Security concerns

Several security topics are covered in this chapter.

Authentication keys

The salt-key command manages the minion public keys that the Salt master uses for authentication.

salt-key [ options ]

On initial connection, a Salt minion sends its public key to the Salt master. This key must be accepted using the salt-key command on the Salt master. Salt minion keys can be in one of the following states:

Unaccepted

Key is waiting to be accepted.

Accepted

Key was accepted and the minion can communicate with the Salt master.

Rejected

Key was rejected using the salt-key command. In this state the minion does not receive any communication from the Salt master.

Denied

Key was rejected automatically by the Salt master. This occurs when a minion has a duplicate ID, or when a minion was rebuilt or had new keys generated and the previous key was not deleted from the Salt master. In this state the minion does not receive any communication from the Salt master.

To change the state of a minion key, use -d to delete the key and then accept or reject the key.

The pki_dir option

The pki_dir option, which defaults to /etc/salt/pki, sets the directory used to store public and private keys (on the master as well as on the minion, see below).

pki_dir: /etc/salt/pki

Under /etc/salt/pki there are two directories: master and minion.

master directory

  • master.pem and master.pub - private and public part of the master key
  • minions - keys of all accepted minions
  • minions_denied - denied keys
  • minions_pre - preseed keys
  • minions_reject - rejected keys

master.pem  master.pub  minions  minions_autosign  minions_denied  minions_pre  minions_reject

minion directory - the minion's private and public key, plus the master's public key (minion_master.pub)

minion.pem  minion.pub  minion_master.pub
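The key states and the pki_dir layout described above, as an added example that is neither Salt's code nor part of this course: a Python audit that walks the state directories under pki_dir/master, reports any minion id that appears in more than one state (the rebuilt-minion or duplicate-id situation that ends in a Denied key) and checks that master.pem is not readable by other local users. It builds a constructed layout in a temporary directory, so it runs without a Salt master; point audit_pki_dir at a real /etc/salt/pki to use it.

```python
import os
import tempfile

# Key state directories under <pki_dir>/master (the page lists minions_reject;
# current Salt releases spell it minions_rejected, so both are recognised).
STATE_DIRS = {"minions": "accepted", "minions_pre": "unaccepted",
              "minions_denied": "denied", "minions_reject": "rejected",
              "minions_rejected": "rejected"}

def audit_pki_dir(pki_dir):
    """Return (states, findings): key states per minion id, plus issues found."""
    master = os.path.join(pki_dir, "master")
    states = {}
    for dirname, state in STATE_DIRS.items():
        path = os.path.join(master, dirname)
        if os.path.isdir(path):
            for minion_id in sorted(os.listdir(path)):
                states.setdefault(minion_id, []).append(state)
    findings = []
    # An id in more than one state directory usually means a rebuilt minion
    # (or duplicate id) whose old key was never removed: the new key stays
    # denied until the stale one is deleted with salt-key -d.
    for minion_id, found in states.items():
        if len(found) > 1:
            findings.append(f"{minion_id}: key in several states {found}")
    # The master private key must not be readable by other local users.
    pem = os.path.join(master, "master.pem")
    if os.path.exists(pem) and os.stat(pem).st_mode & 0o077:
        findings.append("master.pem is group- or world-accessible")
    return states, findings

def build_demo_pki():
    """Constructed layout mirroring the lab: svc02 unaccepted, svc01 accepted
    but with a second (denied) key, and an over-permissive master.pem."""
    root = tempfile.mkdtemp()
    master = os.path.join(root, "master")
    for dirname in STATE_DIRS:
        os.makedirs(os.path.join(master, dirname))
    for dirname, minion_id in (("minions", "svc01.saltstack.local"),
                               ("minions_denied", "svc01.saltstack.local"),
                               ("minions_pre", "svc02.saltstack.local")):
        with open(os.path.join(master, dirname, minion_id), "w") as fh:
            fh.write("constructed public key, not a real one\n")
    pem = os.path.join(master, "master.pem")
    with open(pem, "w") as fh:
        fh.write("constructed private key, not a real one\n")
    os.chmod(pem, 0o644)  # deliberately too open so the audit reports it
    return root
```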

Client ACLs

The salt client ACL system is a means to allow system users other than root to have access to execute select salt commands on minions from the master.

The client ACL system is configured in the master configuration file via the client_acl option. Under client_acl, each user allowed to send commands is listed together with the regular expressions that select the minion functions made available to that user; an entry may also be restricted to a subset of minions. This configuration is much like the peer configuration:

client_acl:
  # Allow superuser to execute anything.
  superuser:
    - .*
  # Allow user to use test and pkg, but only on "web*" minions.
  user:
    - web*:
      - test.*
      - pkg.*

Directories required for client_acl must be modified to be readable by the users specified:

chmod 755 /var/cache/salt /var/cache/salt/master /var/cache/salt/master/jobs /var/run/salt /var/run/salt/master

If you are upgrading from earlier versions of Salt, you must also remove any existing user keys and restart the Salt master:

rm /var/cache/salt/.*key
service salt-master restart
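The matching rules described above, as an added example that is not Salt's own code: a small Python model of the client_acl structure (a dict standing in for the YAML) that decides whether a user may run a function on a minion, and that lists users whose entry is the catch-all .* (the lab's jdoe entry later in this chapter is one). It assumes function patterns are regular expressions anchored at the start of the function name and minion patterns are shell globs; Salt's real check also considers the whole resolved target set, which this model does not.

```python
import fnmatch
import re

# Constructed ACL in the shape shown above, as a dict instead of YAML so no YAML
# library is needed.  A bare string entry is a function regex valid on every
# minion; a {minion_glob: [function_regex, ...]} entry limits those functions
# to minions whose id matches the glob.
CLIENT_ACL = {
    "superuser": [".*"],
    "user": [{"web*": ["test.*", "pkg.*"]}],
    "jdoe": [".*"],  # the lab's entry: unrestricted on every minion
}

def _fun_matches(regex, fun):
    # Assumption of this model: the regex is anchored at the start of the
    # function name (re.match semantics), so "test.*" matches "test.ping".
    return re.match(regex, fun) is not None

def acl_allows(acl, user, minion_id, fun):
    """True if user may run fun on minion_id under this model of client_acl."""
    for entry in acl.get(user, []):
        if isinstance(entry, str):
            if _fun_matches(entry, fun):
                return True
            continue
        for minion_glob, fun_regexes in entry.items():
            if fnmatch.fnmatch(minion_id, minion_glob) and any(
                    _fun_matches(r, fun) for r in fun_regexes):
                return True
    return False

def unrestricted_users(acl):
    """Users granted the catch-all .* on all minions: effectively root on every
    minion via salt, so each such entry deserves review."""
    return sorted(user for user, entries in acl.items() if ".*" in entries)
```

Later Salt releases renamed the option to publisher_acl; the entry format is the same.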

Storing secure data

Sensitive data is encrypted with the GPG renderer on the Salt master.

To encrypt a secret, use the following command:

$ echo -n "supersecret" | gpg --homedir <GPG-homedir> --armor --encrypt -r <KEY-name>

The encrypted secret is an ASCII-armored block of text between PGP MESSAGE delimiters; the delimiters are part of the value and must be kept.

-----BEGIN PGP MESSAGE-----
Version: GnuPG v1
-----END PGP MESSAGE-----

The following example shows how a generated ciphertext is used; the same approach works for virtually any secret.

parameters:
  _param:
    rabbitmq_secret_key: |
      -----BEGIN PGP MESSAGE-----
      Version: GnuPG v1

      hQEMAweRHKaPCfNeAQf9GLTN16hCfXAbPwU6BbBK0unOc7i9/etGuVc5CyU9Q6um
      QuetdvQVLFO/HkrC4lgeNQdM6D9E8PKonMlgJPyUvC8ggxhj0/IPFEKmrsnv2k6+
      cnEfmVexS7o/U1VOVjoyUeliMCJlAz/30RXaME49Cpi6No2+vKD8a4q4nZN1UZcG
      RhkhC0S22zNxOXQ38TBkmtJcqxnqT6YWKTUsjVubW3bVC+u2HGqJHu79wmwuN8tz
      m4wBkfCAd8Eyo2jEnWQcM4TcXiF01XPL4z4g1/9AAxh+Q4d8RIRP4fbw7ct4nCJv
      Gr9v2DTF7HNigIMl4ivMIn9fp+EZurJNiQskLgNbktJGAeEKYkqX5iCuB1b693hJ
      FKlwHiJt5yA8X2dDtfk8/Ph1Jx2TwGS+lGjlZaNqp3R1xuAZzXzZMLyZDe5+i3RJ
      skqmFTbOiA==
      =Eqsm
      -----END PGP MESSAGE-----
  rabbitmq:
    server:
      secret_key: ${_param:rabbitmq_secret_key}
      ...

As you can see, the GPG-encrypted parameter can then be referenced elsewhere with the reclass interpolation statement ${_param:rabbitmq_secret_key}.
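The delimiter rule and the reclass interpolation just described, as an added example that is neither reclass nor Salt code: a Python check that expands ${_param:...} references the way reclass does and then reports every sensitive-looking pillar key whose resolved value is not a complete PGP MESSAGE block, i.e. a secret that would reach the pillar in the clear. The pillar is a constructed dict (no YAML library needed), the armored body is a placeholder rather than real ciphertext, and the key-name pattern SENSITIVE is this example's own assumption.

```python
import re

ARMOR_BEGIN = "-----BEGIN PGP MESSAGE-----"
ARMOR_END = "-----END PGP MESSAGE-----"
INTERP = re.compile(r"\$\{_param:([^}]+)\}")
# Keys whose values are expected to be GPG ciphertext rather than plaintext.
SENSITIVE = re.compile(r"secret|password|passwd|token|private_key", re.I)

# Constructed pillar mirroring the example above; the armored body is a
# placeholder, and mysql_admin_password is deliberately left in plaintext.
PILLAR = {
    "_param": {
        "rabbitmq_secret_key": ARMOR_BEGIN + "\nVersion: GnuPG v1\n\n"
                               "<ciphertext placeholder>\n=Eqsm\n" + ARMOR_END + "\n",
        "mysql_admin_password": "plaintext-oops",
    },
    "rabbitmq": {"server": {"secret_key": "${_param:rabbitmq_secret_key}"}},
    "mysql": {"server": {"admin": {"password": "${_param:mysql_admin_password}"}}},
}

def resolve(value, params):
    """Expand ${_param:name} references recursively, as reclass interpolation does."""
    if not isinstance(value, str):
        return value
    def sub(match):
        name = match.group(1)
        if name not in params:
            raise KeyError(f"unknown _param: {name}")
        return resolve(params[name], params)
    return INTERP.sub(sub, value)

def is_gpg_armored(value):
    """True if value is a complete PGP MESSAGE block, delimiters included."""
    lines = str(value).strip().splitlines()
    return len(lines) >= 3 and lines[0] == ARMOR_BEGIN and lines[-1] == ARMOR_END

def find_plaintext_secrets(pillar):
    """Return colon-joined paths of sensitive keys whose resolved value is not GPG ciphertext."""
    params = pillar.get("_param", {})
    findings = []
    def walk(node, path):
        for key, val in node.items():
            if isinstance(val, dict):
                walk(val, path + [key])
            elif SENSITIVE.search(key) and not is_gpg_armored(resolve(val, params)):
                findings.append(":".join(path + [key]))
    walk(pillar, [])
    return sorted(findings)
```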

Lab: Understanding Salt keys

Use salt-key -L to list all of your public keys.

cfg01# salt-key -L
Accepted Keys:
Denied Keys:
Unaccepted Keys:
svc01.saltstack.local
svc02.saltstack.local
Rejected Keys:

The listing shows which keys are unaccepted; use the salt-key -A command to accept all pending keys.

cfg01# salt-key -A
The following keys are going to be accepted:
Unaccepted Keys:
svc01.saltstack.local
svc02.saltstack.local
Proceed? [n/Y] Y
Key for minion svc01.saltstack.local accepted.
Key for minion svc02.saltstack.local accepted.

Check that keys are now accepted.

cfg01# salt-key
Accepted Keys:
svc01.saltstack.local
svc02.saltstack.local
Denied Keys:
Unaccepted Keys:
Rejected Keys:

To accept a specific public key, use the -a parameter followed by the key name.

cfg01# salt-key -a svc01.saltstack.local
The following keys are going to be accepted:
Unaccepted Keys:
svc01.saltstack.local
Proceed? [n/Y] Y
Key for minion svc01.saltstack.local accepted.

Check that the key is now accepted.

cfg01# salt-key
Accepted Keys:
svc01.saltstack.local
Denied Keys:
Unaccepted Keys:
svc02.saltstack.local
Rejected Keys:

Use the salt-key -d command to delete a specific key. The -D parameter deletes all keys.

cfg01# salt-key -d svc01.saltstack.local
The following keys are going to be deleted:
Accepted Keys:
svc01.saltstack.local
Proceed? [N/y] y
Key for minion svc01.saltstack.local deleted.

Check your keys.

cfg01# salt-key
Accepted Keys:
Denied Keys:
Unaccepted Keys:
svc02.saltstack.local
Rejected Keys:

Lab: Configure client ACLs

To allow the user jdoe to execute select salt commands on minions from the master, configure the client ACL system in the master configuration file.

cfg01# vim /etc/salt/master.d/master.conf

The client ACL system is configured via the client_acl configuration option.

...
client_acl:
  # Allow jdoe to execute anything.
  jdoe:
    - .*
...

The directories required for client_acl must be made readable by the specified users:

cfg01# chmod 755 /var/cache/salt /var/cache/salt/master /var/cache/salt/master/jobs /var/run/salt /var/run/salt/master /var/log/salt

Now test it as jdoe with a salt command.

jdoe@cfg01# salt '*svc01*' test.ping
svc01.saltstack.local:
    True