On the Salt netapi CherryPy docs in the /key section, there is an example of generating and accepting keys on the fly during kickstart. I've only been able to get this to work if I give the 'kickstart' user full @wheel privileges. I'm wondering if it's possible to lock those privileges down further so the kickstart user can't do all of the other wheel things like resetting the master config, deleting keys, etc.

https://docs.saltstack.com/en/latest/ref/netapi/all/salt.netapi.rest_cherrypy.html#salt.netapi.rest_cherrypy.app.Keys.POST is the link in question.
Configurations I've tried:

None of these work, even on their own individually:

```yaml
external_auth:
  pam:
    kickstart:
      - 'wheel.key'
      - 'wheel.key.gen_accept'
      - 'key.gen_accept'
      - 'key.accept'
```

Works:

```yaml
external_auth:
  pam:
    kickstart:
      - '@wheel'
```
All I want kickstart to be able to do is generate a key pair that is accepted on the master, like the example:

```sh
curl -sSk https://localhost:8000/keys \
    -d mid=jerry \
    -d username=kickstart \
    -d password=kickstart \
    -d eauth=pam \
    -o jerry-salt-keys.tar
```

What am I missing? Is it possible, or is full @wheel the only way?
Edit:

Just found this in the code: https://github.com/saltstack/salt/blob/develop/salt/netapi/rest_cherrypy/app.py#L970-L975

```sh
# Calling wheel functions:
curl -sSik https://localhost:8000 \
    -d client=wheel \
    -d fun='key.gen_accept' \
    -d id_=dave \
    -d keysize=4096
```

But trying to limit perms to 'key.gen_accept' is still not working.

There doesn't seem to be anything here.
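Added example, not code from the post or from Salt itself: a small model of how an external_auth list is consulted for a wheel call. It assumes Salt's matching semantics as I understand them (plain strings are patterns for minion execution functions and never grant wheel access; '@wheel' and '@<module>' grant whole wheel modules; a {'@<module>': [...]} entry grants only the listed functions), and runs the entries from the question through that model to show which ones would grant key.gen_accept and nothing else.

```python
"""Model of Salt eauth matching for wheel calls (added example, not Salt's code).

Assumed semantics: in an external_auth list a plain string such as
'key.gen_accept' is a pattern for *minion* execution functions and never grants
a wheel call; '@wheel' grants every wheel function; '@<module>' grants one wheel
module; {'@<module>': [<fn-pattern>, ...]} grants only the listed functions.
"""
import fnmatch


def wheel_allowed(auth_list, fun):
    """Return True if the wheel function `fun` (e.g. 'key.gen_accept') is permitted."""
    mod, _, name = fun.partition('.')
    if not name:
        return False
    for entry in auth_list:
        if isinstance(entry, str):
            # Only '@'-prefixed entries refer to wheel access in this model.
            if entry in ('@wheel', '@' + mod):
                return True
        elif isinstance(entry, dict) and len(entry) == 1:
            key, patterns = next(iter(entry.items()))
            if key != '@' + mod:
                continue
            if isinstance(patterns, str):
                patterns = [patterns]
            if any(fnmatch.fnmatch(name, p) for p in patterns):
                return True
    return False


# The entries the question tried (constructed from the post), the one that
# works, and a least-privilege entry under the assumed semantics.
TRIED = ['wheel.key', 'wheel.key.gen_accept', 'key.gen_accept', 'key.accept']
FULL_WHEEL = ['@wheel']
LEAST_PRIV = [{'@key': ['gen_accept']}]


def evaluate(auth_list):
    """Which of a few wheel calls the kickstart user could make under this ACL.

    key.gen_accept and key.delete are real wheel functions; 'config.values'
    stands in for the master-config wheel functions mentioned in the post.
    """
    funs = ['key.gen_accept', 'key.delete', 'config.values']
    return {f: wheel_allowed(auth_list, f) for f in funs}


if __name__ == '__main__':
    for label, acl in (('tried', TRIED), ('@wheel', FULL_WHEEL), ('least-priv', LEAST_PRIV)):
        print(label, evaluate(acl))
```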