Add option to disable clients in netapi #59622
Conversation
barneysowood
changed the title
barneysowood
force-pushed
the
config-disable-salt-api-clients
branch
from
717853b to
7e1d683
Compare
barneysowood
changed the title
barneysowood
force-pushed
the
config-disable-salt-api-clients
branch
2 times, most recently
from
130e491 to
0996333
Compare
|
re-run ci/py3/macosxmojave/pytest |
|
re-run pr-macosxmojave-py3-pytest |
|
@barneysowood I updated the branch with |
Thanks @sagetherage. Looks like the failing tests are fixed now - thanks! Unfortunately seems to have times out on ci/py3/centos7/pycryptodome/pytest - I'll try that again now. |
|
re-run pr-centos7-py3-pycryptodome-pytest |
|
OK, tests now all green. @garethgreenaway - if you get a chance to review that would be great, thanks! |
|
I approved but look like there is a merge conflict. Would also like to get @dwoz review here as well. |
|
Hmm, have totally messed up the rebase trying to sort the conflict. Will fix that and re-push |
barneysowood
force-pushed
the
config-disable-salt-api-clients
branch
2 times, most recently
from
3b15891 to
6e21408
Compare
|
re-run pr-freebsd-122-amd64-py3-pytest |
|
re-run pr-ubuntu-2004-arm64-py3-pytest |
|
re-run pr-macosx-mojave-x86_64-py3-pytest |
barneysowood
force-pushed
the
config-disable-salt-api-clients
branch
from
6e21408 to
e03b3b1
Compare
|
re-run pr-fedora-34-x86_64-py3-pytest |
1 similar comment
|
re-run pr-fedora-34-x86_64-py3-pytest |
|
re-run pr-macosx-catalina-x86_64-py3-pytest |
|
re-run pr-macosx-mojave-x86_64-py3-pytest |
@dwoz - I would tend to agree, but I was trying to avoid a breaking change. If everyone is OK with that I'm happy rework this to be The other option would be to set the default (either using the |
barneysowood
dismissed stale reviews from garethgreenaway and Ch3LL
via
dcdeed4
barneysowood
force-pushed
the
config-disable-salt-api-clients
branch
from
9a19bf2 to
dcdeed4
Compare
|
re-run pr-amazon-2-x86_64-py3-pytest |
|
@dwoz I really like the idea of the opt in as well, but that seems like a big change for users of salt-api. Shouldn't we add a deprecation notice somehow or give users notice before we make this change? |
barneysowood
force-pushed
the
config-disable-salt-api-clients
branch
3 times, most recently
from
080df77 to
5df0cd4
Compare
Adds an option to allow you to disable clients (eg ssh, wheel) in the netapi. Does the check before any attempts to authenticate.
Adds pytest based integration tests as the old non-pytest netapi/test_client.py tests have been removed.
barneysowood
force-pushed
the
config-disable-salt-api-clients
branch
from
5df0cd4 to
eb6b085
Compare
|
Closing in favour of #63050 |
What does this PR do?
Adds a new config option "netapi_disable_clients" that takes a list of clients to disable in the netapi.
Checks the list early in handling the the request before authentication occurs. Should be useful where certain clients (eg ssh or wheel) aren't required and should be disabled to reduce attack surface in the salt-api.
replaces #58872
What issues does this PR fix or reference?
New Behavior
Adds "netapi_disable_clients" list option to the config which is checked when a request is passed to NetApiClient.run() and an exception raised if the requested client is in the list.
Merge requirements satisfied?
[NOTICE] Bug fixes or features added to Salt require tests.
Commits signed with GPG?
No