Adding master side acl support for mine.get

2025-04-17 10:10:20 +00:00 · 2013-09-23 12:00:19 -04:00 · 2013-09-23 12:00:19 -04:00 · 2ecaddb484
commit 2ecaddb484
parent 62b10849cd
2 changed files with 35 additions and 0 deletions
--- a/conf/master
+++ b/conf/master
@ -434,6 +434,26 @@
 #  foo.example.com:
 #    - manage.up

+#####         Mine settings     #####
+##########################################
+# Restrict mine.get access from minions. By default any minion has a full access
+# to get all mine data from master cache. In acl definion below, only pcre matches
+# are allowed.
+#
+# mine_get:
+#   .*:
+#     - .*
+#
+# Example below enables minion foo.example.com to get  'network.interfaces' mine data only
+# , minions web* to get all network.* and disk.* mine data and all other minions won't get
+# any mine data.
+#
+# mine_get:
+#   foo.example.com:
+#     - network.inetrfaces
+#   web.*:
+#     - network.*
+#     - disk.*

 #####         Logging settings       #####
 ##########################################
--- a/salt/master.py
+++ b/salt/master.py
@ -901,6 +901,21 @@ class AESFuncs(object):
        '''
        if any(key not in load for key in ('id', 'tgt', 'fun')):
            return {}
+        if 'mine_get' in self.opts:
+            # If master side acl defined.
+            if not isinstance(self.opts['mine_get'],dict):
+                return {}
+            perms = set()
+            for match in self.opts['mine_get']:
+                if re.match(match, load['id']):
+                    if isinstance(self.opts['mine_get'][match], list):
+                            perms.update(self.opts['mine_get'][match])
+            good = False
+            for perm in perms:
+                if re.match(perm, load['fun']):
+                    good = True
+            if not good:
+                return {}
        ret = {}
        if not salt.utils.verify.valid_id(self.opts, load['id']):
            return ret