概述： 開啟對系統上非root的系統用戶可以在master上執行一些特殊的模塊，或者禁止用戶執行某些模塊，或者某個模塊里面的具體的某個方法等 查看當前saltstack版本有哪些模塊 [admin@master ~]$ sudo salt 'proxy01*' sys.list_modules 查看每個模塊有哪些方法（以pkg為例） [admin@master ~]$ sudo salt 'proxy01*' sys.list_functions pkg * 開啟配置： 案例：運行admin用戶執行service和pkg模塊里面的所有方法 ~~~ client_acl: admin: - service.* - pkg.* ~~~ [admin@master ~]$ sudo systemctl restart salt-master 測試： ~~~ [admin@master ~]$ salt -I 'apache:httpd' pkg.install httpd huancun03.51yuki.cn: ---------- httpd: ---------- new: 2.4.6-67.el7.centos.6 old: httpd-tools: ---------- new: 2.4.6-67.el7.centos.6 old: mailcap: ---------- new: 2.1.41-2.el7 old: [admin@master ~]$ salt -I 'apache:httpd' cmd.run 'sudo systemctl restart httpd' Failed to authenticate! This is most likely because this user is not permitted to execute commands, but there is a small possibility that a disk error occurred (check disk/inode usage). [admin@master ~]$ salt -I 'apache:httpd' service.enable httpd huancun03.51yuki.cn: True 發現：剛剛設置的service和pkg模塊可以使用，cmd模塊不能用 ~~~ * 報錯總結 [WARNING ] Failed to open log file, do you have permission to write to /var/log/salt/master? 解決：chmod 777 /var/log/salt/master chmod 755 /var/cache/salt /var/cache/salt/master /var/cache/salt/master/jobs /var/run/salt /var/run/salt/master Salt request timed out. The master is not responding. If this error persists after verifying the master is up, worker_threads may need to be increased. 解決：這里是因為master的interface的地址不是0.0.0.0 導致的。改為0.0.0.0 重啟服務就不報錯了，這個好像是個bug 第二種：通過設置黑名單 ~~~ #client_acl_blacklist: # users: # - root # - '^(?!sudo_).*$' # all non sudo users # modules: # - cmd client_acl_blacklist: users: - admin modules: - service.stop - cmd ~~~