Add option to enable clients in netapi

Adds an option to allow you to enable clients (eg ssh, wheel) in the netapi. By default all clients will be disabled. Does the check before any attempts to authenticate.
2025-04-15 09:10:20 +00:00 · 2020-11-03 21:29:38 +00:00 · 2020-11-03 21:29:38 +00:00 · 1780e503b7
commit 1780e503b7
parent eb4aeab301
3 changed files with 11 additions and 0 deletions
--- a/conf/master
+++ b/conf/master
@ -1340,3 +1340,6 @@
 ############################################
 # Allow the raw_shell parameter to be used when calling Salt SSH client via API
 #netapi_allow_raw_shell: True
+
+# Set a list of clients to enable in in the API
+#netapi_enable_clients: []
--- a/salt/config/init.py
+++ b/salt/config/init.py
@ -954,6 +954,8 @@ VALID_OPTS = immutabletypes.freeze(
        # Allow raw_shell option when using the ssh
        # client via the Salt API
        "netapi_allow_raw_shell": bool,
+        # Enable clients in the Salt API
+        "netapi_enable_clients": list,
        "disabled_requisites": (str, list),
        "global_state_conditions": (type(None), dict),
        # Feature flag config
@ -1618,6 +1620,7 @@ DEFAULT_MASTER_OPTS = immutabletypes.freeze(
        "pass_strict_fetch": False,
        "pass_gnupghome": "",
        "pass_dir": "",
+        "netapi_enable_clients": [],
    }
 )

--- a/salt/netapi/init.py
+++ b/salt/netapi/init.py
@ -157,6 +157,11 @@ class NetapiClient:
                "Invalid client specified: '{}'".format(low.get("client"))
            )

+        if low.get("client") not in self.opts.get("netapi_enable_clients"):
+            raise salt.exceptions.SaltInvocationError(
+                "Client disabled: '{}'".format(low.get("client"))
+            )
+
        if not ("token" in low or "eauth" in low):
            raise salt.exceptions.EauthAuthenticationError(
                "No authentication credentials given"