Ch3LL
commented
5 years ago Can you include the salt --versions-report you are seeing this one and a use case to help replicate this issue?
Open NicolasT opened 5 years ago
Ch3LL
commented
5 years ago Can you include the salt --versions-report you are seeing this one and a use case to help replicate this issue?
NicolasT
commented
5 years ago $ salt --version-report
Salt Version:
Salt: 2018.3.3
Dependency Versions:
cffi: Not Installed
cherrypy: unknown
dateutil: Not Installed
docker-py: Not Installed
gitdb: Not Installed
gitpython: Not Installed
ioflo: Not Installed
Jinja2: 2.7.2
libgit2: Not Installed
libnacl: Not Installed
M2Crypto: Not Installed
Mako: Not Installed
msgpack-pure: Not Installed
msgpack-python: 0.4.6
mysql-python: Not Installed
pycparser: Not Installed
pycrypto: 2.6.1
pycryptodome: Not Installed
pygit2: Not Installed
Python: 2.7.5 (default, Oct 30 2018, 23:45:53)
python-gnupg: Not Installed
PyYAML: 3.11
PyZMQ: 15.3.0
RAET: Not Installed
smmap: Not Installed
timelib: Not Installed
Tornado: 4.2.1
ZMQ: 4.1.4
System Versions:
dist: centos 7.6.1810 Core
locale: UTF-8
machine: x86_64
release: 3.10.0-957.1.3.el7.x86_64
system: Linux
version: CentOS Linux 7.6.1810 CoreAnyway: Salt 2018.3.3, Python 2.7, CentOS 7 host, Salt from 'official' SaltStack repository.
Shouldn't matter much, the issue lies here: https://github.com/saltstack/salt/blob/df1f9e9b23aa604c9df07388ecaae83c8b627b1f/salt/netapi/rest_cherrypy/app.py#L1897 (same or roughly same code in 2018.3.3)
Also discussed on #develop in the Salt Slack workspace yesterday.
To pro-actively answer other questions:
salt.auth.__init__) and what netapi modules / route handlers doIf unclear, let me know.
Ch3LL
commented
5 years ago thanks for the additional information, seems we need to fix this up for those additional modules.
stale[bot]
commented
4 years ago This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
If this issue is closed prematurely, please leave a comment and we will gladly reopen the issue.
simmel
commented
4 years ago Bump
On 9 Jan 2020, at 05:56, stale[bot] notifications@github.com wrote:
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
If this issue is closed prematurely, please leave a comment and we will gladly reopen the issue.
— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub, or unsubscribe.
stale[bot]
commented
4 years ago Thank you for updating this issue. It is no longer marked as stale.
The SaltAPI/
netapimodules as shipped with Salt 2018.3.3 (rest_cherrypyandrest_tornado) contain apermsfield in the response structure to a successfulPOSTrequest to/login. Thesepermsare populated by retrieving the relevant ACLs from the (master) configuration file (there's a bit of code duplication here, by the way).However, while this works for
authmodules who have ACLs specified in the configuration file, it doesn't work forauthmodules that expose anaclprocedure to dynamically construct ACL lists. When using suchauthmodule, thepermsfield in the/loginresponse remains empty (I believe a similar issue may occur when usingprocess_acllike the LDAPeauthmodule does).As a work-around, I created a custom
netapimodule (wrapping functionality ofrest_cherrypy) which does fill in these fields based on theauth_listfield in thetokengenerated usingself.auth.mk_token, and sets the value ofpermsto this list, similar to how the current code special-cases thedjangoauthmodule. However, this is a hack: it requires thisauth_listto be populated, which is only the case ifkeep_acl_in_tokenistruein the configuration. There seems to be no way to retrieve the ACL list from a given token in the context of anetapimodule otherwise.