Initial add of client_acl_blacklist (#3450)

This feature allows you to blacklist users (regex) and modules (regex)

conf/master

@@ -148,6 +148,16 @@
 #     - test.ping
 #     - network.*
 #
+
+# Blacklist any of the following users or modules
+client_acl_blacklist:
+  users:
+    - root
+    - '^(?!sudo_).*$'   #  all non sudo users
+  modules:
+    - cmd
+
+
 # The external auth system uses the Salt auth modules to authenticate and
 # validate users to access areas of the Salt system
 #
@@ -187,7 +197,7 @@
 #   ext_nodes: <Shell command which returns yaml>
 #
 #master_tops: {}
-# 
+#
 # The external_nodes option allows Salt to gather data that would normally be
 # placed in a top file. The external_nodes option is the executable that will
 # return the ENC data. Remember that Salt will look for external nodes AND top
@@ -206,7 +216,7 @@
 # The state_verbose setting can be set to True or False, when set to False
 # all data that has a result of True and no changes will be suppressed.
 #state_verbose: True
-# 
+#
 # The state_output setting changes if the output is the full multi line
 # output for each changed state if set to 'full', but if set to 'terse'
 # the output will be shortened to a single line.
@@ -278,7 +288,7 @@
 # fileserver_backend:
 #   - git
 #   - roots
-#fileserver_backend: 
+#fileserver_backend:
 #   - roots
 #
 # Git fileserver backend configuration
@@ -407,7 +417,7 @@
 #log_fmt_logfile: '%(asctime)s,%(msecs)03.0f [%(name)-17s][%(levelname)-8s] %(message)s'
 #
 # This can be used to control logging levels more specificically.  This
-# example sets the main salt library at the 'warning' level, but sets 
+# example sets the main salt library at the 'warning' level, but sets
 # 'salt.modules' to log at the 'debug' level:
 #   log_granular_levels:
 #     'salt': 'warning',
@@ -443,4 +453,4 @@
 #
 # List of git repositories to include with the local repo
 # win_gitrepos:
-#   - 'https://github.com/saltstack/salt-winrepo.git' 
+#   - 'https://github.com/saltstack/salt-winrepo.git'

salt/master.py

@@ -1559,6 +1559,31 @@ class ClearFuncs(object):
         by the LocalClient.
         '''
         extra = clear_load.get('kwargs', {})
+
+        # check blacklist/whitelist
+        good = True
+        # Check if the user is blacklisted
+        for user_re in self.opts['client_acl_blacklist'].get('users', []):
+            if re.match(user_re, clear_load['user']):
+                good = False
+                break
+
+        # check if the cmd is blacklisted
+        for module_re in self.opts['client_acl_blacklist'].get('modules', []):
+            if re.match(module_re, clear_load['fun']):
+                good = False
+                break
+
+        if good is False:
+            err = ('{user} does not have permissions to run {function}. '
+                     'Please contact your local administrator if you believe '
+                     'this is in error.\n'.format(user=clear_load['user'],
+                                                  function=clear_load['fun']))
+            log.error(err)
+            return ''
+        # to make sure we dont' step on anyone else's toes
+        del(good)
+
         # Check for external auth calls
         if extra.get('token', False):
             # A token was passwd, check it