FAQ
Hi,
I am playing around with salt for a few days and I like it a lot.
I think about using it for distributing ssh keys to servers.
I'd like to do this via the salt python client like this:

     import salt.client
     local = salt.client.LocalClient()
     print local.cmd_async('salt-minion', 'ssh.auth_keys', kwarg={ "user":
"cornelius" })

I realized, I can use the client_acl to allow a certain user to run all
ssh.* commands.

     client_acl:
          cornelius:
               - ssh.*

But I would have to open up some files /run /cache to this user.

What would be the recommended way if I want to avoid changing the file
permissions?

Would it be better to use salt-api and a remote call to the server?
How would I do this from the python client?

The documentation does not seem to that excelent like for the other
topics...
http://docs.saltstack.com/en/latest/ref/cli/salt-api.html
And what is external_auth in this respect?

Thanks a lot and kind regards
Cornelius

--
You received this message because you are subscribed to the Google Groups "Salt-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to salt-users+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Search Discussions

  • Seth House at Aug 11, 2014 at 7:25 pm

    On Thu, Aug 7, 2014 at 4:22 PM, wrote:
    What would be the recommended way if I want to avoid changing the file
    permissions?
    I *believe* using eauth does not require changing these permissions.
    It might output a warning that you can safely ignore. (Sorry I can't
    double-check that claim right now.)
    Would it be better to use salt-api and a remote call to the server?
    How would I do this from the python client?
    You'e on the right track. The authentication credentials must be given
    to the master (obviously) but the ``kwarg`` param to LocalClient is
    sent down to the minion. You pass eauth credentials directly to
    LocalClient as below:

    local = salt.client.LocalClient()
    print local.cmd_async('salt-minion', 'ssh.auth_keys',
    username='cornelius', password='thepassword', eauth='pam')
    The documentation does not seem to that excelent like for the other
    topics...
    That doc is just for the CLI command to start the salt-api daemon. The
    module types that salt-api loads are called "netapi modules". The full
    docs are here.

    http://docs.saltstack.com/en/latest/topics/netapi/index.html

    And the main REST netapi module docs are here:

    http://docs.saltstack.com/en/latest/ref/netapi/all/salt.netapi.rest_cherrypy.html
    And what is external_auth in this respect?
    External auth wraps the Client ACL system with pluggable
    authentication modules. That allows you to authenticate against
    external services like LDAP or Stormpath and more.

    http://docs.saltstack.com/en/latest/topics/eauth/index.html

    --
    You received this message because you are subscribed to the Google Groups "Salt-users" group.
    To unsubscribe from this group and stop receiving emails from it, send an email to salt-users+unsubscribe@googlegroups.com.
    For more options, visit https://groups.google.com/d/optout.
  • Cornelius Kölbel at Aug 15, 2014 at 10:12 am

    Am 11.08.2014 um 21:25 schrieb Seth House:
    On Thu, Aug 7, 2014 at 4:22 PM, wrote:
    What would be the recommended way if I want to avoid changing the file
    permissions?
    I *believe* using eauth does not require changing these permissions.
    It might output a warning that you can safely ignore. (Sorry I can't
    double-check that claim right now.)
    Would it be better to use salt-api and a remote call to the server?
    How would I do this from the python client?
    You'e on the right track. The authentication credentials must be given
    to the master (obviously) but the ``kwarg`` param to LocalClient is
    sent down to the minion. You pass eauth credentials directly to
    LocalClient as below:

    local = salt.client.LocalClient()
    print local.cmd_async('salt-minion', 'ssh.auth_keys',
    username='cornelius', password='thepassword', eauth='pam')
    Hi seth, thanks for the reply.
    But it looks like I can not use the python salt module to remotely issue
    commands to the master.
    The master can provide the rest_cherrypy API, but at the moment this API
    does not seem to be
    wrapped in a nice python class. So I will have to do the REST API calls...

    Thanks a lot and kind regards
    Cornelius
    The documentation does not seem to that excelent like for the other
    topics...
    That doc is just for the CLI command to start the salt-api daemon. The
    module types that salt-api loads are called "netapi modules". The full
    docs are here.

    http://docs.saltstack.com/en/latest/topics/netapi/index.html

    And the main REST netapi module docs are here:

    http://docs.saltstack.com/en/latest/ref/netapi/all/salt.netapi.rest_cherrypy.html
    And what is external_auth in this respect?
    External auth wraps the Client ACL system with pluggable
    authentication modules. That allows you to authenticate against
    external services like LDAP or Stormpath and more.

    http://docs.saltstack.com/en/latest/topics/eauth/index.html
  • Seth House at Aug 15, 2014 at 7:43 pm

    On Aug 15, 2014 6:12 AM, "Cornelius Kölbel" wrote:
    wrapped in a nice python class. So I will have to do the REST API calls...
    Take a look at the Pepper project here:

    https://github.com/saltstack/pepper/blob/master/pepper/libpepper.py

    --
    You received this message because you are subscribed to the Google Groups "Salt-users" group.
    To unsubscribe from this group and stop receiving emails from it, send an email to salt-users+unsubscribe@googlegroups.com.
    For more options, visit https://groups.google.com/d/optout.
  • Cornelius Kölbel at Aug 15, 2014 at 8:20 pm
    HI Seth,

    cool, thanks for the hint!

    Kind regards
    Cornelius

    Am 15.08.2014 um 21:43 schrieb Seth House:
    On Aug 15, 2014 6:12 AM, "Cornelius Kölbel"
    wrote:
    wrapped in a nice python class. So I will have to do the REST API
    calls...

    Take a look at the Pepper project here:

    https://github.com/saltstack/pepper/blob/master/pepper/libpepper.py

    --
    You received this message because you are subscribed to a topic in the
    Google Groups "Salt-users" group.
    To unsubscribe from this topic, visit
    https://groups.google.com/d/topic/salt-users/L6oS1FPbUjc/unsubscribe.
    To unsubscribe from this group and all its topics, send an email to
    salt-users+unsubscribe@googlegroups.com
    For more options, visit https://groups.google.com/d/optout.

Related Discussions

Discussion Navigation
viewthread | post
Discussion Overview
groupsalt-users @
postedAug 7, '14 at 8:22p
activeAug 15, '14 at 8:20p
posts5
users2

2 users in discussion

Cornelius Kölbel: 3 posts Seth House: 2 posts

People

Translate

site design / logo © 2022 Grokbase