Add an auth runner #33296
@cachedout, @thatch45: This is a tad sensitive. Anything about this rub you the wrong way? Primary use-case is to be able to create long-lived Salt tokens tied to an eauth user that can be used in scripts and API calls. One option is to let the caller specify the expiration time when calling mk_token (as done in this PR; is config-gated). Another option would be to leave mk_token alone and make a separate method that does most of what mk_token does.
Hrmm. I don't like the fact that this user override is global. I can see the case for having a privileged user that's allowed to do that but this doesn't feel nearly granular enough to me. Thoughts?
Do agree. I've been puzzling over ways to differentiate "privileged" or not. We could check the calling user as root/sudo vs via eauth. Other thoughts?
@whiteinge Yeah, that's kind of what I'm thinking. What do you think, @thatch45?
I am going to agree with @cachedout but I think that the user granular setting could be an additional feature to this PR
Good suggestions. Added per-user whitelist.
very nice
ping @Lothiraldan
Go Go Jenkins!
Well something went sideways in the test suite here. @whiteinge do you have a moment to take a look?
Yay, tests. <3
What does this PR do?
Add a new 'auth' runner for creating, deleting, and managing eauth tokens.
What issues does this PR fix or reference?
#20363
Tests written?
No