salt/doc/topics/eauth/access_control.rst


.. _acl:
=====================
Access Control System
=====================

.. versionadded:: 0.10.4

Salt maintains a standard system used to open granular control to non
administrative users to execute Salt commands. The access control system
has been applied to all systems used to configure access to non administrative
control interfaces in Salt. These interfaces include the ``peer`` system, the
``external auth`` system and the ``publisher acl`` system.
The access control system mandates a standard configuration syntax used in
all three of the aforementioned systems. While this adds functionality to the
configuration in 0.10.4, it does not negate the old configuration.

Now specific functions can be opened up to specific minions from specific users
in the case of external auth and publisher ACLs, and for specific minions in the
case of the peer system.

The access controls are manifested using matchers in these configurations:

.. code-block:: yaml

    publisher_acl:
      fred:
        - web\*:
          - pkg.list_pkgs
          - test.*
          - apache.*

In the above example, fred is able to send commands only to minions which match
the specified glob target. This can be expanded to include other functions for
other minions based on standard targets.

.. code-block:: yaml

    external_auth:
      pam:
        dave:
          - test.ping
          - mongo\*:
            - network.*
          - log\*:
            - network.*
            - pkg.*
          - 'G@os:RedHat':
            - kmod.*
        steve:
          - .*

The above allows for all minions to be hit by test.ping by dave, and adds a
few functions that dave can execute on other minions. It also allows steve
unrestricted access to salt commands.

.. note::

    Functions are matched using regular expressions.
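As an added illustration (this is not Salt's own code), a small evaluator over the ACL shape shown above: minion targets are treated as shell-style globs (an assumption; the ``G@`` compound matcher is out of scope here) and function entries as regular expressions that must match the whole function name (also an assumption). It also makes visible what the note implies: the unescaped ``.`` in ``test.*`` is a regex metacharacter, so that entry matches ``testing.ping`` as well, whereas an escaped ``test\..*`` does not.

```python
import re
from fnmatch import fnmatchcase

# Constructed ACL in the same shape as the YAML above (written as Python).
# A plain string grants a function pattern on all minions; a dict maps a
# minion glob target to the function patterns allowed on matching minions.
# 'charlie' is an added user showing an escaped dot in the function regex.
# The backslash in the YAML 'web\*' only escapes the '*' for YAML; the
# target itself is the glob 'web*'.
ACL = {
    "fred": [{"web*": ["pkg.list_pkgs", "test.*", "apache.*"]}],
    "dave": [
        "test.ping",
        {"mongo*": ["network.*"]},
        {"log*": ["network.*", "pkg.*"]},
    ],
    "steve": [".*"],
    "charlie": [r"test\..*"],
}


def fun_allowed(patterns, fun):
    """True if any regex in patterns matches the whole function name."""
    # Assumption: whole-name match. '.' is still a regex metacharacter,
    # so 'test.*' also matches 'testing.ping'.
    return any(re.fullmatch(p, fun) for p in patterns)


def is_permitted(acl, user, fun, minion):
    """Return True if user may run fun on minion under this ACL."""
    for entry in acl.get(user, []):
        if isinstance(entry, str):
            # No target given: the function pattern applies to every minion.
            if fun_allowed([entry], fun):
                return True
            continue
        for target, funs in entry.items():
            # Assumption: targets are shell-style globs (compound matchers
            # such as 'G@os:RedHat' are not handled by this evaluator).
            if fnmatchcase(minion, target) and fun_allowed(funs, fun):
                return True
    return False


if __name__ == "__main__":
    print(is_permitted(ACL, "fred", "pkg.list_pkgs", "web1"))    # True
    print(is_permitted(ACL, "fred", "pkg.list_pkgs", "db1"))     # False
    print(is_permitted(ACL, "fred", "testing.ping", "web1"))     # True
    print(is_permitted(ACL, "charlie", "testing.ping", "web1"))  # False
```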