Explicit and document ACL rules format

[Lothiraldan]

ACL rules format are not documented, by digging into the code, we saw that rules are either "glob" rule or compound rule but with only one matcher.

Here (https://github.com/saltstack/salt/blob/develop/salt/utils/minions.py#L550-L551) the matcher os forced to to "glob" if the rule doesn't start with ".@".

For compound rules (https://github.com/saltstack/salt/blob/develop/salt/utils/minions.py#L545-L548), parsing is quite rudimentary and so will fail with compound matcher with more than one matcher.
For exemple with this rule 'S@10.0.2.0/24 or web*', the parsed v_expr will be '10.0.2.0/24 or web*' and so will be invalid.

What format do we want to support in ACL rules ?

• Current format, simple compound and explicitly document the format in http://docs.saltstack.com/en/latest/topics/eauth/access_control.html#acl
• Full compound format (with and, or and not)

[jfindlay]

@Lothiraldan, thanks for the report.

[Lothiraldan]

According to #31598, external auth support for all target types has been added.

[Lothiraldan]

salt/salt/utils/minions.py

Lines 637 to 655 in 0a9e062

	def _expand_matching(self, auth_entry):
	ref = {'G': 'grain',
	'P': 'grain_pcre',
	'I': 'pillar',
	'J': 'pillar_pcre',
	'L': 'list',
	'S': 'ipcidr',
	'E': 'pcre',
	'N': 'node',
	None: 'glob'}
	target_info = parse_target(auth_entry)
	if not target_info:
	log.error('Failed to parse valid target "{0}"'.format(auth_entry))
	v_matcher = ref.get(target_info['engine'])
	v_expr = target_info['pattern']
	return set(self.check_minions(v_expr, v_matcher))

and

salt/salt/utils/minions.py

Lines 48 to 62 in 0a9e062

	def parse_target(target_expression):
	'''Parse `target_expressing` splitting it into `engine`, `delimiter`,
	`pattern` - returns a dict'''
	match = TARGET_REX.match(target_expression)
	if not match:
	log.warning('Unable to parse target "{0}"'.format(target_expression))
	ret = {
	'engine': None,
	'delimiter': None,
	'pattern': target_expression,
	}
	else:
	ret = match.groupdict()
	return ret

still fails to recognize compound matcher:

from salt.utils.minions import parse_target
parse_target('S@10.0.2.0/24 or web*')
>>> {'delimiter': None, 'engine': 'S', 'pattern': '10.0.2.0/24 or web*'}

I propose to make a PR which says explicitly that all matcher except compound are supported in eauth configuration.

[jfindlay]

@Lothiraldan, should we close this in favor of #32737?

[Lothiraldan]

@jfindlay Yes I forget but since I've create a PR for documentation and an issue for discussing the non-support of compound matcher, we can now close the issue.