salt/doc/topics/eauth/access_control.rst
Nicole Thomas f9ffcb697a [2016.3] Merge forward from 2015.8 to 2016.3 (#32784)
* json encode arguments passed to an execution module function call

this fixes problems where you could pass a string to a module function,
which thanks to the yaml decoder which is used when parsing command line
arguments could change its type entirely. for example:

__salt__['test.echo']('{foo: bar}')

the test.echo function just returns the argument it's given. however,
because it's being called through a salt-call process like this:

salt-call --local test.echo {foo: bar}

salt thinks it's yaml and therefore yaml decodes it. the return value
from the test.echo call above is therefore a dict, not a string.

* Prevent crash if pygit2 package is requesting re-compilation of the e… (#32652)

* Prevent crash if pygit2 package is requesting re-compilation of the entire library on production systems (no *devel packages)

* Fix PEP8: move imports to the top of the file

* Move logger up

* Add log error message in case if exception is not an ImportError

* align OS grains from older SLES with current one (#32649)

* Fixing critical bug to remove only the specified Host instead of the entire Host cluster (#32640)

* yumpkg: Ignore epoch in version comparison for explicit versions without an epoch (#32563)

* yumpkg: Ignore epoch in version comparison for explicit versions without an epoch

Also properly handle comparisons for packages with multiple versions.

Resolves #32229

* Don't attempt downgrade for kernel and its subpackages

Multiple versions are supported since their paths do not conflict.

* Lower log level for pillar cache (#32655)

This shouldn't show up on salt-call runs

* Don't access deprecated Exception.message attribute. (#32556)

* Don't access deprecated Exception.message attribute.

To avoid a deprecation warning message in logs.
There is a new function salt.exceptions.get_error_message(e) instead.

* Fixed module docs test.

* Fix for issue 32523 (#32672)

* Fix routes for redhat < 6

* Handle a couple of arguments better (Azure) (#32683)

* backporting a fix from develop where the use of splay would result in seconds=0 in the schedule.list when there was no seconds specified in the original schedule

* Handle when beacon not configured and we try to enable/disable them (#32692)

* Handle the situation when the beacon is not configured and we try to disable it

* a couple more missing returns in the enable & disable

* Check dependencies type before applying str operations (#32693)

* Update external auth documentation to list supported matcher. (#32733)

Thanks to #31598, all matchers are supported for eauth configuration.
But we still have no way to use compound matchers in eauth configuration.
Update the documentation to explicitly express this limitation.

* modules.win_dacl: consistent case of dacl constants (#32720)

* Document pillar cache options (#32643)

* Add note about Pillar data cache requirement for Pillar targeting method

* Add `saltutil.refresh_pillar` function to the scheduled Minion jobs

* Minor fixes in docs

* Add note about relations between `pillar_cache` option and Pillar Targeting
to Master config comments with small reformatting

* Document Pillar Cache Options for Salt Master

* Document Minions Targeting with Mine

* Remove `saltutil.refresh_pillar` scheduled persistent job

* Properly handle minion failback failure. (#32749)

* Properly handle minion failback failure.

Initiate minion restart if all masters down on __master_disconnect like
minion does on the initial master connect on start.

* Fixed unit test

* Improve documentation on pygit2 versions (#32779)

This adds an explanation of the python-cffi dep added in pygit2 0.21.0,
and recommends 0.20.3 for LTS distros. It also links to the salt-pack
issue which tracks the progress of adding pygit2 to our Debian and
Ubuntu repositories.

* Pylint fix
2016-04-25 15:26:09 -06:00


.. _acl:

=====================
Access Control System
=====================

.. versionadded:: 0.10.4

Salt maintains a standard system used to open granular control to
non-administrative users to execute Salt commands. The access control system
has been applied to all systems used to configure access to non-administrative
control interfaces in Salt.

These interfaces include the ``peer`` system, the ``external auth`` system and
the ``publisher acl`` system.

The access control system mandates a standard configuration syntax used in
all of the three aforementioned systems. While this adds functionality to the
configuration in 0.10.4, it does not negate the old configuration.

Now specific functions can be opened up to specific minions from specific users
in the case of external auth and publisher ACLs, and for specific minions in the
case of the peer system.

.. toctree::

    ../../ref/publisheracl
    index
    ../../ref/peer

When to Use Each Authentication System
======================================

``publisher_acl`` is useful for allowing local system users to run Salt
commands without giving them root access. If you can log into the Salt
master directly, then ``publisher_acl`` allows you to use Salt without
root privileges. If the local system is configured to authenticate against
a remote system, like LDAP or Active Directory, then ``publisher_acl`` will
interact with the remote system transparently.

``external_auth`` is useful for ``salt-api`` or for making your own scripts
that use Salt's Python API. It can be used at the CLI (with the ``-a``
flag) but it is more cumbersome as there are more steps involved. The only
time it is useful at the CLI is when the local system is *not* configured
to authenticate against an external service *but* you still want Salt to
authenticate against an external service.

Examples
========

The access controls are manifested using matchers in these configurations:

.. code-block:: yaml

    publisher_acl:
      fred:
        - web\*:
          - pkg.list_pkgs
          - test.*
          - apache.*

In the above example, fred is able to send commands only to minions which match
the specified glob target. This can be expanded to include other functions for
other minions based on standard targets (all matchers are supported except the
compound one).

.. code-block:: yaml

    external_auth:
      pam:
        dave:
          - test.ping
          - mongo\*:
            - network.*
          - log\*:
            - network.*
            - pkg.*
          - 'G@os:RedHat':
            - kmod.*
        steve:
          - .*

The above allows for all minions to be hit by test.ping by dave, and adds a
few functions that dave can execute on other minions. It also allows steve
unrestricted access to salt commands.

.. note::

    Functions are matched using regular expressions.
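The ``external_auth`` policy above, evaluated as code: this is an added example, not Salt's own implementation, that decides whether a user may run a function on a given minion under that configuration. It assumes only the glob and single ``G@key:value`` grain matchers (compound targets excluded, as the page notes), a constructed minion inventory with grains, and ``re.match`` for the function patterns as the note describes.

```python
import fnmatch
import re

# Constructed policy mirroring the page's external_auth/pam example. A bare string
# is a function regex that applies to every minion; a dict maps a target expression
# to the function regexes allowed on the minions that target matches.
ACL = {
    "dave": [
        "test.ping",
        {"mongo*": ["network.*"]},
        {"log*": ["network.*", "pkg.*"]},
        {"G@os:RedHat": ["kmod.*"]},
    ],
    "steve": [".*"],
}

# Constructed minion inventory (id -> grains), standing in for the master's grains cache.
MINIONS = {"mongo1": {"os": "Debian"}, "log1": {"os": "RedHat"},
           "web1": {"os": "RedHat"}, "db1": {"os": "Ubuntu"}}


def target_matches(target, minion_id, grains):
    """Glob on the minion id, or a single G@key:value grain test; compound
    targets are not supported here, matching the limitation the page notes."""
    if target.startswith("G@"):
        key, _, value = target[2:].partition(":")
        return fnmatch.fnmatch(str(grains.get(key, "")), value)
    return fnmatch.fnmatch(minion_id, target)


def fun_matches(pattern, fun):
    """Function names are regular expressions checked with re.match: anchored at the
    start only, so 'test.*' also admits 'testing.echo' (the dot is unescaped)."""
    try:
        return re.match(pattern, fun) is not None
    except re.error:
        return False  # an unparseable pattern grants nothing


def is_allowed(user, fun, minion_id, acl=ACL, minions=MINIONS):
    grains = minions.get(minion_id, {})
    for entry in acl.get(user, []):
        if isinstance(entry, str):
            if fun_matches(entry, fun):
                return True
            continue
        for target, patterns in entry.items():
            if target_matches(target, minion_id, grains) and any(fun_matches(p, fun) for p in patterns):
                return True
    return False
```

Anchoring a pattern explicitly (for example ``^test\.ping$``) keeps it from admitting longer or differently spelled function names.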