valitydev/salt
14
0
Fork 0
mirror of https://github.com/valitydev/salt.git synced 2024-11-07 17:09:03 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
01c5c77305
salt/doc/ref/publisheracl.rst
rallytime a9f85f0dbe Remove support for client_acl and client_acl_blacklist 
These have been deprecated for some time and were marked for
removal in Nitrogen.

publisher_acl and publisher_acl_blacklist should be used instead.
2016-12-19 16:18:48 -07:00

62 lines
2.1 KiB
ReStructuredText
Raw Blame History

.. _publisher-acl:
====================
Publisher ACL system
====================
The salt publisher ACL system is a means to allow system users other than root
to have access to execute select salt commands on minions from the master.
The publisher ACL system is configured in the master configuration file via the
``publisher_acl`` configuration option. Under the ``publisher_acl``
configuration option the users open to send commands are specified and then a
list of regular expressions which specify the minion functions which will be
made available to specified user. This configuration is much like the ``peer``
configuration:
.. code-block:: yaml
publisher_acl:
# Allow thatch to execute anything.
thatch:
- .*
# Allow fred to use test and pkg, but only on "web*" minions.
fred:
- web*:
- test.*
- pkg.*
Permission Issues
-----------------
Directories required for ``publisher_acl`` must be modified to be readable by
the users specified:
.. code-block:: bash
chmod 755 /var/cache/salt /var/cache/salt/master /var/cache/salt/master/jobs /var/run/salt /var/run/salt/master
.. note::
In addition to the changes above you will also need to modify the
permissions of /var/log/salt and the existing log file to be writable by
the user(s) which will be running the commands. If you do not wish to do
this then you must disable logging or Salt will generate errors as it
cannot write to the logs as the system users.
If you are upgrading from earlier versions of salt you must also remove any
existing user keys and re-start the Salt master:
.. code-block:: bash
rm /var/cache/salt/.*key
service salt-master restart
Whitelist and Blacklist
-----------------------
Salt's authentication systems can be configured by specifying what is allowed
using a whitelist, or by specifying what is disallowed using a blacklist. If
you specify a whitelist, only specified operations are allowed. If you specify
a blacklist, all operations are allowed except those that are blacklisted.
See :conf_master:`publisher_acl` and :conf_master:`publisher_acl_blacklist`.
Reference in New Issue View Git Blame Copy Permalink