Thanks for that, I'll take a look and see if it helps
On Friday, 27 June 2014 19:26:25 UTC+1, perlhoser wrote:

Hi Scott,

You might gain some insight and inspiration from the EC2 Autoscale
Reactor, which contains some logic to validate the source of an event
(in this case, fired from a webhook):

https://github.com/saltstack-formulas/ec2-autoscale-reactor

On Fri, Jun 27, 2014 at 10:38 AM, ScottW <scott....@gmail.com> wrote:
Hi,

Please could anyone let me know if they can think of a way to get this
scenario to work?

Currently we have a script that users can use to install salt-minion on a
target machine with a configurable host name which is specified on the
command line and could take any form.
We check for a salt-key request to come in and then auto-accept it if it is
a request from the host name we have just configured (this is done in a loop
checking for unaccepted keys and only accepting the key request when we see
an unaccepted key request matching our name).
I would like to do this more simply with events and reactors as detailed in
the salt docs, but I only want to accept the key if it is for a host name I
am expecting (or some other event value I could interrogate?). As I don't
know in advance what host name would be given, a match such as
'data['id'].startswith('ink')' is not suitable. I'm thinking that ideally I
would like to add custom data to the salt/auth event so I only accept
requests I can trust. Is this possible?
This is the event I see:

Tag: salt/auth
{'_stamp': '2014-06-27T15:39:37.753246',
'act': 'pend',
'id': 'a_dynamic_hostname.domain.com',
'pub': '-----BEGIN PUBLIC KEY---- minion public key value-----END PUBLIC KEY-----\n',
'result': True}

I only want to accept the auth request if it's from the correct host.

Cheers

--
You received this message because you are subscribed to the Google Groups
"Salt-users" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to salt-users+...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


--
"In order to create, you have to have the willingness, the desire to
be challenged, to be learning." -- Ferran Adria (speaking at Harvard,
2011)

  • ScottW at Jun 30, 2014 at 1:30 pm
    This has helped a bit but what I really need is to be able to have custom
    fields in the salt/auth event or to keep a list of host names I am
    expecting to call in so I only accept keys from hosts I know about; seems
    tricky with the current salt stack
  • Joseph Hall at Jun 30, 2014 at 1:53 pm
    Nah, it's doable with the current develop, but you will want some
    custom code. You could do this in the reactor, but since the py
    renderer happens during the rendering phase (and not the work phase)
    you want to have the reactor call a custom runner to do the heavy
    lifting.

    Step 1: Set up a new custom reactor to intercept the events. The
    ec2-autoscale-reactor does validation, but again, it happens in the
    render phase. Look instead at the salt-cloud-reactor
    (https://github.com/saltstack-formulas/salt-cloud-reactor) which has a
    simpler example in it.
    Step 2: Set up a new custom runner to do the heavy lifting. You will
    want a function to do validation, a function to check against a custom
    list (in a file, database, etc) and a function that would be called
    from the reactor, which would call the first two, and then mimic the
    functionality in the cloud.create or cloud.profile runner.

    This is pretty specific to your use case, so I wouldn't expect it to
    show up in Salt itself anytime soon, unless somebody writes a generic
    version. But you already have plenty of framework available to do what
    you want to do.
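
The runner layout described in the reply above (a function to validate the event, a function to check a list of expected hosts, and one entry point for the reactor to call), as an added example that is not code from the thread or from Salt. The names `handle_auth` and `pub_fingerprint`, the layout of `expected`, and the injected `accept` callable are assumptions; pinning a hash of the `pub` field and expiring entries goes beyond the thread, because the `id` in a salt/auth event is chosen by the minion itself.

```python
import hashlib
import hmac
import time

def validate_event(data):
    """Return the minion id of a well-formed pending salt/auth event, else None."""
    if not isinstance(data, dict) or data.get("act") != "pend" or data.get("result") is not True:
        return None
    minion_id, pub = data.get("id"), data.get("pub")
    ok = isinstance(minion_id, str) and minion_id and isinstance(pub, str) and pub
    return minion_id if ok else None

def pub_fingerprint(pub):
    # Assumption: SHA-256 over the PEM text; this is not Salt's own fingerprint format.
    return hashlib.sha256(pub.strip().encode()).hexdigest()

def is_expected(data, expected, now):
    """True if the id is on the list, not expired, and matches any pinned key hash."""
    entry = expected.get(data["id"])
    if entry is None or now > entry["expires"]:
        return False
    pinned = entry.get("pub_sha256")
    return pinned is None or hmac.compare_digest(pinned, pub_fingerprint(data["pub"]))

def handle_auth(data, expected, accept, now=None):
    """Entry point a reactor would call; accept(minion_id) performs the key acceptance."""
    now = time.time() if now is None else now
    minion_id = validate_event(data)
    if minion_id is None or not is_expected(data, expected, now):
        return False
    del expected[minion_id]  # one-shot: a repeated or later request is refused
    accept(minion_id)        # hypothetical hook, injected so the block runs without Salt
    return True

# Constructed sample input, modelled on the salt/auth event shown in the thread.
EVENT = {"_stamp": "2014-06-27T15:39:37.753246", "act": "pend",
         "id": "a_dynamic_hostname.domain.com",
         "pub": "-----BEGIN PUBLIC KEY---- minion public key value-----END PUBLIC KEY-----\n",
         "result": True}

def demo():
    accepted = []
    expected = {EVENT["id"]: {"expires": 1000.0, "pub_sha256": pub_fingerprint(EVENT["pub"])}}
    other_key = dict(EVENT, pub="-----BEGIN PUBLIC KEY---- other key-----END PUBLIC KEY-----\n")
    results = [handle_auth(other_key, expected, accepted.append, now=500.0),
               handle_auth(EVENT, expected, accepted.append, now=500.0),
               handle_auth(EVENT, expected, accepted.append, now=500.0)]
    return results, accepted
```

The install script would write the `expected` entry (host name, expiry, key hash) before the minion first contacts the master, so the list can live in a file or database as the reply suggests.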
