Salt ACL - restrict to particular state file

mike r
Aug 24, 2018, 11:30:38 AM
to Salt-users
Hello, I'm configuring our Master's ACL to give certain non-root users the ability to run certain states.

From the docs there doesn't seem to be a way to allow a particular state, only a module,

for example

/etc/salt/master

publisher_acl:
  joe:
    - state.sls


works, and the joe user can run any 'salt \* state.sls somestate'.

Is there a way to configure it to be open not only to modules, but to individual states?

For example, I want joe to only be able to run the state file called "joe_state.sls".

I tried this,


publisher_acl:
  joe:
    - state.sls joe_state

This doesn't work; I get an authorization error.

Christian McHugh
Sep 2, 2018, 1:47:31 PM
to Salt-users
I don't know about your direct question of how to set up specific states in the Salt ACL system, but we handle this use case by wrapping Salt with Jenkins (https://wiki.jenkins.io/display/JENKINS/saltstack-plugin). A DevOps team sets up a Jenkins job to run the needed states, and delegates the ability to run that job to the teams needing access. We can then view job output from the Jenkins console as well as track who ran the job and when.

Christian McHugh
Sep 3, 2018, 12:24:27 PM
to Salt-users
I was just looking over the ACL docs for another reason, and it looks like arguments are now supported (as of 2016.3). Take a look at
https://docs.saltstack.com/en/develop/topics/eauth/index.html#acl-eauth

Looks like the syntax is

external_auth:
  pam:
    my_user:
      - '*':
        - 'my_mod.*':
            args:
              - 'a.*'
              - 'b.*'
            kwargs:
              'kwa': 'kwa.*'
              'kwb': 'kwb'
      - '@runner':
        - 'runner_mod.*':
            args:
              - 'a.*'
              - 'b.*'
            kwargs:
              'kwa': 'kwa.*'
              'kwb': 'kwb'
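Applying the args matching from the reply above to the original question, as an added example that is not part of the thread. It assumes publisher_acl accepts the same args/kwargs form shown for external_auth (both lists are evaluated by the same ACL matcher on the master), and it reuses the user, minion target and state name from the question. The original attempt, `- state.sls joe_state`, fails because the whole string is treated as a regex against the function name `state.sls`, so nothing matches; the argument has to go in its own `args` list:

```yaml
# /etc/salt/master  (added example, not from the thread)
publisher_acl:
  joe:
    # Minion target this entry applies to; narrow it (e.g. 'web*') if joe
    # should only touch some hosts.
    - '*':
        # Function name is a regex too; keep it literal rather than 'state.*'
        # so state.apply / state.highstate / state.single stay denied.
        - 'state.sls':
            args:
              # Positional arg 0 of state.sls is the state name. ACL patterns
              # are regular expressions, so anchor with '$': without it,
              # 'joe_state_extra' and the comma-list 'joe_state,other'
              # would also be accepted.
              - 'joe_state$'
```

To check it after restarting the master, run as joe: `salt '*' state.sls joe_state` should publish, while `salt '*' state.sls joe_state_extra` and `salt '*' state.apply joe_state` should be refused with the same authorization error. Two caveats a reviewer would want noted: the ACL only constrains the args and kwargs you list, so extra keyword arguments such as `pillar='{...}'` or `saltenv=` are still accepted and can change what the state does; keep `joe_state.sls` from deriving anything privileged from pillar data the caller can supply. And because `state.sls` takes a comma-separated list of states in one positional argument, the `$` anchor is what prevents joe from appending other states to the call.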
