Workaround to allow Salt "publisher_acl" rules on containerized environment
Some users are making use of the publisher_acl configuration of the Salt master to allow local non-root users on the Uyuni server to call the salt CLI and target certain minions with only some allowed functions, as there is currently no way to do this from the Uyuni web UI / API (all commands are triggered by user "admin" and we cannot restrict which commands are allowed for different users).
As mentioned, some users decided to use the publisher_acl configuration for Salt Master (see documentation), which is meant to control access to the salt CLI for local non-root users and define which commands are allowed. This worked fine for them in previous Uyuni environments, where the customer can create local users on the host where salt-master is running and define these rules.
In the Uyuni containerized environment, this is not possible:
- The salt CLI is not visible on the Uyuni server host, only inside the "uyuni-server" container.
- The "uyuni-server" container, where "salt-master" is running, does not contain the user definitions from the host, which are needed for the ACL.
- The uyuni-server container is only visible to "root" on the Uyuni containerized server, so other non-root users cannot access it to execute commands.
In Salt Master, such ACL rules can be defined via publisher_acl but also via the external_auth configuration (used for the Salt API). A possible workaround for these users is therefore to set the ACL rules via external_auth and use the Salt API instead of the CLI.
These are the instructions for this workaround:
- Redefine rest_cherrypy (exposing the port to 0.0.0.0) in a new configuration file: /etc/salt/master.d/zz-custom.conf
- Create a copy of /etc/salt/master.d/susemanager-users.txt to /etc/salt/master.d/zz-susemanager-users.txt and append the users/pass that we want to allow access.
- Make sure /etc/salt/master.d/zz-susemanager-users.txt is owned by the salt user.
- Redefine external_auth to include the ACL (the same way as for publisher_acl) for the different extra users added to /etc/salt/master.d/zz-susemanager-users.txt
- Add -p 9080:9080 to the /etc/systemd/system/uyuni-server.service file to expose the Salt API port out of the container.
- Restart your Uyuni server container.
- Use pepper directly on the Uyuni server host, passing your user / passwd to execute commands as these particular users through the Salt API.
So, the /etc/salt/master.d/zz-custom.conf file would look something like this:
# Redefine cherrypy
rest_cherrypy:
  port: 9080
  host: 0.0.0.0
  collect_stats: false
  expire_responses: false
  ssl_crt: /etc/salt/pki/api/salt-api.crt
  ssl_key: /etc/salt/pki/api/salt-api.key
# Redefine Setup API authentication + ACL
external_auth:
  file:
    ^filename: /etc/salt/master.d/zz-susemanager-users.txt
    ^hashtype: sha512
    admin:
      - .*
      - '@wheel'
      - '@runner'
      - '@jobs'
    pepe:
      - 'web*':
        - cmd.run
    pablo:
      - test.ping
And the /etc/salt/master.d/zz-susemanager-users.txt file with something like:
admin:SHA512HASH
pepe:ANOTHER_SHA512_HASH
pablo:ONE_MORE_SHA512_HASH
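A helper for preparing and checking the users file against the ACL above, as an added example that is not part of the original page or of Uyuni/Salt. It assumes that with ^hashtype: sha512 each line is user:<lowercase hex SHA-512 of the password>; the function names, passwords and the extra users "juan" and "maria" are made up for illustration.

```python
import hashlib
import re

# Assumption: with "^hashtype: sha512", each users-file line is
# "user:<lowercase hex SHA-512 of the password>".
HEX_SHA512 = re.compile(r"[0-9a-f]{128}")

def users_file_line(username, password):
    """Build one 'user:hash' line for zz-susemanager-users.txt."""
    if not username or ":" in username or "\n" in username:
        raise ValueError("username must be non-empty, without ':' or newlines")
    return f"{username}:{hashlib.sha512(password.encode('utf-8')).hexdigest()}"

def audit_users_file(text, acl_users):
    """Compare users-file content with the user names that have an ACL
    under external_auth -> file; return a list of problems."""
    problems, seen = [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        user, sep, digest = raw.strip().partition(":")
        if not raw.strip():
            continue
        if not sep or not user:
            problems.append(f"line {lineno}: not in user:hash form")
            continue
        if user in seen:
            problems.append(f"line {lineno}: duplicate entry for {user}")
        seen.add(user)
        if not HEX_SHA512.fullmatch(digest):
            problems.append(f"line {lineno}: {user} has no valid sha512 hex digest")
        if user not in acl_users:
            problems.append(f"line {lineno}: {user} has no ACL in external_auth")
    for user in sorted(set(acl_users) - seen):
        problems.append(f"{user} has an ACL but no users-file entry")
    return problems

# Constructed sample: passwords and the extra names "juan"/"maria" are made up.
SAMPLE_USERS_FILE = "\n".join([
    users_file_line("admin", "constructed-admin-pw"),
    users_file_line("pepe", "constructed-pepe-pw"),
    "pablo:ONE_MORE_SHA512_HASH",   # placeholder left in by mistake
    "juan:" + "0" * 128,            # entry without a matching ACL
])
SAMPLE_ACL_USERS = {"admin", "pepe", "pablo", "maria"}

if __name__ == "__main__":
    for problem in audit_users_file(SAMPLE_USERS_FILE, SAMPLE_ACL_USERS):
        print(problem)
```

Under that assumption the digests are unsalted, which is one more reason to keep the file owned by the salt user as the steps above require.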
In order to use pepper, you can take it from this OBS repository: https://build.opensuse.org/package/show/systemsmanagement:saltstack/salt-pepper
Just install python3-salt-pepper and start using it. Example of use:
# pepper -a file -u https://localhost:9080/ \* test.ping
Username: pablo
Password:
uyuni-master-min-build.mgr.suse.de:
True
uyuni-master-min-kvm.mgr.suse.de:
True
uyuni-master-min-suse.mgr.suse.de:
True
uyuni-master-pxy.mgr.suse.de:
True
You can create a ~/.pepperrc file to set your auth configuration. More info here:
[main]
SALTAPI_URL=https://localhost:9080/
SALTAPI_USER=pablo
SALTAPI_EAUTH=file
Then you can use it more easily without passing the auth parameters:
# pepper \* test.ping
Password:
uyuni-master-min-build.mgr.suse.de:
True
uyuni-master-min-kvm.mgr.suse.de:
True
uyuni-master-min-suse.mgr.suse.de:
True
uyuni-master-pxy.mgr.suse.de:
True