2.2 KiB
Publisher ACL system
The salt publisher ACL system is a means to allow system users other than root to have access to execute select salt commands on minions from the master.
The publisher ACL system is configured in the master configuration
file via the publisher_acl configuration option. Under the
publisher_acl configuration option the users open to send
commands are specified and then a list of regular expressions which
specify the minion functions which will be made available to specified
user. This configuration is much like the peer
configuration:
publisher_acl:
# Allow thatch to execute anything.
thatch:
- .*
# Allow fred to use test and pkg, but only on "web*" minions.
fred:
- web*:
- test.*
- pkg.*
# Allow managers to use saltutil module functions
manager_.*:
- saltutil.*Permission Issues
Directories required for publisher_acl must be modified
to be readable by the users specified:
chmod 755 /var/cache/salt /var/cache/salt/master /var/cache/salt/master/jobs /var/run/salt /var/run/salt/masterNote
In addition to the changes above you will also need to modify the permissions of /var/log/salt and the existing log file to be writable by the user(s) which will be running the commands. If you do not wish to do this then you must disable logging or Salt will generate errors as it cannot write to the logs as the system users.
If you are upgrading from earlier versions of salt you must also remove any existing user keys and re-start the Salt master:
rm /var/cache/salt/.*key
service salt-master restartWhitelist and Blacklist
Salt's authentication systems can be configured by specifying what is allowed using a whitelist, or by specifying what is disallowed using a blacklist. If you specify a whitelist, only specified operations are allowed. If you specify a blacklist, all operations are allowed except those that are blacklisted.
See publisher_acl and publisher_acl_blacklist.