Open NicolasT opened 5 years ago
Can you include the salt --versions-report
you are seeing this one and a use case to help replicate this issue?
```
$ salt --version-report
Salt Version:
Salt: 2018.3.3
Dependency Versions:
cffi: Not Installed
cherrypy: unknown
dateutil: Not Installed
docker-py: Not Installed
gitdb: Not Installed
gitpython: Not Installed
ioflo: Not Installed
Jinja2: 2.7.2
libgit2: Not Installed
libnacl: Not Installed
M2Crypto: Not Installed
Mako: Not Installed
msgpack-pure: Not Installed
msgpack-python: 0.4.6
mysql-python: Not Installed
pycparser: Not Installed
pycrypto: 2.6.1
pycryptodome: Not Installed
pygit2: Not Installed
Python: 2.7.5 (default, Oct 30 2018, 23:45:53)
python-gnupg: Not Installed
PyYAML: 3.11
PyZMQ: 15.3.0
RAET: Not Installed
smmap: Not Installed
timelib: Not Installed
Tornado: 4.2.1
ZMQ: 4.1.4
System Versions:
dist: centos 7.6.1810 Core
locale: UTF-8
machine: x86_64
release: 3.10.0-957.1.3.el7.x86_64
system: Linux
version: CentOS Linux 7.6.1810 Core
```
Anyway: Salt 2018.3.3, Python 2.7, CentOS 7 host, Salt from 'official' SaltStack repository.
Shouldn't matter much, the issue lies here: https://github.com/saltstack/salt/blob/df1f9e9b23aa604c9df07388ecaae83c8b627b1f/salt/netapi/rest_cherrypy/app.py#L1897 (same or roughly same code in 2018.3.3)
Also discussed on `#develop` in the Salt Slack workspace yesterday.
To pro-actively answer other questions:
`salt.auth.__init__`) and what `netapi` modules / route handlers do

If unclear, let me know.
Thanks for the additional information, seems we need to fix this up for those additional modules.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
If this issue is closed prematurely, please leave a comment and we will gladly reopen the issue.
Bump
On 9 Jan 2020, at 05:56, stale[bot] notifications@github.com wrote:
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
If this issue is closed prematurely, please leave a comment and we will gladly reopen the issue.
Thank you for updating this issue. It is no longer marked as stale.
The SaltAPI/`netapi` modules as shipped with Salt 2018.3.3 (`rest_cherrypy` and `rest_tornado`) contain a `perms` field in the response structure to a successful `POST` request to `/login`. These `perms` are populated by retrieving the relevant ACLs from the (master) configuration file (there's a bit of code duplication here, by the way).

However, while this works for `auth` modules who have ACLs specified in the configuration file, it doesn't work for `auth` modules that expose an `acl` procedure to dynamically construct ACL lists. When using such `auth` module, the `perms` field in the `/login` response remains empty (I believe a similar issue may occur when using `process_acl` like the LDAP `eauth` module does).

As a work-around, I created a custom `netapi` module (wrapping functionality of `rest_cherrypy`) which does fill in these fields based on the `auth_list` field in the `token` generated using `self.auth.mk_token`, and sets the value of `perms` to this list, similar to how the current code special-cases the `django` `auth` module. However, this is a hack: it requires this `auth_list` to be populated, which is only the case if `keep_acl_in_token` is `true` in the configuration. There seems to be no way to retrieve the ACL list from a given token in the context of a `netapi` module otherwise.
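
A simplified model of the lookup and the work-around described in the issue above, added here as an example; it is not Salt's code and not the reporter's module. The `external_auth` layout, the `eauth` and `name` token fields, the `dynamic_eauth` backend name and the sample ACLs are assumptions made for the illustration.

```python
# Simplified model of the /login `perms` lookup; not Salt's implementation.
# Assumed: the external_auth layout, the token fields "eauth" and "name",
# the backend name "dynamic_eauth", and all sample ACLs (constructed).

def perms_from_config(opts, token):
    """Static lookup: only sees ACLs written in the master configuration."""
    eauth = opts.get("external_auth", {}).get(token["eauth"], {})
    perms = list(eauth.get(token["name"], []))
    perms.extend(eauth.get("*", []))
    return perms


def perms_with_fallback(opts, token):
    """Work-around from the issue: fall back to the ACL kept in the token."""
    perms = perms_from_config(opts, token)
    if perms:
        return perms
    # auth_list is only present when keep_acl_in_token is true.
    return list(token.get("auth_list") or [])


def make_token(opts, eauth, name, dynamic_acl=None):
    """Constructed stand-in for token creation by the auth layer."""
    token = {"eauth": eauth, "name": name}
    if opts.get("keep_acl_in_token"):
        acl = dynamic_acl if dynamic_acl is not None else perms_from_config(opts, token)
        token["auth_list"] = list(acl)
    return token


def demo():
    static_cfg = {"external_auth": {"pam": {"alice": ["test.*"]}}}
    results = {}
    for keep in (False, True):
        opts = dict(static_cfg, keep_acl_in_token=keep)
        alice = make_token(opts, "pam", "alice")
        # bob's ACL comes from the auth module at login time, not the config.
        bob = make_token(opts, "dynamic_eauth", "bob", dynamic_acl=["state.apply"])
        results[keep] = {
            "alice_config": perms_from_config(opts, alice),
            "bob_config": perms_from_config(opts, bob),
            "bob_fallback": perms_with_fallback(opts, bob),
        }
    return results


if __name__ == "__main__":
    for keep, row in demo().items():
        print("keep_acl_in_token=%s -> %s" % (keep, row))
```

In this model an empty `perms` list for `bob` does not mean the user has no permissions, only that the configuration-based lookup cannot see an ACL that the auth backend built at login time.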