saltstack / salt

Software to automate the management and configuration of any infrastructure or application at scale. Get access to the Salt software package repository here:
https://repo.saltproject.io/
Apache License 2.0

salt/auth 'act' field is missing #56200

Open SDedik opened 4 years ago

SDedik commented 4 years ago

Description of Issue

Under certain conditions, captured salt/auth events may not have the act field in the data section, based on whether autosign_grains has or has not been sent by a minion and the state of the key on the salt-master.

Steps to Reproduce Issue

Scenario 1, correct behavior:

Key on salt-master is in accepted state and auth request is sent by new minion with duplicate id and without autosign_grains data:

salt-key -L
Accepted Keys:
myid
Denied Keys:
Unaccepted Keys:
Rejected Keys:

New key is moved to denied automatically because of duplicate id, act field is present:

salt-run state.event pretty=True
salt/auth       {
    "_stamp": "2020-02-19T08:46:02.762610",
    "act": "denied",
    "id": "myid",
    "pub": "-----BEGIN PUBLIC KEY-----...-----END PUBLIC KEY-----",
    "result": false
}

Scenario 2, correct behavior:

Key on salt-master is in accepted state and auth request is sent by new minion with duplicate id and with autosign_grains data:

salt-key -L
Accepted Keys:
myid
Denied Keys:
Unaccepted Keys:
Rejected Keys:

New key is moved to denied automatically because of duplicate id, act field is present:

salt-run state.event pretty=True
salt/auth       {
    "_stamp": "2020-02-19T08:55:22.628125",
    "act": "denied",
    "id": "myid",
    "pub": "-----BEGIN PUBLIC KEY-----...-----END PUBLIC KEY-----",
    "result": false
}

Scenario 3, correct behavior:

Key on salt-master is in pending state and auth request is sent by new minion with duplicate id and without autosign_grains data:

salt-key -L
Accepted Keys:
Denied Keys:
Unaccepted Keys:
myid
Rejected Keys:

New key is moved to denied automatically because of duplicate id, act field is present:

salt-run state.event pretty=True
salt/auth       {
    "_stamp": "2020-02-19T09:01:19.920532",
    "act": "denied",
    "id": "myid",
    "pub": "-----BEGIN PUBLIC KEY-----...-----END PUBLIC KEY-----",
    "result": false
}

Scenario 4, incorrect behavior:

Key on salt-master is in pending state and auth request is sent by new minion with duplicate id and with autosign_grains data:

salt-key -L
Accepted Keys:
Denied Keys:
Unaccepted Keys:
myid
Rejected Keys:

New key is moved to denied automatically because of duplicate id, act field is missing:

salt-run state.event pretty=True
salt/auth       {
    "_stamp": "2020-02-19T09:05:23.364384",
    "id": "myid",
    "pub": "-----BEGIN PUBLIC KEY-----...-----END PUBLIC KEY-----",
    "result": false
}

Versions Report

Salt Version:
           Salt: 3000

Dependency Versions:
           cffi: 1.14.0
       cherrypy: unknown
       dateutil: Not Installed
      docker-py: Not Installed
          gitdb: Not Installed
      gitpython: Not Installed
         Jinja2: 2.8.1
        libgit2: 0.28.4
       M2Crypto: 0.35.2
           Mako: Not Installed
   msgpack-pure: Not Installed
 msgpack-python: 0.6.2
   mysql-python: Not Installed
      pycparser: 2.19
       pycrypto: 2.6.1
   pycryptodome: Not Installed
         pygit2: 1.0.3
         Python: 3.6.8 (default, Aug  7 2019, 17:28:10)
   python-gnupg: Not Installed
         PyYAML: 3.12
          PyZMQ: 15.3.0
          smmap: Not Installed
        timelib: Not Installed
        Tornado: 4.5.3
            ZMQ: 4.1.4

System Versions:
           dist: centos 7.7.1908 Core
         locale: UTF-8
        machine: x86_64
        release: 3.10.0-1062.12.1.el7.x86_64
         system: Linux
        version: CentOS Linux 7.7.1908 Core

Minion version is also Salt 3000 if it might matter.

waynew commented 4 years ago

@SDedik thanks for this report, we'll see if we can reproduce!

SDedik commented 4 years ago

I should probably add that the minion runs on Windows:

PS C:\salt> .\salt-call.bat -V
Salt Version:
           Salt: 3000

Dependency Versions:
           cffi: 1.12.2
       cherrypy: 17.4.1
       dateutil: 2.8.0
      docker-py: Not Installed
          gitdb: 2.0.6
      gitpython: 2.1.10
         Jinja2: 2.10.1
        libgit2: Not Installed
       M2Crypto: Not Installed
           Mako: 1.0.7
   msgpack-pure: Not Installed
 msgpack-python: 0.5.6
   mysql-python: Not Installed
      pycparser: 2.19
       pycrypto: Not Installed
   pycryptodome: 3.8.1
         pygit2: Not Installed
         Python: 3.5.4 (v3.5.4:3f56838, Aug  8 2017, 02:17:05) [MSC v.1900 64 bit (AMD64)]
   python-gnupg: 0.4.4
         PyYAML: 5.1.2
          PyZMQ: 18.0.1
          smmap: 2.0.5
        timelib: 0.2.4
        Tornado: 4.5.3
            ZMQ: 4.3.1

System Versions:
           dist:
         locale: cp1252
        machine: AMD64
        release: 2019Server
         system: Windows
        version: 2019Server 10.0.17763 SP0 Multiprocessor Free

autosign_grains used in the process is windowsdomain.

waynew commented 4 years ago

It looks like it may just be due to missing 'act': 'denied' in this block https://github.com/saltstack/salt/blob/d2a5bd8adddb98ec1718d79384aa13b4f37e8028/salt/transport/mixins/auth.py#L384-L388
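
For anyone consuming these events in monitoring, the following added example (not part of the thread and not Salt's own code) parses output in the `salt-run state.event pretty=True` layout shown in the report and classifies `salt/auth` events so that the Scenario 4 payload is not silently skipped by a check on `act == "denied"`. The function names and the fallback rule (no `act` plus `result: false` is counted as a denial and flagged as inferred) are assumptions made for this illustration.

```python
import json

# Constructed sample: the Scenario 1 and Scenario 4 events from the report,
# laid out as `salt-run state.event pretty=True` prints them.
SAMPLE = '''salt/auth       {
    "_stamp": "2020-02-19T08:46:02.762610",
    "act": "denied",
    "id": "myid",
    "pub": "-----BEGIN PUBLIC KEY-----...-----END PUBLIC KEY-----",
    "result": false
}
salt/auth       {
    "_stamp": "2020-02-19T09:05:23.364384",
    "id": "myid",
    "pub": "-----BEGIN PUBLIC KEY-----...-----END PUBLIC KEY-----",
    "result": false
}
'''

def parse_events(text):
    """Yield (tag, data) for each 'tag {json}' record in the output."""
    decoder, pos = json.JSONDecoder(), 0
    while (brace := text.find("{", pos)) != -1:
        # The tag is whatever precedes the opening brace on its line.
        tag = text[text.rfind("\n", 0, brace) + 1:brace].strip()
        data, pos = decoder.raw_decode(text, brace)
        yield tag, data

def classify_auth(data):
    """Return (action, inferred). Assumed fallback rule (not Salt's own):
    a payload with no `act` and result false is counted as a denial."""
    if "act" in data:
        return data["act"], False
    if data.get("result") is False:
        return "denied", True
    return "unknown", True

def auth_findings(text):
    """Classify every salt/auth event; other tags are ignored."""
    findings = []
    for tag, data in parse_events(text):
        if tag == "salt/auth":
            action, inferred = classify_auth(data)
            findings.append({"id": data.get("id"), "stamp": data.get("_stamp"),
                             "action": action, "inferred": inferred})
    return findings
```

Findings with `inferred` set to true mark events where the master did not state the action, which is also a convenient way to count how often the Scenario 4 path is hit.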