In its default setup, users communicate with Salt through a single account: usually either root or salt. Anyone who can log in as that user can issue Salt commands. This may be acceptable for smaller setups, but it does not scale well at all. Larger organizations will want each user to manage Salt with their own login, and to be able to set access controls on a per-user basis. There are also other programs, including Salt API, which require the use of external authentication modules.
External authentication (or auth or eauth) modules allow individual users to have their own permissions to the various components of Salt. The simplest is probably the pam module, in part because other existing access control mechanisms can be configured inside PAM itself. Unfortunately, PAM is rarely used outside of Linux, so other modules are needed on other platforms.
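As an added illustration (not part of the original text), here is a Salt master configuration fragment that grants per-user permissions through the pam eauth module. The account names alice and bob, the group ops, and the target pattern web* are assumptions made for the example.

```yaml
# /etc/salt/master (fragment)
# Each key under "pam" is a local account that PAM can authenticate.
# The list under it is what that account may run, so anything not
# listed is denied.
external_auth:
  pam:
    # alice may run only test.* and pkg.* functions, and only against
    # minions whose ID matches web*.
    alice:
      - 'web*':
        - test.*
        - pkg.*

    # bob may run any execution function on any minion, but has no
    # access to runner or wheel modules on the master.
    bob:
      - .*

    # A trailing % marks a group rather than a user. Members of the
    # ops group get every execution function plus runner, wheel and
    # jobs access. Keep this group small: wheel access includes
    # minion key management.
    ops%:
      - .*
      - '@runner'
      - '@wheel'
      - '@jobs'
```

With this in place, a user selects the eauth backend on the command line, for example `salt -a pam 'web*' test.ping`, and is prompted for their own credentials. Restart the salt-master service after changing the file so the new permissions take effect.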