mirror of
https://github.com/valitydev/salt.git
synced 2024-11-07 17:09:03 +00:00
f9ffcb697a
* json encode arguments passed to an execution module function call
  this fixes problems where you could pass a string to a module function, which thanks to the yaml decoder which is used when parsing command line arguments could change its type entirely. for example: __salt__['test.echo']('{foo: bar}') the test.echo function just returns the argument it's given. however, because it's being called through a salt-call process like this: salt-call --local test.echo {foo: bar} salt thinks it's yaml and therefore yaml decodes it. the return value from the test.echo call above is therefore a dict, not a string.
* Prevent crash if pygit2 package is requesting re-compilation of the e… (#32652)
* Prevent crash if pygit2 package is requesting re-compilation of the entire library on production systems (no *devel packages)
* Fix PEP8: move imports to the top of the file
* Move logger up
* Add log error message in case if exception is not an ImportError
* align OS grains from older SLES with current one (#32649)
* Fixing critical bug to remove only the specified Host instead of the entire Host cluster (#32640)
* yumpkg: Ignore epoch in version comparison for explicit versions without an epoch (#32563)
* yumpkg: Ignore epoch in version comparison for explicit versions without an epoch
  Also properly handle comparisons for packages with multiple versions. Resolves #32229
* Don't attempt downgrade for kernel and its subpackages
  Multiple versions are supported since their paths do not conflict.
* Lower log level for pillar cache (#32655)
  This shouldn't show up on salt-call runs
* Don't access deprecated Exception.message attribute. (#32556)
* Don't access deprecated Exception.message attribute.
  To avoid a deprecation warning message in logs. There is a new function salt.exceptions.get_error_message(e) instead.
* Fixed module docs test.
* Fix for issue 32523 (#32672)
* Fix routes for redhat < 6
* Handle a couple of arguments better (Azure) (#32683)
* backporting a fix from develop where the use of splay would result in seconds=0 in the schedule.list when there was no seconds specified in the original schedule
* Handle when beacon not configured and we try to enable/disable them (#32692)
* Handle the situation when the beacon is not configured and we try to disable it
* a couple more missing returns in the enable & disable
* Check dependencies type before applying str operations (#32693)
* Update external auth documentation to list supported matcher. (#32733)
  Thanks to #31598, all matchers are supported for eauth configuration. But we still have no way to use compound matchers in eauth configuration. Update the documentation to explicitly express this limitation.
* modules.win_dacl: consistent case of dacl constants (#32720)
* Document pillar cache options (#32643)
* Add note about Pillar data cache requirement for Pillar targeting method
* Add `saltutil.refresh_pillar` function to the scheduled Minion jobs
* Minor fixes in docs
* Add note about relations between `pillar_cache` option and Pillar Targeting to Master config comments with small reformatting
* Document Pillar Cache Options for Salt Master
* Document Minions Targeting with Mine
* Remove `saltutil.refresh_pillar` scheduled persistent job
* Properly handle minion failback failure. (#32749)
* Properly handle minion failback failure.
  Initiate minion restart if all masters down on __master_disconnect like minion does on the initial master connect on start.
* Fixed unit test
* Improve documentation on pygit2 versions (#32779)
  This adds an explanation of the python-cffi dep added in pygit2 0.21.0, and recommends 0.20.3 for LTS distros. It also links to the salt-pack issue which tracks the progress of adding pygit2 to our Debian and Ubuntu repositories.
* Pylint fix
87 lines
2.8 KiB
ReStructuredText
.. _acl:

=====================
Access Control System
=====================

.. versionadded:: 0.10.4

Salt maintains a standard system used to open granular control to
non-administrative users to execute Salt commands. The access control system
has been applied to all systems used to configure access to non-administrative
control interfaces in Salt.

These interfaces include the ``peer`` system, the
``external auth`` system and the ``publisher acl`` system.

The access control system mandates a standard configuration syntax used in
all three of the aforementioned systems. While this adds functionality to the
configuration in 0.10.4, it does not invalidate the old configuration.

Now specific functions can be opened up to specific minions from specific users
in the case of external auth and publisher ACLs, and for specific minions in the
case of the peer system.

.. toctree::

    ../../ref/publisheracl
    index
    ../../ref/peer

When to Use Each Authentication System
======================================

``publisher_acl`` is useful for allowing local system users to run Salt
commands without giving them root access. If you can log into the Salt
master directly, then ``publisher_acl`` allows you to use Salt without
root privileges. If the local system is configured to authenticate against
a remote system, like LDAP or Active Directory, then ``publisher_acl`` will
interact with the remote system transparently.

``external_auth`` is useful for ``salt-api`` or for making your own scripts
that use Salt's Python API. It can be used at the CLI (with the ``-a``
flag), but it is more cumbersome there because more steps are involved. The
only time it is useful at the CLI is when the local system is *not* configured
to authenticate against an external service *but* you still want Salt to
authenticate against an external service.

Examples
========

The access controls are manifested using matchers in these configurations:

.. code-block:: yaml

    publisher_acl:
      fred:
        - web\*:
          - pkg.list_pkgs
          - test.*
          - apache.*

In the above example, fred is able to send only the listed functions, and only
to minions which match the specified glob target. This can be expanded to
include other functions for other minions based on standard targets (all
matchers are supported except the compound one).

.. code-block:: yaml

    external_auth:
      pam:
        dave:
          - test.ping
          - mongo\*:
            - network.*
          - log\*:
            - network.*
            - pkg.*
          - 'G@os:RedHat':
            - kmod.*
        steve:
          - .*

The above allows dave to run test.ping on all minions, and adds a few
functions that dave can execute on other minions. It also allows steve
unrestricted access to Salt commands.

.. note::
    Functions are matched using regular expressions.
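
A small evaluator for the two ACL shapes shown above (an added example, not Salt's own authorization code): it resolves the minion target with a glob or a ``G@grain:value`` lookup and the function name with ``re.match``, as the note states. The grains table is constructed, the page's YAML-escaped ``web\*`` is taken as the glob ``web*``, and compound targets are left unsupported.

```python
import fnmatch
import re

# Both ACLs from the page as plain dicts (no YAML parser needed). The
# page's YAML-escaped target ``web\*`` is taken here as the glob ``web*``.
PUBLISHER_ACL = {"fred": [{"web*": ["pkg.list_pkgs", "test.*", "apache.*"]}]}
EXTERNAL_AUTH = {"pam": {
    "dave": ["test.ping",
             {"mongo*": ["network.*"]},
             {"log*": ["network.*", "pkg.*"]},
             {"G@os:RedHat": ["kmod.*"]}],
    "steve": [".*"],
}}
# Constructed grains standing in for the live grains Salt would consult
# when resolving the ``G@os:RedHat`` target.
GRAINS = {"web1": {"os": "RedHat"}, "mongo1": {"os": "Ubuntu"},
          "log1": {"os": "Debian"}, "rh1": {"os": "RedHat"}}

def fun_allowed(pattern, fun):
    # Function names are regular expressions. re.match anchors only the
    # start, so "test.*" also admits "testing.ping"; r"test\..*" limits the
    # rule to the test module. An invalid pattern denies instead of allowing.
    try:
        return re.match(pattern, fun) is not None
    except re.error:
        return False

def target_matches(target, minion_id):
    # "G@grain:value" resolves against the grains table; anything else is a
    # glob on the minion id. Compound matchers are not handled, since the
    # page says the eauth configuration does not support them.
    if target.startswith("G@"):
        grain, _, value = target[2:].partition(":")
        return GRAINS.get(minion_id, {}).get(grain) == value
    return fnmatch.fnmatchcase(minion_id, target)

def is_allowed(user_rules, user, minion_id, fun):
    # user_rules is publisher_acl itself or one backend of external_auth.
    for rule in user_rules.get(user, []):
        if isinstance(rule, str):              # bare function: any minion
            if fun_allowed(rule, fun):
                return True
        else:                                  # {target: [functions]}
            for target, funs in rule.items():
                if target_matches(target, minion_id) and any(
                        fun_allowed(f, fun) for f in funs):
                    return True
    return False                               # no rule matched: deny
```

Because the function patterns are regular expressions, ``fun_allowed("test.*", "testing.ping")`` is true; escaping the dot as ``r"test\..*"`` keeps the rule to the ``test`` module.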