Optionally keep auth list in token.

This commit is contained in:
Dmitry Kuzmenko 2017-03-16 20:32:10 +03:00
parent 0c38b5d9fb
commit 9309a83d21
6 changed files with 54 additions and 10 deletions


@ -362,6 +362,11 @@
#
#token_expire_user_override: False
# Set to True to enable keeping the calculated user's auth list in the token
# file. This is disabled by default and the auth list is calculated or requested
# from the eauth driver each time.
#keep_acl_in_token: False
# Allow minions to push files to the master. This is disabled by default, for
# security purposes.
#file_recv: False
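Review bot: The new comment on `keep_acl_in_token` explains the default but not the consequence of turning it on, which is the thing an operator needs before enabling it: once the auth list is written into the token file it is reused for the token's whole lifetime (`token_expire`, 43200 seconds by default in this commit), so a user whose permissions are reduced keeps the old list until the token expires. I would extend the comment with `# NOTE: when enabled, changes that would alter a user's computed auth list (for example eauth group membership) do not affect tokens already issued until those tokens expire; see token_expire.` Whether `external_auth` edits are also covered depends on what `__get_acl` reads, which is not visible here, so word it in terms of the eauth result rather than the config file.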


@ -1031,6 +1031,21 @@ and usernames may be given:
ldap:
- gary
.. conf_master:: keep_acl_in_token
``keep_acl_in_token``
---------------------
Default: ``False``
Set to True to enable keeping the calculated user's auth list in the token
file. This is disabled by default and the auth list is calculated or requested
from the eauth driver each time.
.. code-block:: yaml
keep_acl_in_token: False
.. conf_master:: file_recv
``file_recv``


@ -218,8 +218,8 @@ class LoadAuth(object):
'eauth': load['eauth'],
'token': tok}
acl_ret = self.__get_acl(load)
if acl_ret is not None:
if self.opts['keep_acl_in_token']:
acl_ret = self.__get_acl(load)
tdata['auth_list'] = acl_ret
if 'groups' in load:
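Review bot: The `if acl_ret is not None:` guard that the old code had before `tdata['auth_list'] = acl_ret` is dropped on the new side, so when `keep_acl_in_token` is on and `__get_acl` returns None the token file now carries `auth_list: None`. Every consumer added in this commit selects the cached value with `'auth_list' in token`, so that None would be handed to `runner_check`/`wheel_check`/`auth_check` instead of falling back to `get_auth_list`. Reinstate the guard between the `self.__get_acl(load)` call and the assignment: `if acl_ret is not None:` with `tdata['auth_list'] = acl_ret` nested under it. I would also read the option as `self.opts.get('keep_acl_in_token', False)`, since `LoadAuth` may be built from an opts dict that does not come from `DEFAULT_MASTER_OPTS` (hedged, the constructor is not in this hunk). The enclosing method of `LoadAuth` starts and ends outside the hunk.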


@ -688,6 +688,9 @@ VALID_OPTS = {
'fileserver_limit_traversal': bool,
'fileserver_verify_config': bool,
# Optionally enables keeping the calculated user's auth list in the token file.
'keep_acl_in_token': bool,
# The number of open files a daemon is allowed to have open. Frequently needs to be increased
# higher than the system default in order to account for the way zeromq consumes file handles.
'max_open_files': int,
@ -1386,6 +1389,7 @@ DEFAULT_MASTER_OPTS = {
'external_auth': {},
'token_expire': 43200,
'token_expire_user_override': False,
'keep_acl_in_token': False,
'extension_modules': os.path.join(salt.syspaths.CACHE_DIR, 'master', 'extmods'),
'file_recv': False,
'file_recv_max_size': 100,


@ -1062,6 +1062,10 @@ class LocalFuncs(object):
return dict(error=dict(name=err_name,
message='Authentication failure of type "token" occurred.'))
username = token['name']
if self.opts['keep_acl_in_token'] and 'auth_list' in token:
auth_list = token['auth_list']
else:
auth_list = self.loadauth.get_auth_list(load)
else:
auth_type = 'eauth'
err_name = 'EauthAuthenticationError'
@ -1070,8 +1074,8 @@ class LocalFuncs(object):
return dict(error=dict(name=err_name,
message=('Authentication failure of type "eauth" occurred '
'for user {0}.').format(username)))
auth_list = self.loadauth.get_auth_list(load)
auth_list = self.loadauth.get_auth_list(load)
if not self.ckminions.runner_check(auth_list, load['fun']):
return dict(error=dict(name=err_name,
message=('Authentication failure of type "{0}" occurred '
@ -1103,6 +1107,10 @@ class LocalFuncs(object):
return dict(error=dict(name=err_name,
message='Authentication failure of type "token" occurred.'))
username = token['name']
if self.opts['keep_acl_in_token'] and 'auth_list' in token:
auth_list = token['auth_list']
else:
auth_list = self.loadauth.get_auth_list(load)
elif 'eauth' in load:
auth_type = 'eauth'
err_name = 'EauthAuthenticationError'
@ -1111,6 +1119,7 @@ class LocalFuncs(object):
return dict(error=dict(name=err_name,
message=('Authentication failure of type "eauth" occurred for '
'user {0}.').format(username)))
auth_list = self.loadauth.get_auth_list(load)
else:
auth_type = 'user'
err_name = 'UserAuthenticationError'
@ -1120,8 +1129,7 @@ class LocalFuncs(object):
message=('Authentication failure of type "user" occurred for '
'user {0}.').format(username)))
if not auth_type == 'user':
auth_list = self.loadauth.get_auth_list(load)
if auth_type != 'user':
if not self.ckminions.wheel_check(auth_list, load['fun']):
return dict(error=dict(name=err_name,
message=('Authentication failure of type "{0}" occurred for '
@ -1212,7 +1220,10 @@ class LocalFuncs(object):
return ''
# Get acl from eauth module.
auth_list = self.loadauth.get_auth_list(extra)
if self.opts['keep_acl_in_token'] and 'auth_list' in token:
auth_list = token['auth_list']
else:
auth_list = self.loadauth.get_auth_list(extra)
# Authorize the request
if not self.ckminions.auth_check(
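Review bot: The same four-line token-or-eauth selection is pasted three times in this file (the runner, wheel and publish paths) and three more times in `ClearFuncs` in master.py, and each copy tests `'auth_list' in token`, which accepts a token that stores `auth_list: None` and then passes None to the authorization check. A single private helper keeps the six copies in step and tightens the test to a non-None value; the publish path would call it with `extra` in place of `load`. Assuming `token` is the dict loaded from the token file, as `token['name']` above suggests, the helper and one call site look like this; the surrounding methods start and end outside the hunks.
```python
def _auth_list_for(self, token, load):
    # Use the ACL cached in the token only when the option is on and the
    # token actually carries a non-None list; otherwise recompute via eauth.
    if self.opts['keep_acl_in_token'] and token.get('auth_list') is not None:
        return token['auth_list']
    return self.loadauth.get_auth_list(load)

# … unchanged: token validation and username = token['name'] …
auth_list = self._auth_list_for(token, load)
```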


@ -1671,7 +1671,10 @@ class ClearFuncs(object):
message='Authentication failure of type "token" occurred.'))
# Authorize
auth_list = self.loadauth.get_auth_list(clear_load)
if self.opts['keep_acl_in_token'] and 'auth_list' in token:
auth_list = token['auth_list']
else:
auth_list = self.loadauth.get_auth_list(clear_load)
if not self.ckminions.runner_check(auth_list, clear_load['fun']):
return dict(error=dict(name='TokenAuthenticationError',
@ -1735,7 +1738,10 @@ class ClearFuncs(object):
message='Authentication failure of type "token" occurred.'))
# Authorize
auth_list = self.loadauth.get_auth_list(clear_load)
if self.opts['keep_acl_in_token'] and 'auth_list' in token:
auth_list = token['auth_list']
else:
auth_list = self.loadauth.get_auth_list(clear_load)
if not self.ckminions.wheel_check(auth_list, clear_load['fun']):
return dict(error=dict(name='TokenAuthenticationError',
message=('Authentication failure of type "token" occurred for '
@ -1855,8 +1861,11 @@ class ClearFuncs(object):
if not token:
return ''
# Get acl from eauth module.
auth_list = self.loadauth.get_auth_list(extra)
# Get acl
if self.opts['keep_acl_in_token'] and 'auth_list' in token:
auth_list = token['auth_list']
else:
auth_list = self.loadauth.get_auth_list(extra)
# Authorize the request
if not self.ckminions.auth_check(