Using salt-api with LDAP authentication
Overview
salt-api is a REST interface built on CherryPy.
Install dependencies
```bash
yum install salt-api
systemctl start salt-api
systemctl enable salt-api
```
Salt configuration
If you are not using LDAP, replace ldap with pam to authenticate against the host's PAM stack.
```yaml
auth.ldap.server: <ldap_ip>
auth.ldap.port: 389
auth.ldap.tls: False
auth.ldap.basedn: cn=users,cn=accounts,dc=demo,dc=local
auth.ldap.binddn: uid=test_user,cn=users,cn=accounts,dc=demo,dc=local
auth.ldap.bindpw: testPassword
auth.ldap.filter: uid={{ username }}

external_auth:
  ldap:
    user01:        # user
      - .*         # grant access to all modules
    user02:
      - .*
    user03:
      - .*
      - '@runner'
    user04:
      - test.*

rest_cherrypy:
  host: <listen_ip>
  port: 8000
  disable_ssl: true
```
Using salt-api
Obtaining a token
```bash
> curl http://<salt-api>:8000/login -H "Accept: application/x-yaml" -d username='user1' -d password='Pass' -d eauth=ldap
return:
- eauth: ldap
  expire: 1641405523.7927551
  perms:
  - .*
  start: 1641362323.7927547
  token: 6dd9b442d266f5d450e8bc6a3376ef9c21bf6c04
  user: user1
```
Calling the API
```bash
curl http://172.18.25.3:8000 -H "Accept: application/x-yaml" -H "X-Auth-Token: 6dd9b442d266f5d450e8bc6a3376ef9c21bf6c04" -d client=local -d tgt='test01.host.local' -d fun='status.diskusage'
```
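The same two-step flow (POST /login with eauth=ldap, then reuse the returned token as X-Auth-Token) as a small Python client. This is an added example, not code from the post; the transport argument and the replay transport are assumptions so the logic can be exercised without a salt-api server, and the default transport pins the self-signed localhost.crt as its only trust anchor.

```python
import json
import ssl
import time
import urllib.parse
import urllib.request


def https_transport(url, form, headers, cafile):
    """POST url-encoded form data over TLS; return the JSON-decoded body."""
    ctx = ssl.create_default_context(cafile=cafile)  # trust only the given cert
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


class SaltApiClient:
    def __init__(self, base_url, cafile=None, transport=https_transport):
        self.base_url, self.cafile, self.transport = base_url.rstrip("/"), cafile, transport
        self.token, self.expire = None, 0.0

    def login(self, username, password, eauth="ldap"):
        form = {"username": username, "password": password, "eauth": eauth}
        body = self.transport(self.base_url + "/login", form,
                              {"Accept": "application/json"}, self.cafile)
        entry = body["return"][0]  # same fields as the YAML reply shown above
        self.token, self.expire = entry["token"], float(entry["expire"])
        return entry["perms"]

    def run(self, tgt, fun, client="local"):
        # Refuse to send a missing or expired token; the API would answer 401.
        if not self.token or time.time() >= self.expire:
            raise RuntimeError("no valid token; call login() first")
        headers = {"Accept": "application/json", "X-Auth-Token": self.token}
        body = self.transport(self.base_url + "/", {"client": client, "tgt": tgt, "fun": fun},
                              headers, self.cafile)
        return body["return"][0]


def replay_transport(url, form, headers, cafile):
    """Constructed stand-in replaying the page's responses (no network)."""
    if url.endswith("/login"):
        assert form["eauth"] == "ldap" and "X-Auth-Token" not in headers
        return {"return": [{"eauth": "ldap", "expire": time.time() + 43200, "perms": [".*"],
                            "token": "6dd9b442d266f5d450e8bc6a3376ef9c21bf6c04", "user": form["username"]}]}
    assert headers["X-Auth-Token"] == "6dd9b442d266f5d450e8bc6a3376ef9c21bf6c04"
    return {"return": [{form["tgt"]: {"/": {"available": 1, "total": 2}}}]}


def demo():
    api = SaltApiClient("https://salt-api.example:8001", cafile="localhost.crt", transport=replay_transport)
    perms = api.login("user1", "Pass")
    return perms, api.token, api.run("test01.host.local", "status.diskusage")
```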
Configuring a self-signed certificate
```text
cd /etc/pki/tls/certs/
make testcert
Enter pass phrase:               ===> enter a passphrase; I used salt2017 here
Verifying - Enter pass phrase:   ===> confirm the passphrase
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key /etc/pki/tls/private/localhost.key -x509 -days 365 -out /etc/pki/tls/certs/localhost.crt -set_serial 0
Enter pass phrase for /etc/pki/tls/private/localhost.key: ===> enter the same passphrase again
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BeiJing
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
```
Decrypt the key to produce a key file without a passphrase. You will be prompted for the key password, which is the passphrase set when the certificate was generated above.
```bash
cd /etc/pki/tls/private/
openssl rsa -in localhost.key -out localhost_nopass.key
```
Change file permissions
```bash
chmod 755 /etc/pki/tls/certs/localhost.crt
chmod 755 /etc/pki/tls/private/localhost.key           # private keys are conventionally 0600, owned by the user running salt-api
chmod 755 /etc/pki/tls/private/localhost_nopass.key    # the unencrypted key in particular should not be world-readable
```
Finally, update the configuration
```yaml
rest_cherrypy:
  port: 8001
  ssl_crt: /etc/pki/tls/certs/localhost.crt
  ssl_key: /etc/pki/tls/private/localhost_nopass.key
```