Salt: Feature request: Add finer grained authorization for @runner, @job and @wheel in external_auth

Created on 14 Jan 2015 · 22 Comments · Source: saltstack/salt

Consider the following config:

external_auth:
  pam:
    sarah:
      - 'test.version'
      - 'network.ip_addrs'
      - 'state.highstate'
      - '@runner'

I have pretty fine grained control over which functions Sarah can execute, but with @runner, @wheel and @job, it's a binary all-or-nothing.

I think it's pretty important to be able to have the same fine grained control as with execution modules.
I'm not sure exactly what that should look like, but maybe something like this?

external_auth:
  pam:
    sarah:
      - 'test.version'
      - 'network.ip_addrs'
      - 'state.highstate'
      - '@runner.myrunner.myfunction'
      - '@runner.my_other_runner.*'
      - '@wheel.key.accept'
      - '@jobs'

In the above scenario I'm allowing Sarah to execute only the myfunction function in the myrunner.py runner and any function in the my_other_runner.py runner. As well as only the accept function in the wheel's key module. (I didn't go verify that there is an accept function, but regardless, I'm sure you can see what I mean.)

Labels: Core, Feature, P1, ZD, ZRELEASED - 2018.3.0, severity-critical


All 22 comments

This would be great. There was a recent @jobs addition but there really should be granular function-level control.

+1

That would be really nice. (As explained in #26832: we have different teams and they would like to orchestrate deployments using salt. The orchestrate runner seems like the perfect match for that, but we need auth to limit/control which orchestrate sls can be run by users.)

/cc @cachedout - relevant issue to our discussion yesterday about pattern matching on args in addition to runner/wheel functions.

+1

+1

+1

+1

+1

+1

I just spent a day getting salt-api working and understanding it, then realized if the account I'm using gets compromised, the account could use wheel to do things like alter the master config and probably a whole slew of other nasty things. This unfortunately isn't an acceptable security risk, especially when I only want the account to have access to wheel.key.gen_accept.

Hello there... Bringing up this thread... I saw a similar feature was released in Boron (https://github.com/saltstack/salt/pull/29153) including the ability to limit args and kwargs but only to modules. Being able to do the same fine grained ACLs for runners and wheel would be totally awesome!!

zd-913

Hi all, what's the status here? We could really use that "feature". No one here wants to implement that in the Nginx proxy before Cherrypy in Lua.

@bemeyert, this Feature-Request is under active consideration for the Spring Feature-Release of Salt.

Final decisions regarding which Feature-Requests that will be included in the Spring Feature-Release of Salt will be made in January-2017.

Regards,
Rick

@rickh563 ... as long as it's not released under "commercial license only", do you have any news?

@hoitsang, this Feature would be delivered as part of open source Salt.
As noted above, news will exist in January, no later than Jan-31-2017.
-- Rick

Thank you @rickh563! Really looking forward to it!

In the meantime I hope this hack will buy some time for everyone else, especially those of us who live at least 6 months behind the latest and greatest.

In salt/utils/minions.py:

    def wheel_check(self, auth_list, fun):
        '''
        Check special API permissions
        '''
        comps = fun.split('.')
        if len(comps) != 2:
            return False
        mod = comps[0]
        fun = comps[1]
        for ind in auth_list:
            if isinstance(ind, six.string_types):
                if ind.startswith('@') and ind[1:] == mod:
                    return True
                if ind == '@wheel':
                    return True
                if ind == '@wheels':
                    return True
                # ======================= #
                # ADD ONE MORE CHECK HERE #
                # ======================= #
                if ind == '@wheel.{0}.{1}'.format(mod, fun):
                    return True

So that, at a bare minimum, we could grant wheel access at the function level:

external_auth:
  ldap:
    Salt NOC Users%:
      - test.*
      - '@wheel.key.list_all'

The same goes for runner_check() in the same module for @runner.

ZD-1540

Let's make a prediction for the years to come: Oxygen -> Fluor?

42729 updates the external_auth syntax to support @runner and @wheel as is done for execution modules.

Example:

external_auth:
  pam:
    user_name:
      - '@runner':  # or any of '@runners', '@wheel', '@wheels' (the @ must be quoted in YAML)
        - 'module.function.*regex'
        - 'module.another.*function':
            args: ['a', 'b[cde]f']
            kwargs:
              'kwa': 'kwvalue'
      # as well as
      - '@module':
        - 'function.*regex':
            args: ['and', 'so', 'on']
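The nested syntax in the comment above, and the all-or-nothing '@runner' / '@wheel' behaviour the issue opened with, can be checked with a small standalone matcher. The following is an added example written for this page, not code from the Salt project or from the PR: the auth list, host names and argument patterns are constructed, `special_check` and the other function names are hypothetical, and it anchors every pattern at both ends with `re.fullmatch`, which is a choice made here (check how your Salt release matches ACL patterns before relying on either behaviour). The Python list is what the YAML would load to; since `@` cannot begin an unquoted YAML scalar, the keys appear as quoted strings.

```python
import re

# Constructed auth list for this example (not a real master config). It is the
# loaded form of one external_auth user entry using the nested syntax: a bare
# '@runner' string keeps the old all-or-nothing grant, while a dict keyed by
# '@wheel' limits the grant to the listed function patterns, optionally with
# regexes on positional args and on kwargs.
AUTH_LIST = [
    'test.*',                               # execution-module rule, ignored here
    '@runner',                              # every runner function, unrestricted
    {'@wheel': [
        r'key\.list_all',                   # one function, dot escaped
        {r'key\.accept': {                  # function plus positional-arg constraint
            'args': [r'web[0-9]+\.example\.com'],
        }},
        {r'key\.delete': {                  # function plus kwarg constraint
            'kwargs': {'match': r'web[0-9]+\.example\.com'},
        }},
    ]},
]

# Both spellings mentioned in the comment are accepted for each interface.
KIND_TAGS = {
    'runner': ('@runner', '@runners'),
    'wheel': ('@wheel', '@wheels'),
}


def pattern_matches(pattern, value):
    """Anchored regex match (a design choice of this example); an invalid
    pattern denies instead of silently allowing."""
    try:
        return re.fullmatch(pattern, str(value)) is not None
    except re.error:
        return False


def args_allowed(cond, args, kwargs):
    """Every constrained positional index and kwarg key must be present in
    the call and match its pattern; unconstrained arguments are allowed."""
    for i, pat in enumerate(cond.get('args', [])):
        if i >= len(args) or not pattern_matches(pat, args[i]):
            return False
    for key, pat in cond.get('kwargs', {}).items():
        if key not in kwargs or not pattern_matches(pat, kwargs[key]):
            return False
    return True


def special_check(auth_list, kind, fun, args=(), kwargs=None):
    """Return True if auth_list permits calling runner/wheel function `fun`
    ('module.function') with the given arguments. Hypothetical helper name."""
    kwargs = kwargs or {}
    tags = KIND_TAGS[kind]
    for entry in auth_list:
        if isinstance(entry, str):
            # Old syntax: the bare tag grants the whole interface.
            if entry in tags:
                return True
            continue
        if not isinstance(entry, dict):
            continue
        for tag, rules in entry.items():
            if tag not in tags:
                continue
            if isinstance(rules, str):
                rules = [rules]
            for rule in rules:
                if isinstance(rule, str):
                    if pattern_matches(rule, fun):
                        return True
                elif isinstance(rule, dict):
                    for fun_pat, cond in rule.items():
                        if pattern_matches(fun_pat, fun) and args_allowed(cond or {}, args, kwargs):
                            return True
    return False


if __name__ == '__main__':
    # key.accept is granted only for web hosts; config.update is never granted.
    print(special_check(AUTH_LIST, 'wheel', 'key.accept', args=('web01.example.com',)))  # True
    print(special_check(AUTH_LIST, 'wheel', 'config.update'))  # False
```

The regex nature of the patterns is the main trap: an unescaped 'key.*' also matches a function in any module whose name merely starts with "key", because the dot is a regex metacharacter, so escape it ('key\..*') or list the functions explicitly. Positional constraints apply by index, so a caller who passes a constrained argument as a keyword instead is denied by this matcher rather than let through; decide deliberately whether that is the behaviour you want.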

Thanks a bunch for this @DmitryKuzmenko!!
Tough question: Is this PR going to land in any 2017.7 point release? Any ideas?

@danlsgiga This will be available in the next feature release, Oxygen.
