Master remote ACLs

salt/files/_acl.conf

@@ -1,4 +1,15 @@
+{%- from "salt/map.jinja" import master with context %}
 
-peer:
-  .*:
-    - x509.sign_remote_certificate
+{%- if master.user is defined %}
+
+external_auth:
+  pam:
+    {%- for user_name, user in master.user.iteritems() %}
+    {{ user_name }}: {{ user.permissions|yaml }}
+    {%- endfor %}
+
+{%- endif %}
+
+{#-
+  vim: syntax=jinja
+-#}

salt/files/master.conf

@@ -64,15 +64,6 @@ master_tops:
 
 {%- endif %}
 
-{%- if master.user is defined %}
-
-client_acl:
-  {%- for user_name, user in master.user.iteritems() %}
-  {{ user_name }}: {{ user.permissions|yaml }}
-  {%- endfor %}
-
-{%- endif %}
-
 {%- for handler in pillar.salt.minion.get("handlers", []) %}
 
 {%- if handler.engine == "udp"%}

salt/master/service.sls

@@ -30,6 +30,16 @@ salt_master_packages:
 
 {%- if master.peer is defined %}
 
+/etc/salt/master.d/_acl.conf:
+  file.managed:
+  - source: salt://salt/files/_acl.conf
+  - user: root
+  - template: jinja
+  - require:
+    - {{ master.install_state }}
+  - watch_in:
+    - service: salt_master_service
+
 /etc/salt/master.d/_peer.conf:
   file.managed:
   - source: salt://salt/files/_peer.conf
@@ -40,6 +50,7 @@ salt_master_packages:
   - watch_in:
     - service: salt_master_service
 
+
 {%- endif %}
 
 salt_master_service: