1
0

publisheracl.rst 2.6 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475
  1. .. _publisher-acl:
  2. ====================
  3. Publisher ACL system
  4. ====================
  5. The salt publisher ACL system is a means to allow system users other than root
  6. to have access to execute select salt commands on minions from the master.
  7. The publisher ACL system is configured in the master configuration file via the
  8. ``publisher_acl`` configuration option. Under the ``publisher_acl``
  9. configuration option the users open to send commands are specified and then a
  10. list of the minion functions which will be made available to specified user.
  11. Both users and functions could be specified by exact match, shell glob or
  12. regular expression. This configuration is much like the :ref:`external_auth
  13. <acl-eauth>` configuration:
  14. .. code-block:: yaml
  15. publisher_acl:
  16. # Allow thatch to execute anything.
  17. thatch:
  18. - .*
  19. # Allow fred to use test and pkg, but only on "web*" minions.
  20. fred:
  21. - web*:
  22. - test.*
  23. - pkg.*
  24. # Allow admin and managers to use saltutil module functions
  25. admin|manager_.*:
  26. - saltutil.*
  27. # Allow users to use only my_mod functions on "web*" minions with specific arguments.
  28. user_.*:
  29. - web*:
  30. - 'my_mod.*':
  31. args:
  32. - 'a.*'
  33. - 'b.*'
  34. kwargs:
  35. 'kwa': 'kwa.*'
  36. 'kwb': 'kwb'
  37. Permission Issues
  38. -----------------
  39. Directories required for ``publisher_acl`` must be modified to be readable by
  40. the users specified:
  41. .. code-block:: bash
  42. chmod 755 /var/cache/salt /var/cache/salt/master /var/cache/salt/master/jobs /var/run/salt /var/run/salt/master
  43. .. note::
  44. In addition to the changes above you will also need to modify the
  45. permissions of /var/log/salt and the existing log file to be writable by
  46. the user(s) which will be running the commands. If you do not wish to do
  47. this then you must disable logging or Salt will generate errors as it
  48. cannot write to the logs as the system users.
  49. If you are upgrading from earlier versions of salt you must also remove any
  50. existing user keys and re-start the Salt master:
  51. .. code-block:: bash
  52. rm /var/cache/salt/.*key
  53. service salt-master restart
  54. Whitelist and Blacklist
  55. -----------------------
  56. Salt's authentication systems can be configured by specifying what is allowed
  57. using a whitelist, or by specifying what is disallowed using a blacklist. If
  58. you specify a whitelist, only specified operations are allowed. If you specify
  59. a blacklist, all operations are allowed except those that are blacklisted.
  60. See :conf_master:`publisher_acl` and :conf_master:`publisher_acl_blacklist`.