Acasă Explorează Ajutor
Înregistrare Autentificare
nee2c
/
salt
oglindă de https://github.com/nee2c/salt.git
1
0
Bifurcare 0
Fisiere Probleme 0 Wiki
Ramură: 2019.2.3
Ramuri Etichete
salt
/
doc
/
ref
/
publisheracl.rst

publisheracl.rst 2.6 KB
Permalink Istoric Crud

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475 
  1. .. _publisher-acl:
    2. 

  2. 

  3. ====================
    4. 

  4. Publisher ACL system
    5. 

  5. ====================
    6. 

  6. 

  7. The salt publisher ACL system is a means to allow system users other than root
    8. 

  8. to have access to execute select salt commands on minions from the master.
    9. 

  9. 

  10. The publisher ACL system is configured in the master configuration file via the
    11. 

  11. ``publisher_acl`` configuration option. Under the ``publisher_acl``
    12. 

  12. configuration option the users open to send commands are specified and then a
    13. 

  13. list of the minion functions which will be made available to specified user.
    14. 

  14. Both users and functions could be specified by exact match, shell glob or
    15. 

  15. regular expression. This configuration is much like the :ref:`external_auth
    16. 

  16. <acl-eauth>` configuration:
    17. 

  17. 

  18. .. code-block:: yaml
    19. 

  19. 

  20.     publisher_acl:
    21. 

  21.       # Allow thatch to execute anything.
    22. 

  22.       thatch:
    23. 

  23.         - .*
    24. 

  24.       # Allow fred to use test and pkg, but only on "web*" minions.
    25. 

  25.       fred:
    26. 

  26.         - web*:
    27. 

  27.           - test.*
    28. 

  28.           - pkg.*
    29. 

  29.       # Allow admin and managers to use saltutil module functions
    30. 

  30.       admin|manager_.*:
    31. 

  31.         - saltutil.*
    32. 

  32.       # Allow users to use only my_mod functions on "web*" minions with specific arguments.
    33. 

  33.       user_.*:
    34. 

  34.         - web*:
    35. 

  35.           - 'my_mod.*':
    36. 

  36.               args:
    37. 

  37.                 - 'a.*'
    38. 

  38.                 - 'b.*'
    39. 

  39.               kwargs:
    40. 

  40.                 'kwa': 'kwa.*'
    41. 

  41.                 'kwb': 'kwb'
    42. 

  42. 

  43. Permission Issues
    44. 

  44. -----------------
    45. 

  45. Directories required for ``publisher_acl`` must be modified to be readable by
    46. 

  46. the users specified:
    47. 

  47. 

  48. .. code-block:: bash
    49. 

  49. 

  50.     chmod 755 /var/cache/salt /var/cache/salt/master /var/cache/salt/master/jobs /var/run/salt /var/run/salt/master
    51. 

  51. 

  52. .. note::
    53. 

  53. 

  54.     In addition to the changes above you will also need to modify the
    55. 

  55.     permissions of /var/log/salt and the existing log file to be writable by
    56. 

  56.     the user(s) which will be running the commands. If you do not wish to do
    57. 

  57.     this then you must disable logging or Salt will generate errors as it
    58. 

  58.     cannot write to the logs as the system users.
    59. 

  59. 

  60. If you are upgrading from earlier versions of salt you must also remove any
    61. 

  61. existing user keys and re-start the Salt master:
    62. 

  62. 

  63. .. code-block:: bash
    64. 

  64. 

  65.     rm /var/cache/salt/.*key
    66. 

  66.     service salt-master restart
    67. 

  67. 

  68. Whitelist and Blacklist
    69. 

  69. -----------------------
    70. 

  70. Salt's authentication systems can be configured by specifying what is allowed
    71. 

  71. using a whitelist, or by specifying what is disallowed using a blacklist. If
    72. 

  72. you specify a whitelist, only specified operations are allowed. If you specify
    73. 

  73. a blacklist, all operations are allowed except those that are blacklisted.
    74. 

  74. 

  75. See :conf_master:`publisher_acl` and :conf_master:`publisher_acl_blacklist`.
    76.