Home Explore Help
Register Sign In
nee2c
/
salt
mirror of https://github.com/nee2c/salt.git
1
0
Fork 0
Files Issues 0 Wiki
Tree: de27787df0
Branches Tags
salt
/
doc
/
topics
/
eauth
/
access_control.rst

access_control.rst 2.8 KB
History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586 
  1. .. _acl:
    2. 

  2. 

  3. =====================
    4. 

  4. Access Control System
    5. 

  5. =====================
    6. 

  6. 

  7. .. versionadded:: 0.10.4
    8. 

  8. 

  9. Salt maintains a standard system used to open granular control to non
    10. 

  10. administrative users to execute Salt commands. The access control system
    11. 

  11. has been applied to all systems used to configure access to non administrative
    12. 

  12. control interfaces in Salt.
    13. 

  13. 

  14. These interfaces include, the ``peer`` system, the
    15. 

  15. ``external auth`` system and the ``publisher acl`` system.
    16. 

  16. 

  17. The access control system mandated a standard configuration syntax used in
    18. 

  18. all of the three aforementioned systems. While this adds functionality to the
    19. 

  19. configuration in 0.10.4, it does not negate the old configuration.
    20. 

  20. 

  21. Now specific functions can be opened up to specific minions from specific users
    22. 

  22. in the case of external auth and publisher ACLs, and for specific minions in the
    23. 

  23. case of the peer system.
    24. 

  24. 

  25. .. toctree::
    26. 

  26. 

  27.     ../../ref/publisheracl
    28. 

  28.     index
    29. 

  29.     ../../ref/peer
    30. 

  30. 

  31. When to Use Each Authentication System
    32. 

  32. ======================================
    33. 

  33. ``publisher_acl`` is useful for allowing local system users to run Salt
    34. 

  34. commands without giving them root access. If you can log into the Salt
    35. 

  35. master directly, then ``publisher_acl`` allows you to use Salt without
    36. 

  36. root privileges. If the local system is configured to authenticate against
    37. 

  37. a remote system, like LDAP or Active Directory, then ``publisher_acl`` will
    38. 

  38. interact with the remote system transparently.
    39. 

  39. 

  40. ``external_auth`` is useful for ``salt-api`` or for making your own scripts
    41. 

  41. that use Salt's Python API. It can be used at the CLI (with the ``-a``
    42. 

  42. flag) but it is more cumbersome as there are more steps involved.  The only
    43. 

  43. time it is useful at the CLI is when the local system is *not* configured
    44. 

  44. to authenticate against an external service *but* you still want Salt to
    45. 

  45. authenticate against an external service.
    46. 

  46. 

  47. Examples
    48. 

  48. ========
    49. 

  49. 

  50. The access controls are manifested using matchers in these configurations:
    51. 

  51. 

  52. .. code-block:: yaml
    53. 

  53. 

  54.     publisher_acl:
    55. 

  55.       fred:
    56. 

  56.         - web\*:
    57. 

  57.           - pkg.list_pkgs
    58. 

  58.           - test.*
    59. 

  59.           - apache.*
    60. 

  60. 

  61. In the above example, fred is able to send commands only to minions which match
    62. 

  62. the specified glob target. This can be expanded to include other functions for
    63. 

  63. other minions based on standard targets (all matchers are supported except the compound one).
    64. 

  64. 

  65. .. code-block:: yaml
    66. 

  66. 

  67.     external_auth:
    68. 

  68.       pam:
    69. 

  69.         dave:
    70. 

  70.           - test.version
    71. 

  71.           - mongo\*:
    72. 

  72.             - network.*
    73. 

  73.           - log\*:
    74. 

  74.             - network.*
    75. 

  75.             - pkg.*
    76. 

  76.           - 'G@os:RedHat':
    77. 

  77.             - kmod.*
    78. 

  78.         steve:
    79. 

  79.           - .*
    80. 

  80. 

  81. The above allows for all minions to be hit by test.version by dave, and adds a
    82. 

  82. few functions that dave can execute on other minions. It also allows steve
    83. 

  83. unrestricted access to salt commands.
    84. 

  84. 

  85. .. note::
    86. 

  86.     Functions are matched using regular expressions.
    87.