用户
# chmod 755 /etc/salt/master /var/run/salt /var/cache/salt
修改master配置文件
external_auth:
pam:
a1:
- '*':
- test.*
- cmd.*
http://docs.saltstack.com/en/latest/topics/eauth/index.html#acl-eauth
切换a1用户进行测试
salt -a pam * test.ping
salt -a pam * cmd.run 'whoami'
测试令牌
$ salt -T -a pam web\* test.ping
[a1@zabbix_server ~]$ salt -T -a pam * test.ping
username: a1
password:
zabbixnode1.example.com:
True
API
yum install salt-api -y
cd /etc/pki/tls/certs
# 生成自签名证书, 过程中需要输入key密码及RDNs
make testcert
cd /etc/pki/tls/private/
# 解密key文件,生成无密码的key文件, 过程中需要输入key密码,该密码为之前生成证书时设置的密码
openssl rsa -in localhost.key -out localhost_nopass.key
或者
yum install gcc make python-devel libffi-develpip-python install PyOpenSSL
salt-call tls.create_self_signed_cert #生成证书,需要有salt-minion,salt-call在salt-minion包里
添加saltapi.conf 文件
vim /etc/salt/master.d/saltapi.conf
rest_cherrypy:
port: 8000
host: 127.0.0.1
#disable_ssl: true 开关https
ssl_crt: /etc/pki/tls/certs/localhost.crt #使用前面生成的证书
ssl_key: /etc/pki/tls/certs/localhost.key
external_auth:
pam:
saltapi:
- .*
- '@runner'
- '@wheel'
#添加用户 useradd -M -s /sbin/nologin saltapi echo "spassword" | passwd saltapi --stdin
重启master
启动salt-api
----------------------------------------
import json
import urllib
import urllib2
class SaltAPI(object):
__token_id = ''
def __init__(self):
self.__url = url
self.__user = user
self.__password = pass
params = {'eauth': 'pam', 'username': self.__user, 'password': self.__password}
content = self.postRequest(params, prefix='/login')
print content['return'][0]['token']
self.__token_id = content['return'][0]['token']
def postRequest(self, obj, prefix='/'):
url = self.__url + prefix
headers = {'X-Auth-Token': self.__token_id}
data = urllib.urlencode(obj)
req = urllib2.Request(url, data, headers)
opener = urllib2.urlopen(req)
content = json.loads(opener.read())
return content
def postRequest1(self, obj, prefix='/'):
url = self.__url + prefix
headers = {'X-Auth-Token': self.__token_id}
req = urllib2.Request(url, obj, headers)
opener = urllib2.urlopen(req)
content = opener.info()
return content
def list_all_key(self):
params = {'client': 'wheel', 'fun': 'key.list_all'}
content = self.postRequest(params)
# minions = content['return'][0]['data']['return']['minions']
# minions_pre = content['return'][0]['data']['return']['minions_pre']
# return minions,minions_pre
minions = content['return'][0]['data']['return']
return minions
def delete_key(self, node_name):
params = {'client': 'wheel', 'fun': 'key.delete', 'match': node_name}
content = self.postRequest(params)
ret = content['return'][0]['data']['success']
return ret
def accept_key(self, node_name):
params = {'client': 'wheel', 'fun': 'key.accept', 'match': node_name}
content = self.postRequest(params)
ret = content['return'][0]['data']['success']
return ret
def reject_key(self, node_name):
params = {'client': 'wheel', 'fun': 'key.reject', 'match': node_name}
content = self.postRequest(params)
ret = content['return'][0]['data']['success']
return ret
def remote_noarg_execution(self, tgt, fun):
''' Execute commands without parameters '''
params = {'client': 'local', 'tgt': tgt, 'fun': fun}
content = self.postRequest(params)
ret = content['return'][0][tgt]
return ret
def remote_execution(self, tgt, fun, arg):
''' Command execution with parameters '''
params = {'client': 'local', 'tgt': tgt, 'fun': fun, 'arg': arg}
content = self.postRequest(params)
ret = content['return'][0][tgt]
return ret
def shell_remote_execution(self, tgt, arg):
''' Shell command execution with parameters '''
params = {'client': 'local', 'tgt': tgt, 'fun': 'cmd.run', 'arg': arg, 'expr_form': 'list'}
content = self.postRequest(params)
ret = content['return'][0]
return ret
def grains(self, tgt, arg):
''' Grains.item '''
params = {'client': 'local', 'tgt': tgt, 'fun': 'grains.item', 'arg': arg}
content = self.postRequest(params)
ret = content['return'][0]
return ret
def target_remote_execution(self, tgt, fun, arg):
''' Use targeting for remote execution '''
params = {'client': 'local', 'tgt': tgt, 'fun': fun, 'arg': arg, 'expr_form': 'nodegroup'}
content = self.postRequest(params)
jid = content['return'][0]['jid']
return jid
def deploy(self, tgt, arg):
''' Module deployment '''
params = {'client': 'local', 'tgt': tgt, 'fun': 'state.sls', 'arg': arg}
content = self.postRequest(params)
return content
def async_deploy(self, tgt, arg):
''' Asynchronously send a command to connected minions '''
params = {'client': 'local_async', 'tgt': tgt, 'fun': 'state.sls', 'arg': arg}
content = self.postRequest(params)
jid = content['return'][0]['jid']
return jid
def target_deploy(self, tgt, arg):
''' Based on the list forms deployment '''
params = {'client': 'local_async', 'tgt': tgt, 'fun': 'state.sls', 'arg': arg, 'expr_form': 'list'}
content = self.postRequest(params)
jid = content['return'][0]['jid']
return jid
def jobs_list(self):
''' Get Cache Jobs Defaut 24h '''
url = self.__url + '/jobs/'
headers = {'X-Auth-Token': self.__token_id}
req = urllib2.Request(url, headers=headers)
opener = urllib2.urlopen(req)
content = json.loads(opener.read())
jid = content['return'][0]
return jid
def runner_status(self, arg):
''' Return minion status '''
params = {'client': 'runner', 'fun': 'manage.' + arg}
content = self.postRequest(params)
jid = content['return'][0]
return jid
def runner(self, arg):
''' Return minion status '''
params = {'client': 'runner', 'fun': arg}
content = self.postRequest(params)
jid = content['return'][0]
return jid
cl = SaltAPI()
print cl.shell_remote_execution('aws-ms1','date')
print cl.grains('aws-ms1','ipv4')
WEB(halite)很不好用
这个还行 https://github.com/yueyongyue/saltshaker/
yum install salt-api git
cd /var/www/
git clone https://github.com/saltstack/halite
cd halite/halite
./genindex.py -C
vim /etc/salt/master
rest_cherrypy:
host: 0.0.0.0
port: 8080
debug: true
disable_ssl: True
static: /var/www/halite/halite
app: /var/www/halite/halite/index.html
external_auth:
pam:
salt:
- .*
- '@runner'
- '@wheel'
/etc/init.d/salt-master restart
useradd salt
echo salt | passwd –stdin salt
salt -a pam \* test.ping
输入用户和密码 如看到minion返回信息 则表示登陆验证成功
启动 salt-api
salt-api -d 或
cd /var/www/halite/halite
python server_bottle.py -d -C -l debug -s cherrypy
打开http://ip:8080/app