Use Salt publisher ACL system to allow Salt usage without root access

[aneeshusa]

Salt allows somewhat pluggable authentication systems. One of these is their publisher ACL system (docs: https://docs.saltstack.com/en/2016.3/ref/publisheracl.html), which allows local users to execute Salt commands without having root access. I think implementing this would help us lock down our systems - I think we could likely give out Salt-only access instead of root access via SSH (should help with #628).

It seems to allow restricting which Salt functions are available, which is also nice.
I haven't used this myself yet, so likely would like to play around with it first.

cc @edunham @larsbergstrom

[larsbergstrom]

Oh, this is very interesting! I think that there are a few things that you could easily have people do (mainly pushing out updates, paving the "build" directory, and rebooting the machine) that would get us like 99% of the admin stuff that we need. Awesome!

Maybe restarting buildbot/homu, too :-)

[larsbergstrom]

cc @metajack

[aneeshusa]

Rebooting is system.reboot, and I can write a custom module function to blow away build dirs pretty quickly. What did you mean by "pushing out updates" - running state.highstate?

Restarting Homu should just be service.restart - I don't remember any other special steps needed.
Restarting Buildbot can be wrapped up into a custom module function.

[metajack]

+1 from me

[aneeshusa]

I tried this on my own infrastructure, and I don't think Salt's publisher_acl will be useful for us right now; restricting the commands users can run via the sudoers file is likely more fruitful for right now.

Details:
I thought the salt binary would simply make an RPC to a running salt-master daemon process, which would handle user authentication (e.g. publisher_acl via Unix socket permissions). However, it looks like the salt command actually does most of the work (logging, publishing a command to minions, etc.) itself, and only listens to the running daemon for responses as they come in from minions. This means that our user accounts still need access to various Salt bits like the config, the pillar, the log, etc. (confirmed in the docs), at which point they might as well have root access anyways via sudo.
I do want to extend Salt to make it do the kind of authentication I was expecting, but that might take a while, and we'll need to upgrade our Salt in order to use it anyways.