SaltStack - Access Control System
An access control system defines which users or groups are permitted to execute which tasks. Salt's access control system configures access to its non-administrative control interfaces, and it can be applied to all systems under Salt's control. It allows non-administrative (non-root) users to execute Salt commands within the limits you set.
Salt provides the following three access control interfaces −
Publisher ACL system
External Auth system
Peer system
Let us go through each of these interfaces in detail.
Publisher ACL System
The Publisher ACL system allows users other than root to execute Salt commands on minions from the master. It is configured in the master configuration file via the publisher_acl option, as follows −
publisher_acl:
  user1:
    - .*
  user2:
    - web*:
      - test.*
      - pkg.*
Here,
user1 is allowed to execute anything on any minion.
user2 is allowed to use the test and pkg modules, but only on minions matching “web*”.
External Auth System
The external auth system grants access to execute Salt commands on specific minions after the user is authenticated by an external authorization system like PAM or LDAP. It is configured in the master configuration file as described below.
external_auth:
  pam:
    user1:
      - web*:
        - test.*
        - network.*
    user2:
      - .*
Here,
user1 is allowed to execute functions in the test and network modules on the minions that match the web* target.
user2 is allowed to execute all the functions.
Enable the External Auth System in Command
The salt command provides the -a option to select an external authentication backend.
salt -a pam 'web*' test.ping
Here, the -a pam option enables PAM external authentication. Salt will prompt for credentials every time the command is executed. To be prompted only the first time, use the -T option. The -T option caches the authentication token for the next 12 hours (default setting) and reuses it to authenticate subsequent commands.
salt -T -a pam 'web*' test.ping
Peer System
Salt minions can send commands to other minions through the master using the peer interface. The peer interface is configured in the master configuration file in two ways: the peer section allows minions to publish execution functions to other minions through the master, and the peer_run section allows minions to execute runners on the master.
Let us understand both these configurations in detail.
Peer configuration
The simplest configuration to be defined in the master file is as below −
peer:
  .*:
    - .*
This enables every minion to publish every function to every other minion; it is recommended only for very secure environments.
To restrict the permission to minions with specific IDs, the configuration needs to be defined as shown below −
peer:
  .*domain.com:
    - test.*
peer_run Configuration
This configuration allows minions to execute runners on the master using the peer_run option in the master file. The following example allows all minions to execute all runners.
peer_run:
  .*:
    - .*
To restrict the permission to minions with specific IDs, the configuration needs to be defined as given below −
peer_run:
  .*domain.com:
    - test.*
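To see how rules of this shape are evaluated, here is an added example (not Salt's own code) that models the publisher_acl, external_auth and peer rule lists shown on this page and checks whether a given user or minion may run a given function on a given target. It assumes a simplified model: the principal key and the function patterns are treated as regular expressions that must match the whole string, and minion target globs such as web* are matched with fnmatch. Salt's real matcher (in salt.utils.minions) also supports compound targets and other options not modelled here. The configs PUBLISHER_ACL and PEER are constructed from the page's examples, and unrestricted_principals is a review helper that flags the broad ".*" grants the page says are only appropriate for very secure environments.

```python
"""Toy evaluator for Salt-style ACL rule lists (publisher_acl / external_auth / peer).

Added example, not Salt's own code. Simplified model (assumption):
  - principal keys (user names, or minion IDs for peer rules) are regexes, full match
  - function patterns are regexes, full match
  - minion targets inside a rule are globs matched with fnmatch
"""
import re
from fnmatch import fnmatch

# Constructed config mirroring the page's publisher_acl example.
PUBLISHER_ACL = {
    "user1": [".*"],
    "user2": [{"web*": ["test.*", "pkg.*"]}],
}

# Constructed config mirroring the page's restricted peer example.
# Principal = the minion publishing the command, rule = functions it may publish.
PEER = {
    ".*domain.com": ["test.*"],
}


def _rule_permits(rule, minion_id, fun):
    """Evaluate one list entry: a bare function regex (applies to any minion)
    or a {target_glob: [function regexes]} mapping."""
    if isinstance(rule, str):
        return re.fullmatch(rule, fun) is not None
    for target, funs in rule.items():
        if fnmatch(minion_id, target) and any(re.fullmatch(f, fun) for f in funs):
            return True
    return False


def is_allowed(acl, principal, minion_id, fun):
    """Return True if `principal` may run `fun` on `minion_id` under `acl`.

    `principal` is a user name for publisher_acl / external_auth, or the
    requesting minion's ID for peer rules."""
    for key, rules in acl.items():
        if re.fullmatch(key, principal) is None:
            continue
        if any(_rule_permits(r, minion_id, fun) for r in rules):
            return True
    return False


def unrestricted_principals(acl):
    """Principals holding a bare '.*' rule, i.e. every function on every minion.
    Useful when reviewing a master config: the page recommends such grants
    only for very secure environments."""
    return sorted(
        key for key, rules in acl.items()
        if any(isinstance(r, str) and r == ".*" for r in rules)
    )


if __name__ == "__main__":
    checks = [
        (PUBLISHER_ACL, "user1", "db1", "cmd.run"),
        (PUBLISHER_ACL, "user2", "web1", "test.ping"),
        (PUBLISHER_ACL, "user2", "db1", "test.ping"),
        (PUBLISHER_ACL, "user2", "web1", "cmd.run"),
        (PEER, "web1.domain.com", "web2.domain.com", "test.ping"),
        (PEER, "rogue.example.net", "web2.domain.com", "test.ping"),
    ]
    for acl, who, target, fun in checks:
        print(f"{who:>18} -> {target:<16} {fun:<10} allowed={is_allowed(acl, who, target, fun)}")
    print("unrestricted:", unrestricted_principals(PUBLISHER_ACL))
```

Running the script shows user2 succeeding with test.ping on web1 but being refused on db1 and refused cmd.run anywhere, while user1 passes every check and is reported by unrestricted_principals; the same evaluator applied to the peer rules lets a minion in domain.com publish test.* and rejects a minion outside it.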
How to Execute Commands
To execute test.ping on all minions from a minion, use the salt-call command with the publish.publish function (the target is quoted so the shell does not expand the wildcard).
salt-call publish.publish '*' test.ping
To execute a runner on the master from a minion, use the salt-call command with the publish.runner function.
salt-call publish.runner manage.up