external_auth to limit arguments sent to salt modules

[arthurzenika]

This is a feature request for a finer ACL mechanism in external_auth.

I would like to limit the scope of certain modules, for example, allowing cmd.run but only for certain commands :

external_auth:
  pam:
    saltdev:
         - cmd.run:
             - echo.*

or so that some users can apply only certain states :

external_auth:
  pam:
    saltdev:
         - state.sls:
             - deploy

Right now, the only way to do this in salt (that I can think of) is to add a module that only does that sub part and allow it in external_auth. If anyone can think of another way with the existing code, please suggest it here!

[arthurzenika]

Of course with the cmd.run example, one should be careful about the following scenario cmd.run "echo hello; cat /etc/password" scenario.

[rallytime]

@arthurlogilab That's a great idea! Approved as a feature request.

[danlsgiga]

+1

[whiteinge]

This was implemented in #29153. Docs in #33847.

[rallytime]

The feature added in #29153 is available in the 2016.3.0 release.