.. _acl:

=====================
Access Control System
=====================

.. versionadded:: 0.10.4

Salt maintains a standard system used to open granular control to
non-administrative users to execute Salt commands. The access control system
has been applied to all systems used to configure access to non-administrative
control interfaces in Salt. These interfaces include the ``peer`` system, the
``external auth`` system and the ``publisher acl`` system.

The access control system mandates a standard configuration syntax used in
all three of the aforementioned systems. While this adds functionality to the
configuration in 0.10.4, it does not negate the old configuration.

Now specific functions can be opened up to specific minions from specific users
in the case of external auth and publisher ACLs, and for specific minions in the
case of the peer system.

The access controls are manifested using matchers in these configurations:

.. code-block:: yaml

    publisher_acl:
      fred:
        - web\*:
          - pkg.list_pkgs
          - test.*
          - apache.*

In the above example, fred is able to send only the listed functions, and only
to minions that match the specified glob target. This can be expanded to include
other functions for other minions based on standard targets.

.. code-block:: yaml

    external_auth:
      pam:
        dave:
          - test.ping
          - mongo\*:
            - network.*
          - log\*:
            - network.*
            - pkg.*
          - 'G@os:RedHat':
            - kmod.*
        steve:
          - .*

The above allows dave to run test.ping on all minions, and adds a few functions
that dave can execute on specific minions: network functions on minions matching
``mongo\*`` and ``log\*``, package functions on minions matching ``log\*``, and
kernel module functions on minions whose ``os`` grain is ``RedHat``. It also
allows steve unrestricted access to salt commands.

.. note::
    Functions are matched using regular expressions.
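To see how the matchers in the two configurations above combine, here is a small Python model of the evaluation. It is added as an example and is not code from Salt itself. It loads the fred, dave and steve entries as Python data, matches targets either as globs on the minion ID (the backslash before ``*`` in the page's YAML is dropped in the model, which is an assumption) or as ``G@grain:value`` lookups against constructed minion grains, and matches function names as regular expressions with ``re.match``, which anchors at the start of the name only. That last detail is the practical consequence of the note above: ``test.*`` also admits a hypothetical ``testutils.run``, and ``pkg.list_pkgs``, where ``.`` is a metacharacter and nothing anchors the end, also admits a hypothetical ``pkg.list_pkgs_x``. A hardened variant of fred's entry with escaped dots and end anchors is included for comparison. The minion IDs, grains and the extra function names are constructed for the example; verify the regex semantics against the Salt version you actually run.

```python
import fnmatch
import re

# Constructed grains for hypothetical minions (not from the page).
MINION_GRAINS = {
    "web1": {"os": "Debian"},
    "web2": {"os": "RedHat"},
    "mongo1": {"os": "RedHat"},
    "log1": {"os": "Debian"},
    "db1": {"os": "RedHat"},
}

# The page's publisher_acl / external_auth entries as Python data.
# Assumption: target keys are plain globs (the YAML on the page writes web\*).
ACL = {
    "fred": [{"web*": ["pkg.list_pkgs", "test.*", "apache.*"]}],
    "dave": [
        "test.ping",                      # bare pattern: applies to every minion
        {"mongo*": ["network.*"]},
        {"log*": ["network.*", "pkg.*"]},
        {"G@os:RedHat": ["kmod.*"]},
    ],
    "steve": [".*"],                      # matches every function name
}

# Same grant for fred, but with regex metacharacters escaped and the end
# anchored where a single function is meant, so each pattern admits
# exactly the functions it names.
HARDENED_ACL = {
    "fred": [{"web*": [r"^pkg\.list_pkgs$", r"^test\.", r"^apache\."]}],
}


def target_matches(target, minion_id, grains=MINION_GRAINS):
    """True if the ACL target selects the minion. Handles the two target
    forms used on the page: a glob on the minion ID and a G@grain:value
    grain match. An unknown minion or other form is treated as no match."""
    if target.startswith("G@"):
        grain, _, value = target[2:].partition(":")
        return grains.get(minion_id, {}).get(grain) == value
    return fnmatch.fnmatchcase(minion_id, target)


def fun_matches(pattern, fun):
    """Function names are matched as regular expressions with re.match,
    which anchors at the start of the name only (assumption: this mirrors
    the semantics the page's note describes). An unparseable pattern is
    treated as a non-match rather than raising."""
    try:
        return re.match(pattern, fun) is not None
    except re.error:
        return False


def is_allowed(acl, user, fun, minion_id):
    """True if user may run fun on minion_id under acl. A bare string entry
    is a function pattern valid on all minions; a one-key dict scopes its
    function patterns to the minions selected by the key. Default is deny."""
    for entry in acl.get(user, []):
        if isinstance(entry, str):
            if fun_matches(entry, fun):
                return True
        elif isinstance(entry, dict) and len(entry) == 1:
            ((target, patterns),) = entry.items()
            if target_matches(target, minion_id) and any(
                fun_matches(p, fun) for p in patterns
            ):
                return True
    return False


if __name__ == "__main__":
    for user, fun, minion in [
        ("fred", "test.ping", "web1"),
        ("fred", "test.ping", "db1"),
        ("fred", "testutils.run", "web1"),    # admitted by test.*
        ("fred", "pkg.list_pkgs_x", "web1"),  # admitted by pkg.list_pkgs
        ("dave", "kmod.load", "db1"),
        ("dave", "kmod.load", "log1"),
        ("steve", "cmd.run", "db1"),
    ]:
        print(user, fun, minion,
              "page ACL:", is_allowed(ACL, user, fun, minion),
              "hardened:", is_allowed(HARDENED_ACL, user, fun, minion))
```

The model denies by default, so any entry it does not understand (a malformed dict, an invalid regex) withholds access rather than granting it; when writing real ACLs, escape the dot and anchor the end of any pattern that is meant to name one function.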