The salt publisher ACL system is a means to allow system users other than root to have access to execute select salt commands on minions from the master.
publisher_acl is useful for allowing local system users to run Salt
commands without giving them root access. If you can log into the Salt
master directly, then
publisher_acl allows you to use Salt without
root privileges. If the local system is configured to authenticate against
a remote system, like LDAP or Active Directory, then
interact with the remote system transparently.
external_auth is useful for
salt-api or for making your own scripts
that use Salt's Python API. It can be used at the CLI (with the
flag) but it is more cumbersome as there are more steps involved. The only
time it is useful at the CLI is when the local system is not configured
to authenticate against an external service but you still want Salt to
authenticate against an external service.
For more information and examples, see this Access Control System section.
The publisher ACL system is configured in the master configuration file via the
publisher_acl configuration option. Under the
configuration option the users open to send commands are specified and then a
list of the minion functions which will be made available to specified user.
Both users and functions could be specified by exact match, shell glob or
regular expression. This configuration is much like the external_auth configuration:
publisher_acl: # Allow thatch to execute anything. thatch: - .* # Allow fred to use test and pkg, but only on "web*" minions. fred: - web*: - test.* - pkg.* # Allow admin and managers to use saltutil module functions admin|manager_.*: - saltutil.* # Allow users to use only my_mod functions on "web*" minions with specific arguments. user_.*: - web*: - 'my_mod.*': args: - 'a.*' - 'b.*' kwargs: 'kwa': 'kwa.*' 'kwb': 'kwb'
Directories required for
publisher_acl must be modified to be readable by
the users specified:
chmod 755 /var/cache/salt /var/cache/salt/master /var/cache/salt/master/jobs /var/run/salt /var/run/salt/master
In addition to the changes above you will also need to modify the permissions of /var/log/salt and the existing log file to be writable by the user(s) which will be running the commands. If you do not wish to do this then you must disable logging or Salt will generate errors as it cannot write to the logs as the system users.
If you are upgrading from earlier versions of salt you must also remove any existing user keys and re-start the Salt master:
rm /var/cache/salt/.*key service salt-master restart
Salt's authentication systems can be configured by specifying what is allowed using a whitelist, or by specifying what is disallowed using a blacklist. If you specify a whitelist, only specified operations are allowed. If you specify a blacklist, all operations are allowed except those that are blacklisted.