概述： 开启对系统上非root的系统用户可以在master上执行一些特殊的模块，或者禁止用户执行某些模块，或者某个模块里面的具体的某个方法等 查看当前saltstack版本有哪些模块 [admin@master ~]$ sudo salt 'proxy01*' sys.list_modules 查看每个模块有哪些方法（以pkg为例） [admin@master ~]$ sudo salt 'proxy01*' sys.list_functions pkg * 开启配置： 案例：运行admin用户执行service和pkg模块里面的所有方法 ~~~ client_acl: admin: - service.* - pkg.* ~~~ [admin@master ~]$ sudo systemctl restart salt-master 测试： ~~~ [admin@master ~]$ salt -I 'apache:httpd' pkg.install httpd huancun03.51yuki.cn: ---------- httpd: ---------- new: 2.4.6-67.el7.centos.6 old: httpd-tools: ---------- new: 2.4.6-67.el7.centos.6 old: mailcap: ---------- new: 2.1.41-2.el7 old: [admin@master ~]$ salt -I 'apache:httpd' cmd.run 'sudo systemctl restart httpd' Failed to authenticate! This is most likely because this user is not permitted to execute commands, but there is a small possibility that a disk error occurred (check disk/inode usage). [admin@master ~]$ salt -I 'apache:httpd' service.enable httpd huancun03.51yuki.cn: True 发现：刚刚设置的service和pkg模块可以使用，cmd模块不能用 ~~~ * 报错总结 [WARNING ] Failed to open log file, do you have permission to write to /var/log/salt/master? 解决：chmod 777 /var/log/salt/master chmod 755 /var/cache/salt /var/cache/salt/master /var/cache/salt/master/jobs /var/run/salt /var/run/salt/master Salt request timed out. The master is not responding. If this error persists after verifying the master is up, worker_threads may need to be increased. 解决：这里是因为master的interface的地址不是0.0.0.0 导致的。改为0.0.0.0 重启服务就不报错了，这个好像是个bug 第二种：通过设置黑名单 ~~~ #client_acl_blacklist: # users: # - root # - '^(?!sudo_).*$' # all non sudo users # modules: # - cmd client_acl_blacklist: users: - admin modules: - service.stop - cmd ~~~