salt
[master] Add autosign_grains to auth events with action 'pend'
What does this PR do?
It adds the "autosign_grains" that the minion sends during auth to the auth event that the master sends. This enables us to create a runner to do more cool autosign stuff (more than just shared secrets, which is already supported by autosign_grains).
To enable it, the option auth_events_pend_autosign_grains is added. By default it is false. When enabled, it only passes on the "autosign_grains" when the action is pending. This means that it is not added any more when a key is accepted, rejected or denied.
Example auth event (with autosign grains):
salt/auth {
    "_stamp": "2023-10-18T11:57:23.212718",
    "act": "pend",
    "id": "test.example.com",
    "pub": "<REDACTED>",
    "autosign_grains": {
        "autosign_key": "abcdefgh"
    }
}
As far as I can see, people have wanted something similar in the past: #37712, #43394, #56189 (all closed issues)
In addition to this, I also fixed it so all auth events have the "act" field set (#56200) and moved variables that were only used when auth events were enabled.
What issues does this PR fix or reference?
Fixes: #56200 (not the main goal of the PR, but I had to touch that part of the code anyway)
New Behavior
Add "autosign_grains" to auth events when "act" is "pend".
Merge requirements satisfied?
[NOTICE] Bug fixes or features added to Salt require tests.
- [X] Docs
- [X] Changelog - https://docs.saltproject.io/en/master/topics/development/changelog.html
- [X] Tests written/updated
Commits signed with GPG?
No
Please review Salt's Contributing Guide for best practices.
See GitHub's page on GPG signing for more information about signing commits with GPG.
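A sketch of the kind of policy a runner could apply to the pending auth event described in this PR, added here as an example; it is not code from the PR or from Salt. The names `issue_token`, `decide`, `PROVISIONING_SECRET` and `ALLOWED_ID`, and the HMAC-per-minion-id token scheme, are assumptions, and acting on the decision (accepting the key) is left to the caller.

```python
import hashlib
import hmac
import re

# Assumption: secret held only by the provisioning system and the master.
PROVISIONING_SECRET = b"constructed-demo-secret"
# Assumption: the only minion ids this policy may auto-accept.
ALLOWED_ID = re.compile(r"[a-z0-9-]+\.example\.com")


def issue_token(minion_id: str) -> str:
    """Per-minion token the provisioning system writes into the autosign_key grain."""
    return hmac.new(PROVISIONING_SECRET, minion_id.encode(), hashlib.sha256).hexdigest()


def decide(tag: str, data: dict) -> tuple:
    """Return (decision, reason); decision is 'accept' or 'hold'."""
    if tag != "salt/auth" or data.get("act") != "pend":
        return ("hold", "not a pending auth event")
    minion_id = data.get("id")
    if not isinstance(minion_id, str) or not ALLOWED_ID.fullmatch(minion_id):
        return ("hold", "minion id outside allowed pattern")
    grains = data.get("autosign_grains")
    if not isinstance(grains, dict):
        return ("hold", "no autosign_grains in event")
    token = grains.get("autosign_key")
    if not isinstance(token, str):
        return ("hold", "autosign_key missing or not a string")
    # Grains are minion-supplied, so compare in constant time against a
    # value derived from the id instead of a fleet-wide shared string.
    if not hmac.compare_digest(token.encode("utf-8", "replace"),
                               issue_token(minion_id).encode()):
        return ("hold", "token does not match minion id")
    return ("accept", "token bound to minion id")


# Constructed sample events in the shape shown in the PR description.
SAMPLE_EVENTS = [
    {"act": "pend", "id": "test.example.com", "pub": "<REDACTED>",
     "autosign_grains": {"autosign_key": issue_token("test.example.com")}},
    {"act": "pend", "id": "test.example.com", "pub": "<REDACTED>",
     "autosign_grains": {"autosign_key": "abcdefgh"}},
    {"act": "accept", "id": "test.example.com", "pub": "<REDACTED>"},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["id"], event["act"], decide("salt/auth", event))
```

Because the token is derived from the minion id, a token copied from one host cannot be used to register a different id.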
What is the timeline for reviewing this PR?
Please let me know if there is anything I can do to help or if there is anything missing that I should fix.
@felippeb: bump! :)
Programmatic control of what gets autoaccepted is nice!
- There is no need to modify the man page - it will be generated automatically
- Versionadded should be 3007 (hopefully)
- Do you see any valid use-cases for these grains being added to different auth events (not only pend)? If so, maybe the setting could be more generic: auth_events_autosign_grains: [pend, accept, reject, denied, full, error]
- If you have the time, please document the remaining act values here: https://docs.saltproject.io/en/latest/topics/event/master_events.html#event-master-auth
Thanks for commenting on my PR, @max-arnold :)
- There is no need to modify the man page - it will be generated automatically
Thanks, I'll remove it.
- Versionadded should be 3007 (hopefully)
I'll update the version.
- Do you see any valid use-cases for these grains being added to different auth events (not only pend)? If so, maybe the setting could be more generic: auth_events_autosign_grains: [pend, accept, reject, denied, full, error]
That would make it more flexible and useable for even more use cases, so I think it's a great idea. I originally didn't want to do it like that, since I didn't want to add options for every auth event (auth_events_pend_autosign_grains, auth_events_accept_autosign_grains, and so on). I didn't think of using a list, which looks really elegant! I'll change the code to work for every auth event.
- If you have the time, please document the remaining act values here: https://docs.saltproject.io/en/latest/topics/event/master_events.html#event-master-auth
I'll take a look at fixing the documentation, as well :)
Thanks again for your time!
Thanks, @twangboy!
Do you want the changes in this PR or should I create a new branch, open a new PR and close this one? My experience is that different project teams have different preferences regarding this :)
Just make the changes in this branch. You'll need to pull since I rebased this PR.
Sorry for the delay, I had some other projects I needed to finish first. I have now rebased with master, and I'm working on implementing the changes you wanted.
Changes:
- Removed the man page changes I did earlier.
- Changed version added to 3007.
- Added the missing actions in salt/auth events to the documentation.
- Added another test to test for when the option is not present.
- Modified the option to support logging autosign_grains for all the actions, by adding the actions to a list, as suggested.
Thanks for the help so far! Have a nice weekend!
Any plans for when this PR will be merged? 😊
Probably need to change the .. versionadded to 3008 now.
Would also love to see this added to a release! +1
Bumped the version added to 3008, and fixed a typo I made in the documentation :)
Any chance of getting a new review? :smile:
@twangboy: I hit the wrong button, sorry!
Any chance of getting this merged soon? 😊
@twangboy: bump! :)