• An access control system lets a user or a group execute tasks with defined permissions. Salt's access control systems configure access to its non-administrative control interfaces, and the same approach can be applied across all systems. These controls let non-administrative users execute Salt commands.
• Salt provides the following three access control interfaces −
• Publisher ACL system
• External Auth system
• Peer system
Publisher ACL System
• The Publisher ACL system allows users other than root to execute Salt commands on minions from the master.
• The publisher ACL system is configured in the master configuration file via the publisher_acl configuration option. It is defined as follows:
publisher_acl:
  user1:
    - .*
  user2:
    - web*:
      - test.*
      - pkg.*
• Here,
user1 is allowed to execute anything.
user2 is allowed to use test and pkg, but only on “web*” minions.
External Auth System
• The external auth system grants access to execute Salt commands on specific minions to users authenticated through an external authentication system such as PAM or LDAP.
• This configuration is defined in the master file as described below:
external_auth:
  pam:
    user1:
      - 'web*':
        - test.*
        - network.*
    user2:
      - .*
• Here,
user1 is allowed to execute functions in the test and network modules on the minions that match the web* target.
user2 is allowed to execute all functions.
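To make the two rule sets above concrete, here is an added example (not Salt's own code) that models how a publisher_acl and an external_auth policy are evaluated for a user, a minion ID and a function. It assumes function rules are regular expressions and minion rules are shell-style globs; the policy dictionaries are constructed from the examples on this page.

```python
import fnmatch
import re

# Constructed policies mirroring the publisher_acl and external_auth
# examples on this page (added example, not Salt's implementation).
PUBLISHER_ACL = {
    "user1": [".*"],                               # anything, on any minion
    "user2": [{"web*": ["test.*", "pkg.*"]}],      # test/pkg on web* minions only
}
EXTERNAL_AUTH = {
    "pam": {
        "user1": [{"web*": ["test.*", "network.*"]}],
        "user2": [".*"],
    }
}

def _fun_matches(pattern: str, fun: str) -> bool:
    # Assumption: function rules are regexes anchored at both ends. Note the
    # unescaped "." in "test.*" is a regex wildcard, so "testing.run" also
    # matches; escape it ("test\..*") if only the test module is intended.
    return re.fullmatch(pattern, fun) is not None

def _target_matches(pattern: str, minion_id: str) -> bool:
    # Assumption: minion rules such as "web*" are shell-style globs.
    return fnmatch.fnmatchcase(minion_id, pattern)

def is_allowed(acl: dict, user: str, minion_id: str, fun: str) -> bool:
    """Return True if `user` may run `fun` on `minion_id` under `acl`."""
    for rule in acl.get(user, []):        # unknown user -> no rules -> deny
        if isinstance(rule, str):
            # A bare function pattern applies to every minion.
            if _fun_matches(rule, fun):
                return True
        elif isinstance(rule, dict):
            # {target: [function patterns]} applies to matching minions only.
            for target, funs in rule.items():
                if _target_matches(target, minion_id) and any(
                    _fun_matches(f, fun) for f in funs
                ):
                    return True
    return False

def is_allowed_eauth(cfg: dict, backend: str, user: str, minion_id: str, fun: str) -> bool:
    """external_auth adds one level: the backend (pam, ldap, ...) the user authenticated through."""
    return is_allowed(cfg.get(backend, {}), user, minion_id, fun)

if __name__ == "__main__":
    for user, minion, fun in [("user2", "web01", "pkg.install"), ("user2", "db01", "test.ping"),
                              ("user2", "web01", "cmd.run"), ("nobody", "web01", "test.ping")]:
        verdict = "ALLOW" if is_allowed(PUBLISHER_ACL, user, minion, fun) else "DENY"
        print(f"{user:7} {minion:6} {fun:12} -> {verdict}")
```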
Enable External Auth System in Command
• The salt command provides the -a option to enable external authentication:
salt -a pam web\* test.ping
• Here, the -a pam option enables PAM external authentication.
• The Salt master will prompt for authentication details every time the command is executed.
• To have the master prompt for authentication details only the first time, use the -T option.
• The -T option caches the authentication details for the next 12 hours (default setting) and uses them to authenticate the user on subsequent commands:
salt -T -a pam web\* test.ping
Peer System
• Salt minions can pass commands to other minions through the peer interface.
• The peer interface is configured through the master configuration file, either to allow minions to publish commands to other minions via the master using the peer configuration section, or to allow minions to execute runners on the master using the peer_run configuration section.
Peer Configuration
• The simplest configuration to be defined in the master file is as follows:
peer:
  .*:
    - .*
• This enables communication between all minions, but it is only recommended for very secure environments.
• To restrict access to minions with specific IDs, the configuration needs to be defined as shown below:
peer:
  .*domain.com:
    - test.*
Peer_run Configuration
• This configuration allows minions to execute runners on the master using the peer_run option in the master file.
• The following configuration allows all minions access to all runners:
peer_run:
  .*:
    - .*
• To restrict access to minions with specific IDs, the configuration needs to be defined as follows:
peer_run:
  .*domain.com:
    - test.*
How to Execute Commands
• To execute test.ping on all minions from a minion, use the salt-call command along with the publish.publish module:
salt-call publish.publish \* test.ping
• To execute a runner, use the salt-call command along with the publish.runner module:
salt-call publish.runner manage.up