saltstack/salt
1
0
Fork 0
mirror of https://github.com/saltstack/salt.git synced 2025-04-17 10:10:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Only change mine data if using new allow_tgt feature

Browse source
This commit is contained in:
ch3ll 2020-02-14 10:24:32 -05:00
parent 9adc2214c3
commit f6348127dc
No known key found for this signature in database
GPG key ID: 1124C6796EBDBD8D
9 changed files with 180 additions and 120 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
doc/topics/releases/3000.rst
View file

@ -592,6 +592,19 @@ Enhancements to chroot
:py:func:`highstate<salt.modules.chroot.highstate>` that allow executing
states in sls files or running apply/highstate inside of a chroot.
Minion-side ACL
---------------
Salt has had master-side ACL for the salt mine for some time, where the master
configuration contained `mine_get` that specified which minions could request
which functions. However, now you can specify which minions can access a function
in the salt mine function definition itself (or when calling :py:func:`mine.send <salt.modules.mine.send>`).
This targeting works the same as the generic minion targeting as specified
:ref:`here <targeting>`. The parameters used are ``allow_tgt`` and ``allow_tgt_type``.
See also :ref:`the documentation of the Salt Mine <mine_minion-side-acl>`. Please
note that if you want to use this new feature both your minion and masters will need
to be on atleast version 3000.
Deprecations
============

11
doc/topics/releases/sodium.rst
View file

@ -16,14 +16,3 @@ also support the syntax used in :py:mod:`module.run <salt.states.module.run>`.
The old syntax for the mine_function - as a dict, or as a list with dicts that
contain more than exactly one key - is still supported but discouraged in favor
of the more uniform syntax of module.run.
Minion-side ACL
---------------
Salt has had master-side ACL for the salt mine for some time, where the master
configuration contained `mine_get` that specified which minions could request
which functions. However, now you can specify which minions can access a function
in the salt mine function definition itself (or when calling :py:func:`mine.send <salt.modules.mine.send>`).
This targeting works the same as the generic minion targeting as specified
:ref:`here <targeting>`. The parameters used are ``allow_tgt`` and ``allow_tgt_type``.
See also :ref:`the documentation of the Salt Mine <mine_minion-side-acl>`.

13
salt/daemons/masterapi.py
View file

@ -617,14 +617,17 @@ class RemoteFuncs(object):
if 'allow_tgt' in mine_entry:
# Only determine allowed targets if any have been specified.
# This prevents having to add a list of all minions as allowed targets.
get_minion = checker.check_minions(
mine_entry['allow_tgt'],
mine_entry.get('allow_tgt_type', 'glob'))['minions']
# the minion in allow_tgt does not exist
if not get_minion:
continue
salt.utils.dictupdate.set_dict_key_value(
minion_side_acl,
'{}:{}'.format(minion, function),
checker.check_minions(
mine_entry['allow_tgt'],
mine_entry.get('allow_tgt_type', 'glob')
)['minions']
)
get_minion
)
if salt.utils.mine.minion_side_acl_denied(minion_side_acl, minion, function, load['id']):
continue
if _ret_dict:

33
salt/modules/mine.py
View file

@ -194,10 +194,13 @@ def update(clear=False, mine_functions=None):
log.error('Function %s in mine.update failed to execute', function_name or function_alias)
log.debug('Error: %s', trace)
continue
mine_data[function_alias] = salt.utils.mine.wrap_acl_structure(
res,
**minion_acl
)
if minion_acl.get('allow_tgt'):
mine_data[function_alias] = salt.utils.mine.wrap_acl_structure(
res,
**minion_acl
)
else:
mine_data[function_alias] = res
return _mine_store(mine_data, clear)
@ -213,9 +216,13 @@ def send(name, *args, **kwargs):
:param str mine_function: The name of the execution_module.function to run
and whose value will be stored in the salt mine. Defaults to ``name``.
:param str allow_tgt: Targeting specification for ACL. Specifies which minions
are allowed to access this function.
are allowed to access this function. Please note both your master and
minion need to be on atleast version 3000 for this to work properly.
:param str allow_tgt_type: Type of the targeting specification. This value will
be ignored if ``allow_tgt`` is not specified.
be ignored if ``allow_tgt`` is not specified. Please note both your
master and minion need to be on atleast version 3000 for this to work
properly.
Remaining args and kwargs will be passed on to the function to run.
@ -252,11 +259,15 @@ def send(name, *args, **kwargs):
log.error('Function %s in mine.send failed to execute', mine_function or name)
log.debug('Error: %s', trace)
return False
mine_data[name] = salt.utils.mine.wrap_acl_structure(
res,
allow_tgt=allow_tgt,
allow_tgt_type=allow_tgt_type
)
if allow_tgt:
mine_data[name] = salt.utils.mine.wrap_acl_structure(
res,
allow_tgt=allow_tgt,
allow_tgt_type=allow_tgt_type
)
else:
mine_data[name] = res
return _mine_store(mine_data)

3
tests/integration/files/conf/minion
View file

@ -95,6 +95,9 @@ config_test:
mine_functions:
test.ping: []
test.arg:
- isn't
- allow_tgt: 'sub_minion'
# sdb env module
osenv:

5
tests/integration/files/conf/sub_minion
View file

@ -62,3 +62,8 @@ grains:
keystone.password: demopass
keystone.tenant: demo
keystone.auth_url: http://127.0.0.1:5000/v3/
mine_functions:
test.arg:
- isn't
- allow_tgt: 'sub_minion'

88
tests/integration/modules/test_mine.py
View file

@ -8,10 +8,11 @@ import time
import pprint
# Import Salt Testing libs
from tests.support.case import ModuleCase
from tests.support.case import ModuleCase, ShellCase
from tests.support.runtests import RUNTIME_VARS
class MineTest(ModuleCase):
class MineTest(ModuleCase, ShellCase):
'''
Test the mine system
'''
@ -22,15 +23,8 @@ class MineTest(ModuleCase):
'''
test mine.get and mine.update
'''
self.assertTrue(self.run_function('mine.update', minion_tgt='minion'))
# The sub_minion does not have mine_functions defined in its configuration
# In this case, mine.update returns None
self.assertIsNone(
self.run_function(
'mine.update',
minion_tgt='sub_minion'
)
)
assert self.run_function('mine.update', minion_tgt='minion')
assert self.run_function('mine.update', minion_tgt='sub_minion')
# Since the minion has mine_functions defined in its configuration,
# mine.update will return True
self.assertTrue(
@ -40,6 +34,78 @@ class MineTest(ModuleCase):
)
)
def test_get_allow_tgt(self):
'''
test mine.get and mine.update using allow_tgt
'''
assert self.run_function('mine.update', minion_tgt='minion')
assert self.run_function('mine.update', minion_tgt='sub_minion')
# sub_minion should be able to view test.arg data
sub_min_ret = self.run_call(r'mine.get \* test.arg', config_dir=RUNTIME_VARS.TMP_SUB_MINION_CONF_DIR)
assert " - isn't" in sub_min_ret
# minion should not be able to view test.arg data
min_ret = self.run_call(r'mine.get \* test.arg')
assert " - isn't" not in min_ret
def test_send_allow_tgt(self):
'''
test mine.send with allow_tgt set
'''
mine_name = 'test_this'
for minion in ['sub_minion', 'minion']:
assert self.run_function('mine.send', [mine_name,
'mine_function=test.arg_clean', 'one'], allow_tgt='sub_minion',
minion_tgt=minion)
min_ret = self.run_call(r'mine.get \* ' + mine_name)
sub_ret = self.run_call(r'mine.get \* ' + mine_name,
config_dir=RUNTIME_VARS.TMP_SUB_MINION_CONF_DIR)
# ensure we did get the mine_name mine function for sub_minion
assert ' - one' in sub_ret
# ensure we did not get the mine_name mine function for minion
assert ' - one' not in min_ret
def test_send_allow_tgt_compound(self):
'''
test mine.send with allow_tgt set
and using compound targeting
'''
mine_name = 'test_this_comp'
for minion in ['sub_minion', 'minion']:
assert self.run_function('mine.send', [mine_name,
'mine_function=test.arg_clean', 'one'],
allow_tgt='L@minion,sub_minion',
allow_tgt_type='compound',
minion_tgt=minion)
min_ret = self.run_call(r'mine.get \* ' + mine_name)
sub_ret = self.run_call(r'mine.get \* ' + mine_name,
config_dir=RUNTIME_VARS.TMP_SUB_MINION_CONF_DIR)
# ensure we get the mine_name mine function for both minions
for ret in [min_ret, sub_ret]:
assert ' - one' in ret
def test_send_allow_tgt_doesnotexist(self):
'''
test mine.send with allow_tgt set when
the minion defined in allow_tgt does
not exist
'''
mine_name = 'mine_doesnotexist'
for minion in ['sub_minion', 'minion']:
assert self.run_function('mine.send', [mine_name,
'mine_function=test.arg_clean', 'one'], allow_tgt='doesnotexist',
minion_tgt=minion)
min_ret = self.run_call(r'mine.get \* ' + mine_name)
sub_ret = self.run_call(r'mine.get \* ' + mine_name,
config_dir=RUNTIME_VARS.TMP_SUB_MINION_CONF_DIR)
# ensure we did not get the mine_name mine function for both minions
for ret in [sub_ret, min_ret]:
assert ' - one' not in ret
def test_send(self):
'''
test mine.send

15
tests/support/case.py
View file

@ -175,9 +175,12 @@ class ShellTestCase(TestCase, AdaptedConfigurationTestCaseMixin, ScriptPathMixin
arg_str = '--config-dir {0} {1}'.format(self.config_dir, arg_str)
return self.run_script('salt-cp', arg_str, with_retcode=with_retcode, catch_stderr=catch_stderr)
def run_call(self, arg_str, with_retcode=False, catch_stderr=False, local=False, timeout=15):
def run_call(self, arg_str, with_retcode=False, catch_stderr=False,
local=False, timeout=15, config_dir=None):
if not config_dir:
config_dir = self.config_dir
arg_str = '{0} --config-dir {1} {2}'.format('--local' if local else '',
self.config_dir, arg_str)
config_dir, arg_str)
return self.run_script('salt-call',
arg_str,
@ -582,12 +585,14 @@ class ShellCase(ShellTestCase, AdaptedConfigurationTestCaseMixin, ScriptPathMixi
timeout=timeout)
def run_call(self, arg_str, with_retcode=False, catch_stderr=False, # pylint: disable=W0221
local=False, timeout=RUN_TIMEOUT):
local=False, timeout=RUN_TIMEOUT, config_dir=None):
'''
Execute salt-call.
'''
if not config_dir:
config_dir = self.config_dir
arg_str = '{0} --config-dir {1} {2}'.format('--local' if local else '',
self.config_dir, arg_str)
config_dir, arg_str)
ret = self.run_script('salt-call',
arg_str,
with_retcode=with_retcode,
@ -772,8 +777,6 @@ class ModuleCase(TestCase, SaltClientTestCaseMixin):
'ssh.recv_known_host_entries',
'time.sleep'
)
if minion_tgt == 'sub_minion':
known_to_return_none += ('mine.update',)
if 'f_arg' in kwargs:
kwargs['arg'] = kwargs.pop('f_arg')
if 'f_timeout' in kwargs:

119
tests/unit/modules/test_mine.py
View file

@ -43,6 +43,9 @@ class MineTestCase(TestCase, LoaderModuleMockMixin):
Test cases for salt.modules.mine
'''
def setUp(self):
self.kernel_ret = 'Linux!'
self.foo_ret = 'baz'
self.ip_ret = '2001:db8::1:3'
self.cache = FakeCache()
def setup_loader_modules(self):
@ -94,15 +97,16 @@ class MineTestCase(TestCase, LoaderModuleMockMixin):
'''
Tests sending an item to the mine in the minion's local cache,
and then immediately fetching it again (since tests are executed unordered).
Also verify that the stored mine cache has the correct structure (with ACL).
Also verify that the stored mine cache does not use ACL data structure
without allow_tgt passed.
'''
with patch.dict(mine.__opts__, {
'file_client': 'local',
'id': 'webserver',
}), \
patch.dict(mine.__salt__, {
'network.ip_addrs': MagicMock(return_value='2001:db8::1:3'),
'foo.bar': MagicMock(return_value='baz'),
'network.ip_addrs': MagicMock(return_value=self.ip_ret),
'foo.bar': MagicMock(return_value=self.foo_ret),
}):
ret = mine.send('ip_addr', mine_function='network.ip_addrs')
mine.send('foo.bar')
@ -110,14 +114,8 @@ class MineTestCase(TestCase, LoaderModuleMockMixin):
self.assertEqual(
self.cache.fetch('minions/webserver', 'mine_cache'),
{
'ip_addr': {
salt.utils.mine.MINE_ITEM_ACL_DATA: '2001:db8::1:3',
salt.utils.mine.MINE_ITEM_ACL_ID: salt.utils.mine.MINE_ITEM_ACL_VERSION,
},
'foo.bar': {
salt.utils.mine.MINE_ITEM_ACL_DATA: 'baz',
salt.utils.mine.MINE_ITEM_ACL_ID: salt.utils.mine.MINE_ITEM_ACL_VERSION,
},
'ip_addr': self.ip_ret,
'foo.bar': self.foo_ret,
}
)
with patch.dict(mine.__opts__, {
@ -128,9 +126,9 @@ class MineTestCase(TestCase, LoaderModuleMockMixin):
ret_single_dict = mine.get('*', ['ip_addr'])
ret_multi = mine.get('*', 'ip_addr,foo.bar')
ret_multi2 = mine.get('*', ['ip_addr', 'foo.bar'])
self.assertEqual(ret_single, {'webserver': '2001:db8::1:3'})
self.assertEqual(ret_single_dict, {'ip_addr': {'webserver': '2001:db8::1:3'}})
self.assertEqual(ret_multi, {'ip_addr': {'webserver': '2001:db8::1:3'}, 'foo.bar': {'webserver': 'baz'}})
self.assertEqual(ret_single, {'webserver': self.ip_ret})
self.assertEqual(ret_single_dict, {'ip_addr': {'webserver': self.ip_ret}})
self.assertEqual(ret_multi, {'ip_addr': {'webserver': self.ip_ret}, 'foo.bar': {'webserver': self.foo_ret}})
self.assertEqual(ret_multi, ret_multi2)
def test_send_get_acl_local(self):
@ -138,15 +136,16 @@ class MineTestCase(TestCase, LoaderModuleMockMixin):
Tests sending an item to the mine in the minion's local cache,
including ACL information (useless when only working locally, but hey),
and then immediately fetching it again (since tests are executed unordered).
Also verify that the stored mine cache has the correct structure (with ACL).
Also verify that the stored mine cache has the correct structure (with ACL)
when using allow_tgt and no ACL without allow_tgt.
'''
with patch.dict(mine.__opts__, {
'file_client': 'local',
'id': 'webserver',
}), \
patch.dict(mine.__salt__, {
'network.ip_addrs': MagicMock(return_value='2001:db8::1:3'),
'foo.bar': MagicMock(return_value='baz'),
'network.ip_addrs': MagicMock(return_value=self.ip_ret),
'foo.bar': MagicMock(return_value=self.foo_ret),
}):
ret = mine.send('ip_addr', mine_function='network.ip_addrs', allow_tgt='web*', allow_tgt_type='glob')
mine.send('foo.bar')
@ -155,15 +154,12 @@ class MineTestCase(TestCase, LoaderModuleMockMixin):
self.cache.fetch('minions/webserver', 'mine_cache'),
{
'ip_addr': {
salt.utils.mine.MINE_ITEM_ACL_DATA: '2001:db8::1:3',
salt.utils.mine.MINE_ITEM_ACL_DATA: self.ip_ret,
salt.utils.mine.MINE_ITEM_ACL_ID: salt.utils.mine.MINE_ITEM_ACL_VERSION,
'allow_tgt': 'web*',
'allow_tgt_type': 'glob',
},
'foo.bar': {
salt.utils.mine.MINE_ITEM_ACL_DATA: 'baz',
salt.utils.mine.MINE_ITEM_ACL_ID: salt.utils.mine.MINE_ITEM_ACL_VERSION,
},
'foo.bar': self.foo_ret,
}
)
with patch.dict(mine.__opts__, {
@ -171,7 +167,7 @@ class MineTestCase(TestCase, LoaderModuleMockMixin):
'id': 'webserver',
}):
ret_single = mine.get('*', 'ip_addr')
self.assertEqual(ret_single, {'webserver': '2001:db8::1:3'})
self.assertEqual(ret_single, {'webserver': self.ip_ret})
def test_send_master(self):
'''
@ -180,7 +176,7 @@ class MineTestCase(TestCase, LoaderModuleMockMixin):
'''
with patch.object(mine, '_mine_send', MagicMock(side_effect=lambda x, y: x)),\
patch.dict(mine.__salt__, {
'foo.bar': MagicMock(return_value='baz'),
'foo.bar': MagicMock(return_value=self.foo_ret),
}), \
patch.dict(mine.__opts__, {
'file_client': 'remote',
@ -192,12 +188,7 @@ class MineTestCase(TestCase, LoaderModuleMockMixin):
{
'id': 'foo',
'cmd': '_mine',
'data': {
'foo.bar': {
salt.utils.mine.MINE_ITEM_ACL_DATA: 'baz',
salt.utils.mine.MINE_ITEM_ACL_ID: salt.utils.mine.MINE_ITEM_ACL_VERSION,
},
},
'data': {'foo.bar': self.foo_ret},
'clear': False,
}
)
@ -209,7 +200,7 @@ class MineTestCase(TestCase, LoaderModuleMockMixin):
'''
with patch.object(mine, '_mine_send', MagicMock(side_effect=lambda x, y: x)),\
patch.dict(mine.__salt__, {
'foo.bar': MagicMock(return_value='baz'),
'foo.bar': MagicMock(return_value=self.foo_ret),
}), \
patch.dict(mine.__opts__, {
'file_client': 'remote',
@ -223,7 +214,7 @@ class MineTestCase(TestCase, LoaderModuleMockMixin):
'cmd': '_mine',
'data': {
'foo.bar': {
salt.utils.mine.MINE_ITEM_ACL_DATA: 'baz',
salt.utils.mine.MINE_ITEM_ACL_DATA: self.foo_ret,
salt.utils.mine.MINE_ITEM_ACL_ID: salt.utils.mine.MINE_ITEM_ACL_VERSION,
'allow_tgt': 'roles:web',
'allow_tgt_type': 'grains',
@ -239,7 +230,7 @@ class MineTestCase(TestCase, LoaderModuleMockMixin):
'''
mock_load = {
'tgt_type': 'qux',
'tgt': 'baz',
'tgt': self.foo_ret,
'cmd': '_mine_get',
'fun': 'foo.bar',
'id': 'foo'
@ -292,9 +283,9 @@ class MineTestCase(TestCase, LoaderModuleMockMixin):
}), \
patch.dict(mine.__salt__, {
'config.merge': MagicMock(return_value=config_mine_functions),
'grains.get': lambda x: 'Linux!',
'network.ip_addrs': MagicMock(return_value='2001:db8::1:3'),
'foo.bar': MagicMock(return_value='baz'),
'grains.get': lambda x: self.kernel_ret,
'network.ip_addrs': MagicMock(return_value=self.ip_ret),
'foo.bar': MagicMock(return_value=self.foo_ret),
}):
ret = mine.update()
self.assertEqual(ret, 'FakeCache:StoreSuccess!')
@ -302,22 +293,16 @@ class MineTestCase(TestCase, LoaderModuleMockMixin):
self.assertEqual(
self.cache.fetch('minions/webserver', 'mine_cache'),
{
'ip_addr': {
salt.utils.mine.MINE_ITEM_ACL_DATA: '2001:db8::1:3',
salt.utils.mine.MINE_ITEM_ACL_ID: salt.utils.mine.MINE_ITEM_ACL_VERSION,
},
'network.ip_addrs': {
salt.utils.mine.MINE_ITEM_ACL_DATA: '2001:db8::1:3',
salt.utils.mine.MINE_ITEM_ACL_ID: salt.utils.mine.MINE_ITEM_ACL_VERSION,
},
'ip_addr': self.ip_ret,
'network.ip_addrs': self.ip_ret,
'foo.bar': {
salt.utils.mine.MINE_ITEM_ACL_DATA: 'baz',
salt.utils.mine.MINE_ITEM_ACL_DATA: self.foo_ret,
salt.utils.mine.MINE_ITEM_ACL_ID: salt.utils.mine.MINE_ITEM_ACL_VERSION,
'allow_tgt': 'G@roles:webserver',
'allow_tgt_type': 'compound',
},
'kernel': {
salt.utils.mine.MINE_ITEM_ACL_DATA: 'Linux!',
salt.utils.mine.MINE_ITEM_ACL_DATA: self.kernel_ret,
salt.utils.mine.MINE_ITEM_ACL_ID: salt.utils.mine.MINE_ITEM_ACL_VERSION,
'allow_tgt': 'web*',
},
@ -343,8 +328,8 @@ class MineTestCase(TestCase, LoaderModuleMockMixin):
patch.dict(mine.__salt__, {
'config.merge': MagicMock(return_value={}),
'grains.get': lambda x: 'Linux!!',
'network.ip_addrs': MagicMock(return_value='2001:db8::1:4'),
'foo.bar': MagicMock(return_value='baz'),
'network.ip_addrs': MagicMock(return_value=self.ip_ret),
'foo.bar': MagicMock(return_value=self.foo_ret),
}):
ret = mine.update(mine_functions=manual_mine_functions)
self.assertEqual(ret, 'FakeCache:StoreSuccess!')
@ -352,16 +337,10 @@ class MineTestCase(TestCase, LoaderModuleMockMixin):
self.assertEqual(
self.cache.fetch('minions/webserver', 'mine_cache'),
{
'ip_addr': {
salt.utils.mine.MINE_ITEM_ACL_DATA: '2001:db8::1:4',
salt.utils.mine.MINE_ITEM_ACL_ID: salt.utils.mine.MINE_ITEM_ACL_VERSION,
},
'network.ip_addrs': {
salt.utils.mine.MINE_ITEM_ACL_DATA: '2001:db8::1:4',
salt.utils.mine.MINE_ITEM_ACL_ID: salt.utils.mine.MINE_ITEM_ACL_VERSION,
},
'ip_addr': self.ip_ret,
'network.ip_addrs': self.ip_ret,
'foo.bar': {
salt.utils.mine.MINE_ITEM_ACL_DATA: 'baz',
salt.utils.mine.MINE_ITEM_ACL_DATA: self.foo_ret,
salt.utils.mine.MINE_ITEM_ACL_ID: salt.utils.mine.MINE_ITEM_ACL_VERSION,
'allow_tgt': 'G@roles:webserver',
'allow_tgt_type': 'compound',
@ -388,22 +367,10 @@ class MineTestCase(TestCase, LoaderModuleMockMixin):
'id': 'webserver',
'cmd': '_mine',
'data': {
'ip_addr': {
salt.utils.mine.MINE_ITEM_ACL_DATA: '2001:db8::1:3',
salt.utils.mine.MINE_ITEM_ACL_ID: salt.utils.mine.MINE_ITEM_ACL_VERSION,
},
'network.ip_addrs': {
salt.utils.mine.MINE_ITEM_ACL_DATA: '2001:db8::1:3',
salt.utils.mine.MINE_ITEM_ACL_ID: salt.utils.mine.MINE_ITEM_ACL_VERSION,
},
'foo.bar': {
salt.utils.mine.MINE_ITEM_ACL_DATA: 'baz',
salt.utils.mine.MINE_ITEM_ACL_ID: salt.utils.mine.MINE_ITEM_ACL_VERSION,
},
'kernel': {
salt.utils.mine.MINE_ITEM_ACL_DATA: 'Linux!',
salt.utils.mine.MINE_ITEM_ACL_ID: salt.utils.mine.MINE_ITEM_ACL_VERSION,
},
'ip_addr': self.ip_ret,
'network.ip_addrs': self.ip_ret,
'foo.bar': self.foo_ret,
'kernel': self.kernel_ret,
},
'clear': False,
}
@ -415,9 +382,9 @@ class MineTestCase(TestCase, LoaderModuleMockMixin):
}), \
patch.dict(mine.__salt__, {
'config.merge': MagicMock(return_value=config_mine_functions),
'grains.get': lambda x: 'Linux!',
'network.ip_addrs': MagicMock(return_value='2001:db8::1:3'),
'foo.bar': MagicMock(return_value='baz'),
'grains.get': lambda x: self.kernel_ret,
'network.ip_addrs': MagicMock(return_value=self.ip_ret),
'foo.bar': MagicMock(return_value=self.foo_ret),
}):
# Verify the correct load
self.assertEqual(