[BUG] publisher_acl does not work #67946

Open
gotsmth opened this issue Apr 7, 2025 · 2 comments
Labels
Bug broken, incorrect, or confusing behavior needs-triage

@gotsmth
gotsmth commented Apr 7, 2025

Hello,

Seems like publisher_acl does not work.
Salt commands called from the root user work okay.

Simple master config:

interface: 0.0.0.0

publisher_acl:
  tobitest:
    - '*'
  tobi2:
    - '*'

log_level: trace

Some command for test:

[tobitest@sdlxhost ~]$ id
uid=42016(tobitest) gid=42016(tobitest) groups=42016(tobitest) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

[tobitest@sdlxhost ~]$ salt '*' test.ping

2025-04-07 09:20:23,454 [salt.loader.lazy :32  ][TRACE   ][66916] Error loading log_handlers.sentry_mod: Cannot find 'raven' python library, 'sentry_handler' config is empty or not defined
2025-04-07 09:20:23,454 [salt.utils.parsers:222 ][DEBUG   ][66916] Configuration file path: /etc/salt/master
2025-04-07 09:20:23,455 [salt.config      :2033][DEBUG   ][66916] Reading configuration from /etc/salt/master
2025-04-07 09:20:23,456 [salt.config      :3655][DEBUG   ][66916] Using cached minion ID from /etc/salt/minion_id: sdlxhost
2025-04-07 09:20:23,457 [salt.config      :2155][DEBUG   ][66916] Missing configuration file: /home/tobitest/.saltrc
2025-04-07 09:20:23,458 [salt.utils.event :312 ][DEBUG   ][66916] MasterEvent PUB socket URI: /var/run/salt/master/master_event_pub.ipc
2025-04-07 09:20:23,458 [salt.utils.event :313 ][DEBUG   ][66916] MasterEvent PULL socket URI: /var/run/salt/master/master_event_pull.ipc
2025-04-07 09:20:23,481 [salt.transport.ipc:32  ][TRACE   ][66916] IPCClient: Connecting to socket: /var/run/salt/master/master_event_pub.ipc
2025-04-07 09:20:23,482 [salt.transport.ipc:32  ][TRACE   ][63417] IPCServer: Handling connection to address:
2025-04-07 09:20:23,483 [salt.channel.client:32  ][TRACE   ][66916] ReqChannel send clear load={'cmd': 'publish', 'tgt': '*', 'fun': 'test.ping', 'arg': [], 'key': '', 'tgt_type': 'glob', 'ret': '', 'jid': '', 'kwargs': {'show_timeout': True, 'show_jid': False, 'delimiter': ':'}, 'user': 'tobitest'}
2025-04-07 09:20:23,485 [salt.master      :32  ][TRACE   ][63424] Clear payload received with command publish
2025-04-07 09:20:23,486 [salt.auth        :366 ][WARNING ][63424] Authentication failure of type "user" occurred.
2025-04-07 09:20:23,486 [salt.master      :2230][WARNING ][63424] Authentication failure of type "user" occurred.
2025-04-07 09:20:23,486 [salt.transport.ipc:32  ][TRACE   ][63424] IPCClient: Connecting to socket: /var/run/salt/master/master_event_pull.ipc
2025-04-07 09:20:23,487 [salt.transport.ipc:32  ][TRACE   ][63417] IPCServer: Handling connection to address: <socket.socket fd=37, family=AddressFamily.AF_UNIX, type=SocketKind.SOCK_STREAM, proto=0, laddr=/var/run/salt/master/master_event_pull.ipc>
2025-04-07 09:20:23,487 [salt.utils.event :823 ][DEBUG   ][63424] Sending event: tag = salt/job/error; data = {'cmd': 'publish', 'tgt': '*', 'fun': 'test.ping', 'arg': [], 'tgt_type': 'glob', 'ret': '', 'jid': '', 'kwargs': {'show_timeout': True, 'show_jid': False, 'delimiter': ':'}, 'user': 'tobitest', 'error': {'name': 'AuthenticationError', 'message': 'Authentication error occurred.'}, '_stamp': '2025-04-07T07:20:23.487434'}
2025-04-07 09:20:23,488 [salt.channel.client:345 ][DEBUG   ][66916] Closing AsyncReqChannel instance
2025-04-07 09:20:23,489 [salt.transport.ipc:359 ][DEBUG   ][66916] Closing IPCMessageSubscriber instance
2025-04-07 09:20:23,491 [salt.loader.lazy :977 ][DEBUG   ][66916] The functions from module 'nested' are being loaded by dir() on the loaded module
2025-04-07 09:20:23,491 [salt.utils.lazy  :98  ][DEBUG   ][66916] LazyLoaded nested.output
2025-04-07 09:20:23,491 [salt.output      :32  ][TRACE   ][66916] data = Authentication error occurred.
2025-04-07 09:20:23,889 [salt.utils.process:32  ][TRACE   ][63222] Process manager iteration
2025-04-07 09:20:23,928 [salt.utils.process:32  ][TRACE   ][63421] Process manager iteration


Authentication error occurred.

System info:

[root@sdlx ~]# ls -lhd /var/run/salt/master/
drwxr-xr-x. 2 root root 120 Apr  7 09:14 /var/run/salt/master/
[root@sdlx ~]#
[root@sdlx ~]#
[root@sdlx ~]#
[root@sdlx ~]# ls -lh /var/run/salt/master/*
srw-rw-rw-. 1 root root 0 Apr  7 09:14 /var/run/salt/master/master_event_pub.ipc
srw-rw-rw-. 1 root root 0 Apr  7 09:14 /var/run/salt/master/master_event_pull.ipc
srw-rw-rw-. 1 root root 0 Apr  7 09:14 /var/run/salt/master/publish_pull.ipc
srw-rw-rw-. 1 root root 0 Apr  7 09:14 /var/run/salt/master/workers.ipc


[tobitest@sdlxhost ~]$
[tobitest@sdlxhost ~]$ salt -V
Salt Version:
          Salt: 3006.10

Python Version:
        Python: 3.10.16 (main, Mar  6 2025, 02:23:15) [GCC 11.2.0]

Dependency Versions:
          cffi: 1.14.6
      cherrypy: unknown
  cryptography: 42.0.5
      dateutil: 2.8.1
     docker-py: Not Installed
         gitdb: Not Installed
     gitpython: Not Installed
        Jinja2: 3.1.6
       libgit2: Not Installed
  looseversion: 1.0.2
      M2Crypto: Not Installed
          Mako: Not Installed
       msgpack: 1.0.2
  msgpack-pure: Not Installed
  mysql-python: Not Installed
     packaging: 22.0
     pycparser: 2.21
      pycrypto: Not Installed
  pycryptodome: 3.19.1
        pygit2: Not Installed
  python-gnupg: 0.4.8
        PyYAML: 6.0.1
         PyZMQ: 23.2.0
        relenv: 0.18.1
         smmap: Not Installed
       timelib: 0.2.4
       Tornado: 4.5.3
           ZMQ: 4.3.4

System Versions:
          dist: rhel 8.10 Ootpa
        locale: utf-8
       machine: x86_64
       release: 4.18.0-553.44.1.el8_10.x86_64
        system: Linux
       version: Red Hat Enterprise Linux 8.10 Ootpa

Any idea what is going on?
Thank you.

@gotsmth gotsmth added Bug broken, incorrect, or confusing behavior needs-triage labels Apr 7, 2025
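
A log-triage sketch for the master log-file format shown in the post above, added here as an example (it is not part of the original issue and not Salt project code): it pulls rejected `publish` requests out of the `salt/job/error` events and notes whether the client's clear load carried an empty `key`. The function names and the shortened sample lines are constructed for illustration.

```python
import ast
import re
from collections import Counter

# Constructed sample: three lines shortened from the trace log in the post above.
SAMPLE_LOG = """\
2025-04-07 09:20:23,483 [salt.channel.client:32  ][TRACE   ][66916] ReqChannel send clear load={'cmd': 'publish', 'tgt': '*', 'fun': 'test.ping', 'arg': [], 'key': '', 'tgt_type': 'glob', 'user': 'tobitest'}
2025-04-07 09:20:23,486 [salt.auth        :366 ][WARNING ][63424] Authentication failure of type "user" occurred.
2025-04-07 09:20:23,487 [salt.utils.event :823 ][DEBUG   ][63424] Sending event: tag = salt/job/error; data = {'cmd': 'publish', 'tgt': '*', 'fun': 'test.ping', 'user': 'tobitest', 'error': {'name': 'AuthenticationError', 'message': 'Authentication error occurred.'}, '_stamp': '2025-04-07T07:20:23.487434'}
"""

# "<timestamp> [<logger>:<lineno>][<LEVEL>][<pid>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<logger>[\w.]+)\s*:\s*(?P<lineno>\d+)\s*\]"
    r"\[(?P<level>\w+)\s*\]\[(?P<pid>\d+)\] (?P<msg>.*)$"
)

def _literal_dict(msg, marker):
    """Return the Python-literal dict that follows marker in msg, or None."""
    _, found, tail = msg.partition(marker)
    if not found:
        return None
    try:
        value = ast.literal_eval(tail.strip())  # safe: literals only, no code execution
    except (ValueError, SyntaxError):
        return None  # truncated or non-literal payload
    return value if isinstance(value, dict) else None

def publish_auth_failures(log_text):
    """List rejected publishes: time, user, function, target, empty-key flag."""
    empty_key_users, records = set(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # console-format or unrelated lines are skipped
        load = _literal_dict(m["msg"], "ReqChannel send clear load=")
        if load and load.get("cmd") == "publish" and not load.get("key"):
            empty_key_users.add(load.get("user"))
        event = _literal_dict(m["msg"], "tag = salt/job/error; data = ")
        err = event.get("error") if event else None
        if isinstance(err, dict) and err.get("name") == "AuthenticationError":
            records.append({"ts": m["ts"], "user": event.get("user"), "fun": event.get("fun"),
                            "tgt": event.get("tgt"), "sent_empty_key": event.get("user") in empty_key_users})
    return records

def failures_by_user(log_text):
    """Count rejected publishes per requesting user."""
    return Counter(r["user"] for r in publish_auth_failures(log_text))
```
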
@whytewolf
Collaborator

that should be

publisher_acl:
  tobitest:
    - '.*'
  tobi2:
    - '.*'

* = infinite amount of the char preceding this.
. = any single char.

so * by itself doesn't make sense.

@gotsmth
Author

gotsmth commented Apr 15, 2025

Hey,

It makes no sense because I made a mistake here when I was writing the post by hand, sorry.

master conf:

[root@sdlxhost~]# cat /etc/salt/master
interface: 0.0.0.0

#external_auth:
#  pam:
#    tobitest:
#      - .*

publisher_acl:
  tobitest:
    - '.*'
  tobi2:
    - '.*'
  someother:
    - '.*'

log_level: trace

And it does not work:

[tobitest@sdlxhost ~]$ id
uid=42016(tobitest) gid=42016(tobitest) groups=42016(tobitest) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[tobitest@sdlxhost ~]$
[tobitest@sdlxhost ~]$
[tobitest@sdlxhost ~]$
[tobitest@sdlxhost ~]$ salt '*' test.ping
[TRACE   ] Setting up log file logging: {'log_path': '/var/log/salt/master', 'log_level': 'trace', 'log_format': '%(asctime)s,%(msecs)03d [%(name)-17s:%(lineno)-4d][%(levelname)-8s][%(process)d] %(message)s', 'date_format': '%Y-%m-%d %H:%M:%S', 'max_bytes': 0, 'backup_count': 0, 'user': 'tobitest'}
[TRACE   ] The required configuration section, 'fluent_handler', was not found the in the configuration. Not loading the fluent logging handlers module.
[TRACE   ] None of the required configuration sections, 'logstash_udp_handler' and 'logstash_zmq_handler', were found in the configuration. Not loading the Logstash logging handlers module.
[TRACE   ] Error loading log_handlers.sentry_mod: Cannot find 'raven' python library, 'sentry_handler' config is empty or not defined
[DEBUG   ] Configuration file path: /etc/salt/master
[DEBUG   ] Reading configuration from /etc/salt/master
[DEBUG   ] Using cached minion ID from /etc/salt/minion_id: sdlxhost
[DEBUG   ] Missing configuration file: /home/tobitest/.saltrc
[DEBUG   ] MasterEvent PUB socket URI: /var/run/salt/master/master_event_pub.ipc
[DEBUG   ] MasterEvent PULL socket URI: /var/run/salt/master/master_event_pull.ipc
[TRACE   ] IPCClient: Connecting to socket: /var/run/salt/master/master_event_pub.ipc
[TRACE   ] ReqChannel send clear load={'cmd': 'publish', 'tgt': '*', 'fun': 'test.ping', 'arg': [], 'key': '', 'tgt_type': 'glob', 'ret': '', 'jid': '', 'kwargs': {'show_timeout': True, 'show_jid': False, 'delimiter': ':'}, 'user': 'tobitest'}
[DEBUG   ] Closing AsyncReqChannel instance
[DEBUG   ] Closing IPCMessageSubscriber instance
[DEBUG   ] The functions from module 'nested' are being loaded by dir() on the loaded module
[DEBUG   ] LazyLoaded nested.output
[TRACE   ] data = Authentication error occurred.
Authentication error occurred.
[tobitest@sdlxhost ~]$
