Trouble limiting access to module in external_auth when kwargs are specified

[fs-nicola-worthington]

I have a use case where I want to limit access to a group of users, and want to continue to allow them to run a state.apply in test mode. I have been using the documentation at https://docs.saltproject.io/en/latest/topics/eauth/index.html as my guide.

This is the configuration block in my Salt master config file:

external_auth:
  ldap:
    SRE-ReadOnly%:
      - test.ping
      - test.providers
      - grains.item
      - grains.items
      - grains.get
      - grains.ls
      - pillar.item
      - pillar.items
      - pillar.get
      - pillar.ls
      - beacons.list
      - beacons.list_available
      - schedule.list
      - sys.doc
      - '*':
          - state.apply:
              kwargs:
                test: 'true'
      - '@wheel':
          - config.values
          - key.list_all
          - key.finger
          - minions.connected
      - '@runner':
          - state.orchestrate_show_sls
          - manage.versions
          - jobs.list_job
          - jobs.list_jobs
          - jobs.active
          - cache.grains
          - cache.pillar

This all works fine, except any and all invocation of state.apply is rejected with a 401.

If I change this:

      - '*':
          - state.apply:
              kwargs:
                test: 'true'

to this:

      - '*':
          - state.apply

Then state.apply is accepted once again, but it doesn't restrict it to only invocations with test=true.

I have tried changing test: 'true' to test: True and test: 'True' and test: '.*', but they all also return a 401 regardless of whether a pass in the kwarg test=true in the request.

There's obviously some silly nuance of the syntax that I'm getting wrong here, but I can't for the life of me see it.

Hoping someone can offer some guidance! 🙏 ❤️

$ salt --versions-report
Salt Version:
          Salt: 3007.1

Python Version:
        Python: 3.10.14 (main, Apr  3 2024, 21:30:09) [GCC 11.2.0]

Dependency Versions:
          cffi: 1.16.0
      cherrypy: unknown
      dateutil: 2.8.2
     docker-py: Not Installed
         gitdb: Not Installed
     gitpython: Not Installed
        Jinja2: 3.1.4
       libgit2: Not Installed
  looseversion: 1.3.0
      M2Crypto: Not Installed
          Mako: Not Installed
       msgpack: 1.0.7
  msgpack-pure: Not Installed
  mysql-python: Not Installed
     packaging: 23.1
     pycparser: 2.21
      pycrypto: Not Installed
  pycryptodome: 3.19.1
        pygit2: Not Installed
  python-gnupg: 0.5.2
        PyYAML: 6.0.1
         PyZMQ: 25.1.2
        relenv: 0.16.0
         smmap: Not Installed
       timelib: 0.3.0
       Tornado: 6.3.3
           ZMQ: 4.3.4

Salt Package Information:
  Package Type: onedir

System Versions:
          dist: amzn 2023.6.20250115
        locale: utf-8
       machine: x86_64
       release: 6.1.119-129.201.amzn2023.x86_64
        system: Linux
       version: Amazon Linux 2023.6.20250115