Run salt master as non root user.

The salt master service should not run as root. Run it as salt instead.

Change-Id: Ia5cdedf8c98684e25c5d88c59130cae3361c9fc3
Reviewed-on: https://review.openstack.org/14311
Approved: James E. Blair <corvus@inaugust.com>
Reviewed-by: James E. Blair <corvus@inaugust.com>
Tested-by: Jenkins

modules/salt/manifests/master.pp

@@ -18,6 +18,27 @@ class salt::master {
     require => Apt::Ppa['ppa:saltstack/salt'],
   }
 
+  group { 'salt':
+    ensure => present,
+    system => true,
+  }
+
+  user { 'salt':
+    ensure => present,
+    gid    => 'salt',
+    home   => '/home/salt',
+    shell  => '/bin/bash',
+    system => true,
+  }
+
+  file { '/home/salt':
+    ensure  => directory,
+    owner   => 'salt',
+    group   => 'salt',
+    mode    => '0755',
+    require => User['salt'],
+  }
+
   file { '/etc/salt/master':
     ensure => present,
     owner   => 'root',
@@ -31,7 +52,10 @@ class salt::master {
   service { 'salt-master':
     ensure    => running,
     enable    => true,
-    require   => File['/etc/salt/master'],
+    require   => [
+      User['salt'],
+      File['/etc/salt/master'],
+    ],
     subscribe => [
       Package['salt-master'],
       File['/etc/salt/master'],

modules/salt/templates/master.erb

@@ -18,7 +18,7 @@
 # The user to run the salt-master as. Salt will update all permissions to
 # allow the specified user to run the master. If the modified files cause
 # conflicts set verify_env to False.
-#user: root
+user: salt
 
 # Max open files
 # Each minion connecting to the master uses AT LEAST one file descriptor, the