Salt-Api with Saltstack in 2018

This article is about SaltStack, also known as Salt, a configuration management and orchestration tool. It uses a central master to provision new servers and other IT infrastructure, to change existing ones, and to install software across physical servers, virtual machines and cloud instances.
This post is specific to salt-api, which ships with open-source Salt. Many of the articles on the internet about salt-api date from the 2014 to 2016 period, when salt-api was a separate project from salt-master; it has since been merged into the Salt core, so much of that older material no longer applies.
This is a walkthrough of setting up salt-api on Ubuntu 16, 17 and 18.

Step 1

Install the salt-api package. It brings in the salt-api daemon and the dependencies needed to host the HTTP API next to salt-master (CherryPy for the rest_cherrypy module used below).
sudo apt-get install salt-api

Step 2

Configure external auth
Every salt-api request is authenticated through Salt's external auth (eauth) system, which can be backed by PAM, LDAP and other sources. The example below uses PAM, so saltuser must exist as a Linux user with a password on the master.
external_auth:
  pam:
    saltuser:
      - '.*'
      - '@wheel'   # to allow access to all wheel modules
      - '@runner'  # to allow access to all runner modules
      - '@jobs'    # to allow access to the jobs runner and/or wheel module
What this config says:
The external auth backend is 'pam'.
saltuser is the Linux system user, and it is granted the following permissions:
'.*' – every execution module function on every minion (this includes cmd.run, so it amounts to root on all minions)
'@wheel' – all wheel modules (including key management on the master)
'@runner' – all runner modules
'@jobs' – the jobs runner and wheel module
This is the widest grant possible and is fine for a first test. For a real deployment, list the specific functions and targets the API user needs instead of '.*', and do not hand out '@wheel' to an account whose password travels over the API.

Step 3

Configure the rest_cherrypy netapi module: the listen port (8000) and the certificate and key used for TLS. I created self-signed certificates with openssl for this.
rest_cherrypy:
  port: 8000
  ssl_crt: /etc/salt/tls/certs/localhost.crt
  ssl_key: /etc/salt/tls/certs/localhost.key
  disable_ssl: True
Note that disable_ssl: True makes ssl_crt and ssl_key irrelevant: CherryPy serves plain HTTP on port 8000, and the PAM password and the auth token in every request cross the wire in cleartext. That is why the curl commands below use http://localhost:8000 with no certificate options. Keep disable_ssl only for a localhost test and remove the line, so the certificate is actually used, before the port is reachable from anywhere else.
These changes go in a separate file:
/etc/salt/master.d/salt-api.conf
The complete file looks like this:
external_auth:
  pam:
    saltuser:
      - '.*'
      - '@wheel'   # to allow access to all wheel modules
      - '@runner'  # to allow access to all runner modules
      - '@jobs'    # to allow access to the jobs runner and/or wheel module

rest_cherrypy:
  port: 8000
  ssl_crt: /etc/salt/tls/certs/localhost.crt
  ssl_key: /etc/salt/tls/certs/localhost.key
  disable_ssl: True
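To see which of these settings actually decide the blast radius of a leaked API password, here is a small checker, added for this walkthrough and not part of the Salt project. It takes the master config already parsed into a dict (Salt loads /etc/salt/master.d/*.conf as YAML into exactly this shape) and reports the weak spots of the file above. The hardened variant at the bottom is an assumption about a narrowly scoped setup with made-up minion names, not a SaltStack default.

```python
"""Check a salt-api master config for the settings that decide who can do what.

Added example for this walkthrough, not code from the Salt project. Input is
the master config as a dict, the shape Salt produces when it loads the YAML.
"""

# The config from this walkthrough, as Salt would load it (constructed here).
WALKTHROUGH_CONFIG = {
    "external_auth": {
        "pam": {"saltuser": [".*", "@wheel", "@runner", "@jobs"]},
    },
    "rest_cherrypy": {
        "port": 8000,
        "ssl_crt": "/etc/salt/tls/certs/localhost.crt",
        "ssl_key": "/etc/salt/tls/certs/localhost.key",
        "disable_ssl": True,
    },
}

# Assumed hardened variant: TLS on, one user limited to two read-only functions
# on minions whose id starts with "web" (the {target: [functions]} eauth form).
HARDENED_CONFIG = {
    "external_auth": {
        "pam": {"saltuser": [{"web*": ["test.ping", "disk.usage"]}]},
    },
    "rest_cherrypy": {
        "port": 8000,
        "ssl_crt": "/etc/salt/tls/certs/localhost.crt",
        "ssl_key": "/etc/salt/tls/certs/localhost.key",
    },
}


def _perm_pairs(perms):
    """Yield (target, function) pairs; a bare string entry applies to every minion."""
    for entry in perms:
        if isinstance(entry, dict):
            for target, funcs in entry.items():
                for func in funcs:
                    yield target, func
        else:
            yield "*", entry


def audit_salt_api(config):
    """Return (severity, message) findings, transport first, then per-user grants."""
    findings = []
    rest = config.get("rest_cherrypy", {})
    if rest.get("disable_ssl"):
        findings.append(("high", "rest_cherrypy.disable_ssl is set: ssl_crt/ssl_key are ignored "
                                 "and PAM passwords and X-Auth-Token values travel in cleartext"))
    elif not (rest.get("ssl_crt") and rest.get("ssl_key")):
        findings.append(("high", "rest_cherrypy has no ssl_crt/ssl_key, so TLS cannot be enabled"))
    for backend, users in config.get("external_auth", {}).items():
        for user, perms in users.items():
            who = f"external_auth.{backend}.{user}"
            for target, func in _perm_pairs(perms):
                if func == ".*":
                    findings.append(("high", f"{who}: '.*' on target '{target}' allows every "
                                             "execution module there, cmd.run as root included"))
                elif func == "@wheel":
                    findings.append(("high", f"{who}: '@wheel' includes key.accept, so this "
                                             "user can enrol an attacker-controlled minion"))
                elif func == "@runner":
                    findings.append(("medium", f"{who}: '@runner' allows every runner, "
                                               "including salt.cmd on the master itself"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_salt_api(WALKTHROUGH_CONFIG):
        print(f"[{severity}] {message}")
    print("hardened config findings:", audit_salt_api(HARDENED_CONFIG))
```

Run it against the walkthrough config and it reports the cleartext transport plus three over-broad grants; the hardened dict produces no findings. '@jobs' is deliberately not flagged: looking up job results is the one permission an API user almost always needs.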

Step 4

Restart the salt-master service so it reloads the external_auth settings. The HTTP endpoint itself is served by the separate salt-api daemon (the salt-api systemd unit that the package installs), so restart that as well with systemctl restart salt-api, otherwise it keeps running without the new rest_cherrypy settings.
# systemctl restart salt-master

Step 5

Test with curl. Log in with the PAM credentials; -c saves the session cookie, which carries the auth token, to ~/cookies.txt, so treat that file like a password.
curl -si localhost:8000/login \
-c ~/cookies.txt \
-H "Accept: application/json" \
-H "Content-type: application/json" \
-d '{
    "username": "saltuser",
    "password": "saltuser",
    "eauth": "pam"
}'
The output looks similar to this:
HTTP/1.1 200 OK
Content-Length: 206
Access-Control-Expose-Headers: GET, POST
Vary: Accept-Encoding
Server: CherryPy/3.5.0
Allow: GET, HEAD, POST
Access-Control-Allow-Credentials: true
Date: Mon, 09 Jul 2018 10:03:26 GMT
Access-Control-Allow-Origin: *
X-Auth-Token: 464914c055cfa5529865564567eb7782554af025
Content-Type: application/json
Set-Cookie: session_id=464914c055cfa5529865564567eb7782554af025; expires=Mon, 09 Jul 2018 20:03:26 GMT; Path=/
{"return": [{"perms": [".*", "@wheel", "@runner", "@jobs"], "start": 1531130606.41419, "token": "464914c055cfa5529865564567eb7782554af025", "expire": 1531173806.414191, "user": "saltuser", "eauth": "pam"}]}
The X-Auth-Token header, the session_id cookie and the token field in the body are the same value; it is a bearer credential for everything in perms, and expire minus start shows it stays valid for 12 hours (43200 seconds).

Step 6

Test the test.ping execution function through the API. -b sends the session cookie from the login; client=local with tgt='*' runs test.ping on every minion, the same thing salt '*' test.ping does on the master.
curl -b ~/cookies.txt -si localhost:8000/ \
    -H "Accept: application/json" \
    -d client='local' -d tgt='*' -d fun='test.ping'
If you get a JSON return listing your minions, salt-api is working on the 2018.3 version of Salt.
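The same login and test.ping exchange as Steps 5 and 6, written as a small Python client so the token handling is explicit. This is an added example, not code from this post or from the Salt project, and it uses only the standard library. SaltApiClient takes the HTTP transport as a parameter: pass urllib_post to talk to a real master, or canned_post to replay the exchange offline. The canned login response is constructed from the output shown in Step 5; the test.ping result and the minion names web1/web2 are made up, and https://salt.example:8000 is a placeholder hostname.

```python
"""Log in to salt-api and run test.ping, the Python equivalent of Steps 5 and 6.

Added example, not code from this post or from the Salt project. The client
sends the token in X-Auth-Token rather than the session cookie curl -b uses;
salt-api accepts either, and both carry the same value.
"""
import json
import time
import urllib.parse
import urllib.request

LOGIN_TOKEN = "464914c055cfa5529865564567eb7782554af025"  # token from the Step 5 output


def urllib_post(url, headers, body):
    """Real transport: POST body (bytes) and return (status, headers, body)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, dict(resp.headers), resp.read()


class SaltApiClient:
    def __init__(self, base_url, post=urllib_post, allow_plaintext=False):
        # PAM passwords and tokens go in the request body and headers; refuse plain
        # http unless the caller opts in, which only fits the disable_ssl localhost test.
        if base_url.startswith("http://") and not allow_plaintext:
            raise ValueError("refusing to send credentials over http; use https")
        self.base_url = base_url.rstrip("/")
        self.post = post
        self.token = None
        self.expire = 0.0

    def login(self, username, password, eauth="pam"):
        """POST /login (as in Step 5) and keep the token and its expiry."""
        status, _headers, body = self.post(
            self.base_url + "/login",
            {"Accept": "application/json", "Content-Type": "application/json"},
            json.dumps({"username": username, "password": password, "eauth": eauth}).encode(),
        )
        if status != 200:
            raise PermissionError(f"login failed: HTTP {status}")
        info = json.loads(body)["return"][0]
        self.token, self.expire = info["token"], info["expire"]
        return info["perms"]

    def run(self, tgt, fun, arg=(), client="local", now=None):
        """POST a lowstate list to / (as in Step 6) with the token in X-Auth-Token."""
        now = time.time() if now is None else now
        if self.token is None or now >= self.expire:
            raise PermissionError("no valid token; login() first (this setup's tokens last 12h)")
        status, _headers, body = self.post(
            self.base_url + "/",
            {"Accept": "application/json", "Content-Type": "application/json",
             "X-Auth-Token": self.token},
            json.dumps([{"client": client, "tgt": tgt, "fun": fun, "arg": list(arg)}]).encode(),
        )
        if status == 401:
            raise PermissionError("token rejected or expired")
        return json.loads(body)["return"]


def canned_post(url, headers, body):
    """Offline stand-in for urllib_post that answers like the master in Steps 5 and 6."""
    path = urllib.parse.urlparse(url).path
    if path == "/login":
        if json.loads(body).get("password") != "saltuser":  # the post's test password
            return 401, {}, b""
        login = {"return": [{"perms": [".*", "@wheel", "@runner", "@jobs"],
                             "start": 1531130606.41419, "token": LOGIN_TOKEN,
                             "expire": 1531173806.414191, "user": "saltuser", "eauth": "pam"}]}
        return 200, {"X-Auth-Token": LOGIN_TOKEN}, json.dumps(login).encode()
    if headers.get("X-Auth-Token") != LOGIN_TOKEN:
        return 401, {}, b""
    # Made-up minion ids; a real master returns one entry per responding minion.
    return 200, {}, json.dumps({"return": [{"web1": True, "web2": True}]}).encode()


def demo(now=1531130700.0):
    """Run the full exchange offline; returns (perms, test.ping result)."""
    client = SaltApiClient("https://salt.example:8000", post=canned_post)
    perms = client.login("saltuser", "saltuser")
    return perms, client.run("*", "test.ping", now=now)


if __name__ == "__main__":
    print(demo())
```

Against a real master replace canned_post with urllib_post and keep the https URL; for the disable_ssl localhost setup from this walkthrough you have to pass allow_plaintext=True, which is the point of the check: sending the PAM password over plain http should be a deliberate choice, not the default.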
