salt/doc/ref/publisheracl.rst

.. _publisher-acl:

====================
Publisher ACL system
====================

The salt publisher ACL system is a means to allow system users other than root
to have access to execute select salt commands on minions from the master.

.. note::

    ``publisher_acl`` is useful for allowing local system users to run Salt
    commands without giving them root access. If you can log into the Salt
    master directly, then ``publisher_acl`` allows you to use Salt without
    root privileges. If the local system is configured to authenticate against
    a remote system, like LDAP or Active Directory, then ``publisher_acl`` will
    interact with the remote system transparently.

    ``external_auth`` is useful for ``salt-api`` or for making your own scripts
    that use Salt's Python API. It can be used at the CLI (with the ``-a``
    flag) but it is more cumbersome as there are more steps involved.  The only
    time it is useful at the CLI is when the local system is *not* configured
    to authenticate against an external service *but* you still want Salt to
    authenticate against an external service.

    For more information and examples, see :ref:`this Access Control System
    <acl_types>` section.

The publisher ACL system is configured in the master configuration file via the
``publisher_acl`` configuration option. Under the ``publisher_acl``
configuration option the users open to send commands are specified and then a
list of the minion functions which will be made available to specified user.
Both users and functions could be specified by exact match, shell glob or
regular expression. This configuration is much like the :ref:`external_auth
<acl-eauth>` configuration:

.. code-block:: yaml

    publisher_acl:
      # Allow thatch to execute anything.
      thatch:
        - .*
      # Allow fred to use test and pkg, but only on "web*" minions.
      fred:
        - web*:
          - test.*
          - pkg.*
      # Allow admin and managers to use saltutil module functions
      admin|manager_.*:
        - saltutil.*
      # Allow users to use only my_mod functions on "web*" minions with specific arguments.
      user_.*:
        - web*:
          - 'my_mod.*':
              args:
                - 'a.*'
                - 'b.*'
              kwargs:
                'kwa': 'kwa.*'
                'kwb': 'kwb'

Permission Issues
-----------------
Directories required for ``publisher_acl`` must be modified to be readable by
the users specified:

.. code-block:: bash

    chmod 755 /var/cache/salt /var/cache/salt/master /var/cache/salt/master/jobs /var/run/salt /var/run/salt/master

.. note::

    In addition to the changes above you will also need to modify the
    permissions of /var/log/salt and the existing log file to be writable by
    the user(s) which will be running the commands. If you do not wish to do
    this then you must disable logging or Salt will generate errors as it
    cannot write to the logs as the system users.

If you are upgrading from earlier versions of salt you must also remove any
existing user keys and re-start the Salt master:

.. code-block:: bash

    rm /var/cache/salt/.*key
    service salt-master restart

Whitelist and Blacklist
-----------------------
Salt's authentication systems can be configured by specifying what is allowed
using a whitelist, or by specifying what is disallowed using a blacklist. If
you specify a whitelist, only specified operations are allowed. If you specify
a blacklist, all operations are allowed except those that are blacklisted.

See :conf_master:`publisher_acl` and :conf_master:`publisher_acl_blacklist`.
Doc restructuring, organization, and cleanup. Updated the doc navigation. 2016-01-31 20:10:02 -07:00			`.. _publisher-acl:`

Deprecate client_acl with publisher_acl (rename) Keeping client_acl support 2015-10-22 13:04:49 +03:00			`====================`
			`Publisher ACL system`
			`====================`
Add docs for new client_acl capabilities 2012-09-10 10:10:55 -06:00
Deprecate client_acl with publisher_acl (rename) Keeping client_acl support 2015-10-22 13:04:49 +03:00			`The salt publisher ACL system is a means to allow system users other than root`
			`to have access to execute select salt commands on minions from the master.`
Add docs for new client_acl capabilities 2012-09-10 10:10:55 -06:00
Port #49617 to master 2020-05-07 17:44:07 +03:00			`.. note::`

			``publisher_acl`` is useful for allowing local system users to run Salt
			`commands without giving them root access. If you can log into the Salt`
			master directly, then ``publisher_acl`` allows you to use Salt without
			`root privileges. If the local system is configured to authenticate against`
			a remote system, like LDAP or Active Directory, then ``publisher_acl`` will
			`interact with the remote system transparently.`

			``external_auth`` is useful for ``salt-api`` or for making your own scripts
			that use Salt's Python API. It can be used at the CLI (with the ``-a``
			`flag) but it is more cumbersome as there are more steps involved. The only`
			`time it is useful at the CLI is when the local system is not configured`
			`to authenticate against an external service but you still want Salt to`
			`authenticate against an external service.`

			For more information and examples, see :ref:`this Access Control System
			<acl_types>` section.

Deprecate client_acl with publisher_acl (rename) Keeping client_acl support 2015-10-22 13:04:49 +03:00			`The publisher ACL system is configured in the master configuration file via the`
			``publisher_acl`` configuration option. Under the ``publisher_acl``
			`configuration option the users open to send commands are specified and then a`
Doc note about user names regex matching in pub acl and eauth. 2018-01-17 10:49:35 +03:00			`list of the minion functions which will be made available to specified user.`
			`Both users and functions could be specified by exact match, shell glob or`
			regular expression. This configuration is much like the :ref:`external_auth
			<acl-eauth>` configuration:
Add docs for new client_acl capabilities 2012-09-10 10:10:55 -06:00
			`.. code-block:: yaml`

Deprecate client_acl with publisher_acl (rename) Keeping client_acl support 2015-10-22 13:04:49 +03:00			`publisher_acl:`
Demonstrate per-minion client_acl. The client_acl system supports setting restrictions based on minion name. Update the Client ACL System reference page to reflect this. 2015-07-14 12:59:43 +10:00			`# Allow thatch to execute anything.`
Add docs for new client_acl capabilities 2012-09-10 10:10:55 -06:00			`thatch:`
			`- .*`
Typo in client_acl ref doc. 2015-07-14 13:40:01 +10:00			`# Allow fred to use test and pkg, but only on "web*" minions.`
Add docs for new client_acl capabilities 2012-09-10 10:10:55 -06:00			`fred:`
Typo in client_acl ref doc. 2015-07-14 13:40:01 +10:00			`- web*:`
Demonstrate per-minion client_acl. The client_acl system supports setting restrictions based on minion name. Update the Client ACL System reference page to reflect this. 2015-07-14 12:59:43 +10:00			`- test.*`
			`- pkg.*`
Doc note about user names regex matching in pub acl and eauth. 2018-01-17 10:49:35 +03:00			`# Allow admin and managers to use saltutil module functions`
			`admin\|manager_.*:`
Support regex in publisher_acl. 2017-09-12 23:10:06 +03:00			`- saltutil.*`
Docs update for function args limit in pub acl. 2018-01-11 18:07:46 +03:00			`# Allow users to use only my_mod functions on "web*" minions with specific arguments.`
			`user_.*:`
			`- web*:`
			`- 'my_mod.*':`
			`args:`
			`- 'a.*'`
			`- 'b.*'`
			`kwargs:`
			`'kwa': 'kwa.*'`
			`'kwb': 'kwb'`
Add docs for new client_acl capabilities 2012-09-10 10:10:55 -06:00
			`Permission Issues`
Doc restructuring, organization, and cleanup. Updated the doc navigation. 2016-01-31 20:10:02 -07:00			`-----------------`
Deprecate client_acl with publisher_acl (rename) Keeping client_acl support 2015-10-22 13:04:49 +03:00			Directories required for ``publisher_acl`` must be modified to be readable by
			`the users specified:`
make it not a bug 2012-09-25 19:24:33 -07:00
			`.. code-block:: bash`

Add one additional folder and clarification to client_acl docs 2014-11-17 14:55:08 -07:00			`chmod 755 /var/cache/salt /var/cache/salt/master /var/cache/salt/master/jobs /var/run/salt /var/run/salt/master`
make it not a bug 2012-09-25 19:24:33 -07:00
Updated clientacl docs to resolve 6802. 2013-12-14 05:45:31 +00:00			`.. note::`

			`In addition to the changes above you will also need to modify the`
Add one additional folder and clarification to client_acl docs 2014-11-17 14:55:08 -07:00			`permissions of /var/log/salt and the existing log file to be writable by`
			`the user(s) which will be running the commands. If you do not wish to do`
			`this then you must disable logging or Salt will generate errors as it`
			`cannot write to the logs as the system users.`
Updated clientacl docs to resolve 6802. 2013-12-14 05:45:31 +00:00
make it not a bug 2012-09-25 19:24:33 -07:00			`If you are upgrading from earlier versions of salt you must also remove any`
			`existing user keys and re-start the Salt master:`
Add docs for new client_acl capabilities 2012-09-10 10:10:55 -06:00
			`.. code-block:: bash`

Update doc/ref/clientacl.rst delete extra 's' on the key removal 2012-10-04 10:48:12 -07:00			`rm /var/cache/salt/.*key`
Demonstrate per-minion client_acl. The client_acl system supports setting restrictions based on minion name. Update the Client ACL System reference page to reflect this. 2015-07-14 12:59:43 +10:00			`service salt-master restart`
Doc restructuring, organization, and cleanup. Updated the doc navigation. 2016-01-31 20:10:02 -07:00
			`Whitelist and Blacklist`
			`-----------------------`
			`Salt's authentication systems can be configured by specifying what is allowed`
			`using a whitelist, or by specifying what is disallowed using a blacklist. If`
			`you specify a whitelist, only specified operations are allowed. If you specify`
			`a blacklist, all operations are allowed except those that are blacklisted.`

			See :conf_master:`publisher_acl` and :conf_master:`publisher_acl_blacklist`.