
I'm attempting to use Salt-Api, so I created a salt-api.conf in /etc/salt/master.d/ as follows:

# NOTE(review): this ACL gives saltuser full control of the master: every execution-module
# function on every minion (.*), every wheel function (minion key management included)
# and every runner. Fine for getting login to work; scope it down afterwards.
external_auth:
  pam:
    saltuser:
      - .*         # every execution module function, on every minion
      - '@wheel'   # to allow access to all wheel modules
      - '@runner'  # to allow access to all runner modules
      - '@jobs'    # to allow access to the jobs runner and/or wheel module

rest_cherrypy:
  port: 8000
  # ssl_crt/ssl_key are presumably ignored while disable_ssl is True below
  ssl_crt: /etc/pki/tls/certs/localhost.crt
  ssl_key: /etc/pki/tls/certs/localhost.key
  # Plain HTTP: the PAM password and the session token travel in clear text.
  # Acceptable only for localhost troubleshooting; set this to False (keeping the
  # cert/key lines) before anything else can reach port 8000. Not the cause of the 401.
  disable_ssl: True
  # Anything that can reach /hook can POST events onto the master event bus without
  # credentials; if a reactor acts on those events this is an unauthenticated way to
  # make the master run things. Re-enable auth or restrict /hook at the network layer.
  webhook_disable_auth: True
  webhook_url: /hook

The `user` setting in /etc/salt/master is `user: root`, so authenticating with pam locally works:

sudo salt -a pam '*' test.ping
username: saltuser
password: saltuser

minion:
    True

However when I attempt using curl, it fails:

# NOTE(review): -d password=... puts the PAM password into shell history and the process
# list (visible to every local user via ps); prefer -d @request.json or
# --data-urlencode password@/path. Plain http:// also sends it in clear text, so keep this
# on localhost.
curl -i http://localhost:8000/login -H "Accept: application/json" -d username='saltuser' -d password='saltuser' -d eauth='pam'
HTTP/1.1 401 Unauthorized
Content-Length: 760
Access-Control-Expose-Headers: GET, POST
Vary: Accept-Encoding
Server: CherryPy/3.5.0
Allow: GET, HEAD, POST
Access-Control-Allow-Credentials: true
Date: Mon, 16 Jan 2017 05:51:48 GMT
Access-Control-Allow-Origin: *
Content-Type: text/html;charset=utf-8
Set-Cookie: session_id=f4c747f23e95ea7742a11a6e6cef146b91a31737; expires=Mon, 16 Jan 2017 15:51:48 GMT; Path=/

<!DOCTYPE html PUBLIC
"-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8"></meta>
    <title>401 Unauthorized</title>
    <style type="text/css">
    #powered_by {
        margin-top: 20px;
        border-top: 2px solid black;
        font-style: italic;
    }

    #traceback {
        color: red;
    }
    </style>
</head>
    <body>
        <h2>401 Unauthorized</h2>
        <p>Could not authenticate using provided credentials</p>
        <pre id="traceback"></pre>
    <div id="powered_by">
      <span>
        Powered by <a href="http://www.cherrypy.org">CherryPy 3.5.0</a>
      </span>
    </div>
    </body>
</html>

Thus I'm unable to connect with either the Java client or the Python client. What am I missing in my configuration? The salt-master is already running as root. From my Java code:

import com.suse.salt.netapi.AuthModule;
import com.suse.salt.netapi.calls.WheelResult;
import com.suse.salt.netapi.calls.wheel.Key;
import com.suse.salt.netapi.client.SaltClient;
import com.suse.salt.netapi.exception.SaltException;

import java.net.URI;
import java.util.Optional;

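/**
 * Example code calling wheel functions through salt-api (rest_cherrypy).
 *
 * <p>Logs in as {@link #USER} with the {@code pam} external auth module, lists the
 * accepted and pending minion keys, then generates and accepts a new key pair.
 */
public class Salt {

    // No leading whitespace: URI.create(" http://...") throws IllegalArgumentException
    // (illegal character in scheme name), so the original value could never have reached
    // the server as written. Plain http also sends the PAM password and the session token
    // in clear text; keep this on localhost unless TLS is enabled on salt-api.
    private static final String SALT_API_URL = "http://localhost:8000";
    // NOTE(review): hard-coded PAM credentials; read them from the environment or a
    // secrets store in anything beyond a throw-away example.
    private static final String USER = "saltuser";
    private static final String PASSWORD = "saltuser";

    // The master's external_auth block only defines the "pam" backend, so request it
    // explicitly. AuthModule.AUTO sends eauth=auto, which that configuration does not
    // provide and which is presumably what produced the SaltUserUnauthorizedException.
    private static final AuthModule EAUTH = AuthModule.PAM;

    /**
     * Lists accepted/pending minion keys, then generates and accepts a new key pair.
     *
     * @param args ignored
     * @throws SaltException if salt-api rejects the login or a wheel call fails
     */
    public static void main(String[] args) throws SaltException {
        // Init the client
        SaltClient client = new SaltClient(URI.create(SALT_API_URL));

        // List accepted and pending minion keys
        WheelResult<Key.Names> keyResults = Key.listAll().callSync(
                client, USER, PASSWORD, EAUTH);
        Key.Names keys = keyResults.getData().getResult();

        System.out.println("\n--> Accepted minion keys:\n");
        keys.getMinions().forEach(System.out::println);
        System.out.println("\n--> Pending minion keys:\n");
        keys.getUnacceptedMinions().forEach(System.out::println);

        // Generate a new key pair and accept the public key
        WheelResult<Key.Pair> genResults = Key.genAccept("new.minion.id", Optional.empty())
                .callSync(client, USER, PASSWORD, EAUTH);
        Key.Pair keyPair = genResults.getData().getResult();

        System.out.println("\n--> New key pair:");
        System.out.println("\nPUB:\n\n" + keyPair.getPub());
        // NOTE(review): this is the new minion's private key. Printing it leaves it in the
        // terminal scrollback and any captured log; write it straight to the minion's pki
        // directory with restrictive permissions instead.
        System.out.println("\nPRIV:\n\n" + keyPair.getPriv());
    }
}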

com.suse.salt.netapi.exception.SaltUserUnauthorizedException: Salt user does not have sufficient permissions
    at com.suse.salt.netapi.client.impl.HttpClientConnection.createSaltException(HttpClientConnection.java:217)
    at com.suse.salt.netapi.client.impl.HttpClientConnection.executeRequest(HttpClientConnection.java:204)
    at com.suse.salt.netapi.client.impl.HttpClientConnection.request(HttpClientConnection.java:85)
    at com.suse.salt.netapi.client.impl.HttpClientConnection.getResult(HttpClientConnection.java:73)



I encountered the same issue despite using the login endpoint as explained in sahama's answer. I solved it by explicitly setting "eauth": "pam": the external_auth block in the question only configures the pam backend, so a request with "eauth": "auto" names a backend the master does not provide. The same applies to the Java client, which passes AuthModule.AUTO — use AuthModule.PAM there. This is what my request looks like now:

# NOTE(review): the password is on the command line, so it lands in shell history and is
# visible to every local user in the process list; prefer -d @request.json.
# -c ~/cookies.txt also persists the session cookie, which is a bearer token for the
# saltuser ACL until it expires, so protect (or delete) that file.
curl -si localhost:8000/login \
-c ~/cookies.txt \
-H "Accept: application/json" \
-H "Content-type: application/json" \
-d '{
    "username": "saltuser",
    "password": "saltuser",
    "eauth": "pam"
}'

You get 401 Unauthorized because you have not authenticated.

According to the salt.netapi.rest_cherrypy documentation, you first have to POST to the /login URL to obtain an access token, and then you send that token with every other request.

I will explain more if you need.

EDIT: more explanation:

Example request via curl:

# NOTE(review): "eauth": "auto" names a backend that the question's external_auth block
# (which only defines pam) does not configure; use "pam" against that master.
# The password is also on the command line (shell history, process list) and the
# session cookie saved in ~/cookies.txt is a bearer token for the saltuser ACL, so
# protect that file.
curl -si localhost:8000/login \
-c ~/cookies.txt \
-H "Accept: application/json" \
-H "Content-type: application/json" \
-d '{
    "username": "saltuser",
    "password": "saltuser",
    "eauth": "auto"
}'

This curl command sends a request like the following (the real one is a POST to /login, as in the curl command above):

POST / HTTP/1.1
Host: localhost:8000
Content-Length: 42
Content-Type: application/json
Accept: application/json

{"username": "saltuser", "password": "saltuser", "eauth": "auto"}

and in response you get:

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 206
X-Auth-Token: 6d1b722e
Set-Cookie: session_id=6d1b722e; expires=Sat, 17 Nov 2012 03:23:52 GMT; Path=/

{"return": {
"token": "6d1b722e",
"start": 1363805943.776223,
"expire": 1363849143.776224,
"user": "saltuser",
"eauth": "pam",
"perms": [
    "grains.*",
    "status.*",
    "sys.*",
    "test.*"
]
}}

The response contains the token: "token": "6d1b722e".

Now you can send your requests with that token in the X-Auth-Token header (or let curl replay the session_id cookie it saved with -c). Treat the token like a password: it grants every permission listed under perms until the expire time.

EDIT 2:

Keep in mind that you are using pam for authentication, which means the same user must also exist as an OS account on the master. EDIT 3:

If that does not work, try this minimal salt-api config (it disables TLS and listens on every interface, so use it only for troubleshooting on a trusted network):

  # NOTE(review): host 0.0.0.0 together with disable_ssl True exposes clear-text PAM
  # logins (and the session tokens that follow) on every interface, and the .* entry
  # makes that account a full admin of every minion. Use this only to isolate the 401
  # on a trusted network, then put TLS back and bind to 127.0.0.1 or a management interface.
  external_auth:
    pam:
      saltuser:
        - .*

  rest_cherrypy:
    port: 8000
    disable_ssl: True
    host: 0.0.0.0