Salt: Client ACL and external auth system should have support for limiting functions to certain arguments

Created on 30 Dec 2012 · 11 Comments · Source: saltstack/salt

My use case is that I want to limit a certain PAM user to control his own virtual machine using the virt module. The virt module often takes the VM name as the argument.
Example:

salt-call virt.destroy VMName

But if I give a user access to the virt.destroy function, the user could then destroy all VMs on the host.

What would solve it is support for checking arguments to functions, for example like this:

external_auth:
  pam:
    vmuser:
     - virt.destroy:
        arg0: VMName

I'm not sure how the arg-system should work, but should probably include support for regexes, or at the very least a static list of allowed arguments.

Core Feature ZD ZRELEASED - Boron

All 11 comments

Wow, this will be a bit of a challenge. But I am open to it; the hard part, I think, will be deciding exactly how these will look in the config, since this is already the most complicated config component.

Since my use case is mostly relevant to the API, it could be solved in salt API instead of here, but I guess the feature would be useful for all salt clients, not just the API. But maybe the API would/could have additional checks?

My final resort would be to filter this in nginx proxy, using lua to check all the args. Would be very easy to implement.

Yes, I am game for adding this, but I won't be able to get to it right away.

Committed for Boron

ZD 411

Here is an example of usage:

external_auth:
  pam:
    my_user:
      - '*':
        - 'my_mod.*':
          args:
            - 'a.*'
            - 'b.*'
          kwargs:
            'kwa': 'kwa.*'
            'kwb': 'kwb'

The rules:

  1. The argument values are matched as regexps.
  2. If argument restrictions are specified, only matching values are allowed.
  3. If an argument isn't specified, any value is allowed.
  4. To skip an arg, use the "everything" regexp .*. I.e., if arg0 and arg2 should be limited but arg1 and other arguments could have any value, use:
          args:
            - 'value0'
            - '.*'
            - 'value2'
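
The four rules above, sketched in Python as an added example (not Salt's implementation and not code from this thread). `FUNCTIONS`, `args_allowed`, `call_allowed` and the VM name `vm-alice` are hypothetical; the sketch assumes a pattern must match the whole value and that a call omitting a restricted argument is denied, neither of which the thread specifies.

```python
import re

# Constructed per-minion function list. Assumed shape: a plain string, or a
# one-key dict mapping a function pattern to its args/kwargs limits.
# "vm-alice" is a made-up VM name for the virt.destroy case in the issue.
FUNCTIONS = [
    "test.ping",
    {"virt.destroy": {"args": ["vm-alice"]}},
    {"my_mod.*": {"args": ["a.*", "b.*"],
                  "kwargs": {"kwa": "kwa.*", "kwb": "kwb"}}},
]


def args_allowed(limits, args, kwargs):
    """Apply the four rules to one call's arguments (hypothetical helper)."""
    for index, pattern in enumerate(limits.get("args", [])):
        # Rules 1, 2, 4: the pattern at each index constrains that positional;
        # '.*' leaves the slot open. Assumption: a missing positional is denied.
        if index >= len(args) or not re.fullmatch(pattern, str(args[index])):
            return False
    # Rule 3: positionals past the end of the pattern list are not checked.
    for name, pattern in limits.get("kwargs", {}).items():
        # Assumption: a restricted keyword must be present and must match.
        if name not in kwargs or not re.fullmatch(pattern, str(kwargs[name])):
            return False
    # Rule 3 again: keywords that are not listed are not checked.
    return True


def call_allowed(functions, fun, args=(), kwargs=None):
    """Return True if any entry in the list permits fun(*args, **kwargs)."""
    kwargs = kwargs or {}
    for entry in functions:
        if isinstance(entry, str):
            # Plain entry: the function is allowed with any arguments.
            if re.fullmatch(entry, fun):
                return True
            continue
        for fun_pattern, limits in entry.items():
            if re.fullmatch(fun_pattern, fun) and args_allowed(
                    limits or {}, args, kwargs):
                return True
    return False
```

With whole-value matching, `vm-alice` does not also admit `vm-alice-2`; under prefix matching it would, so a restriction meant to name exactly one VM should be anchored explicitly.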

@DmitryKuzmenko Does this work for client_acl as well, or just external_auth?

Edit: Actually just saw that this is for external_auth only and works in 2016.3.0+.

Can you just show one example by using any module?

publisher_acl:
  user:
    - nodename:
      - test.ping
      - pkg.clean_metadata
      - pkg.upgrade:
          args:
            - 'httpd'
            - 'nginx'
          kwargs:

How to use kwargs?

@thatsk Can you file a new issue about your documentation questions?
