Merge pull request #25122 from arthurlogilab/sharedsecretauth

[auth] add sharedsecret auth (closes #25121)
2025-04-17 10:10:20 +00:00 · 2015-07-08 19:13:05 -06:00 · 2015-07-08 19:13:05 -06:00 · a2f1a56393
commit a2f1a56393
parent 0654ef5a08 82ef59dbd0
1 changed files with 44 additions and 0 deletions
--- a/salt/auth/sharedsecret.py
+++ b/salt/auth/sharedsecret.py
@ -0,0 +1,44 @@
+# -*- coding: utf-8 -*-
+'''Provide authentication using configured shared secret
+
+.. code-block:: yaml
+
+    external_auth:
+      sharedsecret:
+        fred:
+          - .*
+          - '@jobs'
+
+
+The shared secret should be added to the master configuration, for
+example in /etc/salt/master.d/sharedsecret.conf (make sure that file
+is only readable by the user running the master):
+
+.. code-block:: yaml
+
+   sharedsecret: OIUHF_CHANGE_THIS_12h88
+
+This auth module should be used with caution. It was initially
+designed to work with a frontal that takes care of authentication (for
+example kerberos) and places the shared secret in the HTTP headers to
+the salt-api call. This salt-api call should really be done on
+localhost to avoid someone eavesdropping on the shared secret.
+
+See the documentation for cherrypy to setup the headers in your
+frontal.
+
+.. versionadded:: Beryllium
+'''
+
+# Import python libs
+from __future__ import absolute_import
+import logging
+
+log = logging.getLogger(__name__)
+
+
+def auth(username, sharedsecret, **kwargs):
+    '''
+    Shared secret authentication
+    '''
+    return sharedsecret == __opts__.get('sharedsecret')