Merge pull request #43467 from DSRCorporation/bugs/43124_users_regex

Bugs/43124 users regex

doc/ref/publisheracl.rst

@@ -25,6 +25,9 @@ configuration:
         - web*:
           - test.*
           - pkg.*
+      # Allow managers to use saltutil module functions
+      manager_.*:
+        - saltutil.*
 
 Permission Issues
 -----------------

salt/auth/__init__.py

@@ -377,46 +377,13 @@ class LoadAuth(object):
         eauth_config = self.opts['external_auth'][eauth]
         if not groups:
             groups = []
-        group_perm_keys = [item for item in eauth_config if item.endswith('%')]  # The configured auth groups
-
-        # First we need to know if the user is allowed to proceed via any of their group memberships.
-        group_auth_match = False
-        for group_config in group_perm_keys:
-            if group_config.rstrip('%') in groups:
-                group_auth_match = True
-                break
-        # If a group_auth_match is set it means only that we have a
-        # user which matches at least one or more of the groups defined
-        # in the configuration file.
-
-        external_auth_in_db = False
-        for entry in eauth_config:
-            if entry.startswith('^'):
-                external_auth_in_db = True
-                break
-
-        # If neither a catchall, a named membership or a group
-        # membership is found, there is no need to continue. Simply
-        # deny the user access.
-        if not ((name in eauth_config) |
-                ('*' in eauth_config) |
-                group_auth_match | external_auth_in_db):
-            # Auth successful, but no matching user found in config
-            log.warning('Authorization failure occurred.')
-            return None
 
         # We now have an authenticated session and it is time to determine
         # what the user has access to.
-        auth_list = []
-        if name in eauth_config:
-            auth_list = eauth_config[name]
-        elif '*' in eauth_config:
-            auth_list = eauth_config['*']
-        if group_auth_match:
-            auth_list = self.ckminions.fill_auth_list_from_groups(
-                    eauth_config,
-                    groups,
-                    auth_list)
+        auth_list = self.ckminions.fill_auth_list(
+                eauth_config,
+                name,
+                groups)
 
         auth_list = self.__process_acl(load, auth_list)
 

salt/config/__init__.py

@@ -717,6 +717,10 @@ VALID_OPTS = {
     'fileserver_limit_traversal': bool,
     'fileserver_verify_config': bool,
 
+    # Optionally apply '*' permissioins to any user. By default '*' is a fallback case that is
+    # applied only if the user didn't matched by other matchers.
+    'permissive_acl': bool,
+
     # Optionally enables keeping the calculated user's auth list in the token file.
     'keep_acl_in_token': bool,
 
@@ -1466,6 +1470,7 @@ DEFAULT_MASTER_OPTS = {
     'external_auth': {},
     'token_expire': 43200,
     'token_expire_user_override': False,
+    'permissive_acl': False,
     'keep_acl_in_token': False,
     'eauth_acl_module': '',
     'extension_modules': os.path.join(salt.syspaths.CACHE_DIR, 'master', 'extmods'),

salt/daemons/masterapi.py

@@ -204,6 +204,14 @@ def clean_old_jobs(opts):
 
 
 def mk_key(opts, user):
+    if HAS_PWD:
+        uid = None
+        try:
+            uid = pwd.getpwnam(user).pw_uid
+        except KeyError:
+            # User doesn't exist in the system
+            if opts['client_acl_verify']:
+                return None
     if salt.utils.is_windows():
         # The username may contain '\' if it is in Windows
         # 'DOMAIN\username' format. Fix this for the keyfile path.
@@ -231,9 +239,9 @@ def mk_key(opts, user):
     # Write access is necessary since on subsequent runs, if the file
     # exists, it needs to be written to again. Windows enforces this.
     os.chmod(keyfile, 0o600)
-    if HAS_PWD:
+    if HAS_PWD and uid is not None:
         try:
-            os.chown(keyfile, pwd.getpwnam(user).pw_uid, -1)
+            os.chown(keyfile, uid, -1)
         except OSError:
             # The master is not being run as root and can therefore not
             # chown the key file
@@ -248,27 +256,26 @@ def access_keys(opts):
     '''
     # TODO: Need a way to get all available users for systems not supported by pwd module.
     #       For now users pattern matching will not work for publisher_acl.
-    users = []
     keys = {}
     publisher_acl = opts['publisher_acl']
     acl_users = set(publisher_acl.keys())
     if opts.get('user'):
         acl_users.add(opts['user'])
     acl_users.add(salt.utils.get_user())
+    for user in acl_users:
+        log.info('Preparing the %s key for local communication', user)
+        key = mk_key(opts, user)
+        if key is not None:
+            keys[user] = key
+
+    # Check other users matching ACL patterns
     if opts['client_acl_verify'] and HAS_PWD:
         log.profile('Beginning pwd.getpwall() call in masterarpi access_keys function')
         for user in pwd.getpwall():
-            users.append(user.pw_name)
-        log.profile('End pwd.getpwall() call in masterarpi access_keys function')
-    for user in acl_users:
-        log.info('Preparing the %s key for local communication', user)
-        keys[user] = mk_key(opts, user)
-
-    # Check other users matching ACL patterns
-    if HAS_PWD:
-        for user in users:
+            user = user.pw_name
             if user not in keys and salt.utils.check_whitelist_blacklist(user, whitelist=acl_users):
                 keys[user] = mk_key(opts, user)
+        log.profile('End pwd.getpwall() call in masterarpi access_keys function')
 
     return keys
 

salt/utils/minions.py

@@ -985,10 +985,37 @@ class CkMinions(object):
                         auth_list.append(matcher)
         return auth_list
 
+    def fill_auth_list(self, auth_provider, name, groups, auth_list=None, permissive=None):
+        '''
+        Returns a list of authorisation matchers that a user is eligible for.
+        This list is a combination of the provided personal matchers plus the
+        matchers of any group the user is in.
+        '''
+        if auth_list is None:
+            auth_list = []
+        if permissive is None:
+            permissive = self.opts.get('permissive_acl')
+        name_matched = False
+        for match in auth_provider:
+            if match == '*' and not permissive:
+                continue
+            if match.endswith('%'):
+                if match.rstrip('%') in groups:
+                    auth_list.extend(auth_provider[match])
+            else:
+                if salt.utils.expr_match(match, name):
+                    name_matched = True
+                    auth_list.extend(auth_provider[match])
+        if not permissive and not name_matched and '*' in auth_provider:
+            auth_list.extend(auth_provider['*'])
+        return auth_list
+
     def wheel_check(self, auth_list, fun):
         '''
         Check special API permissions
         '''
+        if not auth_list:
+            return False
         comps = fun.split('.')
         if len(comps) != 2:
             return False
@@ -1020,6 +1047,8 @@ class CkMinions(object):
         '''
         Check special API permissions
         '''
+        if not auth_list:
+            return False
         comps = fun.split('.')
         if len(comps) != 2:
             return False
@@ -1051,6 +1080,8 @@ class CkMinions(object):
         '''
         Check special API permissions
         '''
+        if not auth_list:
+            return False
         if form != 'cloud':
             comps = fun.split('.')
             if len(comps) != 2: