Foreman UI "run Salt" requires root user

When configuring the Salt plugin for Foreman, it is required to configure root as the SALT_COMMAND_USER in /

When I used the dedicated user recommended by the documentation, I received an error in the UI (see details at the end), but when I switched to root, it worked fine. A while ago I had a similar issue when importing Salt states and I discovered a reported bug in Foreman Redmine. Note that this bug was caused by CherryPy 3.5.0, which had to be downgraded.

Seems the problem is with the saltuser not having access to /var/log/salt/master (which is owned by root).

    /usr/bin/sudo -u saltuser /usr/bin/salt --async myServer state.highstate
    No permissions to access "/var/log/salt/master", are you running as the correct user?

Is that expected, or should Salt have installed a user and group that govern the Salt-related files?

I wouldn’t mind creating such a group and user by hand, but I guess future upgrades will revert the changes?

Expected outcome:
Foreman UI should be able to “run Salt” for a host with the saltuser user that was created during plugin installation.

Foreman and Proxy versions:
Foreman 1.18.1
ruby-foreman-salt/plugins,plugins,now 10.1.0-1 all [installed]

Salt and Proxy plugin versions:
ruby-smart-proxy-salt/plugins,plugins,now 2.1.9-1 all [installed]
ruby-foreman-salt/plugins,plugins,now 10.1.0-1 all [installed]
salt-api/unknown,unknown,now 2018.3.2+ds-1 all [installed]

Other relevant data:


    I, [2018-08-23T10:33:49.974925 af125ff0]  INFO -- : Will run state.highstate for myServer. Full command: /usr/bin/sudo -u saltuser /usr/bin/salt --async myServer                               h state.highstate
    I, [2018-08-23T10:33:50.124926 af125ff0]  INFO -- : Result:
    W, [2018-08-23T10:33:50.125083 af125ff0]  WARN -- : Non-null exit code when executing '["/usr/bin/sudo", "-u", "saltuser", "/usr/bin/salt", "--async", "myServer", "state.highstate"]'
    E, [2018-08-23T10:33:50.125326 af125ff0] ERROR -- : Failed salt run for myServer: Check Log files

The files in /var/log/salt/master are owned by root and only writeable by the owner:

    $ ls -la /var/log/salt/
    total 146684
    drwxr-s---  2 root adm         4096 Aug 19 06:25 .
    drwxr-xr-x 14 root syslog      4096 Aug 23 06:25 ..
    -rw-r-----  1 root adm    120168209 Aug 20 11:28 api
    -rw-r--r--  1 root adm            0 Jul 20 09:35 key
    -rw-r-----  1 root adm         6052 Aug 21 10:21 master
    -rw-r-----  1 root adm          213 Aug 17 09:57 master.1.gz
    -rw-r-----  1 root adm      2110459 Aug  7 20:57 master.2.gz
    -rw-r-----  1 root adm      5519892 Aug  5 06:25 master.3.gz
    -rw-r-----  1 root adm        16319 Jul 26 15:00 master.4.gz
    -rw-r-----  1 root adm         2753 Jul 20 16:00 master.5.gz
    -rw-r-----  1 root adm            0 Aug  5 06:25 minion
    -rw-r-----  1 root adm          220 Jul 30 13:06 minion.1.gz
    -rw-r-----  1 root adm          218 Jul 26 14:29 minion.2.gz
    -rw-r-----  1 root adm        83047 Jul 20 14:28 minion.3.gz
    -rw-r-----  1 root adm     22254107 Aug 23 10:45 syndic
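
An added example, not part of the original post: a small Python check that evaluates the owner/group/other mode bits from the listing above for a given account, to show which accounts can open `/var/log/salt/master`. The group memberships passed in are assumptions (the post does not show which groups saltuser belongs to), and ACLs are ignored.

```python
# Constructed sample: selected lines copied from the `ls -la /var/log/salt/` listing above.
LISTING = """\
total 146684
drwxr-s---  2 root adm         4096 Aug 19 06:25 .
-rw-r--r--  1 root adm            0 Jul 20 09:35 key
-rw-r-----  1 root adm         6052 Aug 21 10:21 master
"""

def parse_listing(text):
    """Return {name: (mode, owner, group)} for each `ls -l` entry."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 9 or len(fields[0]) != 10:
            continue  # skips the "total N" line and anything malformed
        entries[fields[8]] = (fields[0], fields[2], fields[3])
    return entries

def access(mode, owner, group, user, user_groups):
    """Permissions granted by the first matching class: owner, then group, then other."""
    if user == "root":
        bits = "rwx"  # simplification: root bypasses the mode-bit checks
    elif user == owner:
        bits = mode[1:4]
    elif group in user_groups:
        bits = mode[4:7]
    else:
        bits = mode[7:10]
    perms = {p for p, b in zip("rw", bits) if b == p}
    if bits[2] in "xst":  # 's'/'t' mean execute plus setuid/setgid/sticky
        perms.add("x")
    return perms

def can_open(entries, name, user, user_groups, want):
    """True if `user` can search the directory ('.') and has `want` on `name`."""
    on_dir = access(*entries["."], user, user_groups)
    on_file = access(*entries[name], user, user_groups)
    return "x" in on_dir and want in on_file

if __name__ == "__main__":
    entries = parse_listing(LISTING)
    # Assumed group sets; verify the real ones with `id saltuser` on the proxy host.
    for user, groups in [("saltuser", {"saltuser"}), ("saltuser", {"saltuser", "adm"}), ("root", {"root"})]:
        r = can_open(entries, "master", user, groups, "r")
        w = can_open(entries, "master", user, groups, "w")
        print(f"{user} groups={sorted(groups)} read={r} write={w}")
```

Under these assumptions, the `drwxr-s---` directory mode alone blocks an account outside `adm`, even for the world-readable `key` file, and `adm` membership would grant read but not write on `master`.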