How to access a pillar from a Python script running on a minion as a non-root user
Tiago Meireles
Jun 21, 2017, 11:05:49 AM6/21/17
to salt-...@googlegroups.com
I'm facing the following hurdle: I need to access pillar data from a
Python script running on a minion as a non-root user (reason: it's a
Nagios check which runs as the 'nagios' user).
The relevant piece of code I'm using is:
import salt.client
local = salt.client.Caller()
local.cmd('pillar.get', 'sdr')
When I manually run:
sudo -u nagios myscript.py
I get the error:
salt.exceptions.SaltClientError: Could not access /etc/salt/pki/minion.
Please give nagios read permissions.
After I give read permission (using setfacl) on /etc/salt/pki/minion to
the user 'nagios', I get a new error:
IOError: Write access denied to "/etc/salt/pki/minion" for user "nagios"
Why the heck does the Python Client API need write permission on a
certificate directory in order to run?!
And does anyone know a workaround for accessing pillar data from a
minion from a Python script?
Thanks,
Tiago
Seth House
Jun 21, 2017, 11:38:15 AM6/21/17
to salt users list
It reads the key to authenticate with the Salt Master, but off the top
of my head I'm unsure why it wants to write back to that dir. Since
Pillar data is potentially sensitive data, referencing it is best done
using the same user the Salt Minion is running as.
One option is to use sudo to whitelist the nagios user to run
`salt-call` CLI commands as the user the Minion is running under.
There's a partial example of this at the bottom of the `event.send`
docs [1].
Another option is to run a second Minion daemon on that machine with a
different Minion ID and configure it to run as the same user Nagios is
running under. Then you can send specific Pillar data to just that one
Minion instance.
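The sudo-whitelist option above, worked through as an added example (this is not code from either post or from the Salt project): the Nagios check shells out to a pinned `salt-call pillar.get sdr --out=json` command through sudo instead of using `salt.client.Caller()`, so the 'nagios' user never needs to touch /etc/salt/pki/minion. It assumes salt-call lives at /usr/bin/salt-call, that the minion runs as root (the default), and that `--out=json` wraps the return value under a "local" key; the pillar key 'sdr' and the user name come from the thread. The sudoers rule spells out every argument so the check user can run exactly this one lookup and nothing else.

```python
"""Read one pillar value from a Nagios check running as the 'nagios' user
via a sudo-whitelisted salt-call invocation (example, not from the thread)."""
import json
import subprocess

# Assumed location of the salt-call binary; verify with `which salt-call`.
SALT_CALL = "/usr/bin/salt-call"
CHECK_USER = "nagios"


def salt_call_argv(pillar_key):
    """argv that the sudoers rule whitelists. The only variable part is the
    pillar key, which is validated so it cannot smuggle in extra options."""
    if (not pillar_key or pillar_key.startswith("-")
            or any(c.isspace() for c in pillar_key)):
        raise ValueError("pillar key must be a plain name: %r" % (pillar_key,))
    # -n: never prompt for a password; a monitoring check must not hang.
    return ["sudo", "-n", SALT_CALL, "pillar.get", pillar_key, "--out=json"]


def sudoers_rule(pillar_key, user=CHECK_USER):
    """Matching /etc/sudoers.d line. Arguments are given in full, so the user
    can run this exact lookup only (no pillar.items, no other modules).
    Assumes the minion runs as root, hence ALL=(root)."""
    command = " ".join(salt_call_argv(pillar_key)[2:])  # drop 'sudo -n'
    return "%s ALL=(root) NOPASSWD: %s" % (user, command)


def parse_pillar_output(stdout):
    """salt-call --out=json prints {"local": <value>} (assumption); unwrap it,
    but tolerate a bare value too."""
    data = json.loads(stdout)
    if isinstance(data, dict) and list(data) == ["local"]:
        return data["local"]
    return data


def get_pillar(pillar_key, run=subprocess.run):
    """Fetch a pillar value. `run` is injectable so the lookup can be
    exercised without a Salt master; it defaults to subprocess.run."""
    completed = run(salt_call_argv(pillar_key), stdout=subprocess.PIPE,
                    stderr=subprocess.PIPE, check=False)
    if completed.returncode != 0:
        raise RuntimeError("salt-call failed (rc=%d): %s" % (
            completed.returncode, completed.stderr.decode(errors="replace")))
    return parse_pillar_output(completed.stdout.decode())


if __name__ == "__main__":
    # Print the sudoers line to install, then perform the real lookup.
    print(sudoers_rule("sdr"))
    print(get_pillar("sdr"))
```

Install the printed line with `visudo -f /etc/sudoers.d/nagios-salt`; because sudoers matches the argument list literally, changing the pillar key or output format later means updating both the rule and the script together.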