salt.master: configure publisher_acl

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

pillar/role/salt/master.sls

@@ -60,3 +60,4 @@ salt:
     syndic_user: ${'secret_salt:master:syndic_user'}
     cache.redis.unix_socket_path: ${'secret_salt:master:cache.redis.unix_socket_path'}
     cache.redis.password: ${'secret_salt:master:cache.redis.password'}
+    publisher_acl: ${'secret_salt:master:publisher_acl'}

salt/profile/salt/master.sls

@@ -101,3 +101,15 @@ salt_redis_service_start:
       - pkg: redis
     - watch:
       - file: {{ redis_config }}
+
+{%- if pillar['secret_salt'] is defined %}
+admin_salt_membership:
+  group.present:
+    - name: salt
+    - addusers:
+      {%- for user in pillar['secret_salt']['master']['publisher_acl'] %}
+      - {{ user }}
+      {%- endfor %}
+    - require:
+      - pkg: salt-master
+{%- endif %}