Authenticate via a PKI certificate.
Note
This module is Experimental and should be used with caution
Provides an authenticate function that will allow the caller to authenticate a user via their public cert against a pre-defined Certificate Authority.
TODO: Add a 'ca_dir' option to configure a directory of CA files, a la Apache.
pyOpenSSL module
salt.auth.pki.
auth
(username, password, **kwargs)¶Returns True if the given user cert (password is the cert contents) was issued by the CA and if cert's Common Name is equal to username.
Returns False otherwise.
username
: we need it to run the auth function from CLI/API;it should be in master config auth/acl
password
: contents of user certificate (pem-encoded user public key);why "password"? For CLI, it's the only available name
Configure the CA cert in the master config file:
external_auth:
pki:
ca_file: /etc/pki/tls/ca_certs/trusted-ca.crt
your_user:
- .*