Salt: No support for compound matcher in external auth configuration

Created on 21 Apr 2016 · 5Comments · Source: saltstack/salt

Description of Issue/Question

Following of https://github.com/saltstack/salt/issues/21303, the external auth configuration parser doesn't support compound matcher and provide no explicit error message "No permission -- see authorization schemes".

Setup

Eauth configuration:

external_auth:
  pam:
    vagrant:
      - '* and G@os:Ubuntu':
        - .*

Steps to Reproduce Issue

Try to run a job through salt-api, for example test.ping on '*'.

curl -sS localhost:8000/run \
    -H 'Accept: application/x-yaml' \
    -d client='local' \
    -d tgt='*' \
    -d fun='test.ping' \
    -d username='vagrant' \
    -d password='vagrant' \
    -d eauth='pam'

The output is:

<!DOCTYPE html PUBLIC
"-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8"></meta>
    <title>401 Unauthorized</title>
    <style type="text/css">
    #powered_by {
        margin-top: 20px;
        border-top: 2px solid black;
        font-style: italic;
    }

    #traceback {
        color: red;
    }
    </style>
</head>
    <body>
        <h2>401 Unauthorized</h2>
        <p>No permission -- see authorization schemes</p>
        <pre id="traceback"></pre>
    <div id="powered_by">
      <span>
        Powered by <a href="http://www.cherrypy.org">CherryPy 5.1.0</a>
      </span>
    </div>
    </body>
</html>

Even if the minion match the specification:

salt -v '*' grains.get 'os'
Executing job with jid 20160421011351491625
-------------------------------------------

c468b94aa1b8:
    Ubuntu

Versions Report

Salt Version:
           Salt: 2016.3.0

Dependency Versions:
           cffi: Not Installed
       cherrypy: 5.1.0
       dateutil: Not Installed
          gitdb: Not Installed
      gitpython: Not Installed
          ioflo: Not Installed
         Jinja2: 2.8
        libgit2: Not Installed
        libnacl: Not Installed
       M2Crypto: Not Installed
           Mako: Not Installed
   msgpack-pure: Not Installed
 msgpack-python: 0.4.7
   mysql-python: Not Installed
      pycparser: Not Installed
       pycrypto: 2.6.1
         pygit2: Not Installed
         Python: 2.7.6 (default, Jun 22 2015, 17:58:13)
   python-gnupg: Not Installed
         PyYAML: 3.11
          PyZMQ: 15.2.0
           RAET: Not Installed
          smmap: Not Installed
        timelib: Not Installed
        Tornado: 4.3
            ZMQ: 4.1.2

System Versions:
           dist: Ubuntu 14.04 trusty
        machine: x86_64
        release: 4.3.3-dhyve
         system: Linux
        version: Ubuntu 14.04 trusty

Expected behavior

Either have support for compound matcher in eauth configuration or send an error that says that eauth configuration for this user is invalid.

Bug Core P3 ZRELEASED - 2018.3.3 fixed-pending-your-verification severity-medium

Source

Lothiraldan

Most helpful comment

This ergonomics/feature request is still desirable and important.

nickgarber on 24 Apr 2018

👍2

All 5 comments

Thanks, @Lothiraldan.

jfindlay on 21 Apr 2016

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

If this issue is closed prematurely, please leave a comment and we will gladly reopen the issue.