netapi modules incompatible with eauth acl

[NicolasT]

The SaltAPI/netapi modules as shipped with Salt 2018.3.3 (rest_cherrypy and rest_tornado) contain a perms field in the response structure to a successful POST request to /login. These perms are populated by retrieving the relevant ACLs from the (master) configuration file (there's a bit of code duplication here, by the way).

However, while this works for auth modules who have ACLs specified in the configuration file, it doesn't work for auth modules that expose an acl procedure to dynamically construct ACL lists. When using such auth module, the perms field in the /login response remains empty (I believe a similar issue may occur when using process_acl like the LDAP eauth module does).

As a work-around, I created a custom netapi module (wrapping functionality of rest_cherrypy) which does fill in these fields based on the auth_list field in the token generated using self.auth.mk_token, and sets the value of perms to this list, similar to how the current code special-cases the django auth module. However, this is a hack: it requires this auth_list to be populated, which is only the case if keep_acl_in_token is true in the configuration. There seems to be no way to retrieve the ACL list from a given token in the context of a netapi module otherwise.

[Ch3LL]

Can you include the salt --versions-report you are seeing this one and a use case to help replicate this issue?

[NicolasT]

$ salt --version-report
Salt Version:
           Salt: 2018.3.3

Dependency Versions:
           cffi: Not Installed
       cherrypy: unknown
       dateutil: Not Installed
      docker-py: Not Installed
          gitdb: Not Installed
      gitpython: Not Installed
          ioflo: Not Installed
         Jinja2: 2.7.2
        libgit2: Not Installed
        libnacl: Not Installed
       M2Crypto: Not Installed
           Mako: Not Installed
   msgpack-pure: Not Installed
 msgpack-python: 0.4.6
   mysql-python: Not Installed
      pycparser: Not Installed
       pycrypto: 2.6.1
   pycryptodome: Not Installed
         pygit2: Not Installed
         Python: 2.7.5 (default, Oct 30 2018, 23:45:53)
   python-gnupg: Not Installed
         PyYAML: 3.11
          PyZMQ: 15.3.0
           RAET: Not Installed
          smmap: Not Installed
        timelib: Not Installed
        Tornado: 4.2.1
            ZMQ: 4.1.4

System Versions:
           dist: centos 7.6.1810 Core
         locale: UTF-8
        machine: x86_64
        release: 3.10.0-957.1.3.el7.x86_64
         system: Linux
        version: CentOS Linux 7.6.1810 Core

Anyway: Salt 2018.3.3, Python 2.7, CentOS 7 host, Salt from 'official' SaltStack repository.

Shouldn't matter much, the issue lies here:

salt/salt/netapi/rest_cherrypy/app.py

Line 1897 in df1f9e9

# Grab eauth config for the current backend for the current user

(same or roughly same code in 2018.3.3)
Also discussed on #develop in the Salt Slack workspace yesterday.

To pro-actively answer other questions:

• This is unrelated to any of my Salt states or whatever
• This is not related to any specific action modules
• This is related to a discrepancy between how the (e)auth framework works (salt.auth.__init__) and what netapi modules / route handlers do

If unclear, let me know.

[Ch3LL]

thanks for the additional information, seems we need to fix this up for those additional modules.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

If this issue is closed prematurely, please leave a comment and we will gladly reopen the issue.

[simmel]

Bump

…

On 9 Jan 2020, at 05:56, stale[bot] ***@***.***> wrote:  This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. If this issue is closed prematurely, please leave a comment and we will gladly reopen the issue. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub, or unsubscribe.

[stale]

Thank you for updating this issue. It is no longer marked as stale.