salt/auth/sharedsecret.py
# -*- coding: utf-8 -*-
'''Provide authentication using configured shared secret
.. code-block:: yaml
external_auth:
sharedsecret:
fred:
- .*
- '@jobs'
The shared secret should be added to the master configuration, for
example in /etc/salt/master.d/sharedsecret.conf (make sure that file
is only readable by the user running the master):
.. code-block:: yaml
sharedsecret: OIUHF_CHANGE_THIS_12h88
This auth module should be used with caution. It was initially
designed to work with a frontal that takes care of authentication (for
example kerberos) and places the shared secret in the HTTP headers to
the salt-api call. This salt-api call should really be done on
localhost to avoid someone eavesdropping on the shared secret.
See the documentation for cherrypy to setup the headers in your
frontal.
.. versionadded:: Beryllium
'''
# Import python libs
from __future__ import absolute_import, print_function, unicode_literals
import logging
log = logging.getLogger(__name__)
def auth(username, password):
'''
Shared secret authentication
'''
return password == __opts__.get('sharedsecret')