1
0

access_control.rst 3.1 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293
  1. .. _acl:
  2. =====================
  3. Access Control System
  4. =====================
  5. .. versionadded:: 0.10.4
  6. Salt maintains a standard system used to open granular control to non
  7. administrative users to execute Salt commands. The access control system
  8. has been applied to all systems used to configure access to non administrative
  9. control interfaces in Salt.
  10. These interfaces include, the ``peer`` system, the
  11. ``external auth`` system and the ``publisher acl`` system.
  12. The access control system mandated a standard configuration syntax used in
  13. all of the three aforementioned systems. While this adds functionality to the
  14. configuration in 0.10.4, it does not negate the old configuration.
  15. Now specific functions can be opened up to specific minions from specific users
  16. in the case of external auth and publisher ACLs, and for specific minions in the
  17. case of the peer system.
  18. .. toctree::
  19. ../../ref/publisheracl
  20. index
  21. ../../ref/peer
  22. .. The two paragraphs below (in the "When to use each authentication system"
  23. heading) are copied in the doc/ref/publisheracl.rst and doc/topics/eauth/index.rst
  24. topics as a note, at the top of the document. If you update the below
  25. content, update it in the other two files as well.
  26. .. _acl_types:
  27. When to Use Each Authentication System
  28. ======================================
  29. ``publisher_acl`` is useful for allowing local system users to run Salt
  30. commands without giving them root access. If you can log into the Salt
  31. master directly, then ``publisher_acl`` allows you to use Salt without
  32. root privileges. If the local system is configured to authenticate against
  33. a remote system, like LDAP or Active Directory, then ``publisher_acl`` will
  34. interact with the remote system transparently.
  35. ``external_auth`` is useful for ``salt-api`` or for making your own scripts
  36. that use Salt's Python API. It can be used at the CLI (with the ``-a``
  37. flag) but it is more cumbersome as there are more steps involved. The only
  38. time it is useful at the CLI is when the local system is *not* configured
  39. to authenticate against an external service *but* you still want Salt to
  40. authenticate against an external service.
  41. Examples
  42. ========
  43. The access controls are manifested using matchers in these configurations:
  44. .. code-block:: yaml
  45. publisher_acl:
  46. fred:
  47. - web\*:
  48. - pkg.list_pkgs
  49. - test.*
  50. - apache.*
  51. In the above example, fred is able to send commands only to minions which match
  52. the specified glob target. This can be expanded to include other functions for
  53. other minions based on standard targets (all matchers are supported except the compound one).
  54. .. code-block:: yaml
  55. external_auth:
  56. pam:
  57. dave:
  58. - test.version
  59. - mongo\*:
  60. - network.*
  61. - log\*:
  62. - network.*
  63. - pkg.*
  64. - 'G@os:RedHat':
  65. - kmod.*
  66. steve:
  67. - .*
  68. The above allows for all minions to be hit by test.version by dave, and adds a
  69. few functions that dave can execute on other minions. It also allows steve
  70. unrestricted access to salt commands.
  71. .. note::
  72. Functions are matched using regular expressions.