saltstack/salt
1
0
Fork 0
mirror of https://github.com/saltstack/salt.git synced 2025-04-17 10:10:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Doc note about user names regex matching in pub acl and eauth.

Browse source
This commit is contained in:
Dmitry Kuzmenko 2018-01-17 10:49:35 +03:00
parent e29c0ff19e
commit f33ebcada0
No known key found for this signature in database
GPG key ID: 4C7CAD30C95651DA
2 changed files with 13 additions and 11 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
doc/ref/publisheracl.rst
View file

@ -10,9 +10,10 @@ to have access to execute select salt commands on minions from the master.
The publisher ACL system is configured in the master configuration file via the
``publisher_acl`` configuration option. Under the ``publisher_acl``
configuration option the users open to send commands are specified and then a
list of regular expressions which specify the minion functions which will be
made available to specified user. This configuration is much like the
:ref:`external_auth <acl-eauth>` configuration:
list of the minion functions which will be made available to specified user.
Both users and functions could be specified by exact match, shell glob or
regular expression. This configuration is much like the :ref:`external_auth
<acl-eauth>` configuration:
.. code-block:: yaml
@ -25,8 +26,8 @@ made available to specified user. This configuration is much like the
- web*:
- test.*
- pkg.*
# Allow managers to use saltutil module functions
manager_.*:
# Allow admin and managers to use saltutil module functions
admin|manager_.*:
- saltutil.*
# Allow users to use only my_mod functions on "web*" minions with specific arguments.
user_.*:

13
doc/topics/eauth/index.rst
View file

@ -27,12 +27,13 @@ in the master configuration file and uses the :ref:`access control system
- 'web*':
- test.*
- network.*
steve:
steve|admin.*:
- .*
The above configuration allows the user ``thatch`` to execute functions
in the test and network modules on the minions that match the web* target.
User ``steve`` is given unrestricted access to minion commands.
The above configuration allows the user ``thatch`` to execute functions in the
test and network modules on the minions that match the web* target. User
``steve`` and the users whose logins start with ``admin``, are granted
unrestricted access to minion commands.
Salt respects the current PAM configuration in place, and uses the 'login'
service to authenticate.
@ -71,8 +72,8 @@ Matching syntax
---------------
The structure of the ``external_auth`` dictionary can take the following
shapes. Function matches are regular expressions; minion matches are compound
targets.
shapes. User and function matches are exact matches, shell glob patterns or
regular expressions; minion matches are compound targets.
By user: