Currently the Publisher ACL System allows users other than root to execute salt commands, but only users. It would be really helpful if groups could be given permissions rather than on a per-user basis.
You should be able to use groups.
https://docs.saltstack.com/en/latest/topics/eauth/index.html#groups
Trying groups with publisher_acl:

publisher_acl:
  admin%:
    - test.ping

2016.11.5:
[ERROR ] ACL user admin% is not available
2016.11.6:
[ERROR ] An un-handled exception was caught by salt's global exception handler:
KeyError: 'getpwnam(): name not found: admin%'
Traceback (most recent call last):
  File "/usr/bin/salt-master", line 11, in <module>
    load_entry_point('salt==2016.11.6', 'console_scripts', 'salt-master')()
  File "/usr/lib/python2.7/site-packages/salt/scripts.py", line 90, in salt_master
    master.start()
  File "/usr/lib/python2.7/site-packages/salt/cli/daemons.py", line 204, in start
    super(Master, self).start()
  File "/usr/lib/python2.7/site-packages/salt/utils/parsers.py", line 948, in start
    self.prepare()
  File "/usr/lib/python2.7/site-packages/salt/cli/daemons.py", line 185, in prepare
    self.master = salt.master.Master(self.config)
  File "/usr/lib/python2.7/site-packages/salt/master.py", line 400, in __init__
    SMaster.__init__(self, opts)
  File "/usr/lib/python2.7/site-packages/salt/master.py", line 121, in __init__
    self.key = self.__prep_key()
  File "/usr/lib/python2.7/site-packages/salt/master.py", line 145, in __prep_key
    return salt.daemons.masterapi.access_keys(self.opts)
  File "/usr/lib/python2.7/site-packages/salt/daemons/masterapi.py", line 262, in access_keys
    keys[user] = mk_key(opts, user)
  File "/usr/lib/python2.7/site-packages/salt/daemons/masterapi.py", line 226, in mk_key
    os.chown(keyfile, pwd.getpwnam(user).pw_uid, -1)
KeyError: 'getpwnam(): name not found: admin%'
Oh, sorry, that is for external auth, not publisher acls.
Yes, it would be nice to have publisher acls accept groups. I am going to mark this as a feature request.
Thanks,
Daniel
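
Since publisher_acl here takes user names only, group membership can be expanded into per-user entries outside Salt. The following is an added example, not code from this thread or from the Salt project: it turns a hypothetical {group: [functions]} mapping into publisher_acl entries, counting primary-group members and skipping names with no passwd entry (the lookup that fails in the 2016.11.6 traceback above). All function names and the sample data are assumptions.

```python
"""Added example: expand Unix groups into per-user publisher_acl entries."""
import grp
import pwd


def group_members(group, getgrnam=grp.getgrnam, getpwall=pwd.getpwall):
    """Return sorted user names in `group`: supplementary and primary members."""
    entry = getgrnam(group)  # raises KeyError if the group does not exist
    members = set(entry.gr_mem)
    # gr_mem omits users whose *primary* group is this one; find them by gid.
    members.update(p.pw_name for p in getpwall() if p.pw_gid == entry.gr_gid)
    return sorted(members)


def _user_exists(name):
    try:
        pwd.getpwnam(name)
        return True
    except KeyError:
        return False


def expand_acl(group_acl, members_of=group_members, user_exists=_user_exists):
    """Map {group: [functions]} to {user: [functions]} for publisher_acl."""
    acl = {}
    for group, functions in sorted(group_acl.items()):
        for user in members_of(group):
            # In the traceback above, mk_key() calls pwd.getpwnam() on each
            # ACL key, so names without a passwd entry are left out.
            if not user_exists(user):
                continue
            merged = acl.setdefault(user, [])
            merged.extend(f for f in functions if f not in merged)
    return acl


def render(acl):
    """Render the expanded ACL as a publisher_acl YAML fragment."""
    lines = ["publisher_acl:"]
    for user in sorted(acl):
        lines.append("  {0}:".format(user))
        lines.extend("    - {0}".format(f) for f in acl[user])
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample membership; omit the two keyword arguments to
    # query the real group and passwd databases instead.
    sample = {"admin": ["alice", "bob"]}
    acl = expand_acl({"admin": ["test.ping"]}, members_of=sample.__getitem__,
                     user_exists=lambda name: name != "bob")
    print(render(acl), end="")
```

The fragment has to be regenerated whenever group membership changes, otherwise a user removed from the group keeps the access already written into the master config.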
Seriously need this feature right now as well. Please expedite!
I'd really like to +1 this...I recently started looking into a way to allow other users to run certain salt commands and it would be awesome if I could add and remove users from a group that I grant access to.
Pull requests welcome!
This is not on the top of anyone's list right now unfortunately.
@gtmanfred... I may dig in if I get some time and see if I can figure out what it would take to implement. If it's not too bad I wouldn't mind doing a PR
I'm happy to beta test something. I have an excellent record for breaking things...
Oliver
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
If this issue is closed prematurely, please leave a comment and we will gladly reopen the issue.
This is still a desired feature request that I wouldn't like to see automatically closed...
Agreed
Can we reopen this request, or do we need to file a new one? I have been waiting for this feature for some time now.
yes please reopen