auto accept keys in minions_autosign

Accept keyids if a file with the same name is found in minions_autosign.
Also adds an option to check the file's datestamp and accept the key only if it is within the timeout.
steverweber 2014-05-10 13:46:03 -04:00
parent 532bc7fc2f
commit 84bfe9ce18
5 changed files with 54 additions and 4 deletions


@ -146,6 +146,12 @@
# public keys from the minions. Note that this is insecure.
#auto_accept: False
# Time in minutes that a incomming public key with a matching name found in
# pki_dir/minion_autosign/keyid is automatically accepted. Expired autosign keys
# are removed when the master checks the minion_autosign directory.
# 0 equals no timeout
# autosign_timeout: 120
# If the autosign_file is specified, incoming keys specified in the
# autosign_file will be automatically accepted. This is insecure. Regular
# expressions as well as globing lines are supported.
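Review bot: The path given here, `pki_dir/minion_autosign/keyid`, names a directory that nothing in the commit creates; the Master parser hunk creates `minions_autosign` and `__check_autosign_dir` reads that same name, so the comment should read `# pki_dir/minions_autosign/<keyid>`. The option documented as `autosign_timeout` (and registered under that name in the config.py hunk) is not what the new code consults, which is `self.opts.get('autosign_expire_minutes', 10)`; as written a configured `autosign_timeout` is ignored and stubs expire after ten minutes, so either the lookup key or the documented name has to change. The same directory name and the `incomming` spelling also appear in the conf_master rst hunk.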


@ -395,6 +395,21 @@ public keys from minions.
auto_accept: False
.. conf_master:: autosign_timeout
``autosign_timeout``
-----------------
.. versionadded:: 2014.1.0 (Hydrogen)??????????????????
Default: ``120``
Time in minutes that a incomming public key with a matching name found in
pki_dir/minion_autosign/keyid is automatically accepted. Expired autosign keys
are removed when the master checks the minion_autosign directory. This method
to auto accept minions can be safer than a autosign_file because the
keyid record can expire and is limited to being an exact name match.
.. conf_master:: autosign_file
``autosign_file``


@ -72,6 +72,8 @@ class Master(parsers.MasterOptionParser):
os.path.join(self.config['pki_dir'], 'minions'),
os.path.join(self.config['pki_dir'], 'minions_pre'),
os.path.join(self.config['pki_dir'], 'minions_denied'),
os.path.join(self.config['pki_dir'],
'minions_autosign'),
os.path.join(self.config['pki_dir'],
'minions_rejected'),
self.config['cachedir'],


@ -184,6 +184,7 @@ VALID_OPTS = {
'fileserver_limit_traversal': bool,
'max_open_files': int,
'auto_accept': bool,
'autosign_timeout': int,
'master_tops': bool,
'order_masters': bool,
'job_cache': bool,
@ -281,6 +282,7 @@ DEFAULT_MINION_OPTS = {
'clean_dynamic_modules': True,
'open_mode': False,
'auto_accept': True,
'autosign_timeout': 120,
'multiprocessing': True,
'mine_interval': 60,
'ipc_mode': 'ipc',
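Review bot: The `'autosign_timeout': 120` default is added to the dict whose hunk header reads `DEFAULT_MINION_OPTS`, yet the only consumer is the master-side `ClearFuncs`; if that header context is accurate (the `@@` heading can be stale), `DEFAULT_MASTER_OPTS` needs the same entry or the master sees no default at all. `VALID_OPTS` registers the key as `int`, which also admits negative values, and the ClearFuncs hunk treats anything not `> 0` as "never expire", so a comment on the `VALID_OPTS` entry such as `# minutes; 0 or less disables expiry of autosign stubs` would make that contract visible. Both enclosing dict literals start and end outside the hunks.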


@ -1676,6 +1676,30 @@ class ClearFuncs(object):
return True
return False
def __check_autosign_dir(self, keyid):
'''
Check a keyid for membership in a autosign directory.
'''
autosign_dir = os.path.join(self.opts['pki_dir'], 'minions_autosign')
# cleanup expired files
expire_minutes = self.opts.get('autosign_expire_minutes', 10)
if expire_minutes > 0:
min_time = time.time() - (60 * int(expire_minutes))
for root, dirs, filenames in os.walk(autosign_dir):
for f in filenames:
stub_file = os.path.join(autosign_dir, f)
mtime = os.path.getmtime(stub_file)
if mtime < min_time:
log.warn('Autosign keyid expired {0}'.format(stub_file))
os.remove(stub_file)
stub_file = os.path.join(autosign_dir, keyid)
if not os.path.exists(stub_file):
return False
os.remove(stub_file)
return True
def __check_autoreject(self, keyid):
'''
Checks if the specified keyid should automatically be rejected.
@ -1691,10 +1715,11 @@ class ClearFuncs(object):
'''
if self.opts['auto_accept']:
return True
return self.__check_signing_file(
keyid,
self.opts.get('autosign_file', None)
)
if self.__check_signing_file(keyid, self.opts.get('autosign_file', None)):
return True
if self.__check_autosign_dir(keyid):
return True
return False
def _auth(self, load):
'''
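Review bot: The cleanup loop in `__check_autosign_dir` walks the directory recursively but builds `stub_file` from `autosign_dir` rather than `root`, so a file in any subdirectory yields a path that does not exist and `os.path.getmtime` raises OSError out of the auth path; a non-recursive `os.listdir` with an `isfile` test (or joining with `root`) fixes that. The `os.path.exists` followed by `os.remove` on the requested stub is a check-then-act pair that raises if a concurrent auth consumes the same file first, and the removals in the cleanup loop can fail the same way, so both should catch OSError and treat it as "not autosigned". `keyid` is taken from the incoming request and joined into the path without inspection; unless `_auth` validates the id before reaching here (not visible in this hunk), the function should accept only an exact basename match so the lookup and removal stay inside `minions_autosign`, which is also what the documentation promises. `log.warn` is the deprecated alias; `log.warning` is the logging API name. The `_auth` definition that follows continues outside the hunk.
```python
    def __check_autosign_dir(self, keyid):
        '''
        Check a keyid for membership in a autosign directory.

        Returns True only when an exact-basename stub for keyid exists in
        pki_dir/minions_autosign; the stub is consumed (removed) on success.
        '''
        autosign_dir = os.path.join(self.opts['pki_dir'], 'minions_autosign')
        # stubs are an exact basename match; refuse anything that could
        # resolve outside autosign_dir
        if keyid in ('', '.', '..') or keyid != os.path.basename(keyid):
            return False
        if not os.path.isdir(autosign_dir):
            return False
        # cleanup expired files
        expire_minutes = self.opts.get('autosign_expire_minutes', 10)
        if expire_minutes > 0:
            min_time = time.time() - (60 * int(expire_minutes))
            for f in os.listdir(autosign_dir):
                stub_file = os.path.join(autosign_dir, f)
                if not os.path.isfile(stub_file):
                    continue
                try:
                    if os.path.getmtime(stub_file) < min_time:
                        log.warning('Autosign keyid expired {0}'.format(stub_file))
                        os.remove(stub_file)
                except OSError:
                    # vanished or unreadable under a concurrent auth; skip it
                    continue
        stub_file = os.path.join(autosign_dir, keyid)
        try:
            os.remove(stub_file)
        except OSError:
            # no stub, or already consumed by another auth request
            return False
        return True
```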