SaltStack - Access Control System

The SaltStack Access Control System lets users run Salt commands only within the permissions granted to them. It is used to configure access for non-administrative control interfaces, so that a user can apply the same process to different systems.

In short, the Access Control System is what lets non-administrative users execute Salt commands.

Salt provides the following three access control interfaces:

* Publisher ACL system

* External Auth system

* Peer system

Publisher ACL system

This system grants users other than root the ability to run Salt commands on Salt Minions from the Salt Master. The Publisher ACL system is configured in the master configuration file through the ‘publisher_acl’ option.

For example:

publisher_acl:
  user1:
    - .*
  user2:
    - web*:
      - test.*
      - pkg.*

Here, user1 can execute anything, whereas user2 can only execute functions in the test and pkg modules, and only on minions matching ‘web*’.
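To make the matching rules concrete, the following is an added example (not Salt's own code) that evaluates the publisher_acl above the way the master does: a plain string entry is a regex checked against the full module.function name on any minion, while a dict entry only applies if every minion the command targets falls inside the entry's target. The external_auth section further down has the same per-user shape under its backend key, so the same check applies there. The minion inventory and the use of glob targets only are assumptions for the example.

```python
import fnmatch
import re

# Constructed: the publisher_acl from the page, as loaded from the master config.
PUBLISHER_ACL = {
    "user1": [".*"],
    "user2": [{"web*": ["test.*", "pkg.*"]}],
}

# Constructed minion inventory standing in for the master's minion cache.
MINIONS = ["web1", "web2", "db1"]


def expand_target(tgt_glob, minions=MINIONS):
    """Expand a glob target into the set of matching minion ids."""
    return {m for m in minions if fnmatch.fnmatchcase(m, tgt_glob)}


def fun_allowed(regex, fun):
    """ACL function entries are regexes anchored at the start only, so
    'test.*' matches 'test.ping'. Note that the dot is a regex metacharacter,
    which is why 'test.*' also matches 'testing.x' (an ACL written too broadly)."""
    return re.match(regex, fun) is not None


def acl_check(acl, user, tgt_glob, fun, minions=MINIONS):
    """Return True if `user` may run `fun` on every minion matched by `tgt_glob`.

    Simplified model of the publisher_acl check: glob targets only, no
    compound or grain-based targeting.
    """
    requested = expand_target(tgt_glob, minions)
    if not requested:
        return False  # nothing would run; deny rather than silently allow
    for entry in acl.get(user, []):
        if isinstance(entry, str):
            if fun_allowed(entry, fun):
                return True
            continue
        for acl_tgt, fun_regexes in entry.items():
            allowed = expand_target(acl_tgt, minions)
            # The command is permitted only if ALL targeted minions are
            # covered by the ACL target and the function matches.
            if requested <= allowed and any(fun_allowed(r, fun) for r in fun_regexes):
                return True
    return False
```

The subset rule is the point worth noticing: user2 targeting '*' is denied even for test.ping, because '*' also reaches db1, which lies outside ‘web*’.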

External Auth system

This system grants access to run Salt commands on particular minions via an external authentication system such as LDAP or PAM. It is defined in the master configuration file as shown below:

external_auth:
  pam:
    user1:
      - 'web*':
        - test.*
        - network.*
    user2:
      - .*

user1 can execute functions in the test or network modules on the Salt Minions matching the ‘web*’ target.

user2 can execute anything.

The salt command provides the ‘-a’ option to enable external authentication.

For example: salt -a pam web* test.ping

Peer system

Salt Minions can pass commands to other minions through the Peer Interface, which is configured in the master configuration file. The ‘peer’ configuration lets minions publish commands to other minions, and the ‘peer_run’ configuration lets minions execute runners on the master.

Peer Configuration

This configuration is defined in the SaltMaster File as mentioned below:

peer:
  .*:
    - .*

This configuration enables peer communication for all minions and all functions. It is advised to use this configuration only in a secure environment.

Peer Run Configuration

This configuration lets minions execute runners on the master through the ‘peer_run’ option.

For example:

peer_run:
  .*:
    - .*

This configuration allows all minions to execute all runners.
