Open SDedik opened 4 years ago
@SDedik thanks for this report, we'll see if we can reproduce!
I should probably add that minion runs on Windows
PS C:\salt> .\salt-call.bat -V
Salt Version:
Salt: 3000
Dependency Versions:
cffi: 1.12.2
cherrypy: 17.4.1
dateutil: 2.8.0
docker-py: Not Installed
gitdb: 2.0.6
gitpython: 2.1.10
Jinja2: 2.10.1
libgit2: Not Installed
M2Crypto: Not Installed
Mako: 1.0.7
msgpack-pure: Not Installed
msgpack-python: 0.5.6
mysql-python: Not Installed
pycparser: 2.19
pycrypto: Not Installed
pycryptodome: 3.8.1
pygit2: Not Installed
Python: 3.5.4 (v3.5.4:3f56838, Aug 8 2017, 02:17:05) [MSC v.1900 64 bit (AMD64)]
python-gnupg: 0.4.4
PyYAML: 5.1.2
PyZMQ: 18.0.1
smmap: 2.0.5
timelib: 0.2.4
Tornado: 4.5.3
ZMQ: 4.3.1
System Versions:
dist:
locale: cp1252
machine: AMD64
release: 2019Server
system: Windows
version: 2019Server 10.0.17763 SP0 Multiprocessor Free
autosign_grains used in the process is windowsdomain.
It looks like it may just be due to missing 'act': 'denied' in this block https://github.com/saltstack/salt/blob/d2a5bd8adddb98ec1718d79384aa13b4f37e8028/salt/transport/mixins/auth.py#L384-L388
Description of Issue
Under certain conditions captured salt/auth events may not have act field in data section based on whether autosign_grains has or has not been sent by a minion and state of the key on salt-master.
Steps to Reproduce Issue
Scenario 1, correct behavior:
Key on salt-master is in accepted state and auth request is sent by new minion with duplicate id and without autosign_grains data:
New key is moved to denied automatically because of duplicate id, act field is present:
Scenario 2, correct behavior:
Key on salt-master is in accepted state and auth request is sent by new minion with duplicate id and with autosign_grains data:
New key is moved to denied automatically because of duplicate id, act field is present:
Scenario 3, correct behavior:
Key on salt-master is in pending state and auth request is sent by new minion with duplicate id and without autosign_grains data:
New key is moved to denied automatically because of duplicate id, act field is present:
Scenario 4, incorrect behavior:
Key on salt-master is in pending state and auth request is sent by new minion with duplicate id and with autosign_grains data:
New key is moved to denied automatically because of duplicate id, act field is missing:
Versions Report
Minion version is also Salt 3000 if it might matter.
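
For anyone consuming salt/auth events to alert on denied keys, the sketch below is an added example (not part of the original report and not Salt's own code) showing why a filter on act == 'denied' alone misses the scenario 4 event, and a tolerant alternative. The sample events are constructed; the presence of result, id and pub in the scenario 4 event, and result being False there, are assumptions, and the function names are hypothetical.

```python
# Constructed salt/auth event data dicts; minion ids and key material are placeholders.
SAMPLE_EVENTS = [
    {"act": "accept", "id": "web01", "pub": "<pubkey-A>", "result": True},
    {"act": "pend", "id": "web02", "pub": "<pubkey-B>", "result": True},
    # Scenarios 1-3 shape: duplicate id, key denied, act present.
    {"act": "denied", "id": "web01", "pub": "<pubkey-C>", "result": False},
    # Scenario 4 shape: duplicate id, key denied, act missing.
    # Assumption: result/id/pub are still present and result is False.
    {"id": "web02", "pub": "<pubkey-D>", "result": False},
]


def naive_denied_ids(events):
    """Filter that trusts act to always be set; silently skips scenario 4."""
    return [e.get("id") for e in events if e.get("act") == "denied"]


def classify_auth_event(data):
    """Return (verdict, note) for one salt/auth event data dict."""
    act = data.get("act")
    if act is not None:
        return act, "act field present"
    # No act field: keep the event instead of dropping it.
    if data.get("result") is False:
        return "denied", "act missing, inferred from result=False"
    return "unknown", "act missing and result not False, needs review"


def denied_minion_ids(events):
    """Collect (minion id, note) for denied attempts, including inferred ones."""
    hits = []
    for data in events:
        verdict, note = classify_auth_event(data)
        if verdict == "denied":
            hits.append((data.get("id"), note))
    return hits


if __name__ == "__main__":
    print("naive:   ", naive_denied_ids(SAMPLE_EVENTS))
    print("tolerant:", denied_minion_ids(SAMPLE_EVENTS))
```

The note string distinguishes inferred denials from explicit ones, so they can be reviewed separately once the master sets act on this code path.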