Limit which Salt states can be executed by the storage-operator #1528

Closed
slaperche-scality opened this issue Aug 19, 2019 · 0 comments

@slaperche-scality

Component:

salt

Why this is needed:

Currently the storage-operator is allowed to execute `state.sls`, which is too wide (it can run any kind of state).
Processes should only have the minimum permissions to allow them to do their job, not more.

What should be done:

Update the ACL for the storage-operator account in salt/metalk8s/salt/master/files/master-99-metalk8s.conf.j2.

Implementation proposal (strongly recommended):

We should limit which states can be given to state.sls, using this feature.

Test plan:

Try to run an arbitrary Salt state while using storage-operator credentials: it should fail.

@slaperche-scality slaperche-scality added topic:storage Issues related to storage moonshot labels Aug 19, 2019
@gdemonet gdemonet self-assigned this Jun 18, 2020
gdemonet added a commit that referenced this issue Jun 18, 2020
Reduce to only state formulas in `metalk8s.volumes`.

Fixes: #1528
gdemonet added a commit that referenced this issue Jun 19, 2020
Reduce to only state formulas in `metalk8s.volumes`.

Fixes: #1528
@bert-e bert-e closed this as completed in 803d521 Jun 23, 2020
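
An illustration of the restriction this issue asks for, as an added example that is not taken from the MetalK8s repository. Only `storage-operator`, `state.sls` and `metalk8s.volumes` come from the page; the eauth backend name (`pam`), the `'*'` minion target and the exact pattern are assumptions.

```yaml
# Added example, not the project's actual configuration.
# Assumed: eauth backend `pam`, minion target '*', and the regex below.
external_auth:
  pam:
    storage-operator:
      # Before (too wide): any SLS name can be passed to state.sls.
      #   - '*':
      #       - 'state.sls'
      #
      # After: the first positional argument of state.sls must match the
      # pattern. state.sls accepts a comma-separated list of SLS names, so
      # the pattern excludes commas and ends with an explicit `$`; a looser
      # pattern such as 'metalk8s\.volumes.*' would also accept a list that
      # merely starts with an allowed name.
      - '*':
          - 'state.sls':
              args:
                - 'metalk8s\.volumes(\.[A-Za-z0-9_-]+)*$'
```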