How to access a pillar from a Python script running on a minion as a non-root user


Tiago Meireles

Jun 21, 2017, 11:05:49 AM
to salt-...@googlegroups.com
I'm facing the following hurdle: I need to access pillar data from a
Python script running on a minion as a non-root user (reason: it's a
Nagios check which runs as 'nagios' user)

The relevant piece of code I'm using is:

import salt.client

# Caller() runs execution modules locally on the minion, using the minion's own config and keys
local = salt.client.Caller()
local.cmd('pillar.get', 'sdr')


When I manually run:
sudo -u nagios myscript.py

I get the error:

salt.exceptions.SaltClientError: Could not access /etc/salt/pki/minion.
Please give nagios read permissions.

After I give read permission (using setfacl) on /etc/salt/pki/minion to
the user 'nagios', I get a new error:

IOError: Write access denied to "/etc/salt/pki/minion" for user "nagios"


Why the heck does the Python client API need write permission on a
certificate directory in order to run?!

And does anyone know a workaround for accessing pillar data from a
minion from a Python script?


Thanks,
Tiago

Seth House

Jun 21, 2017, 11:38:15 AM
to salt users list
It reads the key to authenticate with the Salt Master, but off the top
of my head I'm unsure why it wants to write back to that dir. Since
Pillar data is potentially sensitive data, referencing it is best done
using the same user the Salt Minion is running as.

One option is to use sudo to whitelist the nagios user to run
`salt-call` CLI commands as the user the Minion is running under.
There's a partial example of this at the bottom of the `event.send`
docs [1].

Another option is to run a second Minion daemon on that machine with a
different Minion ID and configure it to run as the same user Nagios is
running under. Then you can send specific Pillar data to just that one
Minion instance.

[1] https://docs.saltstack.com/en/latest/ref/modules/all/salt.modules.event.html#salt.modules.event.send
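One way to implement the sudo option above from the Nagios check itself, as an added example that is not from the thread or from Salt: the script never touches /etc/salt/pki/minion, it delegates to `salt-call` through a narrowly scoped sudoers rule and parses the JSON result. The `nagios` user, the `/usr/bin/salt-call` path and the minion running as root are assumptions.

```python
import json
import subprocess

# Fixed argv that matches the assumed sudoers rule word for word, so the rule can stay narrow:
#   nagios ALL=(root) NOPASSWD: /usr/bin/salt-call --out=json pillar.get sdr
# (user, path and the root-owned minion are assumptions; adjust to your setup)
SALT_CALL_ARGV = ["sudo", "-n", "/usr/bin/salt-call", "--out=json", "pillar.get", "sdr"]


def parse_salt_call_json(output):
    """Extract the return value from `salt-call --out=json`, which nests it under "local"."""
    data = json.loads(output)
    if not isinstance(data, dict) or "local" not in data:
        raise ValueError("unexpected salt-call output: %r" % (output,))
    value = data["local"]
    # pillar.get returns its default, an empty string, when the key does not exist
    return None if value == "" else value


def get_pillar_sdr(runner=subprocess.check_output):
    """Return the 'sdr' pillar value for this minion, or None if it is not set.

    `runner` is injectable so the parsing can be exercised without a Salt install.
    """
    # No shell is involved, so nothing in argv is reinterpreted; check_output raises
    # CalledProcessError on a non-zero exit, and `sudo -n` fails instead of prompting
    # for a password when the sudoers rule does not match.
    output = runner(SALT_CALL_ARGV)
    if isinstance(output, bytes):
        output = output.decode("utf-8")
    return parse_salt_call_json(output)


# Constructed sample of what salt-call prints for a pillar key holding a small dict
SAMPLE_OUTPUT = b'{\n    "local": {\n        "host": "sdr01.example",\n        "port": 9000\n    }\n}\n'

if __name__ == "__main__":
    print(get_pillar_sdr(runner=lambda argv: SAMPLE_OUTPUT))
```

With this in place the setfacl grant on /etc/salt/pki/minion can be reverted, since the only process reading the minion key is salt-call running as the minion's own user.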