21 19:32:57 +00:00
|
|
|
auth.ldap.groupou: Groups
|
|
|
|
|
|
[develop] Merge forward from 2016.3 to develop (#33193)
* Add run_on_start docs to schedule.rst (#32958)
Fixes #22580
* Backport #33021 manually to 2015.5 (#33044)
* Saltfile with pillar tests (#33045)
* add file.managed with pillar data tests
* do not require git for other tests
* Fix minor document error of test.assertion (#33067)
* test pillar.items output (#33060)
* File and User test fixes for 2015.5 on Fedora23 (#33055)
* Fix file_test.test_symlink on 2015.5
* Fix failing user present test
* add test for installing package while using salt-call --local (#33025)
* add test for installing package while using salt-call --local
* fix pylint
* ssh docs: install py-2.6 for RHEL 5
* Bugfix: Restore boolean values from the repo configuration
* Add test data for repos
* Add repo config test
* Bugfix (follow-up): setting priority requires non-positive integer
* modules.npm: do not log npm --version at info level (#33084)
* salt-cloud: fix ipv6-only virtual machines (#32865)
* salt-cloud: fix ipv6-only virtual machines
* fix hostname for rsync fallback in scp_file function
* use 4 spaces instead of 2
* remove global variable, use direct socket call instead
* Use saltstack repo in buildpackage.py on CentOS 5 (#33080)
* Lower display of msgpack failure msg to debug (#33078)
Closes #33074
* cloud.query needs to define mapper.opts (#33098)
* clarify docs that map is designed to be run once. is not stateful (#33102)
* Moved _finger_fail method to parent class.
Method _finger_fail method from SAuth to AsyncAuth class to make method available
in both class and fix an issue where _finger_Fail is called inside AsyncAuth.
* Fix 33058 (#33099)
* Fix servermanager module
- Added check for 2008 version of windows
- Added Import-Module ServerManager to _pshell_json.
Apparently this needs to run each time we issue a
servermanager command.
* Fix list_available
* salt.utils.gitfs: fix formatting for warning messages (#33064)
* salt.utils.gitfs: fix formatting for warning messages
When git_pillar support was added to salt.utils.gitfs, the
recommendation globals had string formatting placeholders added to them,
but the locations where these values are referenced do not call
``.format()`` to properly replace them. This commit fixes that
oversight.
* Remove more gitfs and master-specific wording from log messages
* Add a check that the cmdline of the found proc matches (#33129)
* Doc mock decorators (#33132)
* Add mock function for mocking decorators
* Mock the stdlib user module because importing it will open the repl
* Fix broken parsing of usermgmt.conf on OpenBSD (#33135)
When creating a new user, if a group of the same name already exists,
the usermgmt.conf file is consulted to determine the primary group.
It's in these cases that the parsing bug is triggered.
This code change addresses several of the existing issues:
- The previous split statement explicitly specified a single space.
Since a config line may have any number of spaces and/or tabs
surrounding the entries, the resulting array's elements may be
incorrect.
- According to the man pages for usermgmt.conf, the "group" config
entry accpets a single parameter -- so we shouldn't iterate.
- The "val[1]" was returning the 2nd letter of each word and not the
second word on the config line as intended.
* Move salt-ssh thin dir location to /var/tmp (#33130)
* Move salt-ssh thin dir location to /var/tmp
Closes #32771
* Remove performance penelty language
* If cache_jobs: True is set, populate the local job cache when running salt-call (#33100)
* If cache_jobs: True is set, populate the local job cache
Fixes #32834
Allows a masterless minion to query the job cache.
* Refactor cache_jobs functionality to be DRY
* Skipping salt-call --local test
* Back-port #31769 to 2015.8 (#33139)
* Handle empty acl_name in linux_acl state
Calls to setfacl interpret an empty group or user name to mean to be the
owner of the file they're operating on. For example, for a directory
owned by group 'admin', the ACL 'default:group::rwx' is equivalent to
'default:group:admin:rwx'.
The output of the getfacl execution module returns ACLs in the format of
'group:admin:rwx' instead of 'group::rwx'. This commit changes the
acl.present state to look for the owner of the file if the acl_name
paremeter is empty.
* Fix acl.present/acl.absent changing default ACLs
The behaviour of the acl.present and acl.absent is to check the data
structure returned by getfacl contains a key by the name of acl_type.
However, this data structure does not contain any default ACLs if none
exist, so this check will fail. We omit the check if a default ACL was
passed into the state functions.
Unfortunately, the call to modfacl may fail if the user passes in an
acl_type such as 'default:random'. In this case the state will appear to
succeed, but do nothing.
This fixes the state module to allow setting default ACLs on files which
have none.
* Fix regression in 2016.3 HEAD when version is specified (#33146)
Resolves #33013.
* Hash fileclients by opts (#33142)
* Hash fileclients by opts
There was an issue whereby the cache of the fileclient was being overwritten
by dueling minion instances in multimaster mode. This protects them by hashing
by the id of opts.
Closes #25040
* Silly typo!
* Remove tests which do not test any actual functionality or are too tightly coupled to the implementation
* Strip ldap fqdn (#33127)
* Add option to strip off domain names on computer names that come from LDAP/AD
* Add strip_domains option for ldap.
* Add documentation for auth.ldap.minion_stripdomains.
* [2015.5] Update to latest bootstrap script v2016.05.10 (#33155)
* [2015.8] Update to latest bootstrap script v2016.05.10 (#33156)
* [2016.3] Update to latest bootstrap script v2016.05.10 (#33157)
* add 2015.5.11 release notes (#33160)
* add 2015.8.9 release notes (#33161)
* Pip fix (#33180)
* fix pip!!
* make it work with old pip as well
* Added resiliency
* Don't need to check, just get the right name
* [2015.5] Update to latest bootstrap script v2016.05.11 (#33185)
2016-05-12 14:53:39 +00:00
|
|
|
When using the `ldap('DC=domain,DC=com')` eauth operator, sometimes the records returned
|
|
|
|
|
from LDAP or Active Directory have fully-qualified domain names attached, while minion IDs
|
|
|
|
|
instead are simple hostnames. The parameter below allows the administrator to strip
|
|
|
|
|
off a certain set of domain names so the hostnames looked up in the directory service
|
|
|
|
|
can match the minion IDs.
|
|
|
|
|
|
|
|
|
|
.. code-block:: yaml
|
|
|
|
|
|
|
|
|
|
auth.ldap.minion_stripdomains: ['.external.bigcorp.com', '.internal.bigcorp.com']
|
|
|
|
|
|
2015-08-08 04:51:56 +00:00
|
|
|
Active Directory
|
|
|
|
|
----------------
|
|
|
|
|
|
2015-03-25 18:49:35 +00:00
|
|
|
Active Directory handles group membership differently, and does not utilize the
|
|
|
|
|
``groupou`` configuration variable. AD needs the following options in
|
|
|
|
|
the master config:
|
|
|
|
|
|
|
|
|
|
.. code-block:: yaml
|
|
|
|
|
|
|
|
|
|
auth.ldap.activedirectory: True
|
|
|
|
|
auth.ldap.filter: sAMAccountName={{username}}
|
|
|
|
|
auth.ldap.accountattributename: sAMAccountName
|
|
|
|
|
auth.ldap.groupclass: group
|
|
|
|
|
auth.ldap.persontype: person
|
|
|
|
|
|
|
|
|
|
To determine group membership in AD, the username and password that is entered
|
|
|
|
|
when LDAP is requested as the eAuth mechanism on the command line is used to
|
2015-07-06 16:48:04 +00:00
|
|
|
bind to AD's LDAP interface. If this fails, then it doesn't matter what groups
|
2015-10-28 22:43:47 +00:00
|
|
|
the user belongs to, he or she is denied access. Next, the ``distinguishedName``
|
2015-03-25 18:49:35 +00:00
|
|
|
of the user is looked up with the following LDAP search:
|
|
|
|
|
|
2015-03-25 19:01:37 +00:00
|
|
|
.. code-block:: text
|
|
|
|
|
|
|
|
|
|
(&(<value of auth.ldap.accountattributename>={{username}})
|
|
|
|
|
(objectClass=<value of auth.ldap.persontype>)
|
|
|
|
|
)
|
2015-03-25 18:49:35 +00:00
|
|
|
|
|
|
|
|
This should return a distinguishedName that we can use to filter for group
|
2015-08-08 04:51:56 +00:00
|
|
|
membership. Then the following LDAP query is executed:
|
2015-03-25 18:49:35 +00:00
|
|
|
|
2015-03-25 19:01:37 +00:00
|
|
|
.. code-block:: text
|
|
|
|
|
|
|
|
|
|
(&(member=<distinguishedName from search above>)
|
|
|
|
|
(objectClass=<value of auth.ldap.groupclass>)
|
|
|
|
|
)
|
2015-03-25 18:49:35 +00:00
|
|
|
|
2014-03-21 19:32:57 +00:00
|
|
|
|
|
|
|
|
.. code-block:: yaml
|
|
|
|
|
|
|
|
|
|
external_auth:
|
|
|
|
|
ldap:
|
|
|
|
|
test_ldap_user:
|
2015-06-05 10:32:21 +00:00
|
|
|
- '*':
|
|
|
|
|
- test.ping
|
2014-03-21 19:32:57 +00:00
|
|
|
|
2015-10-28 22:43:47 +00:00
|
|
|
To configure a LDAP group, append a ``%`` to the ID:
|
2014-03-21 19:32:57 +00:00
|
|
|
|
|
|
|
|
.. code-block:: yaml
|
|
|
|
|
|
|
|
|
|
external_auth:
|
2015-06-05 17:21:26 +00:00
|
|
|
ldap:
|
|
|
|
|
test_ldap_group%:
|
|
|
|
|
- '*':
|
|
|
|
|
- test.echo
|
[develop] Merge forward from 2016.3 to develop (#33193)
* Add run_on_start docs to schedule.rst (#32958)
Fixes #22580
* Backport #33021 manually to 2015.5 (#33044)
* Saltfile with pillar tests (#33045)
* add file.managed with pillar data tests
* do not require git for other tests
* Fix minor document error of test.assertion (#33067)
* test pillar.items output (#33060)
* File and User test fixes for 2015.5 on Fedora23 (#33055)
* Fix file_test.test_symlink on 2015.5
* Fix failing user present test
* add test for installing package while using salt-call --local (#33025)
* add test for installing package while using salt-call --local
* fix pylint
* ssh docs: install py-2.6 for RHEL 5
* Bugfix: Restore boolean values from the repo configuration
* Add test data for repos
* Add repo config test
* Bugfix (follow-up): setting priority requires non-positive integer
* modules.npm: do not log npm --version at info level (#33084)
* salt-cloud: fix ipv6-only virtual machines (#32865)
* salt-cloud: fix ipv6-only virtual machines
* fix hostname for rsync fallback in scp_file function
* use 4 spaces instead of 2
* remove global variable, use direct socket call instead
* Use saltstack repo in buildpackage.py on CentOS 5 (#33080)
* Lower display of msgpack failure msg to debug (#33078)
Closes #33074
* cloud.query needs to define mapper.opts (#33098)
* clarify docs that map is designed to be run once. is not stateful (#33102)
* Moved _finger_fail method to parent class.
Method _finger_fail method from SAuth to AsyncAuth class to make method available
in both class and fix an issue where _finger_Fail is called inside AsyncAuth.
* Fix 33058 (#33099)
* Fix servermanager module
- Added check for 2008 version of windows
- Added Import-Module ServerManager to _pshell_json.
Apparently this needs to run each time we issue a
servermanager command.
* Fix list_available
* salt.utils.gitfs: fix formatting for warning messages (#33064)
* salt.utils.gitfs: fix formatting for warning messages
When git_pillar support was added to salt.utils.gitfs, the
recommendation globals had string formatting placeholders added to them,
but the locations where these values are referenced do not call
``.format()`` to properly replace them. This commit fixes that
oversight.
* Remove more gitfs and master-specific wording from log messages
* Add a check that the cmdline of the found proc matches (#33129)
* Doc mock decorators (#33132)
* Add mock function for mocking decorators
* Mock the stdlib user module because importing it will open the repl
* Fix broken parsing of usermgmt.conf on OpenBSD (#33135)
When creating a new user, if a group of the same name already exists,
the usermgmt.conf file is consulted to determine the primary group.
It's in these cases that the parsing bug is triggered.
This code change addresses several of the existing issues:
- The previous split statement explicitly specified a single space.
Since a config line may have any number of spaces and/or tabs
surrounding the entries, the resulting array's elements may be
incorrect.
- According to the man pages for usermgmt.conf, the "group" config
entry accpets a single parameter -- so we shouldn't iterate.
- The "val[1]" was returning the 2nd letter of each word and not the
second word on the config line as intended.
* Move salt-ssh thin dir location to /var/tmp (#33130)
* Move salt-ssh thin dir location to /var/tmp
Closes #32771
* Remove performance penelty language
* If cache_jobs: True is set, populate the local job cache when running salt-call (#33100)
* If cache_jobs: True is set, populate the local job cache
Fixes #32834
Allows a masterless minion to query the job cache.
* Refactor cache_jobs functionality to be DRY
* Skipping salt-call --local test
* Back-port #31769 to 2015.8 (#33139)
* Handle empty acl_name in linux_acl state
Calls to setfacl interpret an empty group or user name to mean to be the
owner of the file they're operating on. For example, for a directory
owned by group 'admin', the ACL 'default:group::rwx' is equivalent to
'default:group:admin:rwx'.
The output of the getfacl execution module returns ACLs in the format of
'group:admin:rwx' instead of 'group::rwx'. This commit changes the
acl.present state to look for the owner of the file if the acl_name
paremeter is empty.
* Fix acl.present/acl.absent changing default ACLs
The behaviour of the acl.present and acl.absent is to check the data
structure returned by getfacl contains a key by the name of acl_type.
However, this data structure does not contain any default ACLs if none
exist, so this check will fail. We omit the check if a default ACL was
passed into the state functions.
Unfortunately, the call to modfacl may fail if the user passes in an
acl_type such as 'default:random'. In this case the state will appear to
succeed, but do nothing.
This fixes the state module to allow setting default ACLs on files which
have none.
* Fix regression in 2016.3 HEAD when version is specified (#33146)
Resolves #33013.
* Hash fileclients by opts (#33142)
* Hash fileclients by opts
There was an issue whereby the cache of the fileclient was being overwritten
by dueling minion instances in multimaster mode. This protects them by hashing
by the id of opts.
Closes #25040
* Silly typo!
* Remove tests which do not test any actual functionality or are too tightly coupled to the implementation
* Strip ldap fqdn (#33127)
* Add option to strip off domain names on computer names that come from LDAP/AD
* Add strip_domains option for ldap.
* Add documentation for auth.ldap.minion_stripdomains.
* [2015.5] Update to latest bootstrap script v2016.05.10 (#33155)
* [2015.8] Update to latest bootstrap script v2016.05.10 (#33156)
* [2016.3] Update to latest bootstrap script v2016.05.10 (#33157)
* add 2015.5.11 release notes (#33160)
* add 2015.8.9 release notes (#33161)
* Pip fix (#33180)
* fix pip!!
* make it work with old pip as well
* Added resiliency
* Don't need to check, just get the right name
* [2015.5] Update to latest bootstrap script v2016.05.11 (#33185)
2016-05-12 14:53:39 +00:00
|
|
|
|
|
|
|
|
In addition, if there are a set of computers in the directory service that should
|
|
|
|
|
be part of the eAuth definition, they can be specified like this:
|
|
|
|
|
|
|
|
|
|
.. code-block:: yaml
|
|
|
|
|
|
|
|
|
|
external_auth:
|
|
|
|
|
ldap:
|
|
|
|
|
test_ldap_group%:
|
|
|
|
|
- ldap('DC=corp,DC=example,DC=com'):
|
|
|
|
|
- test.echo
|
|
|
|
|
|
|
|
|
|
The string inside `ldap()` above is any valid LDAP/AD tree limiter. `OU=` in
|
|
|
|
|
particular is permitted as long as it would return a list of computer objects.
|
