diff --git a/conf/master b/conf/master index f03cc34116..391e20e4e7 100644 --- a/conf/master +++ b/conf/master @@ -327,10 +327,6 @@ # - '^(?!sudo_).*$' # all non sudo users # modules: # - cmd -# -# WARNING: client_acl and client_acl_blacklist options are deprecated and will -# be removed in the future releases. Use publisher_acl and -# publisher_acl_blacklist instead. # Enforce publisher_acl & publisher_acl_blacklist when users have sudo # access to the salt command. diff --git a/doc/ref/configuration/master.rst b/doc/ref/configuration/master.rst index 7112731f12..e2a5938daa 100644 --- a/doc/ref/configuration/master.rst +++ b/doc/ref/configuration/master.rst @@ -867,8 +867,7 @@ membership in the :conf_master:`autosign_file` and the Default: ``{}`` Enable user accounts on the master to execute specific modules. These modules -can be expressed as regular expressions. Note that client_acl option is -deprecated by publisher_acl option and will be removed in future releases. +can be expressed as regular expressions. .. code-block:: yaml @@ -888,8 +887,7 @@ Blacklist users or modules This example would blacklist all non sudo users, including root from running any commands. It would also blacklist any use of the "cmd" -module. Note that client_acl_blacklist option is deprecated by -publisher_acl_blacklist option and will be removed in future releases. +module. This is completely disabled by default. diff --git a/doc/ref/publisheracl.rst b/doc/ref/publisheracl.rst index b365d3016e..eda868b5d2 100644 --- a/doc/ref/publisheracl.rst +++ b/doc/ref/publisheracl.rst @@ -26,10 +26,6 @@ configuration: - test.* - pkg.* -WARNING: client_acl and client_acl_blacklist options are deprecated and will be -removed in the future releases. Use publisher_acl and publisher_acl_blacklist -instead. - Permission Issues ----------------- Directories required for ``publisher_acl`` must be modified to be readable by 
diff --git a/doc/topics/releases/nitrogen.rst b/doc/topics/releases/nitrogen.rst index 2f0b251e0c..cf4fc5dedc 100644 --- a/doc/topics/releases/nitrogen.rst +++ b/doc/topics/releases/nitrogen.rst @@ -90,6 +90,10 @@ General Deprecations Configuration Option Deprecations --------------------------------- +- The ``client_acl`` configuration option has been removed. Please use + ``publisher_acl`` instead. +- The ``client_acl_blacklist`` configuration option has been removed. + Please use ``publisher_acl_blacklist`` instead. - The ``win_gitrepos`` configuration option has been removed. Please use the ``winrepo_remotes`` option instead. - The ``win_repo`` configuration option has been removed. Please use diff --git a/salt/acl/__init__.py b/salt/acl/__init__.py index 1714214291..dcaddcb43a 100644 --- a/salt/acl/__init__.py +++ b/salt/acl/__init__.py @@ -2,7 +2,7 @@ ''' The acl module handles publisher_acl operations -Additional information on client_acl can be +Additional information on publisher_acl can be found by reading the salt documentation: http://docs.saltstack.com/en/latest/ref/publisheracl.html diff --git a/salt/config/__init__.py b/salt/config/__init__.py index 1a30e69757..e9bf6ac6d2 100644 --- a/salt/config/__init__.py +++ b/salt/config/__init__.py @@ -640,9 +640,7 @@ VALID_OPTS = { 'syndic_failover': str, 'syndic_forward_all_events': bool, 'runner_dirs': list, - 'client_acl': dict, 'client_acl_verify': bool, - 'client_acl_blacklist': dict, 'publisher_acl': dict, 'publisher_acl_blacklist': dict, 'sudo_acl': bool, @@ -1320,9 +1318,7 @@ DEFAULT_MASTER_OPTS = { 'syndic_pidfile': os.path.join(salt.syspaths.PIDFILE_DIR, 'salt-syndic.pid'), 'runner_dirs': [], 'outputter_dirs': [], - 'client_acl': {}, 'client_acl_verify': True, - 'client_acl_blacklist': {}, 'publisher_acl': {}, 'publisher_acl_blacklist': {}, 'sudo_acl': False, diff --git a/salt/daemons/masterapi.py b/salt/daemons/masterapi.py index 0631c005d3..b490e8dcac 100644 --- a/salt/daemons/masterapi.py 
+++ b/salt/daemons/masterapi.py @@ -240,14 +240,7 @@ def access_keys(opts): # For now users pattern matching will not work for publisher_acl. users = [] keys = {} - if opts['client_acl'] or opts['client_acl_blacklist']: - salt.utils.warn_until( - 'Nitrogen', - 'ACL rules should be configured with \'publisher_acl\' and ' - '\'publisher_acl_blacklist\' not \'client_acl\' and \'client_acl_blacklist\'. ' - 'This functionality will be removed in Salt Nitrogen.' - ) - publisher_acl = opts['publisher_acl'] or opts['client_acl'] + publisher_acl = opts['publisher_acl'] acl_users = set(publisher_acl.keys()) if opts.get('user'): acl_users.add(opts['user']) @@ -1329,16 +1322,7 @@ class LocalFuncs(object): # check blacklist/whitelist # Check if the user is blacklisted - if self.opts['client_acl'] or self.opts['client_acl_blacklist']: - salt.utils.warn_until( - 'Nitrogen', - 'ACL rules should be configured with \'publisher_acl\' and ' - '\'publisher_acl_blacklist\' not \'client_acl\' and \'client_acl_blacklist\'. ' - 'This functionality will be removed in Salt Nitrogen.' - ) - - publisher_acl = salt.acl.PublisherACL( - self.opts['publisher_acl_blacklist'] or self.opts['client_acl_blacklist']) + publisher_acl = salt.acl.PublisherACL(self.opts['publisher_acl_blacklist']) good = not publisher_acl.user_is_blacklisted(load['user']) and \ not publisher_acl.cmd_is_blacklisted(load['fun']) @@ -1477,7 +1461,7 @@ class LocalFuncs(object): ) return '' acl = salt.utils.get_values_of_matching_keys( - self.opts['publisher_acl'] or self.opts['client_acl'], + self.opts['publisher_acl'], load['user']) if load['user'] not in acl: log.warning( diff --git a/salt/master.py b/salt/master.py index 613cb1963c..ac003c9922 100644 --- a/salt/master.py +++ b/salt/master.py 
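Review bot: A master whose config still sets only `client_acl_blacklist` now gets `salt.acl.PublisherACL(self.opts['publisher_acl_blacklist'])` built from the empty default in LocalFuncs (the `@@ -1329` hunk), so its deny rules stop being enforced; the `@@ -1965` hunk in salt/master.py does the same in ClearFuncs. The removed `warn_until` call was the only runtime signal for such configs, and as far as this diff shows nothing replaces it. A dropped blacklist fails open, whereas a dropped `client_acl` only leaves users without access, so I would add a check in the master config loading path such as `if opts.get('client_acl') or opts.get('client_acl_blacklist'):` that refuses to start or at least calls `log.error` naming the replacement option. The enclosing functions start and end outside these hunks.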
@@ -1965,15 +1965,7 @@ class ClearFuncs(object): ''' extra = clear_load.get('kwargs', {}) - if self.opts['client_acl'] or self.opts['client_acl_blacklist']: - salt.utils.warn_until( - 'Nitrogen', - 'ACL rules should be configured with \'publisher_acl\' and ' - '\'publisher_acl_blacklist\' not \'client_acl\' and \'client_acl_blacklist\'. ' - 'This functionality will be removed in Salt Nitrogen.' - ) - publisher_acl = salt.acl.PublisherACL( - self.opts['publisher_acl_blacklist'] or self.opts['client_acl_blacklist']) + publisher_acl = salt.acl.PublisherACL(self.opts['publisher_acl_blacklist']) if publisher_acl.user_is_blacklisted(clear_load['user']) or \ publisher_acl.cmd_is_blacklisted(clear_load['fun']): @@ -2177,7 +2169,7 @@ class ClearFuncs(object): 'Authentication failure of type "user" occurred.' ) return '' - publisher_acl = self.opts['publisher_acl'] or self.opts['client_acl'] + publisher_acl = self.opts['publisher_acl'] if self.opts['sudo_acl'] and publisher_acl: publisher_acl = salt.utils.get_values_of_matching_keys( publisher_acl, @@ -2221,7 +2213,7 @@ class ClearFuncs(object): return '' # Build ACL matching the user name acl = salt.utils.get_values_of_matching_keys( - self.opts['publisher_acl'] or self.opts['client_acl'], + self.opts['publisher_acl'], clear_load['user']) if not acl: log.warning( diff --git a/salt/utils/event.py b/salt/utils/event.py index 5340103bdf..c68e90de8c 100644 --- a/salt/utils/event.py +++ b/salt/utils/event.py 
@@ -1122,17 +1122,8 @@ class EventPublisher(salt.utils.process.SignalHandlingMultiprocessingProcess): try: self.publisher.start() self.puller.start() - if self.opts['client_acl'] or self.opts['client_acl_blacklist']: - salt.utils.warn_until( - 'Nitrogen', - 'ACL rules should be configured with \'publisher_acl\' and ' - '\'publisher_acl_blacklist\' not \'client_acl\' and ' - '\'client_acl_blacklist\'. This functionality will be removed in Salt ' - 'Nitrogen.' - ) if (self.opts['ipc_mode'] != 'tcp' and ( self.opts['publisher_acl'] or - self.opts['client_acl'] or self.opts['external_auth'])): os.chmod(os.path.join( self.opts['sock_dir'], 'master_event_pub.ipc'), 0o666) diff --git a/salt/utils/parsers.py b/salt/utils/parsers.py index e729bb6a12..27c613da42 100644 --- a/salt/utils/parsers.py +++ b/salt/utils/parsers.py @@ -745,7 +745,7 @@ class LogLevelMixIn(six.with_metaclass(MixInMeta, object)): if self.config['user'] != current_user: # Yep, not the same user! # Is the current user in ACL? - acl = self.config.get('publisher_acl') or self.config.get('client_acl', {}) + acl = self.config.get('publisher_acl') if salt.utils.check_whitelist_blacklist(current_user, whitelist=six.iterkeys(acl)): # Yep, the user is in ACL! # Let's write the logfile to its home directory instead. diff --git a/tests/unit/auth_test.py b/tests/unit/auth_test.py index e40d504424..47a5f6d37a 100644 --- a/tests/unit/auth_test.py +++ b/tests/unit/auth_test.py @@ -79,9 +79,7 @@ class MasterACLTestCase(integration.ModuleCase): @patch('salt.utils.verify.check_path_traversal', MagicMock()) def setUp(self): opts = self.get_config('master', from_scratch=True) - opts['client_acl'] = {} opts['publisher_acl'] = {} - opts['client_acl_blacklist'] = {} opts['publisher_acl_blacklist'] = {} opts['master_job_cache'] = '' opts['sign_pub_messages'] = False 
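Review bot: In the salt/utils/parsers.py hunk, `acl = self.config.get('publisher_acl')` can now be `None`, because the old expression fell back to `{}` via `self.config.get('client_acl', {})` when neither key was set. The next line passes `six.iterkeys(acl)` as the whitelist, which would raise AttributeError on `None`. LogLevelMixIn is a mix-in, so it is presumably also used by parsers whose config carries no `publisher_acl` key; that is worth confirming. Keeping the fallback avoids the crash: `acl = self.config.get('publisher_acl') or {}`. The enclosing method starts and ends outside the hunk.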
@@ -505,9 +503,7 @@ class AuthACLTestCase(integration.ModuleCase): @patch('salt.utils.verify.check_path_traversal', MagicMock()) def setUp(self): opts = self.get_config('master', from_scratch=True) - opts['client_acl'] = {} opts['publisher_acl'] = {} - opts['client_acl_blacklist'] = {} opts['publisher_acl_blacklist'] = {} opts['master_job_cache'] = '' opts['sign_pub_messages'] = False