Merge pull request #301 from vquiering/move_to_publisher_acl

Add new publisher_acl to salt master config
This commit is contained in:
Niels Abspoel 2017-04-08 12:05:15 +02:00 committed by GitHub
commit 03ec0dce2d
1 changed files with 47 additions and 9 deletions

View File

@ -332,9 +332,26 @@ event_return_blacklist:
# This setting should be treated with care since it opens up execution
# capabilities to non root users. By default this capability is completely
# disabled.
{% if 'client_acl' in cfg_master -%}
{% if 'publisher_acl' in cfg_master -%}
{%- do default_keys.append('publisher_acl') %}
publisher_acl:
{%- for name, user in cfg_master['publisher_acl']|dictsort %}
{{ name}}:
{%- for command in user %}
- {% raw %}'{% endraw %}{{ command }}{% raw %}'{% endraw %}
{%- endfor -%}
{%- endfor -%}
{% elif 'publisher_acl' in cfg_salt -%}
publisher_acl:
{%- for name, user in cfg_salt['publisher_acl']|dictsort %}
{{ name }}:
{%- for command in user %}
- {% raw %}'{% endraw %}{{ command }}{% raw %}'{% endraw %}
{%- endfor -%}
{%- endfor -%}
{% elif 'client_acl' in cfg_master -%}
{%- do default_keys.append('client_acl') %}
client_acl:
publisher_acl:
{%- for name, user in cfg_master['client_acl']|dictsort %}
{{ name}}:
{%- for command in user %}
@ -342,7 +359,7 @@ client_acl:
{%- endfor -%}
{%- endfor -%}
{% elif 'client_acl' in cfg_salt -%}
client_acl:
publisher_acl:
{%- for name, user in cfg_salt['client_acl']|dictsort %}
{{ name }}:
{%- for command in user %}
@ -350,7 +367,7 @@ client_acl:
{%- endfor -%}
{%- endfor -%}
{% else -%}
#client_acl:
#publisher_acl:
# larry:
# - test.ping
# - network.*
@ -361,9 +378,30 @@ client_acl:
# This example would blacklist all non sudo users, including root from
# running any commands. It would also blacklist any use of the "cmd"
# module. This is completely disabled by default.
{% if 'client_acl_blacklist' in cfg_master %}
{% if 'publisher_acl_blacklist' in cfg_master %}
{%- do default_keys.append('publisher_acl_blacklist') %}
publisher_acl_blacklist:
users:
{% for user in cfg_master['publisher_acl_blacklist'].get('users', []) %}
- {{ user }}
{% endfor %}
modules:
{% for mod in cfg_master['publisher_acl_blacklist'].get('modules', []) %}
- {{ mod }}
{% endfor %}
{% elif 'publisher_acl_blacklist' in cfg_salt %}
publisher_acl_blacklist:
users:
{% for user in cfg_salt['publisher_acl_blacklist'].get('users', []) %}
- {{ user }}
{% endfor %}
modules:
{% for mod in cfg_salt['publisher_acl_blacklist'].get('modules', []) %}
- {{ mod }}
{% endfor %}
{% elif 'client_acl_blacklist' in cfg_master %}
{%- do default_keys.append('client_acl_blacklist') %}
client_acl_blacklist:
publisher_acl_blacklist:
users:
{% for user in cfg_master['client_acl_blacklist'].get('users', []) %}
- {{ user }}
@ -373,7 +411,7 @@ client_acl_blacklist:
- {{ mod }}
{% endfor %}
{% elif 'client_acl_blacklist' in cfg_salt %}
client_acl_blacklist:
publisher_acl_blacklist:
users:
{% for user in cfg_salt['client_acl_blacklist'].get('users', []) %}
- {{ user }}
@ -383,7 +421,7 @@ client_acl_blacklist:
- {{ mod }}
{% endfor %}
{% else %}
#client_acl_blacklist:
#publisher_acl_blacklist:
# users:
# - root
# - '^(?!sudo_).*$' # all non sudo users
@ -391,7 +429,7 @@ client_acl_blacklist:
# - cmd
{% endif %}
# Enforce client_acl & client_acl_blacklist when users have sudo
# Enforce publisher_acl & publisher_acl_blacklist when users have sudo
# access to the salt command.
{{ get_config('sudo_acl', 'False') }}