
Feature request: Add finer grained authorization for @runner, @job and @wheel in external_auth #19732

Closed
UtahDave opened this issue Jan 14, 2015 · 22 comments
Labels: Core (relates to code central or existential to Salt), Feature (new functionality including changes to functionality and code refactors, etc.), P1 (Priority 1), severity-critical (top severity, seen by most users, serious issues), ZD (the issue is related to a Zendesk customer support ticket), ZRELEASED - 2018.3.0

Comments

@UtahDave
Contributor

UtahDave commented Jan 14, 2015

Consider the following config:

external_auth:
  pam:
    sarah:
      - 'test.version'
      - 'network.ip_addrs'
      - 'state.highstate'
      - '@runner'

I have pretty fine grained control over which functions Sarah can execute, but with @runner , @wheel and @job , it's a binary all or nothing.

I think it's pretty important to be able to have the same fine grained control as with execution modules.
I'm not sure exactly what that should look like, but maybe something like this?

external_auth:
  pam:
    sarah:
      - 'test.version'
      - 'network.ip_addrs'
      - 'state.highstate'
      - '@runner.myrunner.myfunction'
      - '@runner.my_other_runner.*'
      - '@wheel.key.accept'
      - '@jobs'

In the above scenario I'm allowing Sarah to execute only the myfunction function in the myrunner.py runner and any function in the my_other_runner.py runner. As well as only the accept function in the wheel's key module. (I didn't go verify that there is an accept function, but regardless, I'm sure you can see what I mean.)

@rallytime rallytime added the Feature new functionality including changes to functionality and code refactors, etc. label Jan 14, 2015
@rallytime rallytime added this to the Approved milestone Jan 14, 2015
@whiteinge
Contributor

This would be great. There was a recent @jobs addition but there really should be granular function-level control.

@arthurzenika
Contributor

+1

@jfroche

jfroche commented Sep 2, 2015

That would be really nice. (As explained in #26832: We have different teams and they would like to orchestrate deployments using salt. The orchestrate runner seems like the perfect match for that, but we need auth to limit/control which orchestrate sls can be run by users.)

@whiteinge
Contributor

/cc @cachedout - relevant issue to our discussion yesterday about pattern matching on args in addition to runner/wheel functions.

@DanyC97

DanyC97 commented Sep 3, 2015

+1

@damon-atkins
Contributor

+1

@PierreR
Contributor

PierreR commented Sep 9, 2015

+1

@jagguli
Contributor

jagguli commented Sep 23, 2015

+1

@danlsgiga
Contributor

+1

@CptSupermrkt

+1

I just spent a day getting salt-api working and understanding it, then realized if the account I'm using gets compromised, the account could use wheel to do things like alter the master config and probably a whole slew of other nasty things. This unfortunately isn't an acceptable security risk, especially when I only want the account to have access to wheel.key.gen_accept.

@whiteinge whiteinge added the Core relates to code central or existential to Salt label Jun 8, 2016
@meggiebot meggiebot added the P2 Priority 2 label Jun 8, 2016
@danlsgiga
Contributor

Hello there... Bringing up this thread... I saw a similar feature was released in Boron (#29153) including the ability to limit args and kwargs but only to modules. Being able to do the same fine grained ACLs for runners and wheel would be totally awesome!!

@rickh563

zd-913

@rickh563 rickh563 added the ZD The issue is related to a Zendesk customer support ticket. label Aug 24, 2016
@meggiebot meggiebot added P1 Priority 1 and removed P2 Priority 2 labels Aug 25, 2016
@bemeyert

Hi all, what's the status here? We could really use that "feature". No one here wants to implement that in the Nginx proxy before Cherrypy in Lua.

@rickh563

@bemeyert, this Feature-Request is under active consideration for the Spring Feature-Release of Salt.

Final decisions regarding which Feature-Requests that will be included in the Spring Feature-Release of Salt will be made in January-2017.

Regards,
Rick

@hoitsang

hoitsang commented Dec 8, 2016

@rickh563 ... as long as it's not released under "commercial license only" do you have any news?

@rickh563

rickh563 commented Dec 8, 2016

@hoitsang, this Feature would be delivered as part of open source Salt.
As noted above, news will exist in January, no later than Jan-31-2017.
-- Rick

@hoitsang

hoitsang commented Dec 8, 2016

Thank you @rickh563! Really looking forward to it!

In the meantime I hope this hack will buy some time for everyone else, especially those of us who live at least 6 months behind the latest and greatest.

In salt/utils/minions.py:

    def wheel_check(self, auth_list, fun):
        '''
        Check special API permissions
        '''
        # `fun` arrives as 'module.function', e.g. 'key.list_all'
        comps = fun.split('.')
        if len(comps) != 2:
            return False
        mod = comps[0]
        fun = comps[1]
        for ind in auth_list:
            # `six` is the module-level import already present in salt/utils/minions.py
            if isinstance(ind, six.string_types):
                # '@key' grants every function of the key wheel module
                if ind.startswith('@') and ind[1:] == mod:
                    return True
                # '@wheel' / '@wheels' grant the whole wheel interface
                if ind == '@wheel':
                    return True
                if ind == '@wheels':
                    return True
                # ======================= #
                # ADD ONE MORE CHECK HERE #
                # ======================= #
                # '@wheel.key.list_all' grants exactly one function
                # (exact string comparison: no globs or regexes)
                if ind == '@wheel.{0}.{1}'.format(mod, fun):
                    return True

So that, at the bare minimum, we could grant wheel calls at the module-function level:

external_auth:
  ldap:
    Salt NOC Users%:
      - test.*
      - '@wheel.key.list_all'

Same story goes with runner_check() in the same module for @runner.

@UtahDave UtahDave changed the title Feature request: Add finer grained authorization for @runner and @wheel in external_auth Feature request: Add finer grained authorization for @runner, @job and @wheel in external_auth Jun 15, 2017
@rickh563

ZD-1540

@PierreR
Contributor

PierreR commented Jun 15, 2017

Let's make a prediction for the years to come : Oxygen -> Fluor ?

@DmitryKuzmenko
Contributor

#42729 updates external_auth syntax to support @runner and @wheel as it's done for execution modules.

Example:

external_auth:
  pam:
    user_name:
      - '@runner':  # or any of @runners, @wheel, @wheels ('@' must be quoted in YAML)
        - 'module.function.*regex'
        - 'module.another.*function':   # args/kwargs nest under the function key
            args: ['a', 'b[cde]f']
            kwargs:
              'kwa': 'kwvalue'
      # as well as
      - '@module':
        - 'function.*regex':
            args: ['and', 'so', 'on']
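Added example (editorial; this is not Salt's own checker, nor code from #42729 or from the wheel_check hack posted above): a standalone, offline checker for the grant shapes this thread converges on, from the bare '@wheel' string that UtahDave and CptSupermrkt object to, through hoitsang's single-function grant (which compares exact strings only), to the nested list-of-regexes form in the comment just above. The function and policy names (spec_check, _fun_check, _args_check, _match, LEGACY_AUTH_LIST, NARROW_AUTH_LIST) and the policy contents are this example's own; the wheel and runner function names are used only as sample call targets. Two design choices are assumptions of this example rather than statements about Salt: every pattern is a regex anchored at both ends, and anything the policy did not enumerate (extra positional args, a kwarg without a pattern, a constrained kwarg that is omitted) is denied.

```python
import re

# Constructed sample policies (not from Salt's config or tests). The first is
# the old all-or-nothing grant; the second uses the narrowed syntax: a bare
# '@wheel' / '@runner' / '@<module>' string opens a whole interface or module,
# a single-key dict lists the functions (regexes) allowed under it, and a
# function may itself be a single-key dict carrying 'args'/'kwargs' regexes.
LEGACY_AUTH_LIST = ['test.*', '@wheel']

NARROW_AUTH_LIST = [
    'test.*',                                   # execution modules only
    {'@wheel': [
        'key.list_all',
        {'key.accept': {
            'args': ['web.*'],                  # only web* minion keys
            'kwargs': {'include_rejected': 'False'},
        }},
    ]},
    {'@runner': [r'manage\.(up|down)']},
    {'@jobs': ['list_jobs']},                   # module-level: the jobs runner
]


def _match(regex, value):
    """Anchored regex match: the pattern must describe the whole value."""
    return re.match(regex + '$', str(value)) is not None


def _args_check(constraints, args, kwargs):
    """Deny anything the policy did not enumerate: extra positional args,
    kwargs without a pattern, a constrained kwarg left to its default, or any
    value that fails its pattern."""
    arg_patterns = constraints.get('args', [])
    kwarg_patterns = constraints.get('kwargs', {})
    if len(args) > len(arg_patterns):
        return False
    if set(kwargs) - set(kwarg_patterns):
        return False
    return (all(_match(p, v) for p, v in zip(arg_patterns, args)) and
            all(name in kwargs and _match(p, kwargs[name])
                for name, p in kwarg_patterns.items()))


def _fun_check(valid, fun, args, kwargs):
    """Match `fun` against a list of function patterns: a plain regex, or a
    single-key dict mapping the regex to its arg constraints."""
    if not isinstance(valid, list):
        valid = [valid]
    for cond in valid:
        if isinstance(cond, str):
            if _match(cond, fun):
                return True
        elif isinstance(cond, dict) and len(cond) == 1:
            (pattern, constraints), = cond.items()
            if _match(pattern, fun) and _args_check(constraints or {}, args, kwargs):
                return True
    return False


def spec_check(auth_list, fun, form, args=(), kwargs=None):
    """Return True if `fun` (e.g. 'key.accept') may be invoked through the
    `form` interface ('wheel' or 'runner') under `auth_list`."""
    kwargs = kwargs or {}
    comps = fun.split('.')
    if len(comps) != 2:
        return False
    mod, bare_fun = comps
    for ind in auth_list:
        if isinstance(ind, str):
            # '@wheel' / '@wheels' open the interface; '@key' opens one module.
            # Execution-module grants such as 'test.*' never apply here.
            if ind.startswith('@') and ind[1:] in (form, form + 's', mod):
                return True
        elif isinstance(ind, dict) and len(ind) == 1:
            (key, valid), = ind.items()
            if not key.startswith('@'):
                continue
            if key[1:] in (form, form + 's'):
                if _fun_check(valid, fun, args, kwargs):
                    return True
            elif key[1:] == mod:
                # Module-level grant: its patterns name the bare function.
                if _fun_check(valid, bare_fun, args, kwargs):
                    return True
    return False


if __name__ == '__main__':
    # The compromised-account scenario from the thread: editing master config.
    print(spec_check(LEGACY_AUTH_LIST, 'config.update_config', 'wheel'))  # True
    print(spec_check(NARROW_AUTH_LIST, 'config.update_config', 'wheel'))  # False
    print(spec_check(NARROW_AUTH_LIST, 'key.accept', 'wheel',
                     args=['web01'], kwargs={'include_rejected': False}))  # True
```

Two caveats worth keeping in mind when reading this. A module-level grant such as '@key' or '@jobs' is keyed on the module name alone, so it applies to any interface that happens to have a module of that name; when the same name exists as both a wheel and a runner module, narrow under '@wheel' or '@runner' instead. And because the regexes are anchored, 'manage.up' does not also admit 'manage.update'; with an unanchored match it would, which is the usual way a "function-level" ACL ends up wider than intended.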

@danlsgiga
Contributor

Thanks a bunch for this @DmitryKuzmenko!!
Tough question: Is this PR going to land in any 2017.7 point release? Any ideas?

@rallytime
Contributor

@danlsgiga This will be available in the next feature release, Oxygen.
