配置鹽API - Java的

Question

我試圖使用Salt-Api，所以我在/etc/salt/master.d/創建salt-api.conf如下：

external_auth: 
    pam: 
    saltuser: 
     - .* 
     - '@wheel' # to allow access to all wheel modules 
     - '@runner' # to allow access to all runner modules 
     - '@jobs' # to allow access to the jobs runner and/or wheel module 

rest_cherrypy: 
    port: 8000 
    ssl_crt: /etc/pki/tls/certs/localhost.crt 
    ssl_key: /etc/pki/tls/certs/localhost.key 
    disable_ssl: True 
    webhook_disable_auth: True 
    webhook_url: /hook 

在/etc/salt/master用戶設置爲user: root。所以，當我嘗試驗證使用pam本地工作原理：

sudo salt -a pam '*' test.ping 
username: saltuser 
password: saltuser 

minion: 
    True 

然而，當我嘗試使用捲曲，它失敗：

curl -i http://localhost:8000/login -H "Accept: application/json" -d username='saltuser' -d password='saltuser' -d eauth='pam' 
HTTP/1.1 401 Unauthorized 
Content-Length: 760 
Access-Control-Expose-Headers: GET, POST 
Vary: Accept-Encoding 
Server: CherryPy/3.5.0 
Allow: GET, HEAD, POST 
Access-Control-Allow-Credentials: true 
Date: Mon, 16 Jan 2017 05:51:48 GMT 
Access-Control-Allow-Origin: * 
Content-Type: text/html;charset=utf-8 
Set-Cookie: session_id=f4c747f23e95ea7742a11a6e6cef146b91a31737; expires=Mon, 16 Jan 2017 15:51:48 GMT; Path=/ 

<!DOCTYPE html PUBLIC 
"-//W3C//DTD XHTML 1.0 Transitional//EN" 
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> 
<html> 
<head> 
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8"></meta> 
    <title>401 Unauthorized</title> 
    <style type="text/css"> 
    #powered_by { 
     margin-top: 20px; 
     border-top: 2px solid black; 
     font-style: italic; 
    } 

    #traceback { 
     color: red; 
    } 
    </style> 
</head> 
    <body> 
     <h2>401 Unauthorized</h2> 
     <p>Could not authenticate using provided credentials</p> 
     <pre id="traceback"></pre> 
    <div id="powered_by"> 
     <span> 
     Powered by <a href="http://www.cherrypy.org">CherryPy 3.5.0</a> 
     </span> 
    </div> 
    </body> 
</html> 

因此，我不能夠有任何的Java客戶端或連接了Python客戶端。我在配置中缺少什麼？ salt-master已經以root身份運行。從我的Java代碼：

import com.suse.salt.netapi.AuthModule; 
import com.suse.salt.netapi.calls.WheelResult; 
import com.suse.salt.netapi.calls.wheel.Key; 
import com.suse.salt.netapi.client.SaltClient; 
import com.suse.salt.netapi.exception.SaltException; 

import java.net.URI; 
import java.util.Optional; 

/** 
* Example code calling wheel functions. 
*/ 
public class Salt { 

    private static final String SALT_API_URL = " http://localhost:8000"; 
    private static final String USER = "saltuser"; 
    private static final String PASSWORD = "saltuser"; 

    public static void main(String[] args) throws SaltException { 
     // Init the client 
     SaltClient client = new SaltClient(URI.create(SALT_API_URL)); 

     // List accepted and pending minion keys 
     WheelResult<Key.Names> keyResults = Key.listAll().callSync(
       client, USER, PASSWORD, AuthModule.AUTO); 
     Key.Names keys = keyResults.getData().getResult(); 

     System.out.println("\n--> Accepted minion keys:\n"); 
     keys.getMinions().forEach(System.out::println); 
     System.out.println("\n--> Pending minion keys:\n"); 
     keys.getUnacceptedMinions().forEach(System.out::println); 

     // Generate a new key pair and accept the public key 
     WheelResult<Key.Pair> genResults = Key.genAccept("new.minion.id", Optional.empty()) 
       .callSync(client, USER, PASSWORD, AuthModule.AUTO); 
     Key.Pair keyPair = genResults.getData().getResult(); 

     System.out.println("\n--> New key pair:"); 
     System.out.println("\nPUB:\n\n" + keyPair.getPub()); 
     System.out.println("\nPRIV:\n\n" + keyPair.getPriv()); 
    } 
} 

com.suse.salt.netapi.exception.SaltUserUnauthorizedException: Salt user does not have sufficient permissions 
    at com.suse.salt.netapi.client.impl.HttpClientConnection.createSaltException(HttpClientConnection.java:217) 
    at com.suse.salt.netapi.client.impl.HttpClientConnection.executeRequest(HttpClientConnection.java:204) 
    at com.suse.salt.netapi.client.impl.HttpClientConnection.request(HttpClientConnection.java:85) 
    at com.suse.salt.netapi.client.impl.HttpClientConnection.getResult(HttpClientConnection.java:73) 

Answer 1

你得到401未授權因爲你不認證。

根據此頁salt.netapi.rest_cherrypy 首先，您必須請求登錄URL並獲取訪問令牌，然後才能通過此令牌訪問其他功能。

我會解釋更多，如果你需要。

編輯：更多的解釋：

實例的請求通過捲曲：

curl -si localhost:8000/login \ 
-c ~/cookies.txt \ 
-H "Accept: application/json" \ 
-H "Content-type: application/json" \ 
-d '{ 
    "username": "saltuser", 
    "password": "saltuser", 
    "eauth": "auto" 
}' 

，並通過這個curl命令發送該請求

POST/HTTP/1.1 
Host: localhost:8000 
Content-Length: 42 
Content-Type: application/json 
Accept: application/json 

{"username": "saltuser", "password": "saltuser", "eauth": "auto"} 

，並響應你

HTTP/1.1 200 OK 
Content-Type: application/json 
Content-Length: 206 
X-Auth-Token: 6d1b722e 
Set-Cookie: session_id=6d1b722e; expires=Sat, 17 Nov 2012 03:23:52 GMT; Path=/ 

{"return": { 
"token": "6d1b722e", 
"start": 1363805943.776223, 
"expire": 1363849143.776224, 
"user": "saltuser", 
"eauth": "pam", 
"perms": [ 
    "grains.*", 
    "status.*", 
    "sys.*", 
    "test.*" 
] 
}} 

，你可以看到令牌它「令牌」：「6d1b722e」

現在你可以把您的要求包含令牌解釋弓爲驗證令牌。

編輯2：

保持在你的心中，你使用PAM進行身份驗證，這意味着你必須有相同的用戶在OS 編輯3：

，並在不工作中使用這個最小爲體質salt-api conf

external_auth: 
    pam: 
     saltuser: 
     - .* 

    rest_cherrypy: 
    port: 8000 
    disable_ssl: True 
    host: 0.0.0.0 

Answer 2

儘管使用了sahama的回答中解釋的登錄終結點，但我遇到了同樣的問題。我通過明確設置"eauth": "pam"解決了這個問題。這是我的請求現在的樣子：

curl -si localhost:8000/login \ 
-c ~/cookies.txt \ 
-H "Accept: application/json" \ 
-H "Content-type: application/json" \ 
-d '{ 
    "username": "saltuser", 
    "password": "saltuser", 
    "eauth": "pam" 
}'