doc/topics/releases/0.10.4.rst
=========================
Salt 0.10.4 Release Notes
=========================
:release: 2012-10-23
Salt 0.10.4 is a monumental release for the Salt team, with two new module
systems, many additions to allow granular access to Salt, improved platform
support and much more.
This release is also exciting because we have been able to shorten the release
cycle back to under a month. We are working hard to keep up the aggressive pace
and look forward to having releases happen more frequently!
This release also includes a serious security fix and all users are very
strongly recommended to upgrade. As usual, upgrade the master first, and then
the minion to ensure that the process is smooth.
Major Features
==============
External Authentication System
------------------------------
The new external authentication system allows for Salt to pass through
authentication to any authentication system to determine if a user has
permission to execute a Salt command. The Unix PAM system is the first
supported system with more to come!
The external authentication system allows for specific users to be granted
access to execute specific functions on specific minions. Access is configured
in the master configuration file, and uses the new access control system:
.. code-block:: yaml
external_auth:
pam:
thatch:
- 'web*':
- test.*
- network.*
The configuration above allows the user `thatch` to execute functions in the
test and network modules on minions that match the web* target.
Access Control System
---------------------
All Salt systems can now be configured to grant access to non-administrative
users in a granular way. The old configuration continues to work. Specific
functions can be opened up to specific minions from specific users in the case
of external auth and client ACLs, and for specific minions in the case of the
peer system.
Access controls are configured like this:
.. code-block:: yaml
client_acl:
fred:
- web\*:
- pkg.list_pkgs
- test.*
- apache.*
Target by Network
-----------------
A new matcher has been added to the system which allows for minions to be
targeted by network. This new matcher can be called with the `-S` flag on the
command line and is available in all places that the matcher system is
available. Using it is simple:
.. code-block:: bash
$ salt -S '192.168.1.0/24' test.ping
$ salt -S '192.168.1.100' test.ping
Nodegroup Nesting
-----------------
Previously a nodegroup was limited by not being able to include another
nodegroup, this restraint has been lifted and now nodegroups will be expanded
within other nodegroups with the `N@` classifier.
Salt Key Delete by Glob
-----------------------
The ability to delete minion keys by glob has been added to ``salt-key``. To
delete all minion keys whose minion name starts with 'web':
.. code-block:: bash
$ salt-key -d 'web*'
Master Tops System
------------------
The `external_nodes` system has been upgraded to allow for modular subsystems
to be used to generate the top file data for a highstate run.
The `external_nodes` option still works but will be deprecated in the future in
favor of the new `master_tops` option.
Example of using `master_tops`:
.. code-block:: yaml
master_tops:
ext_nodes: cobbler-external-nodes
Next Level Solaris Support
--------------------------
A lot of work has been put into improved Solaris support by Romeo Theriault.
Packaging modules (pkgadd/pkgrm and pkgutil) and states, cron support and user
and group management have all been added and improved upon. These additions
along with SMF (Service Management Facility) service support and improved
Solaris grain detection in 0.10.3 add up to Salt becoming a great tool
to manage Solaris servers with.
Security
========
A vulnerability in the security handshake was found and has been repaired, old
minions should be able to connect to a new master, so as usual, the master
should be updated first and then the minions.
Pillar Updates
--------------
The pillar communication has been updated to add some extra levels of
verification so that the intended minion is the only one allowed to gather the
data. Once all minions and the master are updated to salt 0.10.4 please
activate pillar `2` by changing the `pillar_version` in the master config to
`2`. This will be set to `2` by default in a future release.