-
Notifications
You must be signed in to change notification settings - Fork 192
Workaround to allow Salt "publisher_acl" rules on containerized environment
Some users are making use of publisher_acl
configuration from Salt master, to allow local non-root users in the Uyuni server to call salt
CLI and being able to target certain minions with only some allowed functions, as there is currently no way to do this from the Uyuni web UI / API (as all commands are triggered by user "admin" and we cannot restrict which commands are allowed for different users).
As mentioned, some users decided to use the publisher_acl
configuration for Salt Master (see documentation) , which is meant to control the access to the salt
CLI for local non-root users and define which commands are allowed. This worked fine for them in previous Uyuni environments, where customer can create local users in the host where salt-master
is running, and define these rules.
In Uyuni containarized environment, this is not possible:
- The
salt
CLI is not visible in the Uyuni server host, but inside the "uyuni-server" container. - The "uyuni-server" container, where "salt-master" is running, does not contain the users definition from the host, needed for ACL.
- The
uyuni-server
container is only visible for "root" in the Uyuni containerized server, so other non-root users cannot access to it to execute commands.
In Salt Master, such ACL rules can be defined via publisher_acl
but also via external_auth
configuration (used for Salt API). In this sense, a possible working workaround for these users could be based on setting the ACL rules via external_auth
and use Salt API instead of CLI.
These are the instructions for this workaround:
- Redefine
rest_cherrypy
(exposing the port to 0.0.0.0) at in a new configuration file:/etc/salt/master.d/zz-custom.conf
- Create a copy of
/etc/salt/master.d/susemanager-users.txt
to/etc/salt/master.d/zz-susemanager-users.txt
and append the users/pass that we want to allow access. - Make sure
/etc/salt/master.d/zz-susemanager-users.txt
is owned bysalt
user. - Redefine
external_auth
to include ACL (same way than forpublisher_acl
) for the different extra users added to/etc/salt/master.d/zz-susemanager-users.txt
- Add
-p 9080:9080
to/etc/systemd/system/uyuni-server.service
file to expose the Salt API port out of the container. - Restar your Uyuni server container.
- Use
pepper
directly on the Uyuni server host, passing your user / passwd to execute commands via this particular users through the Salt API.
So, the /etc/salt/master.d/zz-custom.conf
file would look like as something similar to this:
# Redefine cherrypy
rest_cherrypy:
port: 9080
host: 0.0.0.0
collect_stats: false
expire_responses: false
ssl_crt: /etc/salt/pki/api/salt-api.crt
ssl_key: /etc/salt/pki/api/salt-api.key
# Redefine Setup API authentication + ACL
external_auth:
file:
^filename: /etc/salt/master.d/zz-susemanager-users.txt
^hashtype: sha512
admin:
- .*
- '@wheel'
- '@runner'
- '@jobs'
pepe:
- 'web*':
- cmd.run
pablo:
- test.ping
And the /etc/salt/master.d/zz-susemanager-users.txt
file with something like:
admin:SHA512HASH
pepe:ANOTHER_SHA512_HASH
pablo:ONE_MORE_SHA512_HASH
In order to use pepper
, you can take it from this OBS repository: https://build.opensuse.org/package/show/systemsmanagement:saltstack/salt-pepper
Just install python3-salt-pepper
and start using it. Example of use:
# pepper -a file -u https://localhost:9080/ \* test.ping
Username: pablo
Password:
uyuni-master-min-build.mgr.suse.de:
True
uyuni-master-min-kvm.mgr.suse.de:
True
uyuni-master-min-suse.mgr.suse.de:
True
uyuni-master-pxy.mgr.suse.de:
True
You can create ~/.pepperrc
file to set your auth configuration. More info here:
[main]
SALTAPI_URL=https://localhost:9080/
SALTAPI_USER=pablo
SALTAPI_EAUTH=file
Then you can use it more easily without passing the auth parameters:
# pepper \* test.ping
Password:
uyuni-master-min-build.mgr.suse.de:
True
uyuni-master-min-kvm.mgr.suse.de:
True
uyuni-master-min-suse.mgr.suse.de:
True
uyuni-master-pxy.mgr.suse.de:
True