Fixed explanations, and improved logic code to client_acl

10 years ago · 5029504212
--- a/salt/files/master.d/_defaults.conf
+++ b/salt/files/master.d/_defaults.conf
 # Per default, the master will automatically include all config files
 # from master.d/*.conf (master.d is a directory in the same directory
 # as the main master config file)
 # as the main master config file).
 {{ get_config('default_include', 'master.d/*.conf') }}
 # The address of the interface to bind to
 # The address of the interface to bind to:
 {{ get_config('interface', '0.0.0.0') }}
 # Whether the master should listen for IPv6 connections. If this is set to True,
 # the interface option must be adjusted too (for example: "interface: '::'")
 # the interface option must be adjusted, too. (For example: "interface: '::'")
 {{ get_config('ipv6', 'False') }}
 # The tcp port used by the publisher
 # The tcp port used by the publisher:
 {{ get_config('publish_port', '4505') }}
 # The user to run the salt-master as. Salt will update all permissions to
 # allow the specified user to run the master. If the modified files cause
 # conflicts set verify_env to False.
 # The user under which the salt master will run. Salt will update all
 # permissions to allow the specified user to run the master. The exception is
 # the job cache, which must be deleted if this user is changed. If the
 # modified files cause conflicts, set verify_env to False.
 {{ get_config('user', 'root') }}
 # Max open files
 #
 # Each minion connecting to the master uses AT LEAST one file descriptor, the
 # master subscription connection. If enough minions connect you might start
 # seeing on the console(and then salt-master crashes):
 # seeing on the console (and then salt-master crashes):
 #   Too many open files (tcp_listener.cpp:335)
 #   Aborted (core dumped)
 #
 # If you wish to set a different value than the default one, uncomment and
 # configure this setting. Remember that this value CANNOT be higher than the
 # hard limit. Raising the hard limit depends on your OS and/or distribution,
 # a good way to find the limit is to search the internet for(for example):
 # a good way to find the limit is to search the internet. For example:
 #   raise max open files hard limit debian
 #
 {{ get_config('max_open_files', '100000') }}
 # The number of worker threads to start, these threads are used to manage
 # return calls made from minions to the master, if the master seems to be
 # running slowly, increase the number of threads
 # The number of worker threads to start. These threads are used to manage
 # return calls made from minions to the master. If the master seems to be
 # running slowly, increase the number of threads.
 {{ get_config('worker_threads', '5') }}
 # The port used by the communication interface. The ret (return) port is the
 # interface used for the file server, authentication, job returnes, etc.
 # interface used for the file server, authentication, job returns, etc.
 {{ get_config('ret_port', '4506') }}
 # Specify the location of the daemon process ID file
 # Specify the location of the daemon process ID file:
 {{ get_config('pidfile', '/var/run/salt-master.pid') }}
 # The root directory prepended to these options: pki_dir, cachedir,
 # sock_dir, log_file, autosign_file, autoreject_file, extension_modules,
 # key_logfile, pidfile.
 # key_logfile, pidfile:
 {{ get_config('root_dir', '/') }}
 # Directory used to store public key data
 # Directory used to store public key data:
 {{ get_config('pki_dir', '/etc/salt/pki/master') }}
 # Directory to store job and cache data
 # Directory to store job and cache data:
 {{ get_config('cachedir', '/var/cache/salt/master') }}
 # Verify and set permissions on configuration directories at startup
 # Directory for custom modules. This directory can contain subdirectories for
 # each of Salt's module types such as "runners", "output", "wheel", "modules",
 # "states", "returners", etc.
 {{ get_config('extension_modules', '<no default>') }}
 # Verify and set permissions on configuration directories at startup:
 {{ get_config('verify_env', 'True') }}
 # Set the number of hours to keep old job information in the job cache
 # Set the number of hours to keep old job information in the job cache:
 {{ get_config('keep_jobs', '24') }}
 # Set the default timeout for the salt command and api, the default is 5
 # seconds
 # Set the default timeout for the salt command and api. The default is 5
 # seconds.
 {{ get_config('timeout', '5') }}
 # The loop_interval option controls the seconds for the master's maintenance
 # job cache and executes the scheduler.
 {{ get_config('loop_interval', '60') }}
 # Set the default outputter used by the salt command. The default is "nested"
 # Set the default outputter used by the salt command. The default is "nested".
 {{ get_config('output', 'nested') }}
 # By default output is colored, to disable colored output set the color value
 # to False
 # Return minions that timeout when running commands like test.ping
 {{ get_config('show_timeout', 'True') }}
 # By default, output is colored. To disable colored output, set the color value
 # to False.
 {{ get_config('color', 'True') }}
 # Set the directory used to hold unix sockets
 # Do not strip off the colored output from nested results and state outputs
 # (true by default).
 {{ get_config('strip_colors', 'False') }}
 # Set the directory used to hold unix sockets:
 {{ get_config('sock_dir', '/var/run/salt/master') }}
 # The master can take a while to start up when lspci and/or dmidecode is used
 # to populate the grains for the master. Enable if you want to see GPU hardware
 # data for your master.
 #
 {{ get_config('enable_gpu_grains', 'False') }}
 # The master maintains a job cache, while this is a great addition it can be
 # The master maintains a job cache. While this is a great addition, it can be
 # a burden on the master for larger deployments (over 5000 minions).
 # Disabling the job cache will make previously executed jobs unavailable to
 # the jobs system and is not generally recommended.
 #
 {{ get_config('job_cache', 'True') }}
 # Cache minion grains and pillar data in the cachedir.
 {{ get_config('minion_data_cache', 'True') }}
 # Store all returns in the given returner.
 # Setting this option requires that any returner-specific configuration also 
 # be set. See various returners in salt/returners for details on required
 # configuration values. (See also, event_return_queue below.)
 #
 {{ get_config('event_return', 'mysql') }}
 # On busy systems, enabling event_returns can cause a considerable load on
 # the storage system for returners. Events can be queued on the master and
 # stored in a batched fashion using a single transaction for multiple events.
 # By default, events are not queued.
 {{ get_config('event_return_queue', '0') }}
 # Only events returns matching tags in a whitelist
 {% if 'event_return_whitelist' in master -%}
 event_return_whitelist:
  {%- for event_return in event_return_whitelist %}
  - {{ event_return }}
  {%- endfor -%}
 {% elif 'event_return_whitelist' in salt -%}
 event_return_whitelist:
  {%- for event_return in event_return_whitelist %}
  - {{ event_return }}
  {%- endfor -%}
 {% else -%}
 # event_return_whitelist:
 #   - salt/master/a_tag
 #   - salt/master/another_tag
 {% endif %}
 # Store all event returns _except_ the tags in a blacklist
 {% if 'event_return_blacklist' in master -%}
 event_return_blacklist:
  {%- for event_return in event_return_blacklist %}
  - {{ event_return }}
  {%- endfor -%}
 {% elif 'event_return_blacklist' in salt -%}
 event_return_blacklist:
  {%- for event_return in event_return_blacklist %}
  - {{ event_return }}
  {%- endfor -%}
 {% else -%}
 # event_return_blacklist:
 #   - salt/master/not_this_tag
 #   - salt/master/or_this_one
 {% endif %}
 # Passing very large events can cause the minion to consume large amounts of
 # memory. This value tunes the maximum size of a message allowed onto the
 # master event bus. The value is expressed in bytes.
 {{ get_config('max_event_size', '1048576') }}
 # By default, the master AES key rotates every 24 hours. The next command
 # following a key rotation will trigger a key refresh from the minion which may
 # result in minions which do not respond to the first command after a key refresh.
 #
 # To tell the master to ping all minions immediately after an AES key refresh, set
 # ping_on_rotate to True. This should mitigate the issue where a minion does not
 # appear to initially respond after a key is rotated.
 #
 # Note that ping_on_rotate may cause high load on the master immediately after
 # the key rotation event as minions reconnect. Consider this carefully if this
 # salt master is managing a large number of minions.
 #
 # If disabled, it is recommended to handle this event by listening for the 
 # 'aes_key_rotate' event with the 'key' tag and acting appropriately.
 {{ get_config('ping_on_rotate', 'False') }}
 # By default, the master deletes its cache of minion data when the key for that
 # minion is removed. To preserve the cache after key deletion, set 
 # 'preserve_minion_cache' to True.
 #
 # WARNING: This may have security implications if compromised minions auth with
 # a previous deleted minion ID.
 {{ get_config('preserve_minion_cache', 'False') }}
 # If max_minions is used in large installations, the master might experience
 # high-load situations because of having to check the number of connected
 # minions for every authentication. This cache provides the minion-ids of
 # all connected minions to all MWorker-processes and greatly improves the
 # performance of max_minions.
 {{ get_config('con_cache', 'False') }}
 # The master can include configuration from other files. To enable this,
 # pass a list of paths to this option. The paths can be either relative or
 # absolute; if relative, they are considered to be relative to the directory
 # the main master configuration file lives in (this file). Paths can make use
 # of shell-style globbing. If no files are matched by a path passed to this
 # option then the master will log a warning message.
 #
 # option, then the master will log a warning message.
 #
 # Include a config file from some other path:
 #include: /etc/salt/extra_config
 # include: /etc/salt/extra_config
 #
 # Include config from several files and directories:
 #include:
 #  - /etc/salt/extra_config
 # include:
 #   - /etc/salt/extra_config
 {{ get_config('include', '[]') }}
 #####        Security settings       #####
 ##########################################
 # Enable "open mode", this mode still maintains encryption, but turns off
 # public keys from the minions. Note that this is insecure.
 {{ get_config('auto_accept', 'False') }}
 # Time in minutes that a incoming public key with a matching name found in
 # pki_dir/minion_autosign/keyid is automatically accepted. Expired autosign keys
 # are removed when the master checks the minion_autosign directory.
 # 0 equals no timeout
 {{ get_config('autosign_timeout', '120') }}
 # If the autosign_file is specified, incoming keys specified in the
 # autosign_file will be automatically accepted. This is insecure.  Regular
 # expressions as well as globing lines are supported.
 # Works like autosign_file, but instead allows you to specify minion IDs for
 # which keys will automatically be rejected. Will override both membership in
 # the autosign_file and the auto_accept setting.
 {{ get_config('autoreject_file', '/etc/salt/autosign.conf') }}
 {{ get_config('autoreject_file', '/etc/salt/autoreject.conf') }}
 # Enable permissive access to the salt keys.  This allows you to run the
 # Enable permissive access to the salt keys. This allows you to run the
 # master or minion as root, but have a non-root group be given access to
 # your pki_dir.  To make the access explicit, root must belong to the group
 # you've given access to.  This is potentially quite insecure.
 # If an autosign_file is specified, enabling permissive_pki_access will allow group access
 # to that specific file.
 # your pki_dir. To make the access explicit, root must belong to the group
 # you've given access to. This is potentially quite insecure. If an autosign_file
 # is specified, enabling permissive_pki_access will allow group access to that
 # specific file.
 {{ get_config('permissive_pki_access', 'False') }}
 # Allow users on the master access to execute specific commands on minions.
 # This setting should be treated with care since it opens up execution
 # capabilities to non root users. By default this capability is completely
 # disabled.
 #
 #client_acl:
 #  larry:
 #    - test.ping
 #    - network.*
 #
 {{ get_config('client_acl', '{}') }}
 {% if 'client_acl' in master -%}
 client_acl:
 {%- for name, user in master['client_acl']|dictsort %}
  {{ name}}:
 {%- for command in user %}
    - {% raw %}'{% endraw %}{{ command }}{% raw %}'{% endraw %}
 {%- endfor -%}
 {%- endfor -%}
 {% elif 'client_acl' in salt -%}
 client_acl:
 {%- for name, user in salt['client_acl']|dictsort %}
  {{ name }}:
 {%- for command in user %}
    - {% raw %}'{% endraw %}{{ command }}{% raw %}'{% endraw %}
 {%- endfor -%}
 {%- endfor -%}
 {% else -%}
 #client_acl:
 #  larry:
 #    - test.ping
 #    - network.*
 {%- endif %}
 # Blacklist any of the following users or modules
 #
 # This example would blacklist all non sudo users, including root from
 # running any commands. It would also blacklist any use of the "cmd"
 # module.
 # This is completely disabled by default.
 # module. This is completely disabled by default.
 #
 {% if 'client_acl_blacklist' in master %}
 client_acl_blacklist:
 #    - cmd
 {% endif %}
 # Enforce client_acl & client_acl_blacklist when users have sudo
 # access to the salt command. 
 #
 {{ get_config('sudo_acl', 'False') }}
 # The external auth system uses the Salt auth modules to authenticate and
 # validate users to access areas of the Salt system.
 #
 #external_auth:
 #  pam:
 #    fred:
 #      - test.*
 #
 {{ get_config('external_auth', '{}') }}
 # Time (in seconds) for a newly generated token to live. Default: 12 hours
 {{ get_config('file_recv', 'False') }}
 # Set a hard-limit on the size of the files that can be pushed to the master.
 # It will be interpreted as megabytes.
 # Default: 100
 # It will be interpreted as megabytes. Default: 100
 {{ get_config('file_recv_max_size', '100') }}
 # Signature verification on messages published from the master.
 # no signature, it will still be accepted, and a warning message will be logged.
 # Conversely, if sign_pub_messages is False, but a minion receives a signed
 # message it will be accepted, the signature will not be checked, and a warning message
 # will be logged.  This behavior will go away in Salt 0.17.6 (or Hydrogen RC1, whichever
 # comes first) and these two situations will cause minion to throw an exception and
 # drop the message.
 #
 # will be logged. This behavior went away in Salt 2014.1.0 and these two situations
 # will cause minion to throw an exception and drop the message.
 {{ get_config('sign_pub_message', 'False') }}
 #####    Master Module Management    #####
 ##########################################
 # Manage how master side modules are loaded
 # Manage how master side modules are loaded.
 # Add any additional locations to look for master runners
 # Add any additional locations to look for master runners:
 {{ get_config('runner_dirs', '[]') }}
 # Enable Cython for master side modules
 # Enable Cython for master side modules:
 {{ get_config('cython_enable', 'False') }}
 # The master_tops option replaces the external_nodes option by creating
 # a plugable system for the generation of external top data. The external_nodes
 # option is deprecated by the master_tops option.
 #
 # To gain the capabilities of the classic external_nodes system, use the
 # following configuration:
 # master_tops:
 # output for each changed state if set to 'full', but if set to 'terse'
 # the output will be shortened to a single line.  If set to 'mixed', the output
 # will be terse unless a state failed, in which case that output will be full.
 # If set to 'changes', the output will be full unless the state didn't change.
 {{ get_config('state_output', 'full') }}
 {{ get_config('yaml_utf8', 'False')  }}
 # Automatically aggregate all states that have support for mod_aggregate by
 # setting to True. Or pass a list of state module names to automatically
 # aggregate just those types.
 #
 # state_aggregate:
 #   - pkg
 #
 #state_aggregate: False
 #####      File Server settings      #####
 ##########################################
 #   prod:
 #     - /srv/salt/prod/services
 #     - /srv/salt/prod/states
 {% if 'file_roots' in master -%}
 file_roots:
 {%- for name, roots in master['file_roots']|dictsort %}
 #    - /srv/salt
 {%- endif %}
 # The hash_type is the hash to use when discovering the hash of a file on
 # the master server. The default is md5, but sha1, sha224, sha256, sha384
 # and sha512 are also supported.
 #
 # Prior to changing this value, the master should be stopped and all Salt 
 # caches should be cleared.
 {{ get_config('hash_type', 'md5') }}
 # The buffer size in the file server can be adjusted here:
 {% endif %}
 # File Server Backend
 #
 # Salt supports a modular fileserver backend system, this system allows
 # the salt master to link directly to third party systems to gather and
 # manage the files available to minions. Multiple backends can be
 # configured and will be searched for the requested file in the order in which
 # they are defined here. The default setting only enables the standard backend
 # "roots" which uses the "file_roots" option.
 #
 #fileserver_backend:
 #  - roots
 #
 # To use multiple backends list them in the order they are searched:
 #
 #fileserver_backend:
 #  - git
 #  - roots
 # symlinks when walking the filesystem tree. This is set to True
 # by default. Currently this only applies to the default roots
 # fileserver_backend.
 #
 {{ get_config('fileserver_followsymlinks', 'False') }}
 #
 # Uncomment the line below if you do not want symlinks to be
 # treated as the files they are pointing to. By default this is set to
 # False. By uncommenting the line below, any detected symlink while listing
 # files on the Master will not be returned to the Minion.
 #
 {{ get_config('fileserver_ignoresymlinks', 'True') }}
 #
 # By default, the Salt fileserver recurses fully into all defined environments
 # to attempt to find files. To limit this behavior so that the fileserver only
 # traverses directories with SLS files and special Salt directories like _modules,
 # enable the option below. This might be useful for installations where a file root
 # has a very large number of files and performance is impacted. Default is False.
 #
 {{ get_config('fileserver_limit_traversal', 'False') }}
 #
 # The fileserver can fire events off every time the fileserver is updated,
 # these are disabled by default, but can be easily turned on by setting this
 # flag to True
 {{ get_config('fileserver_events', 'False') }}
 #
 # Git fileserver backend configuration
 # Git File Server Backend Configuration
 #
 # Gitfs can be provided by one of two python modules: GitPython or pygit2. If
 # using pygit2, both libgit2 and git must also be installed.
 {%- endif -%}
 {%- endfor -%}
 {%- endif %}
 #
 #gitfs_remotes:
 #  - git://github.com/saltstack/salt-states.git
 #  - file:///var/git/saltmaster
 # is a security concern, you may want to try using the ssh transport.
 {{ get_config('gitfs_ssl_verify', 'True') }}
 #
 #
 # The gitfs_root option gives the ability to serve files from a subdirectory
 # within the repository. The path is defined relative to the root of the
 # repository and defaults to the repository root.
 #  base:
 #    - /srv/pillar
 {% endif %}
 #
 {% if 'ext_pillar' in master %}
 ext_pillar:
 {% for pillar in master['ext_pillar'] %}
 #  - cmd_yaml: cat /etc/salt/yaml
 {% endif %}
 # The ext_pillar_first option allows for external pillar sources to populate
 # before file system pillar. This allows for targeting file system pillar from
 # ext_pillar.
 {{ get_config('ext_pillar_first', 'False') }}
 # The pillar_gitfs_ssl_verify option specifies whether to ignore ssl certificate
 # errors when contacting the pillar gitfs backend. You might want to set this to
 # false if you're using a git backend that uses a self-signed certificate but
 # this master where to receive commands from.
 {{ get_config('syndic_master', 'masterofmaster') }}
 # This is the 'ret_port' of the MasterOfMaster
 # This is the 'ret_port' of the MasterOfMaster:
 {{ get_config('syndic_master_port', '4506') }}
 # PID file of the syndic daemon
 # PID file of the syndic daemon:
 {{ get_config('syndic_pidfile', '/var/run/salt-syndic.pid') }}
 # LOG file of the syndic daemon
 # LOG file of the syndic daemon:
 {{ get_config('syndic_log_file', 'syndic.log') }}
 #####      Peer Publish settings     #####
 # of regular expressions to match functions. The following will allow the
 # minion authenticated as foo.example.com to execute functions from the test
 # and pkg modules.
 #
 #peer:
 #  foo.example.com:
 #    - test.*
 #    - pkg.*
 #
 # This will allow all minions to execute all commands:
 #
 #peer:
 #  .*:
 #    - .*
 #
 # All peer runner support is turned off by default and must be enabled before
 # using. This will enable all peer runners for all minions:
 #
 #peer_run:
 #  .*:
 #    - .*
 #
 # To enable just the manage.up runner for the minion foo.example.com:
 #
 #peer_run:
 #  foo.example.com:
 #    - manage.up
  {% endfor %}
 {% endif %}
 #####         Mine settings     #####
 ##########################################
 # Restrict mine.get access from minions. By default any minion has a full access
 # to get all mine data from master cache. In acl definion below, only pcre matches
 # are allowed.
 #
 # mine_get:
 #   .*:
 #     - .*
 #
 # Example below enables minion foo.example.com to get  'network.interfaces' mine data only
 # , minions web* to get all network.* and disk.* mine data and all other minions won't get
 # any mine data.
 #
 # The example below enables minion foo.example.com to get 'network.interfaces' mine
 # data only, minions web* to get all network.* and disk.* mine data and all other
 # minions won't get any mine data.
 # mine_get:
 #   foo.example.com:
 #     - network.inetrfaces
 #     - network.interfaces
 #   web.*:
 #     - network.*
 #     - disk.*
 #####         Logging settings       #####
 ##########################################
 # The location of the master log file
 # example sets the main salt library at the 'warning' level, but sets
 # 'salt.modules' to log at the 'debug' level:
 #   log_granular_levels:
 #     'salt': 'warning',
 #     'salt': 'warning'
 #     'salt.modules': 'debug'
 #
 {% if 'log_granular_levels' in master %}
 #####         Node Groups           #####
 ##########################################
 # Node groups allow for logical groupings of minion nodes.
 # A group consists of a group name and a compound target.
 #
 # Node groups allow for logical groupings of minion nodes. A group consists of a group
 # name and a compound target.
 #nodegroups:
 #  group1: 'L@foo.domain.com,bar.domain.com,baz.domain.com and bl*.domain.com'
 #  group2: 'G@os:Debian and foo.domain.com'
 #####     Range Cluster settings     #####
 ##########################################
 # The range server (and optional port) that serves your cluster information
 # https://github.com/grierj/range/wiki/Introduction-to-Range-with-YAML-files
 # https://github.com/ytoolshed/range/wiki/%22yamlfile%22-module-file-spec
 #
 {{ get_config('range_server', 'range:80') }}
 #####     Windows Software Repo settings #####
 ##############################################
 # Location of the repo on the master
 # Location of the repo on the master:
 {{ get_config('win_repo', '/srv/salt/win/repo') }}
 # Location of the master's repo cache file
 # Location of the master's repo cache file:
 {{ get_config('win_repo_mastercachefile', '/srv/salt/win/repo/winrepo.p') }}
 # List of git repositories to include with the local repo
 # List of git repositories to include with the local repo:
 {% if 'win_gitrepos' in master %}
 win_gitrepos:
  {% for repo in master['win_gitrepos'] %}
 #  - 'https://github.com/saltstack/salt-winrepo.git'
 {% endif %}
 #####      Returner settings          ######
 ############################################
 # Which returner(s) will be used for minion's result:
 #return: mysql
 {% if 'halite' in master %}
 #####             Halite             #####
 ##########################################