You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Investigating further made me understand that the one enforcing the policy was salt-master and since I had not restarted the salt-master (but only salt-api) between changing from '.*' to 'test.ping' in the external_auth, it would return results for a cmd.run query.
Could I argue that every intermediary (pepper or any webapp and salt-api) should look at the permissions before trying to run them ? Is this what was meant for when returning the "perms" information when on logs in ?
Am heading to salt issue tracker to add an issue for this one as well.
The text was updated successfully, but these errors were encountered:
The perms return after logging in is intended for consumption by clients of the REST API so they can provide a more user-friendly experience. It is decidedly not intended for any kind of security.
As a real-world example, a web UI could use the perms output to only display or auto-complete function names the current user has permission to run. It makes sense to add something similar to Pepper (probably requiring #4). That would allow Pepper to quickly perform a pre-flight check before sending any comparatively slow HTTP requests only to arrive at the same 'denied' answer.
I am marking this as a feature addition and will edit the issue title to coincide.
whiteinge
changed the title
[security] pepper or salt-api could filter commands based on permissions
Add pre-check for user permissions before sending command to salt-api
Jan 30, 2015
At some point in testing, I was quite surprised to find :
Investigating further made me understand that the one enforcing the policy was salt-master and since I had not restarted the salt-master (but only salt-api) between changing from '.*' to 'test.ping' in the external_auth, it would return results for a cmd.run query.
Could I argue that every intermediary (pepper or any webapp and salt-api) should look at the permissions before trying to run them ? Is this what was meant for when returning the "perms" information when on logs in ?
Am heading to salt issue tracker to add an issue for this one as well.
The text was updated successfully, but these errors were encountered: