Merge pull request #301 from vquiering/move_to_publisher_acl
Add new publisher_acl to salt master config
This commit is contained in:
commit
03ec0dce2d
@ -332,9 +332,26 @@ event_return_blacklist:
|
||||
# This setting should be treated with care since it opens up execution
|
||||
# capabilities to non root users. By default this capability is completely
|
||||
# disabled.
|
||||
{% if 'client_acl' in cfg_master -%}
|
||||
{% if 'publisher_acl' in cfg_master -%}
|
||||
{%- do default_keys.append('publisher_acl') %}
|
||||
publisher_acl:
|
||||
{%- for name, user in cfg_master['publisher_acl']|dictsort %}
|
||||
{{ name}}:
|
||||
{%- for command in user %}
|
||||
- {% raw %}'{% endraw %}{{ command }}{% raw %}'{% endraw %}
|
||||
{%- endfor -%}
|
||||
{%- endfor -%}
|
||||
{% elif 'publisher_acl' in cfg_salt -%}
|
||||
publisher_acl:
|
||||
{%- for name, user in cfg_salt['publisher_acl']|dictsort %}
|
||||
{{ name }}:
|
||||
{%- for command in user %}
|
||||
- {% raw %}'{% endraw %}{{ command }}{% raw %}'{% endraw %}
|
||||
{%- endfor -%}
|
||||
{%- endfor -%}
|
||||
{% elif 'client_acl' in cfg_master -%}
|
||||
{%- do default_keys.append('client_acl') %}
|
||||
client_acl:
|
||||
publisher_acl:
|
||||
{%- for name, user in cfg_master['client_acl']|dictsort %}
|
||||
{{ name}}:
|
||||
{%- for command in user %}
|
||||
@ -342,7 +359,7 @@ client_acl:
|
||||
{%- endfor -%}
|
||||
{%- endfor -%}
|
||||
{% elif 'client_acl' in cfg_salt -%}
|
||||
client_acl:
|
||||
publisher_acl:
|
||||
{%- for name, user in cfg_salt['client_acl']|dictsort %}
|
||||
{{ name }}:
|
||||
{%- for command in user %}
|
||||
@ -350,7 +367,7 @@ client_acl:
|
||||
{%- endfor -%}
|
||||
{%- endfor -%}
|
||||
{% else -%}
|
||||
#client_acl:
|
||||
#publisher_acl:
|
||||
# larry:
|
||||
# - test.ping
|
||||
# - network.*
|
||||
@ -361,9 +378,30 @@ client_acl:
|
||||
# This example would blacklist all non sudo users, including root from
|
||||
# running any commands. It would also blacklist any use of the "cmd"
|
||||
# module. This is completely disabled by default.
|
||||
{% if 'client_acl_blacklist' in cfg_master %}
|
||||
{% if 'publisher_acl_blacklist' in cfg_master %}
|
||||
{%- do default_keys.append('publisher_acl_blacklist') %}
|
||||
publisher_acl_blacklist:
|
||||
users:
|
||||
{% for user in cfg_master['publisher_acl_blacklist'].get('users', []) %}
|
||||
- {{ user }}
|
||||
{% endfor %}
|
||||
modules:
|
||||
{% for mod in cfg_master['publisher_acl_blacklist'].get('modules', []) %}
|
||||
- {{ mod }}
|
||||
{% endfor %}
|
||||
{% elif 'publisher_acl_blacklist' in cfg_salt %}
|
||||
publisher_acl_blacklist:
|
||||
users:
|
||||
{% for user in cfg_salt['publisher_acl_blacklist'].get('users', []) %}
|
||||
- {{ user }}
|
||||
{% endfor %}
|
||||
modules:
|
||||
{% for mod in cfg_salt['publisher_acl_blacklist'].get('modules', []) %}
|
||||
- {{ mod }}
|
||||
{% endfor %}
|
||||
{% elif 'client_acl_blacklist' in cfg_master %}
|
||||
{%- do default_keys.append('client_acl_blacklist') %}
|
||||
client_acl_blacklist:
|
||||
publisher_acl_blacklist:
|
||||
users:
|
||||
{% for user in cfg_master['client_acl_blacklist'].get('users', []) %}
|
||||
- {{ user }}
|
||||
@ -373,7 +411,7 @@ client_acl_blacklist:
|
||||
- {{ mod }}
|
||||
{% endfor %}
|
||||
{% elif 'client_acl_blacklist' in cfg_salt %}
|
||||
client_acl_blacklist:
|
||||
publisher_acl_blacklist:
|
||||
users:
|
||||
{% for user in cfg_salt['client_acl_blacklist'].get('users', []) %}
|
||||
- {{ user }}
|
||||
@ -383,7 +421,7 @@ client_acl_blacklist:
|
||||
- {{ mod }}
|
||||
{% endfor %}
|
||||
{% else %}
|
||||
#client_acl_blacklist:
|
||||
#publisher_acl_blacklist:
|
||||
# users:
|
||||
# - root
|
||||
# - '^(?!sudo_).*$' # all non sudo users
|
||||
@ -391,7 +429,7 @@ client_acl_blacklist:
|
||||
# - cmd
|
||||
{% endif %}
|
||||
|
||||
# Enforce client_acl & client_acl_blacklist when users have sudo
|
||||
# Enforce publisher_acl & publisher_acl_blacklist when users have sudo
|
||||
# access to the salt command.
|
||||
{{ get_config('sudo_acl', 'False') }}
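Review bot: In the new publisher_acl_blacklist branches (cfg_master and cfg_salt alike) the `users:` and `modules:` keys are emitted unconditionally while their loops use `.get('users', [])` / `.get('modules', [])`, so a blacklist that configures only one of the two renders the other as a bare key with no items — a YAML null rather than an empty list — and it is not visible here how the master treats that. Guard each key on its presence, e.g. `{% if cfg_master['publisher_acl_blacklist'].get('users') %}` around the `users:` line and its loop (and likewise for `modules:`), so an absent list is simply not written. The blacklist entries are also written bare (`- {{ user }}`) whereas the publisher_acl command entries are single-quoted via `{% raw %}'{% endraw %}`; regex-style entries such as the documented `'^(?!sudo_).*$'` are safer quoted the same way, so consider `- {% raw %}'{% endraw %}{{ user }}{% raw %}'{% endraw %}` for both users and modules. Finally, because the chain is if/elif, a pillar that defines publisher_acl in cfg_master silently ignores any client_acl still present in cfg_salt rather than merging it — a comment on the `{% if 'publisher_acl' in cfg_master -%}` line stating that publisher_acl always wins and legacy client_acl is only a fallback would save an operator from a surprise.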
|
||||
|
||||
|