netapi modules incompatible with eauth acl #51515
Comments
Can you include the |
Anyway: Salt 2018.3.3, Python 2.7, CentOS 7 host, Salt from 'official' SaltStack repository. Shouldn't matter much, the issue lies here: salt/salt/netapi/rest_cherrypy/app.py Line 1897 in df1f9e9
Also discussed on #develop in the Salt Slack workspace yesterday.
To pro-actively answer other questions:
If unclear, let me know. |
thanks for the additional information, seems we need to fix this up for those additional modules. |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. If this issue is closed prematurely, please leave a comment and we will gladly reopen the issue. |
Bump
… On 9 Jan 2020, at 05:56, stale[bot] ***@***.***> wrote:
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
If this issue is closed prematurely, please leave a comment and we will gladly reopen the issue.
|
Thank you for updating this issue. It is no longer marked as stale. |
The SaltAPI/`netapi` modules as shipped with Salt 2018.3.3 (`rest_cherrypy` and `rest_tornado`) contain a `perms` field in the response structure to a successful `POST` request to `/login`. These `perms` are populated by retrieving the relevant ACLs from the (master) configuration file (there's a bit of code duplication here, by the way).

However, while this works for `auth` modules that have ACLs specified in the configuration file, it doesn't work for `auth` modules that expose an `acl` procedure to dynamically construct ACL lists. When using such an `auth` module, the `perms` field in the `/login` response remains empty (I believe a similar issue may occur when using `process_acl` like the LDAP `eauth` module does).

As a work-around, I created a custom `netapi` module (wrapping functionality of `rest_cherrypy`) which does fill in these fields based on the `auth_list` field in the `token` generated using `self.auth.mk_token`, and sets the value of `perms` to this list, similar to how the current code special-cases the `django` `auth` module. However, this is a hack: it requires this `auth_list` to be populated, which is only the case if `keep_acl_in_token` is `true` in the configuration. There seems to be no way to retrieve the ACL list from a given token in the context of a `netapi` module otherwise.
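The behaviour reported in this issue, as an added example that is not part of the original thread and not Salt source code: a simplified model of filling `perms` from the master configuration versus from the token's `auth_list`. The token layout (`eauth`, `name`, `groups`), the `mk_token` stand-in, the `custom` eauth name and the sample ACLs are constructed assumptions.

```python
# Simplified model of the behaviour described in this issue; NOT Salt source.
# Token layout and all sample data below are constructed for illustration.

def perms_from_config(opts, token):
    """Build `perms` only from external_auth in the master config."""
    eauth = opts.get("external_auth", {}).get(token["eauth"], {})
    perms = list(eauth.get(token["name"], []))   # user-specific entries
    perms.extend(eauth.get("*", []))             # wildcard entries
    for group in token.get("groups") or []:      # group entries end in '%'
        perms.extend(eauth.get(group + "%", []))
    return perms


def perms_with_token_fallback(opts, token):
    """Workaround from the issue: prefer the ACL stored in the token.

    The token only carries auth_list when keep_acl_in_token is true, so
    without that setting this degrades to the config lookup.
    """
    auth_list = token.get("auth_list")
    if auth_list:
        return list(auth_list)
    return perms_from_config(opts, token)


def mk_token(opts, eauth, name, dynamic_acl=None):
    """Hypothetical stand-in for token creation (assumption, not Salt's API)."""
    token = {"eauth": eauth, "name": name, "groups": []}
    if opts.get("keep_acl_in_token") and dynamic_acl is not None:
        token["auth_list"] = list(dynamic_acl)
    return token


# Constructed sample: one eauth with ACLs in the config, one with a dynamic ACL.
STATIC_OPTS = {"external_auth": {"pam": {"alice": ["test.*"], "*": ["grains.items"]}}}
DYNAMIC_ACL = ["state.apply", "test.ping"]  # what an auth module's acl() might return


def demo():
    token = mk_token(STATIC_OPTS, "pam", "alice")
    results = {"static": perms_from_config(STATIC_OPTS, token)}
    for keep in (False, True):
        opts = {"external_auth": {"custom": {}}, "keep_acl_in_token": keep}
        token = mk_token(opts, "custom", "bob", DYNAMIC_ACL)
        results[("config", keep)] = perms_from_config(opts, token)
        results[("fallback", keep)] = perms_with_token_fallback(opts, token)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The config-only lookup returns an empty list for the dynamic-ACL user in both runs, and the fallback only helps when `keep_acl_in_token` is enabled, which is the limitation the report calls a hack.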