Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix/syndic/62618 - external auth #63257

Closed
wants to merge 20 commits into from
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions changelog/62618.fixed
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Fixed syndic eauth. Now jobs will be published when a valid eauth user is targeting allowed minions/functions.
1 change: 1 addition & 0 deletions changelog/62933.fixed
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Restored channel for Syndic minions to send job returns to the Salt master.
32 changes: 19 additions & 13 deletions doc/topics/topology/syndic.rst
Original file line number Diff line number Diff line change
Expand Up @@ -4,31 +4,37 @@
Salt Syndic
===========

.. warning::

Syndics are supported when running ``salt`` as the root/service user on the
Master of Masters, but :ref:`external auth or publisher_acl<acl-eauth>`
may be unstable or not fully supported.

Ensure minions have unique names under different Syndics. Using the same
name for minions under different Syndics is not supported as currently
documented. For example, if ``syndic_a`` and ``syndic_b`` both have a
``minion_1``, this behavior is undocumented and unsupported.

Any other undocumented Syndic implementation should be considered
unsupported, such as using a Syndic as a Master of Masters.

The most basic or typical Salt topology consists of a single Master node
controlling a group of Minion nodes. An intermediate node type, called Syndic,
when used offers greater structural flexibility and scalability in the
construction of Salt topologies than topologies constructed only out of Master
and Minion node types.

A Syndic node can be thought of as a special passthrough Minion node. A Syndic
node consists of a ``salt-syndic`` daemon and a ``salt-master`` daemon running
on the same system. The ``salt-master`` daemon running on the Syndic node
controls a group of lower level Minion nodes and the ``salt-syndic`` daemon
connects higher level Master node, sometimes called a Master of Masters.
A Syndic node is a special passthrough Minion node. A Syndic node consists of
a ``salt-syndic`` daemon and a ``salt-master`` daemon running on the same
system. The ``salt-master`` daemon running on the Syndic node controls a group
of lower level Minion nodes and the ``salt-syndic`` daemon connects to a higher
level Master node, sometimes called a Master of Masters.

The ``salt-syndic`` daemon relays publications and events between the Master
node and the local ``salt-master`` daemon. This gives the Master node control
over the Minion nodes attached to the ``salt-master`` daemon running on the
Syndic node.

.. warning::

Salt does not officially support Syndic and :ref:`external auth or
publisher_acl<acl-eauth>`. It's possible that it might work under certain
circumstances, but comprehensive support is lacking. See `issue #62618 on
GitHub <https://github.com/saltstack/salt/issues/62618>`_ for more
information. Currently Syndic is only expected to work when running Salt as
root, though work is scheduled to fix this in Salt 3006 (Sulfur).

Configuring the Syndic
======================
Expand Down
Loading