Running salt commands from non-root process


ig...@xorops.com

Apr 10, 2013, 2:52:23 AM
to salt-...@googlegroups.com
Hi,
I have the salt-master daemon running as root, and I have the minion daemon running as root.
I am running salt commands (salt targetserver cp.get_file ...) from a different process (Jenkins) which is running as a different user (non-root).
I am getting error: Failed to authenticate, is this user permitted to execute commands?
How can I enable this to work?
Thanks.

Kind regards,
Igor

Tor Hveem

Apr 10, 2013, 5:23:43 AM
to salt-...@googlegroups.com
sudo?



ig...@xorops.com

Apr 10, 2013, 6:49:16 AM
to salt-...@googlegroups.com
Sudo is working, sure, but I don't like to use it with the nopasswd option. I thought that there was maybe some internal salty way.
I will try to run salt-master as non-root and then sudo as that user.

Thanks.

Mike Chesnut

Apr 10, 2013, 11:06:34 AM
to salt-...@googlegroups.com
This sounds like the exact scenario that the client_acl system is designed to help with.

http://docs.saltstack.com/ref/clientacl.html

You set those options in your master config. It sounds like in your case, you'd want to allow the jenkins user to run cp.get_file, etc. (Note also that you probably don't need to run the master processes as root, if you're looking for places to reduce your exposure.)


Victor Museteanu

May 23, 2013, 12:45:33 PM
to salt-...@googlegroups.com
Hi,

I'm running salt-master (version 0.15.1) as the salt user (don't worry about open_mode, just testing):

]# cat master
user: salt
open_mode: true
log_level: all

file_roots:
  base:
    - /var/data/salt/srv/salt
file_ignore_regex:
  - '/\.svn($|/)'
  - '/\.git($|/)'
file_ignore_glob:
  - '*.pyc'

pillar_roots:
  base:
    - /var/data/salt/srv/pillar

client_acl:
  jenkins:
    - .*

If I run:

salt '*' test.ping

from a Jenkins job, I get 'Failed to authenticate, is this user permitted to execute commands?' and these lines in the salt-master log:

2013-05-23 16:34:25,168 [salt.master                                 ][INFO    ] Clear payload received with command publish
2013-05-23 16:34:25,169 [salt.master                                 ][WARNING ] Authentication failure of type "user" occurred.

If I 'su - jenkins -s /bin/bash' the same command runs fine, with these lines in the master log:

2013-05-23 16:35:59,713 [salt.master                                 ][INFO    ] Clear payload received with command publish
2013-05-23 16:35:59,716 [salt.master                                 ][INFO    ] User jenkins Published command test.ping with jid 20130523163559715409
2013-05-23 16:35:59,717 [salt.master                                 ][DEBUG   ] Published command details {'tgt_type': 'glob', 'jid': '20130523163559715409', 'tgt': '*', 'ret': '', 'user': 'jenkins', 'arg': [], 'fun': 'test.ping'}
2013-05-23 16:35:59,761 [salt.master                                 ][INFO    ] Clear payload received with command _auth
2013-05-23 16:35:59,762 [salt.utils.verify                           ][DEBUG   ] This salt-master instance has accepted 2 minion keys.
2013-05-23 16:35:59,762 [salt.master                                 ][INFO    ] Authentication request from localhost.localdomain
2013-05-23 16:35:59,762 [salt.master                                 ][INFO    ] Authentication accepted from localhost.localdomain
2013-05-23 16:36:00,450 [salt.master                                 ][INFO    ] AES payload received with command _return
2013-05-23 16:36:00,450 [salt.master                                 ][INFO    ] Got return from localhost.localdomain for job 20130523163559715409
2013-05-23 16:36:05,469 [salt.master                                 ][INFO    ] Clear payload received with command publish
2013-05-23 16:36:05,472 [salt.master                                 ][INFO    ] User jenkins Published command saltutil.find_job with jid 20130523163605471088
2013-05-23 16:36:05,472 [salt.master                                 ][DEBUG   ] Published command details {'tgt_type': 'glob', 'jid': '20130523163605471088', 'tgt': '*', 'ret': '', 'user': 'jenkins', 'arg': ['20130523163559715409'], 'fun': 'saltutil.find_job'}
2013-05-23 16:36:05,783 [salt.master                                 ][INFO    ] AES payload received with command _return
2013-05-23 16:36:05,783 [salt.master                                 ][INFO    ] Got return from localhost.localdomain for job 20130523163605471088

As far as I understand, the difference is that the Jenkins job does not have a tty (similar to the 'jenkins sudo no tty present' problem you find on Google), but I'm not sure if this is the real problem...

Any hints on how to make the client_acl work for this scenario are highly appreciated.

Thanks,
  Victor
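The client_acl entry in the config above grants the jenkins user every function (`.*`), which is the opposite of the least-privilege scoping Mike's reply suggests. The following is an added example, not code from the thread or from Salt itself: it evaluates a client_acl mapping the way a master would plausibly do it (assumption: each entry is a regular expression tried with `re.match`, so it is anchored only at the start of the function name) and audits the entries for catch-alls, missing end anchors, and patterns that admit a constructed list of high-impact execution functions. The `SCOPED_ACL` dict and the `HIGH_IMPACT_FUNS` list are constructed for the example.

```python
import re

# ACL transcribed from the master config posted in the thread.
THREAD_ACL = {
    "jenkins": [".*"],
}

# Constructed alternative scoped to the two functions the thread mentions.
SCOPED_ACL = {
    "jenkins": ["test\\.ping$", "cp\\.get_file$"],
}

# Constructed list of execution functions a CI account would not normally
# need; used only to judge how broad an ACL entry is.
HIGH_IMPACT_FUNS = ("cmd.run", "state.highstate", "file.write", "user.add")


def is_permitted(acl, user, fun):
    """Return True when `fun` matches one of the regexes listed for `user`.

    Assumption (not stated in the thread): entries are regular expressions
    tried with re.match, i.e. anchored at the start of the name only.
    """
    return any(re.match(pattern, fun) for pattern in acl.get(user, ()))


def audit_acl(acl):
    """Return (user, pattern, finding) tuples for entries that deserve a
    second look: catch-alls, entries that admit high-impact functions, and
    patterns with no end anchor (which also match longer function names)."""
    findings = []
    for user, patterns in acl.items():
        for pattern in patterns:
            if pattern in (".*", ".*$", "^.*$"):
                findings.append((user, pattern, "catch-all: every function permitted"))
                continue
            hits = [f for f in HIGH_IMPACT_FUNS if re.match(pattern, f)]
            if hits:
                findings.append((user, pattern, "admits high-impact functions: " + ", ".join(hits)))
            if not pattern.endswith("$"):
                findings.append((user, pattern, "no end anchor: also matches longer names"))
    return findings


if __name__ == "__main__":
    for name, acl in (("thread config", THREAD_ACL), ("scoped config", SCOPED_ACL)):
        print(name)
        for fun in ("test.ping", "cp.get_file", "cmd.run"):
            print("  jenkins -> %-12s %s" % (fun, "allowed" if is_permitted(acl, "jenkins", fun) else "denied"))
        for user, pattern, finding in audit_acl(acl):
            print("  audit: %s / %r: %s" % (user, pattern, finding))
```

Run against the config from the post, the audit flags the single `.*` entry; the scoped variant permits only the two functions and produces no findings. The missing-end-anchor check matters because an entry written as `test.ping` also admits any function whose name merely starts with that string.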

Victor Museteanu

May 24, 2013, 6:06:39 AM
to salt-...@googlegroups.com
I found a solution, this is what I've appended to /etc/sysconfig/jenkins:

# Make the system environment variables available to Jenkins
source /etc/bashrc

# Avoid salt confusion
unset USERNAME
unset SUDO_USER
unset SUDO_COMMAND
unset SUDO_GID
unset SUDO_UID

Also see https://github.com/saltstack/salt/issues/5245
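The fix above works by removing environment variables that describe an identity other than the process owner, so the client no longer presents a user name the master's client_acl has no entry for. The following is an added example, not Salt's own code and not from the thread: it models the failure with a constructed Jenkins service environment (one that inherited `SUDO_*` and `USERNAME` from the shell that started the service), lists the offending variables, strips them the way the posted `unset` lines do, and shows which user name a client would derive before and after. The identity resolution is a simplified model (assumption: `SUDO_USER` takes precedence and is reported as `sudo_<name>`, otherwise the lookup order Python's `getpass.getuser()` uses: LOGNAME, USER, LNAME, USERNAME, then the process owner); Salt's actual rule is not shown in the thread.

```python
# The five variables unset in the /etc/sysconfig/jenkins fix quoted above.
STALE_IDENTITY_VARS = ("USERNAME", "SUDO_USER", "SUDO_COMMAND", "SUDO_GID", "SUDO_UID")

# Lookup order used by Python's getpass.getuser() before it falls back to
# the password database; reused here as the model's fallback order.
GETPASS_ORDER = ("LOGNAME", "USER", "LNAME", "USERNAME")

# Constructed environment of a Jenkins job whose service was started from a
# sudo shell and inherited that shell's identity variables.
JENKINS_ENV = {
    "HOME": "/var/lib/jenkins",
    "PATH": "/usr/bin:/bin",
    "USERNAME": "root",
    "SUDO_USER": "admin",
    "SUDO_UID": "1000",
    "SUDO_GID": "1000",
    "SUDO_COMMAND": "/sbin/service jenkins start",
}


def stale_identity_vars(environ):
    """Names from STALE_IDENTITY_VARS that are present in `environ`, sorted."""
    return sorted(name for name in STALE_IDENTITY_VARS if name in environ)


def sanitize_env(environ):
    """Copy of `environ` with the stale identity variables removed."""
    return {k: v for k, v in environ.items() if k not in STALE_IDENTITY_VARS}


def unset_lines(environ):
    """Shell lines equivalent to the posted fix, one per variable found."""
    return ["unset %s" % name for name in stale_identity_vars(environ)]


def resolve_client_user(environ, process_owner):
    """Simplified model (assumption, see lead-in) of the user name a
    sudo-aware client derives from its environment."""
    if environ.get("SUDO_USER"):
        return "sudo_" + environ["SUDO_USER"]
    for name in GETPASS_ORDER:
        if environ.get(name):
            return environ[name]
    return process_owner


if __name__ == "__main__":
    print("stale variables:", stale_identity_vars(JENKINS_ENV))
    print("before:", resolve_client_user(JENKINS_ENV, "jenkins"))
    print("after: ", resolve_client_user(sanitize_env(JENKINS_ENV), "jenkins"))
    print("\n".join(unset_lines(JENKINS_ENV)))
```

With the constructed environment the model reports `sudo_admin`, a name with no client_acl entry, which matches the `Authentication failure of type "user"` log line in the earlier post; after sanitising it reports the process owner `jenkins`, which the ACL does list. Even without `SUDO_*`, a leaked `USERNAME=root` alone is enough to make the client claim `root`, so the check is worth running on any service account that issues salt commands.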