Client ACL and external auth system should have support for limiting functions to certain arguments #3077
Comments
|
wow, this will be a bit of a challenge. But I am open to it, the hard part I think will be deciding exactly how these will look in the config, since this is already the most complicated config component |
|
Since my use case is mostly relevant to the API, it could be solved in salt API instead of here, but I guess the feature would be useful for all salt clients, not just the API. But maybe the API would/could have additional checks ? My final resort would be to filter this in nginx proxy, using lua to check all the args. Would be very easy to implement. |
|
Yes, I am game for adding this, but I won't be able to get to it right away. |
rallytime
added
the
Feature
basepi
added
ZRELEASED - Boron
Core
|
Committed for Boron |
|
ZD 411 |
meggiebot
added
the
ZD
|
Here is an example of usage: external_auth:
pam:
my_user:
- '*':
- 'my_mod.*':
args:
- 'a.*'
- 'b.*'
kwargs:
'kwa': 'kwa.*'
'kwb': 'kwb'The rules:
args:
- 'value0'
- '.*'
- 'value2' |
|
@DmitryKuzmenko Does this work for client_acl as well, or just external_auth? Edit: Actually just saw that this is for external_auth only and works in 2016.3.0+. |
|
can you just show one example by using any module |
|
publisher_acl: |
|
how to use kwargs? |
|
@thatsk Can you file a new issue about your documentation questions? |
My use case is that I want to limit a certain PAM user to control his own virtual machine using the virt module. The virt module often takes the VM name as the argument.
Example:
salt-call virt.destroy VMNameBut if I give a user access to the virt.destroy function, the user could then destroy all VMs on the host.
What would solve it is support for checking arguments to function, for example like this:
I'm not sure how the arg-system should work, but should probably include support for regexes, or at the very least a static list of allowed arguments.
The text was updated successfully, but these errors were encountered: