SaltStack File Server Access Control


Problem description

I am trying to have different security levels for different minions. I already have different pillars, so a secret ssh key for one minion cannot be seen from another.

What I want to attain is: that an easy-to-attack minion, say an edge cloud server run by someone else, cannot download or even see the software packages in the file-roots that I am installing on high-security minions in my own data center.

It appears that the Salt file server, apart from overloaded filenames existing in multiple environments, will serve every file to every minion.

It does not seem that this is possible in any way, using environments, pillars, or clever file-root includes, to make certain files inaccessible to a particular minion?

Recommended answer

By design, the salt file server will serve every file to every minion.

There is something you could do to work around this.

Use a syndic. A minion can only see the file_roots of the master it is directly attached to, so you could have your easy-to-attack minions connect to a specific syndic, but you could still control them from the top-level master that the rest of your minions connect directly to.
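The split the answer describes, written out as configuration. This is an added example, not part of the original answer; the hostnames and directory paths are placeholders, and the option names (`order_masters`, `syndic_master`, `file_roots`, `pillar_roots`, `master`) are standard Salt settings.

```yaml
# --- Top-level master (master of masters): /etc/salt/master ---
# Constructed example; hostnames and paths are placeholders.
order_masters: True            # required so this master accepts a syndic below it
file_roots:
  base:
    - /srv/salt/secure         # packages meant only for data-center minions
pillar_roots:
  base:
    - /srv/pillar/secure
# Edge minions never attach here, so nothing under /srv/salt/secure is
# ever served to them, even if a state targeting them references it.

---
# --- Syndic host: /etc/salt/master ---
# The syndic host runs its own salt-master plus the salt-syndic daemon,
# which forwards jobs from the top-level master to minions attached here.
syndic_master: top-master.example.internal   # placeholder address
file_roots:
  base:
    - /srv/salt/edge           # only the files edge minions may fetch
pillar_roots:
  base:
    - /srv/pillar/edge
# The high-security tree does not exist on this host at all, so there is
# nothing for a compromised edge minion to enumerate or download.

---
# --- Edge (easy-to-attack) minion: /etc/salt/minion ---
master: syndic.example.internal   # placeholder; attaches to the syndic, not the top master
```

Because jobs sent from the top-level master to edge minions are executed via the syndic, any `salt://` path they need must exist under the syndic's own `file_roots`. To verify the boundary, run `salt 'edge-*' cp.list_master` and confirm that only the edge tree is listed.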
