Allow to use different auth module for ACL.

2025-04-17 10:10:20 +00:00 · 2017-03-17 18:05:02 +03:00 · 2017-03-17 18:05:02 +03:00 · b09d83b6d7
commit b09d83b6d7
parent 9309a83d21
4 changed files with 27 additions and 1 deletions
--- a/conf/master
+++ b/conf/master
@ -367,6 +367,10 @@
 # from the eauth driver each time.
 #keep_acl_in_token: False

+# Auth subsystem module to use to get authorized access list for a user. By default it's
+# the same module used for external authentication.
+#eauth_acl_module: django
+
 # Allow minions to push files to the master. This is disabled by default, for
 # security purposes.
 #file_recv: False
--- a/doc/ref/configuration/master.rst
+++ b/doc/ref/configuration/master.rst
@ -1046,6 +1046,20 @@ from the eauth driver each time.

    keep_acl_in_token: False

+.. conf_master:: eauth_acl_module
+
+``eauth_acl_module``
+---------------------
+
+Default: ``''``
+
+Auth subsystem module to use to get authorized access list for a user. By default it's
+the same module used for external authentication.
+
+.. code-block:: yaml
+
+    eauth_acl_module: django
+
 .. conf_master:: file_recv

 ``file_recv``
--- a/salt/auth/init.py
+++ b/salt/auth/init.py
@ -127,7 +127,10 @@ class LoadAuth(object):
        '''
        if 'eauth' not in load:
            return None
-        fstr = '{0}.acl'.format(load['eauth'])
+        mod = self.opts['eauth_acl_module']
+        if not mod:
+            mod = load['eauth']
+        fstr = '{0}.acl'.format(mod)
        if fstr not in self.auth:
            return None
        fcall = salt.utils.format_call(self.auth[fstr],
--- a/salt/config/init.py
+++ b/salt/config/init.py
@ -691,6 +691,10 @@ VALID_OPTS = {
    # Optionally enables keeping the calculated user's auth list in the token file.
    'keep_acl_in_token': bool,

+    # Auth subsystem module to use to get authorized access list for a user. By default it's the
+    # same module used for external authentication.
+    'eauth_acl_module': str,
+
    # The number of open files a daemon is allowed to have open. Frequently needs to be increased
    # higher than the system default in order to account for the way zeromq consumes file handles.
    'max_open_files': int,
@ -1390,6 +1394,7 @@ DEFAULT_MASTER_OPTS = {
    'token_expire': 43200,
    'token_expire_user_override': False,
    'keep_acl_in_token': False,
+    'eauth_acl_module': '',
    'extension_modules': os.path.join(salt.syspaths.CACHE_DIR, 'master', 'extmods'),
    'file_recv': False,
    'file_recv_max_size': 100,