Merge pull request #301 from vquiering/move_to_publisher_acl

Add new publisher_acl to salt master config

salt/files/master.d/f_defaults.conf

@@ -332,9 +332,26 @@ event_return_blacklist:
 # This setting should be treated with care since it opens up execution
 # capabilities to non root users. By default this capability is completely
 # disabled.
-{% if 'client_acl' in cfg_master -%}
+{% if 'publisher_acl' in cfg_master -%}
+{%- do default_keys.append('publisher_acl') %}
+publisher_acl:
+{%- for name, user in cfg_master['publisher_acl']|dictsort %}
+  {{ name}}:
+{%- for command in user %}
+    - {% raw %}'{% endraw %}{{ command }}{% raw %}'{% endraw %}
+{%- endfor -%}
+{%- endfor -%}
+{% elif 'publisher_acl' in cfg_salt -%}
+publisher_acl:
+{%- for name, user in cfg_salt['publisher_acl']|dictsort %}
+  {{ name }}:
+{%- for command in user %}
+    - {% raw %}'{% endraw %}{{ command }}{% raw %}'{% endraw %}
+{%- endfor -%}
+{%- endfor -%}
+{% elif 'client_acl' in cfg_master -%}
 {%- do default_keys.append('client_acl') %}
-client_acl:
+publisher_acl:
 {%- for name, user in cfg_master['client_acl']|dictsort %}
   {{ name}}:
 {%- for command in user %}
@@ -342,7 +359,7 @@ client_acl:
 {%- endfor -%}
 {%- endfor -%}
 {% elif 'client_acl' in cfg_salt -%}
-client_acl:
+publisher_acl:
 {%- for name, user in cfg_salt['client_acl']|dictsort %}
   {{ name }}:
 {%- for command in user %}
@@ -350,7 +367,7 @@ client_acl:
 {%- endfor -%}
 {%- endfor -%}
 {% else -%}
-#client_acl:
+#publisher_acl:
 #  larry:
 #    - test.ping
 #    - network.*
@@ -361,9 +378,30 @@ client_acl:
 # This example would blacklist all non sudo users, including root from
 # running any commands. It would also blacklist any use of the "cmd"
 # module. This is completely disabled by default.
-{% if 'client_acl_blacklist' in cfg_master %}
+{% if 'publisher_acl_blacklist' in cfg_master %}
+{%- do default_keys.append('publisher_acl_blacklist') %}
+publisher_acl_blacklist:
+  users:
+  {% for user in cfg_master['publisher_acl_blacklist'].get('users', []) %}
+    - {{ user }}
+  {% endfor %}
+  modules:
+  {% for mod in cfg_master['publisher_acl_blacklist'].get('modules', []) %}
+    - {{ mod }}
+  {% endfor %}
+{% elif 'publisher_acl_blacklist' in cfg_salt  %}
+publisher_acl_blacklist:
+  users:
+  {% for user in cfg_salt['publisher_acl_blacklist'].get('users', []) %}
+    - {{ user }}
+  {% endfor %}
+  modules:
+  {% for mod in cfg_salt['publisher_acl_blacklist'].get('modules', []) %}
+    - {{ mod }}
+  {% endfor %}
+{% elif 'client_acl_blacklist' in cfg_master %}
 {%- do default_keys.append('client_acl_blacklist') %}
-client_acl_blacklist:
+publisher_acl_blacklist:
   users:
   {% for user in cfg_master['client_acl_blacklist'].get('users', []) %}
     - {{ user }}
@@ -373,7 +411,7 @@ client_acl_blacklist:
     - {{ mod }}
   {% endfor %}
 {% elif 'client_acl_blacklist' in cfg_salt  %}
-client_acl_blacklist:
+publisher_acl_blacklist:
   users:
   {% for user in cfg_salt['client_acl_blacklist'].get('users', []) %}
     - {{ user }}
@@ -383,7 +421,7 @@ client_acl_blacklist:
     - {{ mod }}
   {% endfor %}
 {% else %}
-#client_acl_blacklist:
+#publisher_acl_blacklist:
 #  users:
 #    - root
 #    - '^(?!sudo_).*$'   #  all non sudo users
@@ -391,7 +429,7 @@ client_acl_blacklist:
 #    - cmd
 {% endif %}
 
-# Enforce client_acl & client_acl_blacklist when users have sudo
+# Enforce publisher_acl & publisher_acl_blacklist when users have sudo
 # access to the salt command.
 {{ get_config('sudo_acl', 'False') }}