- SaltStack Tutorial
- SaltStack - Home
- SaltStack - Overview
- SaltStack - Architecture
- SaltStack - Competitors
- SaltStack - Installation
- Creating a Simple Environment
- SaltStack - Access Control System
- SaltStack - Job Management
- SaltStack - Salt File Server
- SaltStack - Git as a File Server
- Using MinionFS as the File Server
- SaltStack - Using Cron with Salt
- SaltStack - Remote Execution
- Configuration Management
- SaltStack - Logging
- SaltStack - Salt through SSH
- Salt for Cloud Infrastructure
- SaltStack - Salt Proxy Minions
- SaltStack - Event system
- SaltStack - Orchestration
- SaltStack - Salt Package Manager
- SaltStack - Python API
- SaltStack - Working Example
- SaltStack Useful Resources
- SaltStack - Quick Guide
- SaltStack - Useful Resources
- SaltStack - Discussion
SaltStack - Access Control System
An Access Control System provides options for a user for a group to execute a task with permissions. A Salt access control system is used to configure access to non-administrative control interfaces. You can apply this process to all the systems. This control helps the non-administrative users to execute the Salt commands.
Salt interfaces are of the following three types −
- Publisher ACL system
- External Auth system
- Peer system
Let us understand go through each of these interfaces in detail.
Publisher ACL System
A Publisher ACL system allows access to the users other than root to execute Salt commands on minions from the master. The publisher ACL system is configured in the master configuration file via the publisher_acl configuration option. It is defined as follows −
publisher_acl:
user1:
- .*
user2:
- web*:
- test.*
- pkg.*
Here,
user1 is allowed to execute anything.
user2 is allowed to use test and pkg, but only on “web*” minions.
External Auth System
The external auth system is used to provide access to execute salt commands on specific minions through external authorization system like PAM, LDAP, etc. This configuration file is defined in the master file as described below.
external_auth:
pam:
user1:
- 'web*':
- test.*
- network.*
user2:
- .*
Here,
user1 is allowed to execute functions in the test and network modules on the minions that match the web* target.
user2 is allowed to execute all the functions.
Enable the External Auth System in Command
Salt server provides an option ‘–a’ to enable external authentication.
salt -a pam web\* test.ping
Here, the -a pam option is used to enable PAM external authentication. Salt Server will ask for authentication details whenever we execute the command. To restrict Salt Server from asking the authentication details for the first time only, we can use the T option. This -T option caches the authentication details for the next 12 hours (default setting) and use it to authenticate the users.
salt -T -a pam web\* test.ping
Peer System
Salt minions can pass commands using the peer interface. The peer interface is configured through the master configuration file either to allow minions to send commands from the master using the peer configuration section or to allow minions to execute runners from the master using the peer_run configuration.
Let us understand both these configurations in detail.
Peer configuration
The simple configuration to be defined in master file is as below −
peer:
.*:
- .*
Here, It enables communication for all minions, but it is only recommended for very secure environments.
To assign minions to specific ID’s, the configuration needs to be defined as shown below: peer −
.*domain.com: - test.*
peer_run Configuration
This configuration is to allow minions to execute runners from the master using the peer_run option on the master file. The following example is to allow access to all minions and to all the runners.
peer_run:
.*:
- .*
To assign minions to a specific ID, the configuration needs to be defined as given below −
peer_run:
.*domain.com:
- test.*
How to Execute Commands
To execute test.ping on all the minions, use the salt-call command along with the publish.publish module.
salt-call publish.publish \* test.ping
To execute runner, use the salt-call command along with the publish.runner module.
salt-call publish.runner manage.up