1
0

index.rst 14 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439
  1. .. _acl-eauth:
  2. ==============================
  3. External Authentication System
  4. ==============================
  5. Salt's External Authentication System (eAuth) allows for Salt to pass through
  6. command authorization to any external authentication system, such as PAM or LDAP.
  7. .. note::
  8. eAuth using the PAM external auth system requires salt-master to be run as
  9. root as this system needs root access to check authentication.
  10. .. note::
  11. ``publisher_acl`` is useful for allowing local system users to run Salt
  12. commands without giving them root access. If you can log into the Salt
  13. master directly, then ``publisher_acl`` allows you to use Salt without
  14. root privileges. If the local system is configured to authenticate against
  15. a remote system, like LDAP or Active Directory, then ``publisher_acl`` will
  16. interact with the remote system transparently.
  17. ``external_auth`` is useful for ``salt-api`` or for making your own scripts
  18. that use Salt's Python API. It can be used at the CLI (with the ``-a``
  19. flag) but it is more cumbersome as there are more steps involved. The only
  20. time it is useful at the CLI is when the local system is *not* configured
  21. to authenticate against an external service *but* you still want Salt to
  22. authenticate against an external service.
  23. For more information and examples, see :ref:`this Access Control System
  24. <acl_types>` section.
  25. External Authentication System Configuration
  26. ============================================
  27. The external authentication system allows for specific users to be granted
  28. access to execute specific functions on specific minions. Access is configured
  29. in the master configuration file and uses the :ref:`access control system
  30. <acl>`:
  31. .. code-block:: yaml
  32. external_auth:
  33. pam:
  34. thatch:
  35. - 'web*':
  36. - test.*
  37. - network.*
  38. steve|admin.*:
  39. - .*
  40. The above configuration allows the user ``thatch`` to execute functions in the
  41. test and network modules on the minions that match the web* target. User
  42. ``steve`` and the users whose logins start with ``admin``, are granted
  43. unrestricted access to minion commands.
  44. Salt respects the current PAM configuration in place, and uses the 'login'
  45. service to authenticate.
  46. .. note:: The PAM module does not allow authenticating as ``root``.
  47. .. note:: state.sls and state.highstate will return "Failed to authenticate!"
  48. if the request timeout is reached. Use -t flag to increase the timeout
  49. To allow access to :ref:`wheel modules <all-salt.wheel>` or :ref:`runner
  50. modules <all-salt.runners>` the following ``@`` syntax must be used:
  51. .. code-block:: yaml
  52. external_auth:
  53. pam:
  54. thatch:
  55. - '@wheel' # to allow access to all wheel modules
  56. - '@runner' # to allow access to all runner modules
  57. - '@jobs' # to allow access to the jobs runner and/or wheel module
  58. .. note::
  59. The runner/wheel markup is different, since there are no minions to scope the
  60. acl to.
  61. .. note::
  62. Globs will not match wheel or runners! They must be explicitly
  63. allowed with @wheel or @runner.
  64. .. warning::
  65. All users that have external authentication privileges are allowed to run
  66. :mod:`saltutil.findjob <salt.modules.saltutil.find_job>`. Be aware
  67. that this could inadvertently expose some data such as minion IDs.
  68. Matching syntax
  69. ---------------
  70. The structure of the ``external_auth`` dictionary can take the following
  71. shapes. User and function matches are exact matches, shell glob patterns or
  72. regular expressions; minion matches are compound targets.
  73. By user:
  74. .. code-block:: yaml
  75. external_auth:
  76. <eauth backend>:
  77. <user or group%>:
  78. - <regex to match function>
  79. By user, by minion:
  80. .. code-block:: yaml
  81. external_auth:
  82. <eauth backend>:
  83. <user or group%>:
  84. <minion compound target>:
  85. - <regex to match function>
  86. By user, by runner/wheel:
  87. .. code-block:: yaml
  88. external_auth:
  89. <eauth backend>:
  90. <user or group%>:
  91. <@runner or @wheel>:
  92. - <regex to match function>
  93. By user, by runner+wheel module:
  94. .. code-block:: yaml
  95. external_auth:
  96. <eauth backend>:
  97. <user or group%>:
  98. <@module_name>:
  99. - <regex to match function without module_name>
  100. Groups
  101. ------
  102. To apply permissions to a group of users in an external authentication system,
  103. append a ``%`` to the ID:
  104. .. code-block:: yaml
  105. external_auth:
  106. pam:
  107. admins%:
  108. - '*':
  109. - 'pkg.*'
  110. Limiting by function arguments
  111. ------------------------------
  112. Positional arguments or keyword arguments to functions can also be whitelisted.
  113. .. versionadded:: 2016.3.0
  114. .. code-block:: yaml
  115. external_auth:
  116. pam:
  117. my_user:
  118. - '*':
  119. - 'my_mod.*':
  120. args:
  121. - 'a.*'
  122. - 'b.*'
  123. kwargs:
  124. 'kwa': 'kwa.*'
  125. 'kwb': 'kwb'
  126. - '@runner':
  127. - 'runner_mod.*':
  128. args:
  129. - 'a.*'
  130. - 'b.*'
  131. kwargs:
  132. 'kwa': 'kwa.*'
  133. 'kwb': 'kwb'
  134. The rules:
  135. 1. The arguments values are matched as regexp.
  136. 2. If arguments restrictions are specified the only matched are allowed.
  137. 3. If an argument isn't specified any value is allowed.
  138. 4. To skip an arg use "everything" regexp ``.*``. I.e. if ``arg0`` and ``arg2``
  139. should be limited but ``arg1`` and other arguments could have any value use:
  140. .. code-block:: yaml
  141. args:
  142. - 'value0'
  143. - '.*'
  144. - 'value2'
  145. Usage
  146. =====
  147. The external authentication system can then be used from the command-line by
  148. any user on the same system as the master with the ``-a`` option:
  149. .. code-block:: bash
  150. $ salt -a pam web\* test.version
  151. The system will ask the user for the credentials required by the
  152. authentication system and then publish the command.
  153. .. _salt-token-generation:
  154. Tokens
  155. ------
  156. With external authentication alone, the authentication credentials will be
  157. required with every call to Salt. This can be alleviated with Salt tokens.
  158. Tokens are short term authorizations and can be easily created by just
  159. adding a ``-T`` option when authenticating:
  160. .. code-block:: bash
  161. $ salt -T -a pam web\* test.version
  162. Now a token will be created that has an expiration of 12 hours (by default).
  163. This token is stored in a file named ``salt_token`` in the active user's home
  164. directory.
  165. Once the token is created, it is sent with all subsequent communications.
  166. User authentication does not need to be entered again until the token expires.
  167. Token expiration time can be set in the Salt master config file.
  168. LDAP and Active Directory
  169. =========================
  170. .. note::
  171. LDAP usage requires that you have installed python-ldap.
  172. Salt supports both user and group authentication for LDAP (and Active Directory
  173. accessed via its LDAP interface)
  174. OpenLDAP and similar systems
  175. ----------------------------
  176. LDAP configuration happens in the Salt master configuration file.
  177. Server configuration values and their defaults:
  178. .. code-block:: yaml
  179. # Server to auth against
  180. auth.ldap.server: localhost
  181. # Port to connect via
  182. auth.ldap.port: 389
  183. # Use TLS when connecting
  184. auth.ldap.tls: False
  185. # Use STARTTLS when connecting
  186. auth.ldap.starttls: False
  187. # LDAP scope level, almost always 2
  188. auth.ldap.scope: 2
  189. # Server specified in URI format
  190. auth.ldap.uri: '' # Overrides .ldap.server, .ldap.port, .ldap.tls above
  191. # Verify server's TLS certificate
  192. auth.ldap.no_verify: False
  193. # Bind to LDAP anonymously to determine group membership
  194. # Active Directory does not allow anonymous binds without special configuration
  195. # In addition, if auth.ldap.anonymous is True, empty bind passwords are not permitted.
  196. auth.ldap.anonymous: False
  197. # FOR TESTING ONLY, this is a VERY insecure setting.
  198. # If this is True, the LDAP bind password will be ignored and
  199. # access will be determined by group membership alone with
  200. # the group memberships being retrieved via anonymous bind
  201. auth.ldap.auth_by_group_membership_only: False
  202. # Require authenticating user to be part of this Organizational Unit
  203. # This can be blank if your LDAP schema does not use this kind of OU
  204. auth.ldap.groupou: 'Groups'
  205. # Object Class for groups. An LDAP search will be done to find all groups of this
  206. # class to which the authenticating user belongs.
  207. auth.ldap.groupclass: 'posixGroup'
  208. # Unique ID attribute name for the user
  209. auth.ldap.accountattributename: 'memberUid'
  210. # These are only for Active Directory
  211. auth.ldap.activedirectory: False
  212. auth.ldap.persontype: 'person'
  213. auth.ldap.minion_stripdomains: []
  214. # Redhat Identity Policy Audit
  215. auth.ldap.freeipa: False
  216. Authenticating to the LDAP Server
  217. +++++++++++++++++++++++++++++++++
  218. There are two phases to LDAP authentication. First, Salt authenticates to search for a users' Distinguished Name
  219. and group membership. The user it authenticates as in this phase is often a special LDAP system user with
  220. read-only access to the LDAP directory. After Salt searches the directory to determine the actual user's DN
  221. and groups, it re-authenticates as the user running the Salt commands.
  222. If you are already aware of the structure of your DNs and permissions in your LDAP store are set such that
  223. users can look up their own group memberships, then the first and second users can be the same. To tell Salt this is
  224. the case, omit the ``auth.ldap.bindpw`` parameter. Note this is not the same thing as using an anonymous bind.
  225. Most LDAP servers will not permit anonymous bind, and as mentioned above, if `auth.ldap.anonymous` is False you
  226. cannot use an empty password.
  227. You can template the ``binddn`` like this:
  228. .. code-block:: yaml
  229. auth.ldap.basedn: dc=saltstack,dc=com
  230. auth.ldap.binddn: uid={{ username }},cn=users,cn=accounts,dc=saltstack,dc=com
  231. Salt will use the password entered on the salt command line in place of the bindpw.
  232. To use two separate users, specify the LDAP lookup user in the binddn directive, and include a bindpw like so
  233. .. code-block:: yaml
  234. auth.ldap.binddn: uid=ldaplookup,cn=sysaccounts,cn=etc,dc=saltstack,dc=com
  235. auth.ldap.bindpw: mypassword
  236. As mentioned before, Salt uses a filter to find the DN associated with a user. Salt
  237. substitutes the ``{{ username }}`` value for the username when querying LDAP
  238. .. code-block:: yaml
  239. auth.ldap.filter: uid={{ username }}
  240. Determining Group Memberships (OpenLDAP / non-Active Directory)
  241. +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  242. For OpenLDAP, to determine group membership, one can specify an OU that contains
  243. group data. This is prepended to the basedn to create a search path. Then
  244. the results are filtered against ``auth.ldap.groupclass``, default
  245. ``posixGroup``, and the account's 'name' attribute, ``memberUid`` by default.
  246. .. code-block:: yaml
  247. auth.ldap.groupou: Groups
  248. Note that as of 2017.7, auth.ldap.groupclass can refer to either a groupclass or an objectClass.
  249. For some LDAP servers (notably OpenLDAP without the ``memberOf`` overlay enabled) to determine group
  250. membership we need to know both the ``objectClass`` and the ``memberUid`` attributes. Usually for these
  251. servers you will want a ``auth.ldap.groupclass`` of ``posixGroup`` and an ``auth.ldap.groupattribute`` of
  252. ``memberUid``.
  253. LDAP servers with the ``memberOf`` overlay will have entries similar to ``auth.ldap.groupclass: person`` and
  254. ``auth.ldap.groupattribute: memberOf``.
  255. When using the ``ldap('DC=domain,DC=com')`` eauth operator, sometimes the records returned
  256. from LDAP or Active Directory have fully-qualified domain names attached, while minion IDs
  257. instead are simple hostnames. The parameter below allows the administrator to strip
  258. off a certain set of domain names so the hostnames looked up in the directory service
  259. can match the minion IDs.
  260. .. code-block:: yaml
  261. auth.ldap.minion_stripdomains: ['.external.bigcorp.com', '.internal.bigcorp.com']
  262. Determining Group Memberships (Active Directory)
  263. ++++++++++++++++++++++++++++++++++++++++++++++++
  264. Active Directory handles group membership differently, and does not utilize the
  265. ``groupou`` configuration variable. AD needs the following options in
  266. the master config:
  267. .. code-block:: yaml
  268. auth.ldap.activedirectory: True
  269. auth.ldap.filter: sAMAccountName={{username}}
  270. auth.ldap.accountattributename: sAMAccountName
  271. auth.ldap.groupclass: group
  272. auth.ldap.persontype: person
  273. To determine group membership in AD, the username and password that is entered
  274. when LDAP is requested as the eAuth mechanism on the command line is used to
  275. bind to AD's LDAP interface. If this fails, then it doesn't matter what groups
  276. the user belongs to, he or she is denied access. Next, the ``distinguishedName``
  277. of the user is looked up with the following LDAP search:
  278. .. code-block:: text
  279. (&(<value of auth.ldap.accountattributename>={{username}})
  280. (objectClass=<value of auth.ldap.persontype>)
  281. )
  282. This should return a distinguishedName that we can use to filter for group
  283. membership. Then the following LDAP query is executed:
  284. .. code-block:: text
  285. (&(member=<distinguishedName from search above>)
  286. (objectClass=<value of auth.ldap.groupclass>)
  287. )
  288. .. code-block:: yaml
  289. external_auth:
  290. ldap:
  291. test_ldap_user:
  292. - '*':
  293. - test.ping
  294. To configure a LDAP group, append a ``%`` to the ID:
  295. .. code-block:: yaml
  296. external_auth:
  297. ldap:
  298. test_ldap_group%:
  299. - '*':
  300. - test.echo
  301. In addition, if there are a set of computers in the directory service that should
  302. be part of the eAuth definition, they can be specified like this:
  303. .. code-block:: yaml
  304. external_auth:
  305. ldap:
  306. test_ldap_group%:
  307. - ldap('DC=corp,DC=example,DC=com'):
  308. - test.echo
  309. The string inside ``ldap()`` above is any valid LDAP/AD tree limiter. ``OU=`` in
  310. particular is permitted as long as it would return a list of computer objects.