-
Notifications
You must be signed in to change notification settings - Fork 5.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Salt Mine: area of visibility for collected data #44564
Comments
Why can't publish.publish be used to tie this down and only let certain commands be run? Daniel |
Because when you lock certain of commands, you doesn't lock number of hosts as arguments for this commands. Question not in commands but in virtual groups for minions Like I have 3 minions, I want share data between 1 &2 but I don't want to let 3 know about 1 and 2 at all Ansible can do it out of the box for example. With salt currently I should setup separate salt masters for first 2 minions and third one |
If the peering system could lock down to what options could be passed, would this solve the problem? Thanks, |
Possibly yes but for me this variant looks like a dirty hack in compare with the splitting Mine data. Because you can configure Mine one time on master and all necessary minions would know facts about other necessary minions by defaut, but with peering system you should additionally execute publish event Imagine, that I want just populate /etc/hosts with hostname of some group of hosts, not all hosts.
Then I can use this code:
for 'hypothetical group of hosts' all should be fine, for 'another group of hosts' just nothing How to convert it into clear state with peering system? |
@saltstack/team-core does anyone have any opinions about this proposal? Thanks, |
Given that mine_functions can be applied using pillar, can grains be used to lock down where the mine functions run and therefore help you group them, alternatively, we can also add different "names" using grains to support groups of mine functions ? |
Guys, again, main idea it's create groups of minions THAT DON'T KNOW ABOUT OTHER GROUPS! |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. If this issue is closed prematurely, please leave a comment and we will gladly reopen the issue. |
I think this bug is still relevant... |
Thank you for updating this issue. It is no longer marked as stale. |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. If this issue is closed prematurely, please leave a comment and we will gladly reopen the issue. |
Still not stale |
Thank you for updating this issue. It is no longer marked as stale. |
Does #55760 sufficiently address some of the concerns raised in this issue? |
Maybe :) |
Minion-side ACL is not about preventing minions from executing specific functions, but it is about preventing other minions (implemented by allowing only specific minions) to get function data from the salt mine:
or
would make minion |
Currently all collected data can be fetched by any minion. Because of this Mine feature (and direct Peer Communication too) become unapplicable in setups with untrusted minions like multiple clients on one master or even multiple environments.
For example, ansible collect and share information only between hosts of current execution and any of this hosts and only them can get facts about other hosts. It's very convenient!
With salt currently we should hardcode data into pillar instead of dynamic lookups over group of hosts :(
There is old opened task that can explain typical situation
The text was updated successfully, but these errors were encountered: