Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

client_acl users no longer able to run commands after upgrading to v0.17 #7706

Closed
corywright opened this issue Oct 9, 2013 · 8 comments · Fixed by #7875
Closed

client_acl users no longer able to run commands after upgrading to v0.17 #7706

corywright opened this issue Oct 9, 2013 · 8 comments · Fixed by #7875
Labels
Bug broken, incorrect, or confusing behavior Regression The issue is a bug that breaks functionality known to work in previous releases. severity-medium 3rd level, incorrect or bad functionality, confusing and lacks a work around
Milestone
Outstanding Bugs

Comments

@corywright
Copy link
Contributor

I use client_acl on the salt-master to give my normal user account access to run all salt commands:

client_acl:
  cwright:
    - .*

However, after upgrading from 0.16.4 to 0.17.0 (via Ubuntu packages) I am now unable to run commands as the cwright user, and I receive this error:

$ salt '*' test.ping
Failed to open log file, do you have permission to write to /var/log/salt/master

Users listed in client_acl should be able to run salt commands without requiring filesystem level permission to write to /var/log/salt/master.
@basepi
Copy link
Contributor

basepi commented Oct 9, 2013

Thanks for the report. We will look into this asap and get it fixed.

@basepi
Copy link
Contributor

basepi commented Oct 9, 2013

@thatch45 ping

@dangarthwaite
Copy link
Contributor

This issue hosed my overnight deployments.

@perdurabo93
Copy link
Contributor

Yeah, serious issue for my Jenkins deployments. I'm using an insecure workaround for now but this needs resolved ASAP.

@victormuse victormuse mentioned this issue Oct 11, 2013
Closed
@s0undt3ch
Copy link
Member

Users listed in client_acl should be able to run salt commands without requiring filesystem level permission to write to /var/log/salt/master.

And what do you suggest happens to logging?

  • No logging at all besides console
  • Continue even if unable to write to log file
  • No logging at all besides console

@corywright
Copy link
Contributor Author

@s0undt3ch How did it work before 0.17?

@basepi
Copy link
Contributor

basepi commented Oct 11, 2013

Yes, we're on this. One of our top priorities right now.

@thatch45
Copy link
Member

@s0undt3ch, logging is your domain, please lake a look and see if you can make this any better

s0undt3ch added a commit to s0undt3ch/salt that referenced this issue Oct 16, 2013
@s0undt3ch
Log to user home directory if user is in ACL and is unable to write t…
3788060 
…o logs directory. Fixes saltstack#7706.
@s0undt3ch s0undt3ch mentioned this issue Oct 16, 2013
Merged
s0undt3ch pushed a commit to s0undt3ch/salt that referenced this issue Oct 16, 2013
@thatch45 @s0undt3ch
If logfile cannot be opened fall back to the NULL logger
8974ad4 
This fixes saltstack#7706

@s0undt3ch, please take a look for a more elegant solution here, but
we should be safe turning off logging for the salt command in this case
s0undt3ch added a commit to s0undt3ch/salt that referenced this issue Oct 16, 2013
@s0undt3ch
Log to user home directory if user is in ACL and is unable to write t…
328486e 
…o logs directory. Fixes saltstack#7706.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Bug broken, incorrect, or confusing behavior Regression The issue is a bug that breaks functionality known to work in previous releases. severity-medium 3rd level, incorrect or bad functionality, confusing and lacks a work around
Projects
None yet
Milestone
Outstanding Bugs
Development

Successfully merging a pull request may close this issue.

Log to user home directory if user is in ACL s0undt3ch/salt
6 participants
@dangarthwaite @corywright @s0undt3ch @thatch45 @basepi @perdurabo93