salt/doc/ref/clientacl.rst

=================
Client ACL system
=================

The salt client ACL system is a means to allow system users other than root to
have access to execute select salt commands on minions from the master.

The client ACL system is configured in the master configuration file via the
``client_acl`` configuration option. Under the ``client_acl`` configuration
option the users open to send commands are specified and then a list of regular
expressions which specify the minion functions which will be made available to
specified user. This configuration is much like the ``peer`` configuration:

.. code-block:: yaml

    client_acl:
      # Allow thatch to execute anything.
      thatch:
        - .*
      # Allow fred to use test and pkg, but only on "web*" minions.
      fred:
        - web*:
          - test.*
          - pkg.*

Permission Issues
=================

Directories required for ``client_acl`` must be modified to be readable by the
users specified:

.. code-block:: bash

    chmod 755 /var/cache/salt /var/cache/salt/master /var/cache/salt/master/jobs /var/run/salt /var/run/salt/master

.. note::

    In addition to the changes above you will also need to modify the
    permissions of /var/log/salt and the existing log file to be writable by
    the user(s) which will be running the commands. If you do not wish to do
    this then you must disable logging or Salt will generate errors as it
    cannot write to the logs as the system users.

If you are upgrading from earlier versions of salt you must also remove any
existing user keys and re-start the Salt master:

.. code-block:: bash

    rm /var/cache/salt/.*key
    service salt-master restart
Add docs for new client_acl capabilities 2012-09-10 16:10:55 +00:00			`=================`
			`Client ACL system`
			`=================`

Fixed several minor misspellings and acronym capitalizations. 2013-03-18 19:59:27 +00:00			`The salt client ACL system is a means to allow system users other than root to`
Add docs for new client_acl capabilities 2012-09-10 16:10:55 +00:00			`have access to execute select salt commands on minions from the master.`

Fixed several minor misspellings and acronym capitalizations. 2013-03-18 19:59:27 +00:00			`The client ACL system is configured in the master configuration file via the`
Add docs for new client_acl capabilities 2012-09-10 16:10:55 +00:00			``client_acl`` configuration option. Under the ``client_acl`` configuration
			`option the users open to send commands are specified and then a list of regular`
			`expressions which specify the minion functions which will be made available to`
			specified user. This configuration is much like the ``peer`` configuration:

			`.. code-block:: yaml`

			`client_acl:`
Demonstrate per-minion client_acl. The client_acl system supports setting restrictions based on minion name. Update the Client ACL System reference page to reflect this. 2015-07-14 02:59:43 +00:00			`# Allow thatch to execute anything.`
Add docs for new client_acl capabilities 2012-09-10 16:10:55 +00:00			`thatch:`
			`- .*`
Typo in client_acl ref doc. 2015-07-14 03:40:01 +00:00			`# Allow fred to use test and pkg, but only on "web*" minions.`
Add docs for new client_acl capabilities 2012-09-10 16:10:55 +00:00			`fred:`
Typo in client_acl ref doc. 2015-07-14 03:40:01 +00:00			`- web*:`
Demonstrate per-minion client_acl. The client_acl system supports setting restrictions based on minion name. Update the Client ACL System reference page to reflect this. 2015-07-14 02:59:43 +00:00			`- test.*`
			`- pkg.*`
Add docs for new client_acl capabilities 2012-09-10 16:10:55 +00:00
			`Permission Issues`
			`=================`

make it not a bug 2012-09-26 02:24:33 +00:00			Directories required for ``client_acl`` must be modified to be readable by the
			`users specified:`

			`.. code-block:: bash`

Add one additional folder and clarification to client_acl docs 2014-11-17 21:55:08 +00:00			`chmod 755 /var/cache/salt /var/cache/salt/master /var/cache/salt/master/jobs /var/run/salt /var/run/salt/master`
make it not a bug 2012-09-26 02:24:33 +00:00
Updated clientacl docs to resolve 6802. 2013-12-14 05:45:31 +00:00			`.. note::`

			`In addition to the changes above you will also need to modify the`
Add one additional folder and clarification to client_acl docs 2014-11-17 21:55:08 +00:00			`permissions of /var/log/salt and the existing log file to be writable by`
			`the user(s) which will be running the commands. If you do not wish to do`
			`this then you must disable logging or Salt will generate errors as it`
			`cannot write to the logs as the system users.`
Updated clientacl docs to resolve 6802. 2013-12-14 05:45:31 +00:00
make it not a bug 2012-09-26 02:24:33 +00:00			`If you are upgrading from earlier versions of salt you must also remove any`
			`existing user keys and re-start the Salt master:`
Add docs for new client_acl capabilities 2012-09-10 16:10:55 +00:00
			`.. code-block:: bash`

Update doc/ref/clientacl.rst delete extra 's' on the key removal 2012-10-04 17:48:12 +00:00			`rm /var/cache/salt/.*key`
Demonstrate per-minion client_acl. The client_acl system supports setting restrictions based on minion name. Update the Client ACL System reference page to reflect this. 2015-07-14 02:59:43 +00:00			`service salt-master restart`