Merge pull request #38361 from rallytime/deprecate-client_acl-client_acl_blacklist

Remove support for client_acl and client_acl_blacklist

conf/master

@@ -327,10 +327,6 @@
 #    - '^(?!sudo_).*$'   #  all non sudo users
 #  modules:
 #    - cmd
-#
-# WARNING: client_acl and client_acl_blacklist options are deprecated and will
-# be removed in the future releases. Use publisher_acl and
-# publisher_acl_blacklist instead.
 
 # Enforce publisher_acl & publisher_acl_blacklist when users have sudo
 # access to the salt command.

doc/ref/configuration/master.rst

@@ -867,8 +867,7 @@ membership in the :conf_master:`autosign_file` and the
 Default: ``{}``
 
 Enable user accounts on the master to execute specific modules. These modules
-can be expressed as regular expressions. Note that client_acl option is
-deprecated by publisher_acl option and will be removed in future releases.
+can be expressed as regular expressions.
 
 .. code-block:: yaml
 
@@ -888,8 +887,7 @@ Blacklist users or modules
 
 This example would blacklist all non sudo users, including root from
 running any commands. It would also blacklist any use of the "cmd"
-module. Note that client_acl_blacklist option is deprecated by
-publisher_acl_blacklist option and will be removed in future releases.
+module.
 
 This is completely disabled by default.
 

doc/ref/publisheracl.rst

@@ -26,10 +26,6 @@ configuration:
           - test.*
           - pkg.*
 
-WARNING: client_acl and client_acl_blacklist options are deprecated and will be
-removed in the future releases. Use publisher_acl and publisher_acl_blacklist
-instead.
-
 Permission Issues
 -----------------
 Directories required for ``publisher_acl`` must be modified to be readable by

doc/topics/releases/nitrogen.rst

@@ -90,6 +90,10 @@ General Deprecations
 Configuration Option Deprecations
 ---------------------------------
 
+- The ``client_acl`` configuration option has been removed. Please use
+  ``publisher_acl`` instead.
+- The ``client_acl_blacklist`` configuration option has been removed.
+  Please use ``publisher_acl_blacklist`` instead.
 - The ``win_gitrepos`` configuration option has been removed. Please use
   the ``winrepo_remotes`` option instead.
 - The ``win_repo`` configuration option has been removed. Please use

salt/acl/__init__.py

@@ -2,7 +2,7 @@
 '''
 The acl module handles publisher_acl operations
 
-Additional information on client_acl can be
+Additional information on publisher_acl can be
 found by reading the salt documentation:
 
     http://docs.saltstack.com/en/latest/ref/publisheracl.html

salt/config/__init__.py

@@ -640,9 +640,7 @@ VALID_OPTS = {
     'syndic_failover': str,
     'syndic_forward_all_events': bool,
     'runner_dirs': list,
-    'client_acl': dict,
     'client_acl_verify': bool,
-    'client_acl_blacklist': dict,
     'publisher_acl': dict,
     'publisher_acl_blacklist': dict,
     'sudo_acl': bool,
@@ -1320,9 +1318,7 @@ DEFAULT_MASTER_OPTS = {
     'syndic_pidfile': os.path.join(salt.syspaths.PIDFILE_DIR, 'salt-syndic.pid'),
     'runner_dirs': [],
     'outputter_dirs': [],
-    'client_acl': {},
     'client_acl_verify': True,
-    'client_acl_blacklist': {},
     'publisher_acl': {},
     'publisher_acl_blacklist': {},
     'sudo_acl': False,

salt/daemons/masterapi.py

@@ -240,14 +240,7 @@ def access_keys(opts):
     #       For now users pattern matching will not work for publisher_acl.
     users = []
     keys = {}
-    if opts['client_acl'] or opts['client_acl_blacklist']:
-        salt.utils.warn_until(
-                'Nitrogen',
-                'ACL rules should be configured with \'publisher_acl\' and '
-                '\'publisher_acl_blacklist\' not \'client_acl\' and \'client_acl_blacklist\'. '
-                'This functionality will be removed in Salt Nitrogen.'
-                )
-    publisher_acl = opts['publisher_acl'] or opts['client_acl']
+    publisher_acl = opts['publisher_acl']
     acl_users = set(publisher_acl.keys())
     if opts.get('user'):
         acl_users.add(opts['user'])
@@ -1329,16 +1322,7 @@ class LocalFuncs(object):
 
         # check blacklist/whitelist
         # Check if the user is blacklisted
-        if self.opts['client_acl'] or self.opts['client_acl_blacklist']:
-            salt.utils.warn_until(
-                    'Nitrogen',
-                    'ACL rules should be configured with \'publisher_acl\' and '
-                    '\'publisher_acl_blacklist\' not \'client_acl\' and \'client_acl_blacklist\'. '
-                    'This functionality will be removed in Salt Nitrogen.'
-                    )
-
-        publisher_acl = salt.acl.PublisherACL(
-                self.opts['publisher_acl_blacklist'] or self.opts['client_acl_blacklist'])
+        publisher_acl = salt.acl.PublisherACL(self.opts['publisher_acl_blacklist'])
         good = not publisher_acl.user_is_blacklisted(load['user']) and \
                 not publisher_acl.cmd_is_blacklisted(load['fun'])
 
@@ -1477,7 +1461,7 @@ class LocalFuncs(object):
                         )
                         return ''
                     acl = salt.utils.get_values_of_matching_keys(
-                            self.opts['publisher_acl'] or self.opts['client_acl'],
+                            self.opts['publisher_acl'],
                             load['user'])
                     if load['user'] not in acl:
                         log.warning(

salt/master.py

@@ -1965,15 +1965,7 @@ class ClearFuncs(object):
         '''
         extra = clear_load.get('kwargs', {})
 
-        if self.opts['client_acl'] or self.opts['client_acl_blacklist']:
-            salt.utils.warn_until(
-                    'Nitrogen',
-                    'ACL rules should be configured with \'publisher_acl\' and '
-                    '\'publisher_acl_blacklist\' not \'client_acl\' and \'client_acl_blacklist\'. '
-                    'This functionality will be removed in Salt Nitrogen.'
-                    )
-        publisher_acl = salt.acl.PublisherACL(
-                self.opts['publisher_acl_blacklist'] or self.opts['client_acl_blacklist'])
+        publisher_acl = salt.acl.PublisherACL(self.opts['publisher_acl_blacklist'])
 
         if publisher_acl.user_is_blacklisted(clear_load['user']) or \
                 publisher_acl.cmd_is_blacklisted(clear_load['fun']):
@@ -2177,7 +2169,7 @@ class ClearFuncs(object):
                         'Authentication failure of type "user" occurred.'
                     )
                     return ''
-                publisher_acl = self.opts['publisher_acl'] or self.opts['client_acl']
+                publisher_acl = self.opts['publisher_acl']
                 if self.opts['sudo_acl'] and publisher_acl:
                     publisher_acl = salt.utils.get_values_of_matching_keys(
                             publisher_acl,
@@ -2221,7 +2213,7 @@ class ClearFuncs(object):
                         return ''
                     # Build ACL matching the user name
                     acl = salt.utils.get_values_of_matching_keys(
-                            self.opts['publisher_acl'] or self.opts['client_acl'],
+                            self.opts['publisher_acl'],
                             clear_load['user'])
                     if not acl:
                         log.warning(

salt/utils/event.py

@@ -1122,17 +1122,8 @@ class EventPublisher(salt.utils.process.SignalHandlingMultiprocessingProcess):
             try:
                 self.publisher.start()
                 self.puller.start()
-                if self.opts['client_acl'] or self.opts['client_acl_blacklist']:
-                    salt.utils.warn_until(
-                            'Nitrogen',
-                            'ACL rules should be configured with \'publisher_acl\' and '
-                            '\'publisher_acl_blacklist\' not \'client_acl\' and '
-                            '\'client_acl_blacklist\'. This functionality will be removed in Salt '
-                            'Nitrogen.'
-                            )
                 if (self.opts['ipc_mode'] != 'tcp' and (
                         self.opts['publisher_acl'] or
-                        self.opts['client_acl'] or
                         self.opts['external_auth'])):
                     os.chmod(os.path.join(
                         self.opts['sock_dir'], 'master_event_pub.ipc'), 0o666)

salt/utils/parsers.py

@@ -745,7 +745,7 @@ class LogLevelMixIn(six.with_metaclass(MixInMeta, object)):
             if self.config['user'] != current_user:
                 # Yep, not the same user!
                 # Is the current user in ACL?
-                acl = self.config.get('publisher_acl') or self.config.get('client_acl', {})
+                acl = self.config.get('publisher_acl')
                 if salt.utils.check_whitelist_blacklist(current_user, whitelist=six.iterkeys(acl)):
                     # Yep, the user is in ACL!
                     # Let's write the logfile to its home directory instead.

tests/unit/auth_test.py

@@ -79,9 +79,7 @@ class MasterACLTestCase(integration.ModuleCase):
     @patch('salt.utils.verify.check_path_traversal', MagicMock())
     def setUp(self):
         opts = self.get_config('master', from_scratch=True)
-        opts['client_acl'] = {}
         opts['publisher_acl'] = {}
-        opts['client_acl_blacklist'] = {}
         opts['publisher_acl_blacklist'] = {}
         opts['master_job_cache'] = ''
         opts['sign_pub_messages'] = False
@@ -505,9 +503,7 @@ class AuthACLTestCase(integration.ModuleCase):
     @patch('salt.utils.verify.check_path_traversal', MagicMock())
     def setUp(self):
         opts = self.get_config('master', from_scratch=True)
-        opts['client_acl'] = {}
         opts['publisher_acl'] = {}
-        opts['client_acl_blacklist'] = {}
         opts['publisher_acl_blacklist'] = {}
         opts['master_job_cache'] = ''
         opts['sign_pub_messages'] = False