Port #49617 to master

doc/ref/publisheracl.rst

@@ -7,6 +7,25 @@ Publisher ACL system
 The salt publisher ACL system is a means to allow system users other than root
 to have access to execute select salt commands on minions from the master.
 
+.. note::
+
+    ``publisher_acl`` is useful for allowing local system users to run Salt
+    commands without giving them root access. If you can log into the Salt
+    master directly, then ``publisher_acl`` allows you to use Salt without
+    root privileges. If the local system is configured to authenticate against
+    a remote system, like LDAP or Active Directory, then ``publisher_acl`` will
+    interact with the remote system transparently.
+
+    ``external_auth`` is useful for ``salt-api`` or for making your own scripts
+    that use Salt's Python API. It can be used at the CLI (with the ``-a``
+    flag) but it is more cumbersome as there are more steps involved.  The only
+    time it is useful at the CLI is when the local system is *not* configured
+    to authenticate against an external service *but* you still want Salt to
+    authenticate against an external service.
+
+    For more information and examples, see :ref:`this Access Control System
+    <acl_types>` section.
+
 The publisher ACL system is configured in the master configuration file via the
 ``publisher_acl`` configuration option. Under the ``publisher_acl``
 configuration option the users open to send commands are specified and then a

doc/topics/eauth/access_control.rst

@@ -28,6 +28,13 @@ case of the peer system.
     index
     ../../ref/peer
 
+.. The two paragraphs below (in the "When to use each authentication system"
+   heading) are copied in the doc/ref/publisheracl.rst and doc/topics/eauth/index.rst
+   topics as a note, at the top of the document. If you update the below
+   content, update it in the other two files as well.
+
+.. _acl_types:
+
 When to Use Each Authentication System
 ======================================
 ``publisher_acl`` is useful for allowing local system users to run Salt

doc/topics/eauth/index.rst

@@ -12,6 +12,25 @@ command authorization to any external authentication system, such as PAM or LDAP
     eAuth using the PAM external auth system requires salt-master to be run as
     root as this system needs root access to check authentication.
 
+.. note::
+
+    ``publisher_acl`` is useful for allowing local system users to run Salt
+    commands without giving them root access. If you can log into the Salt
+    master directly, then ``publisher_acl`` allows you to use Salt without
+    root privileges. If the local system is configured to authenticate against
+    a remote system, like LDAP or Active Directory, then ``publisher_acl`` will
+    interact with the remote system transparently.
+
+    ``external_auth`` is useful for ``salt-api`` or for making your own scripts
+    that use Salt's Python API. It can be used at the CLI (with the ``-a``
+    flag) but it is more cumbersome as there are more steps involved.  The only
+    time it is useful at the CLI is when the local system is *not* configured
+    to authenticate against an external service *but* you still want Salt to
+    authenticate against an external service.
+
+    For more information and examples, see :ref:`this Access Control System
+    <acl_types>` section.
+
 External Authentication System Configuration
 ============================================
 The external authentication system allows for specific users to be granted
@@ -275,7 +294,7 @@ Server configuration values and their defaults:
     auth.ldap.persontype: 'person'
 
     auth.ldap.minion_stripdomains: []
-    
+
     # Redhat Identity Policy Audit
     auth.ldap.freeipa: False
 
@@ -344,7 +363,7 @@ from LDAP or Active Directory have fully-qualified domain names attached, while
 instead are simple hostnames.  The parameter below allows the administrator to strip
 off a certain set of domain names so the hostnames looked up in the directory service
 can match the minion IDs.
-               
+
 .. code-block:: yaml
 
    auth.ldap.minion_stripdomains: ['.external.bigcorp.com', '.internal.bigcorp.com']