2012-11-16 18:21:51 +00:00
|
|
|
.. _acl-eauth:
|
2012-11-16 18:12:07 +00:00
|
|
|
|
2012-10-10 01:02:59 +00:00
|
|
|
==============================
|
|
|
|
|
External Authentication System
|
|
|
|
|
==============================
|
|
|
|
|
|
2014-02-19 23:40:06 +00:00
|
|
|
Salt's External Authentication System (eAuth) allows for Salt to pass through
|
|
|
|
|
command authorization to any external authentication system, such as PAM or LDAP.
|
2012-10-10 01:02:59 +00:00
|
|
|
|
|
|
|
|
The external authentication system allows for specific users to be granted
|
|
|
|
|
access to execute specific functions on specific minions. Access is configured
|
2014-02-19 23:40:06 +00:00
|
|
|
in the master configuration file and uses the :ref:`access control system
|
2013-11-15 22:18:19 +00:00
|
|
|
<acl>`:
|
2012-10-10 01:02:59 +00:00
|
|
|
|
|
|
|
|
.. code-block:: yaml
|
|
|
|
|
|
|
|
|
|
external_auth:
|
|
|
|
|
pam:
|
|
|
|
|
thatch:
|
|
|
|
|
- 'web*':
|
|
|
|
|
- test.*
|
|
|
|
|
- network.*
|
2013-02-18 22:19:57 +00:00
|
|
|
steve:
|
|
|
|
|
- .*
|
2012-10-10 01:02:59 +00:00
|
|
|
|
2014-02-19 23:40:06 +00:00
|
|
|
The above configuration allows the user ``thatch`` to execute functions
|
|
|
|
|
in the test and network modules on the minions that match the web* target.
|
|
|
|
|
User ``steve`` is given unrestricted access to minion commands.
|
2012-10-10 01:02:59 +00:00
|
|
|
|
2013-12-24 03:26:18 +00:00
|
|
|
.. note:: The PAM module does not allow authenticating as ``root``.
|
|
|
|
|
|
2013-11-15 22:18:39 +00:00
|
|
|
To allow access to :ref:`wheel modules <all-salt.wheel>` or :ref:`runner
|
2013-12-01 07:29:16 +00:00
|
|
|
modules <all-salt.runners>` the following ``@`` syntax must be used:
|
2013-11-15 22:18:39 +00:00
|
|
|
|
|
|
|
|
.. code-block:: yaml
|
|
|
|
|
|
|
|
|
|
external_auth:
|
|
|
|
|
pam:
|
|
|
|
|
thatch:
|
|
|
|
|
- '@wheel'
|
|
|
|
|
- '@runner'
|
|
|
|
|
|
2014-02-19 23:40:06 +00:00
|
|
|
The external authentication system can then be used from the command-line by
|
|
|
|
|
any user on the same system as the master with the ``-a`` option:
|
2012-10-10 01:02:59 +00:00
|
|
|
|
|
|
|
|
.. code-block:: bash
|
|
|
|
|
|
|
|
|
|
$ salt -a pam web\* test.ping
|
|
|
|
|
|
2013-01-09 01:27:30 +00:00
|
|
|
The system will ask the user for the credentials required by the
|
2012-10-10 01:02:59 +00:00
|
|
|
authentication system and then publish the command.
|
|
|
|
|
|
|
|
|
|
Tokens
|
|
|
|
|
------
|
|
|
|
|
|
2014-02-19 23:40:06 +00:00
|
|
|
With external authentication alone, the authentication credentials will be
|
2012-10-10 01:02:59 +00:00
|
|
|
required with every call to Salt. This can be alleviated with Salt tokens.
|
|
|
|
|
|
2014-02-19 23:40:06 +00:00
|
|
|
Tokens are short term authorizations and can be easily created by just
|
2013-02-18 22:19:57 +00:00
|
|
|
adding a ``-T`` option when authenticating:
|
2012-10-10 01:02:59 +00:00
|
|
|
|
|
|
|
|
.. code-block:: bash
|
|
|
|
|
|
|
|
|
|
$ salt -T -a pam web\* test.ping
|
|
|
|
|
|
2014-02-19 23:40:06 +00:00
|
|
|
Now a token will be created that has a expiration of 12 hours (by default).
|
2013-02-18 22:19:57 +00:00
|
|
|
This token is stored in a file named ``.salt_token`` in the active user's home
|
2014-02-19 23:40:06 +00:00
|
|
|
directory.
|
|
|
|
|
|
|
|
|
|
Once the token is created, it is sent with all subsequent communications.
|
|
|
|
|
User authentication does not need to be entered again until the token expires.
|
|
|
|
|
|
|
|
|
|
Token expiration time can be set in the Salt master config file.
|
