external_auth permissions aren't respected #4281

Closed
bclermont opened this Issue Mar 26, 2013 · 2 comments

Contributor

bclermont commented Mar 26, 2013

Master configuration:

file_roots:
  base:
    - /srv/salt/states

pillar_roots:
  base:
    - /srv/salt/pillar

# custom external pillar I have
ext_pillar:
  - inventory: {username: xxx, password: xxx, base_url: "http://xxx/api/v3/"}

peer:
  .*:
    - grains.*

log_file: file:///dev/log
log_level: debug
log_fmt_logfile: '%(asctime)-15s salt-master[%(process)d] %(name)s: %(message)s'
log_datefmt_logfile: '%b %d %H:%M:%S'

external_auth:
  pam:
    test:
      - 'hostid1':
        - 'test.*'
        - 'grains.items'
        - 'state.highstate'
      - 'hostid2':
        - 'test.*'
        - 'grains.items'
      - '*':
        - 'test.*'

Salt master is started, then:

# salt -a pam '*' pillar.data
username: test
password:
Failed to authenticate, is this user permitted to execute commands?

Perfect!

# salt -a pam '*' test.ping
username: test
password:
hostid1:
    True
hostid2:
    True
hostid3:
    True
hostid4:
    True

Good.
Next, try a wrong password:

# salt -a pam '*' grains.items
username: test
password:
Failed to authenticate, is this user permitted to execute commands?

What I expect.

# salt -a pam '*' grains.items
username: test
password:
hostid4:
  architecture: x86_64
  cpu_flags: fpu de tsc msr pae cx8 sep cmov pat clflush mmx fxsr sse sse2 ss ht syscall nx lm constant_tsc up rep_good nopl pni ssse3 cx16 sse4_1 hypervisor lahf_lm
[SNIP]
hostid3:
  architecture: x86_64
  cpu_flags: fpu de tsc msr pae cx8 sep cmov pat clflush mmx fxsr sse sse2 ss ht syscall nx lm constant_tsc up rep_good nopl pni ssse3 cx16 sse4_1 hypervisor lahf_lm
[SNIP]
hostid1:
  architecture: x86_64
  cpu_flags: fpu de tsc msr pae cx8 sep cmov pat clflush mmx fxsr sse sse2 ss ht syscall nx lm constant_tsc up rep_good nopl pni ssse3 cx16 sse4_1 hypervisor lahf_lm
[SNIP]
hostid2:
  architecture: x86_64
  cpu_flags: fpu de tsc msr pae cx8 sep cmov pat clflush mmx fxsr sse sse2 ss ht syscall nx lm constant_tsc up rep_good nopl pni ssse3 cx16 sse4_1 hypervisor lahf_lm
[SNIP]

Wait a minute? Only hostid1 and 2 should match, no?

# salt -a pam hostid4 grains.items
username: test
password:
hostid4:
  architecture: x86_64
  cpu_flags: fpu de tsc msr pae cx8 sep cmov pat clflush mmx fxsr sse sse2 ss ht syscall nx lm constant_tsc up rep_good nopl pni ssse3 cx16 sse4_1 hypervisor lahf_lm
[SNIP]

What is going on?

# salt -a pam hostid3 state.highstate
username: test
password:

A while later I get the highstate result.

Scary!!!

I tested it on 0.13.1 and 0.14.0

Owner

thatch45 commented Mar 26, 2013

Thanks @bclermont, I will get right on this one

thatch45 added a commit that referenced this issue Apr 1, 2013

thatch45 Invert boolean logic for a check in auth backend
This should repair the issue @ #4281
f218dc1
Owner

thatch45 commented Apr 1, 2013

Ok, I tracked this down.
Looks like there was a bug in validating the targeted minions. @bclermont, this all looks good now on my end, can you double check this so we can cut 0.14.1?

thatch45 added a commit that referenced this issue Apr 3, 2013

thatch45 + basepi Invert boolean logic for a check in auth backend
This should repair the issue @ #4281
356dcf8

thatch45 closed this Apr 8, 2013
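The per-minion behaviour the report expects from its `external_auth` block, written as a stand-alone regression check. This is an added example, not Salt's code and not part of the thread; the function names, glob matching of targets and full-regex matching of function names are assumptions of this sketch.

```python
import re
from fnmatch import fnmatchcase

# The 'test' user's entry from the external_auth block in the report.
ACL = [
    {"hostid1": ["test.*", "grains.items", "state.highstate"]},
    {"hostid2": ["test.*", "grains.items"]},
    {"*": ["test.*"]},
]

# Minion ids that appear in the report's command output.
ALL = ["hostid1", "hostid2", "hostid3", "hostid4"]


def fun_allowed(patterns, fun):
    # Assumption: each entry is a regex that must match the whole function name.
    return any(re.fullmatch(p, fun) for p in patterns)


def split_targets(acl, minions, fun):
    """Return (permitted, denied) minion ids for one function call."""
    permitted, denied = [], []
    for minion in minions:
        ok = any(
            fnmatchcase(minion, target) and fun_allowed(funs, fun)
            for rule in acl
            for target, funs in rule.items()
        )
        (permitted if ok else denied).append(minion)
    return permitted, denied


def authorize(acl, minions, fun):
    """Strict policy: reject when any resolved minion falls outside the ACL."""
    permitted, denied = split_targets(acl, minions, fun)
    return bool(permitted) and not denied


if __name__ == "__main__":
    # The five commands from the report, with '*' resolved to ALL.
    for minions, fun in [(ALL, "pillar.data"), (ALL, "test.ping"),
                         (ALL, "grains.items"), (["hostid4"], "grains.items"),
                         (["hostid3"], "state.highstate")]:
        verdict = "allow" if authorize(ACL, minions, fun) else "deny"
        print(f"{verdict:5} {fun:16} -> {split_targets(ACL, minions, fun)}")
```

Running the same cases against a live master after an upgrade confirms that the target list, not only the function name, is being checked.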
