.. _publisher-acl:

====================
Publisher ACL system
====================

The salt publisher ACL system is a means to allow system users other than root
to have access to execute select salt commands on minions from the master.

.. note::

    ``publisher_acl`` is useful for allowing local system users to run Salt
    commands without giving them root access. If you can log into the Salt
    master directly, then ``publisher_acl`` allows you to use Salt without
    root privileges. If the local system is configured to authenticate against
    a remote system, like LDAP or Active Directory, then ``publisher_acl`` will
    interact with the remote system transparently.

    ``external_auth`` is useful for ``salt-api`` or for making your own scripts
    that use Salt's Python API. It can be used at the CLI (with the ``-a``
    flag) but it is more cumbersome as there are more steps involved. The only
    time it is useful at the CLI is when the local system is *not* configured
    to authenticate against an external service *but* you still want Salt to
    authenticate against an external service.

    For more information and examples, see :ref:`this Access Control System
    <acl_types>` section.

The publisher ACL system is configured in the master configuration file via the
``publisher_acl`` configuration option. Under the ``publisher_acl`` option the
users allowed to send commands are listed, each followed by the minion
functions that are made available to that user. Both users and functions can
be specified by exact match, shell glob or regular expression. This
configuration is much like the :ref:`external_auth <acl-eauth>` configuration:

.. code-block:: yaml

    publisher_acl:
      # Allow thatch to execute anything.
      thatch:
        - .*
      # Allow fred to use test and pkg, but only on "web*" minions.
      fred:
        - web*:
          - test.*
          - pkg.*
      # Allow admin and managers to use saltutil module functions
      admin|manager_.*:
        - saltutil.*
      # Allow users to use only my_mod functions on "web*" minions with specific arguments.
      user_.*:
        - web*:
          - 'my_mod.*':
              args:
                - 'a.*'
                - 'b.*'
              kwargs:
                'kwa': 'kwa.*'
                'kwb': 'kwb'

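The matching rules just described (user, minion target, function and argument
patterns, each tried as an exact match, shell glob or regular expression, deny
by default) are easier to reason about when written out as a checker. The
following is an added illustration for this page, not Salt's own
``publisher_acl`` implementation: Salt's real check runs inside the master and
also resolves the requested target expression, whereas this version is handed
the concrete minion IDs a command would reach. It assumes regexes are anchored
to the whole string, that each positional argument must match the pattern at
the same index, that every keyword argument must have a listed pattern, and
that anything beyond the listed patterns is denied.

```python
import fnmatch
import re

# Constructed ACL that mirrors the documented publisher_acl YAML, written as
# a Python dict so the block runs without a YAML parser.
PUBLISHER_ACL = {
    "thatch": [".*"],
    "fred": [{"web*": ["test.*", "pkg.*"]}],
    "admin|manager_.*": ["saltutil.*"],
    "user_.*": [
        {"web*": [{"my_mod.*": {"args": ["a.*", "b.*"],
                                "kwargs": {"kwa": "kwa.*", "kwb": "kwb"}}}]}
    ],
}


def pattern_match(pattern, value):
    """True if value equals pattern, matches it as a shell glob, or matches it
    as a regular expression. Assumption: regexes are anchored to the whole
    string (re.fullmatch), so 'test.*' can never match 'mytest.ping'."""
    value = str(value)
    if pattern == value or fnmatch.fnmatchcase(value, pattern):
        return True
    try:
        return re.fullmatch(pattern, value) is not None
    except re.error:  # an invalid regex grants nothing
        return False


def args_allowed(limits, args, kwargs):
    """Assumed argument rules: positional arg i must match pattern i, every
    kwarg must have a listed pattern and match it, extras are denied."""
    arg_pats = limits.get("args", [])
    if len(args) > len(arg_pats):
        return False
    if not all(pattern_match(p, a) for p, a in zip(arg_pats, args)):
        return False
    kw_pats = limits.get("kwargs", {})
    return all(k in kw_pats and pattern_match(kw_pats[k], v)
               for k, v in kwargs.items())


def fun_allowed(entry, fun, args, kwargs):
    """entry is a function pattern string or {pattern: {args:, kwargs:}}."""
    if isinstance(entry, str):
        return pattern_match(entry, fun)
    fun_pat, limits = next(iter(entry.items()))
    return pattern_match(fun_pat, fun) and args_allowed(limits or {}, args, kwargs)


def is_permitted(acl, user, minion_ids, fun, args=(), kwargs=None):
    """Decide whether user may run fun(args, kwargs) on every minion in
    minion_ids. Deny by default: only an explicit matching entry allows."""
    kwargs = kwargs or {}
    for user_pat, entries in acl.items():
        if not pattern_match(user_pat, user):
            continue
        for entry in entries:
            if isinstance(entry, dict):
                key, body = next(iter(entry.items()))
                if isinstance(body, list):
                    # {target: [function entries]}: functions scoped to the
                    # minions matching target; every minion must match.
                    if all(pattern_match(key, m) for m in minion_ids) and \
                       any(fun_allowed(f, fun, args, kwargs) for f in body):
                        return True
                    continue
            # Bare function pattern or {pattern: {args, kwargs}}: any minion.
            if fun_allowed(entry, fun, args, kwargs):
                return True
    return False
```

Because the same string is tried as both a glob and a regex, ``test.*`` also
admits ``testing.foo`` in this checker (as a regex the dot matches any
character); listing functions exactly, or writing ``test\..*``, keeps a grant
as narrow as its comment says.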
Permission Issues
-----------------

Directories required for ``publisher_acl`` must be modified to be readable by
the users specified:

.. code-block:: bash

    chmod 755 /var/cache/salt /var/cache/salt/master /var/cache/salt/master/jobs /var/run/salt /var/run/salt/master

.. note::

    In addition to the changes above you will also need to modify the
    permissions of /var/log/salt and the existing log file to be writable by
    the user(s) which will be running the commands. If you do not wish to do
    this then you must disable logging or Salt will generate errors as it
    cannot write to the logs as the system users.

If you are upgrading from earlier versions of salt you must also remove any
existing user keys and restart the Salt master:

.. code-block:: bash

    rm /var/cache/salt/.*key
    service salt-master restart

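A quick way to confirm the permission changes above took effect for a given
account, before that account starts getting cache or log errors, is to compute
the permission class (owner, group or other) each path grants to that uid and
compare it with what ``publisher_acl`` needs. The audit below is an added
example written for this page, not a tool shipped with Salt; the directory
list is the one from the ``chmod`` line, the log file name is site-specific
and therefore passed in by the caller, and the command-line entry point is a
hypothetical invocation.

```python
import os
import stat

# Directories the page says must be readable (mode 755) by the ACL users.
ACL_DIRS = [
    "/var/cache/salt",
    "/var/cache/salt/master",
    "/var/cache/salt/master/jobs",
    "/var/run/salt",
    "/var/run/salt/master",
]
# The log directory must additionally be writable; the log file itself is
# passed in by the caller because its name depends on the master's config.
LOG_DIRS = ["/var/log/salt"]


def effective_bits(st, uid, gids):
    """Return the rwx bits that apply to a process with this uid and this
    set of group ids: owner bits if it owns the path, group bits if the
    owning group is among its groups, otherwise the 'other' bits."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 0o7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 0o7
    return st.st_mode & 0o7


def audit(need_rx, need_w, uid, gids):
    """List every path that does not give uid the access publisher_acl needs:
    r-x (0o5) on directories it must traverse and read, -w- (0o2) on paths
    it must write. Missing paths are reported rather than skipped."""
    checks = [(p, 0o5, "r-x") for p in need_rx] + [(p, 0o2, "-w-") for p in need_w]
    problems = []
    for path, want, label in checks:
        try:
            st = os.stat(path)
        except FileNotFoundError:
            problems.append(f"{path}: missing")
            continue
        have = effective_bits(st, uid, gids)
        if have & want != want:
            problems.append(
                f"{path}: {stat.filemode(st.st_mode)} owned by "
                f"{st.st_uid}:{st.st_gid} denies uid {uid} {label}"
            )
    return problems


def audit_user(uid, gids, log_file):
    """Run the page's checklist for one account: cache/run directories must
    be r-x, the log directory and the log file must be writable."""
    return audit(ACL_DIRS, LOG_DIRS + [log_file], uid, gids)


if __name__ == "__main__":
    # Hypothetical invocation: python3 acl_perms.py <username> <path-to-log-file>
    import pwd
    import sys

    pw = pwd.getpwnam(sys.argv[1])
    gids = set(os.getgrouplist(pw.pw_name, pw.pw_gid))
    for line in audit_user(pw.pw_uid, gids, sys.argv[2]) or ["all paths accessible"]:
        print(line)
```

Note that ``755`` grants the r-x bits to every local account, not only the
users named in ``publisher_acl``; if that is wider than wanted, ``750`` with the
ACL users in the owning group passes the same audit, which is why the check
takes the account's full set of group ids rather than a single gid.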
Whitelist and Blacklist
-----------------------

Salt's authentication systems can be configured by specifying what is allowed
using a whitelist, or by specifying what is disallowed using a blacklist. If
you specify a whitelist, only specified operations are allowed. If you specify
a blacklist, all operations are allowed except those that are blacklisted.

See :conf_master:`publisher_acl` and :conf_master:`publisher_acl_blacklist`.