salt-api 0.8.0¶

RPM packaging¶

Thanks to Andrew Niemantsvedriet (@kaptk2) salt-api is now available in Fedora package repositories as well as RHEL compatible systems via EPEL.

• http://dl.fedoraproject.org/pub/epel/5/i386/repoview/salt-api.html

• http://dl.fedoraproject.org/pub/epel/5/x86_64/repoview/salt-api.html

• http://dl.fedoraproject.org/pub/epel/6/i386/repoview/salt-api.html

• http://dl.fedoraproject.org/pub/epel/6/x86_64/repoview/salt-api.html

Thanks also to Clint Savage (@herlo) and Thomas Spura (@tomspur) for helping with that process.

Ubuntu PPA packaging¶

Thanks to Sean Channel (@seanchannel, pentabular) salt-api is available as a PPA on the SaltStack LaunchPad team.

https://launchpad.net/~saltstack/+archive/ubuntu/salt

Authentication information on login¶

New in this release is displaying information about the current session and the current user. For example:

% curl -sS localhost:8000/login \
    -H 'Accept: application/x-yaml'
    -d username='saltdev'
    -d password='saltdev'
    -d eauth='pam'

return:
  - eauth: pam
    expire: 1365508324.359403
    perms:
      - '@wheel'
      - grains.*
      - state.*
      - status.*
      - sys.*
      - test.*
    start: 1365465124.359402
    token: caa7aa2b9dbc4a8adb6d2e19c3e52be68995ef4b
    user: saltdev

Bypass session handling¶

A convenience URL has been added (/run) to bypass the normal session-handling process.

The REST interface uses the concept of "lowstate" data to specify what function should be executed in Salt (plus where that function is and any arguments to the function). This is a thin wrapper around Salt's various "client" interfaces, for example Salt's LocalClient() which can accept authentication credentials directly.

Authentication with the REST API typically goes through the login URL and a session is generated that is tied to a Salt external_auth token. That token is then automatically added to the lowstate for subsequent requests that match the current session.

It is sometimes useful to handle authentication or token management manually from another program or script. For example:

curl -sS localhost:8000/run \
    -d client='local' \
    -d tgt='*' \
    -d fun='test.ping' \
    -d eauth='pam' \
    -d username='saltdev' \
    -d password='saltdev'

It is a Bad Idea (TM) to do this unless you have a very good reason and a well thought out security model.

Logout¶

An URL has been added (/logout) that will cause the client-side to expire the session cookie and the server-side session to be invalidated.

Running the REST interface via any WSGI-compliant server¶

The rest_cherrypy netapi module is a regular WSGI application written using the CherryPy framework. It was written with the intent of also running from any WSGI-compliant server such as Apache and mod_wsgi, Gunicorn, uWSGI, Nginx, and FastCGI, etc.

The WSGI application entry point has been factored out into a stand-alone file in this release suitable for calling from an external server. salt-api does not need to be running in this scenario.

For example, an Apache virtual host configuration:

<VirtualHost *:80>
    ServerName example.com
    ServerAlias *.example.com

    ServerAdmin webmaster@example.com

    LogLevel warn
    ErrorLog /var/www/example.com/logs/error.log
    CustomLog /var/www/example.com/logs/access.log combined

    DocumentRoot /var/www/example.com/htdocs

    WSGIScriptAlias / /path/to/salt/netapi/rest_cherrypy/wsgi.py
</VirtualHost>