Publisher ACL System
The Salt publisher ACL system allows non-root system users to execute selected Salt commands on minions from the master. In Salt, minions are the managed servers on which you host your applications. This system lets local system users run commands in Salt without being given root access.
We configure this system in the master configuration file using the publisher_acl configuration option.
Let us understand how this system works. We start by specifying the users who are allowed to send commands. After listing the users, we determine the module functions to which each user will have access. We can use three criteria to specify users and functions.
- Exact match.
- Shell glob.
- Regular expressions.
Example code:
publisher_acl:
  ninja1:
    - .*
  ninja2:
    - web*:
      - test.*
      - pkg.*
We must also change the permissions on the directories this system needs so that the specified users can access them, and adjust the permissions of the master log file accordingly.
chmod 755 /var/cache/salt /var/cache/salt/master /var/cache/salt/master/jobs /var/run/salt /var/run/salt/master
External Authentication System
The external authentication system, also known as eAuth, provides access to execute Salt commands on particular servers (minions) through external authentication systems such as LDAP, PAM, etc. This system needs root access to check credentials. eAuth is also the mechanism used when working with the Salt API. We configure the access in the master file.
external_auth:
  pam:
    ninja1:
      - 'web*':
        - test.*
        - network.*
    ninja2:
      - .*
Here, we allow user ninja1 to call the network and test module functions on the minions that match the target web*, while user ninja2 can execute any function.
If you want to grant access to wheel or runner modules, you can use the @ prefix. For example, @runner will allow access to every runner module.
Matching Syntax
As mentioned, user and function matches are shell globs, exact matches, or regular expressions. Below is the general syntax of an eAuth entry. You can refer to this format and add or change things accordingly.
external_auth:
  <eauth backend>:
    <user or group%>:             # specify a user, or a group with a trailing %
      - <@runner or @wheel>:      # optionally scope to wheel or runner modules
        - <regex to match function>
Sometimes, giving permissions as a group is easier than providing them individually to each user. So, if you want to apply permissions to a group of users, you just append a ‘%’ at the end of the ID.
external_auth:
  pam:
    group1%:
      - '*':
        - 'network.*'
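The matching rules described in the publisher_acl, external_auth and group sections above, as an added example that is not Salt's own code: a small Python model that resolves which entries apply to a user (exact, glob or regex key; trailing % for groups) and whether an entry permits a function, with dict entries scoped to a target and @runner/@wheel scoped to a client type. It assumes a constructed config embedded as a dict, checks one concrete minion ID against the target glob instead of a full target expression, and uses re.match for function regexes, all simplifications of the real master-side check.

```python
import fnmatch
import re

# Constructed external_auth-style config (assumption: a dict embedded here
# instead of the master file; same shape as the pam examples above).
EXTERNAL_AUTH = {
    "pam": {
        "ninja1": [{"web*": ["test.*", "network.*"]}],
        "ninja2": [".*"],
        "group1%": [{"*": ["network.*"]}],
        "ops%": ["@runner"],
    }
}

def expr_match(value, expr):
    """Exact match, then shell glob, then fully anchored regex."""
    if value == expr or fnmatch.fnmatch(value, expr):
        return True
    try:
        return re.match(r"\A(?:%s)\Z" % expr, value) is not None
    except re.error:
        return False

def auth_entries(config, backend, user, groups=()):
    """Permission entries whose key names the user or, with a '%' suffix,
    one of the user's groups (assumed model, not Salt's loader)."""
    entries = []
    for key, perms in config.get(backend, {}).items():
        if key.endswith("%"):
            if any(expr_match(g, key[:-1]) for g in groups):
                entries.extend(perms)
        elif expr_match(user, key):
            entries.extend(perms)
    return entries

def is_allowed(entries, fun, minion="*", client="local"):
    """True if an entry permits `fun`: plain strings are function regexes,
    '@runner'/'@wheel' grant a module class, dicts scope regexes to a target."""
    for entry in entries:
        if isinstance(entry, str):  # normalise the two short forms
            entry = {entry: [".*"]} if entry.startswith("@") else {"*": [entry]}
        for tgt, funs in entry.items():
            if tgt.startswith("@"):
                in_scope = client == tgt[1:]
            else:
                in_scope = client == "local" and fnmatch.fnmatch(minion, tgt)
            if in_scope and any(re.match(f, fun) for f in funs):
                return True
    return False
```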
Enabling eAuth in Command
To use external authentication, we pass the -a option with the backend name. For example, -a pam enables eAuth through PAM.
salt -a pam web\* test.ping
By default, Salt prompts for credentials every time we run a command. This frequent check may become inconvenient, so we use tokens to solve the problem. The -T option creates a token that caches the authentication details for the next 12 hours and uses them to authenticate the user.
salt -T -a pam web\* test.ping
LDAP Authentication
Salt supports user and group authentication against LDAP (Lightweight Directory Access Protocol). We configure LDAP in the master file.
Authentication is performed using simple LDAP binds.
For a single user:
salt.auth.ldap.auth(username, password)
For a user's groups:
salt.auth.ldap.groups(username, **kwargs)
Note that this authentication backend depends on the ldap Python module.
Peer System
The peer communication system allows Salt minions to send commands to each other through the master. It also allows minions to execute runners on the master, which returns the response to the minion. We configure these two abilities in the peer section and the peer_run section, respectively.
Let us look at both of these configurations in detail.
Peer Configuration
The most straightforward configuration allows every minion to call every function on every other minion, but we recommend using it only in very secure environments.
peer:
  .*:
    - .*
We can also allow access only to minions with specific IDs. Follow the code written below.
peer:
  .*domain.com:
    - test.*
    - pkg.*
This config will allow all the minions having IDs ending with domain.com to access the test and pkg module functions.
Peer_run Configuration
In this section the minions execute runners on the master. Its syntax is very similar to the peer configuration.
peer_run:
  .*:
    - .*
The above code allows every minion to execute every runner.
The following syntax allows minions with specific IDs to access specific runners.
peer_run:
  .*domain.com:
    - test.*
    - pkg.*
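The peer and peer_run checks above, as an added example that is not Salt's own code: a Python model in which each section key is a regex tried against the publishing minion's ID and the matching keys' function regexes are tried against the requested function. It assumes constructed sections embedded as dicts and assumes matching with Python's re.match, which anchors only the start of the string; that assumption is what makes the end-anchor check below worth running over a real config.

```python
import re

# Constructed peer and peer_run sections (assumption: dicts embedded here
# instead of the master file, mirroring the examples above).
PEER = {".*domain.com": ["test.*", "pkg.*"]}
PEER_RUN = {".*domain.com": ["manage.*"]}

def peer_allowed(section, minion_id, fun):
    """Simplified model (assumption, not Salt's code): a minion may publish
    `fun` if some key matches its ID with re.match and one of that key's
    function regexes matches `fun` the same way."""
    for id_regex, fun_regexes in section.items():
        if re.match(id_regex, minion_id):
            if any(re.match(f, fun) for f in fun_regexes):
                return True
    return False

def unanchored_keys(section):
    """Keys with no end anchor. Under re.match, '.*domain.com' also accepts
    IDs such as 'web1.domain.com.example', so flag them for review."""
    return [k for k in section if not k.endswith("$")]

def anchored(section):
    """Return a copy of the section with every key end-anchored."""
    return {(k if k.endswith("$") else k + "$"): list(v)
            for k, v in section.items()}
```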
Using Peer Communication
We use the publish module to manage peer communication. Currently, the publish module has three main uses.
1. To run a function, say test.ping, on all minions, we use publish.publish.
   # salt-call publish.publish \* test.ping
2. To run a runner such as manage.up from a minion, we use publish.runner.
   # salt-call publish.runner manage.up
3. We can also select minions with other matchers using the tgt_type keyword.
   # salt-call publish.publish 'webserv* and not G@os:Ubuntu' test.ping tgt_type='compound'
Frequently Asked Questions
What do you understand by Whitelist and Blacklist in Salt?
Whitelisting and blacklisting help in configuring authorization in Salt. If we whitelist operations, then only those operations are allowed. If we blacklist some functions, every function other than the blacklisted ones is permitted.
Which language should I learn to use Saltstack?
Saltstack is simple, easy-to-use software written in Python, so Python is a prerequisite for Saltstack. Python takes around three to four weeks to learn at the beginner level.
Is Saltstack an open-source software?
Yes, Salt is an open-source configuration management tool. It is freely available to users and is developed with contributions from various communities.
Conclusion
In this article, we discussed the access control system in Salt. We explored:
- publisher_acl systems: Can be used for local systems.
- eAuth systems: Useful for Salt APIs.
- peer systems: Can be used for remote systems.
We sincerely hope the above discussion helped you understand Salt's access control system. You can refer to our blogs on job cache and job management if you wish to learn more about Salt.