Page MenuHomeDevCentral

Allow salt group's users to run salt commands
ClosedPublic

Authored by Sandlayth on Mar 28 2016, 23:23.
Referenced Files
Unknown Object (File)
Wed, Nov 13, 03:50
Unknown Object (File)
Fri, Nov 8, 01:09
Unknown Object (File)
Thu, Nov 7, 12:53
Unknown Object (File)
Thu, Nov 7, 12:40
Unknown Object (File)
Thu, Nov 7, 10:24
Unknown Object (File)
Tue, Oct 22, 02:29
Unknown Object (File)
Sun, Oct 20, 05:11
Unknown Object (File)
Sat, Oct 19, 10:07

Details

Summary

Resolves T795.

Allowing salt's users to run salt binaries.

Test Plan
alias salt sudo -u salt salt
salt '*' state.apply

Diff Detail

Repository
rOPS Nasqueron Operations
Lint
No Lint Coverage
Unit
No Test Coverage
Branch
T795
Build Status
Buildable 467
Build 582: arc lint + arc unit

Event Timeline

Sandlayth retitled this revision from to Allow wheel group's users to use docker commands.
Sandlayth updated this object.
Sandlayth edited the test plan for this revision. (Show Details)
Sandlayth added a reviewer: dereckson.
Sandlayth added subscribers: dereckson, Sandlayth.

Commit weren't from a clean master, it removed the arc file.

To avoid such issues, here a custom Git command I wrote, allowing to get an updated master before to create the branch, so you can use git newbug T795 from everywhere and get a clean ready for Gerrit or Phabricator branch.

/usr/local/bin/git-newbug
#!/bin/sh
if [ $# -eq 0 ]
then
        echo "Usage: `basename $0` <name of the branch to create>"
        exit 1
fi

BRANCH=$1

REPO=`git rev-parse --show-toplevel`
if [ $? -ne 0 ]
then
    exit $?
fi;
REPO=`basename $REPO`

git checkout master
git fetch --all
git pull
git pull origin master
git checkout -b $BRANCH
roles/saltmaster/sudo/files/sudoers
2

Sorry, I gave this line from Dwellers suoders file as an example of syntax for aliases.

What we want to do here is to allow users to run salt-* commands:

18:19:05 < Dereckson> http://devcentral.nasqueron.org/T795
18:19:05 < Sandlayth> k
18:19:33 < Dereckson> faudrait que si on est dans le groupe wheel, on puisse exécuter les commandes suivantes sous l'user "salt" :
18:19:38 < Dereckson> salt-api salt-call salt-cloud salt-cp salt-key salt-master salt-minion salt-proxy salt-run salt-ssh salt-syndic

salt-unity

(+salt)

4

How do we distinguish between a group, and an user for the first field?

We want to run as salt, not as root.

dereckson requested changes to this revision.Mar 28 2016, 23:44
dereckson edited edge metadata.
This revision now requires changes to proceed.Mar 28 2016, 23:44
Sandlayth edited edge metadata.
  • Allow wheel group's member to use salt function
  • Allow wheel group's users to use the salt function as the salt user and not as root
  • Allow this to the wheel group and not the wheel user
dereckson requested changes to this revision.Mar 29 2016, 13:35
dereckson edited edge metadata.

Squash the commits too.

roles/saltmaster/sudo/files/sudoers
2

/usr/local/bin/salt too

4

With a %, simply, okay.

This revision now requires changes to proceed.Mar 29 2016, 13:35
Sandlayth edited edge metadata.
  • Allow wheel group's member to use salt function
  • Allow wheel group's users to use the salt function as the salt user and not as root
  • Allow this to the wheel group and not the wheel user
  • Salt is also an available command
dereckson requested changes to this revision.EditedApr 10 2016, 20:40
dereckson retitled this revision from Allow wheel group's users to use docker commands to Allow salt group's users to run salt commands.
dereckson updated this object.
dereckson edited the test plan for this revision. (Show Details)
dereckson edited edge metadata.
dereckson added projects: Salt, Servers.
dereckson edited edge metadata.

A specific group for salt will be better.

This revision now requires changes to proceed.Apr 10 2016, 20:41
dereckson edited edge metadata.
dereckson edited the test plan for this revision. (Show Details)
  • %wheel → %salt
  • added rc script
dereckson edited edge metadata.
This revision is now accepted and ready to land.Apr 10 2016, 20:50
This revision was automatically updated to reflect the committed changes.