Force keep_acl_in_token to True when rest external_auth is used

conf/master

@@ -424,6 +424,11 @@
 # Set to True to enable keeping the calculated user's auth list in the token
 # file. This is disabled by default and the auth list is calculated or requested
 # from the eauth driver each time.
+#
+# Note: `keep_acl_in_token` will be forced to True when using external authentication
+# for REST API (`rest` is present under `external_auth`). This is because the REST API
+# does not store the password, and can therefore not retroactively fetch the ACL, so
+# the ACL must be stored in the token.
 #keep_acl_in_token: False
 
 # Auth subsystem module to use to get authorized access list for a user. By default it's

conf/suse/master

@@ -376,6 +376,11 @@ syndic_user: salt
 # Set to True to enable keeping the calculated user's auth list in the token
 # file. This is disabled by default and the auth list is calculated or requested
 # from the eauth driver each time.
+#
+# Note: `keep_acl_in_token` will be forced to True when using external authentication
+# for REST API (`rest` is present under `external_auth`). This is because the REST API
+# does not store the password, and can therefore not retroactively fetch the ACL, so
+# the ACL must be stored in the token.
 #keep_acl_in_token: False
 
 # Auth subsystem module to use to get authorized access list for a user. By default it's

doc/ref/configuration/master.rst

@@ -1868,6 +1868,11 @@ Set to True to enable keeping the calculated user's auth list in the token
 file. This is disabled by default and the auth list is calculated or requested
 from the eauth driver each time.
 
+Note: `keep_acl_in_token` will be forced to True when using external authentication
+for REST API (`rest` is present under `external_auth`). This is because the REST API
+does not store the password, and can therefore not retroactively fetch the ACL, so
+the ACL must be stored in the token.
+
 .. code-block:: yaml
 
     keep_acl_in_token: False

salt/config/__init__.py

@@ -3917,6 +3917,18 @@ def apply_master_config(overrides=None, defaults=None):
     _adjust_log_file_override(overrides, defaults["log_file"])
     if overrides:
         opts.update(overrides)
+    # `keep_acl_in_token` will be forced to True when using external authentication
+    # for REST API (`rest` is present under `external_auth`). This is because the REST API
+    # does not store the password, and can therefore not retroactively fetch the ACL, so
+    # the ACL must be stored in the token.
+    if "rest" in opts.get("external_auth", {}):
+        # Check current value and print out warning
+        if opts["keep_acl_in_token"] is False:
+            log.warning(
+                "The 'rest' external_auth backend requires 'keep_acl_in_token' to be True. "
+                "Setting 'keep_acl_in_token' to True."
+            )
+        opts["keep_acl_in_token"] = True
 
     opts["__cli"] = salt.utils.stringutils.to_unicode(os.path.basename(sys.argv[0]))
 

tests/unit/test_config.py

@@ -1846,6 +1846,12 @@ class ConfigTestCase(TestCase, AdaptedConfigurationTestCaseMixin):
             self.assertNotIn("environment", ret)
             self.assertEqual(ret["saltenv"], "foo")
 
+            # Test config to verify that `keep_acl_in_token` is forced to True
+            # when `rest` is present as driver in the `external_auth` config.
+            overrides = {"external_auth": {"rest": {"^url": "http://test_url/rest"}}}
+            ret = salt.config.apply_master_config(overrides=overrides)
+            self.assertTrue(ret["keep_acl_in_token"])
+
             # MINION CONFIG
 
             # Ensure that environment overrides saltenv when saltenv not