Installing and Configuring Salt-API

A free video tutorial from Packt Publishing

Lecture description

The aim of this video is to learn how to install and configure Salt's REST API.

Learn more from the full course

Learning Path: Automation with Ansible, Puppet, and Salt

Use popular automation tools for a scalable, reliable, and secure IT environment.

13:55:42 of on-demand video • Updated May 2018

Configure and manage your infrastructure using Ansible Playbooks
Create task blocks and choose the right Ansible Strategy for the job
Understand the nuances of Ansible 2 and its new features
Write efficient, reusable, and modularized Puppet code
Write extensive tests for the code and run automated builds using Jenkins Integration
Create a pipeline for effective code management
Understand Salt’s state system and write and manage complex states
Use and react to real-time events across an infrastructure
Section 7: the Salt REST API. In the previous section we learned about Salt's event system and the reactor. In this section we're going to learn how to use Salt's REST API to access all the parts of Salt that we have covered throughout the series. We're going to talk about how to install and configure salt-api. We're going to talk about the difference between synchronous and asynchronous commands. We're going to use salt-api to integrate with external systems, and then we're going to wrap the series up and talk about some additional material.

Installing and configuring salt-api. In this video we're going to take a look at what netapi modules are, we're going to talk about Salt's Python API, we're going to talk about Salt's external auth system, and then finally we're going to install and configure rest_cherrypy.

So netapi modules are yet another module type in Salt. And the contract is that they bind to a port and start a service. We come to the module index and down to netapi, and we can see the list of netapi modules that ship with Salt. There are three: rest_cherrypy, rest_tornado and rest_wsgi. Now these three provide a REST interface, but netapi modules are open-ended enough that they can provide any kind of interface that listens on a port. So keep that in mind.

rest_wsgi is a very bare-bones REST interface; it has no deps. It's sort of a proof of concept and is not recommended for most use. rest_tornado is the new kid on the block. Since Salt depends on Tornado for its concurrency library, it makes sense for us to start providing the default REST interface using Tornado, because that's one fewer dep to install, and also Tornado is nice and performant. But it is not feature complete. It's missing quite a few features and it's not recommended for most use. rest_cherrypy is the currently recommended REST interface, the netapi module for Salt. It is the most featureful and in most cases it's performant enough for most people. So we'll talk about those in detail in the next video.

In order to use netapi modules you have to know a little something about Salt's Python API, because salt-api is a thin wrapper around Salt. It just exposes Salt's Python API for external consumption. So that means we have to dive into the Python API just a little bit. Now if you're not a Python programmer, the function calls that we're making still have good documentation, and you don't need to know Python to call into them; you just need to know where to look them up in the docs to do that.

Now if you jump to the Salt docs and scroll down here, there's a page called APIs. If we bring that up, one of them is the Python client API, and that goes through all of the client interfaces. Now, what client interfaces are: they are classes in Salt that abstract some kind of section or part of Salt for certain things. And this document also talks about how Salt will, say, load the master or minion opts into the opts dictionary and how it loads grains and other modules, that sort of thing, so it's well worth reading if you're interested in that. But we're just going to talk about the client interfaces.

So if you use salt at the CLI then you are calling into LocalClient, a class called LocalClient that has various methods on it for sending commands down to minions. If you call out to Salt in the reactor or via orchestrate, again you're calling into LocalClient, and you're calling something that wraps LocalClient. That's true of salt-run and RunnerClient as well. Every time you call salt-run at the CLI you're calling into RunnerClient. salt-call is the Caller client.

WheelClient is sort of an outlier. It came a little bit later in life. Say, well before salt-key. WheelClient wraps wheel modules. Wheel modules are intended to programmatically manage the Salt master. We can see them in the module index. We jump down to the wheel modules, and so wheel modules allow you to programmatically manage the Salt master. So managing the master config, or files in file roots, or files in pillar roots. You can also accept and do things with minion keys right there on the master, and so salt-key has been retrofitted to use the key wheel module, but that's why it doesn't have a direct CLI equivalent. CloudClient and SSHClient then wrap salt-cloud and salt-ssh.

In each case these client interfaces are different from one another because they do different things. LocalClient sends commands to minions; RunnerClient calls functions directly on the master. So in all cases you'll want to pull up the docs on each to see what arguments they accept and don't accept, that sort of thing, because they are different from one another.

Now let's talk about Salt's external auth subsystem. It uses what are called auth modules, yet another module type in Salt. So if we go back to the module index and go to auth: auth modules are modules that can authenticate a user with some external system. Now Salt's external auth subsystem is intended to provide authentication into Salt from some external place, like a REST API or something like that. So if you want to provide authentication with Salt from an external place, external auth modules are usually the way to go. If you can log in to the system that is running the Salt master, you probably want the client ACL subsystem instead. Now you can use Salt's eauth system at the CLI, and we'll see that in just a moment. But in general it's less useful; if you can log directly into the box, client ACL is usually preferred.

So you can see that these modules allow you to authenticate with various services, like a Django site, or Keystone if you're running OpenStack, or LDAP, or you can authenticate with the local PAM system (but, you know, again from an external place), or you can authenticate with some arbitrary REST service, or Stormpath, the web service, that sort of thing. And again, salt-api just wraps Salt. So the external auth subsystem is doing all of that work. It's authorizing, it's authenticating users, and then it's also authorizing these commands that you run.

So let's go ahead and take a look at it. To do this we're going to edit the Salt master config, and there is a section in here called external_auth. So we're going to take this and we're going to copy it, and the backend that we're going to use, the external auth module we're going to use, is auto. auto is something that we use for testing, and what it does is it returns true for any username that you pass. And let's change this to saltdev.

All right. Now after this is a list of modules that we want to whitelist this user to be able to run. These are regular expression matches, so that's why we've got the dot star, because it's a regular expression match. So this is: the saltdev user can run anything in the test module, right? We can do the same if we just want to allow a user to run anything; that looks like that. And then if we want to allow the user to run either runner modules or wheel modules, then we have to whitelist those specifically, and it looks like that. So now our saltdev user can run anything anywhere.

If we wanted to restrict this by a host, we could do that as well by providing one additional level of indentation here. So this would be the host. So in this case it would be a compound match, and so, you know, grains: G@os_family. Right. And then with that in place we just increase everything by one additional level of indentation. And so that allows us to target a host. Right, so now the saltdev user can run any of these commands only on this host. And then if we wanted to run different commands on different hosts we could say, how about, you know, now the test user, the saltdev user, can run anything on RedHat but only things in the test module on Debian. So keep in mind this is a compound match and these are regular expression matches against the function. We're just going to allow a user to run everything on one.

All right. So with that change in place I'm going to restart the Salt master: systemctl restart salt-master. It'll take my minions just a moment to reconnect, and then we can test out the system here at the CLI and run our regular test.ping just to check to see if they're authenticated yet. And then in order to use the external auth subsystem we're going to use the -a flag to salt, and this flag takes the backend that we're authenticating with. In this case it's the auto backend. So now it's asking me for a username and password. So I'll do saltdev, and then any password will do because we're using the auto backend. And there we go. So it has allowed this user. If we do fake user, Salt will then deny that.

Now this is a master-side check, so this check only happens on the master. So if you're logged into a minion then, you know, you're logged in as root already, presumably; this isn't going to help you. This is just for sending commands down to them. And so there's the external auth subsystem. Now when we've authenticated like that, Salt generates what's called an eauth token, and we can take that token and we can reuse it in subsequent calls, and we'll see what that looks like when we talk about the rest_cherrypy module here in a moment.

But first let's install and configure rest_cherrypy. As I mentioned, this module is the default REST interface in Salt, and by far the most featureful. Now one caveat to mention is that there are some SSL problems with some CherryPy versions, and that is compounded by the fact that there are some SSL problems between Python 2.7 and 3.4. It got a little fiddly, and then there's a couple of OpenSSL version problems as well. So the whole thing is a bit of a mess, I'm afraid. But in general running Python, or excuse me, running CherryPy 3.2.3 is best on most distros and most Python versions. It's not going to be a silver bullet. But generally speaking it's good enough, or it's the most robust.

So in order to start a netapi module, what you do is you put the configuration for that module into the master config, and then if it's there then it will start that module. In this case we need to say rest_cherrypy and what port we want it to start on. So let's go ahead and do that. So, still in our master config on the left, I'm going to jump down to the bottom and add a new configuration here: rest_cherrypy, port 8000.

And let's also go ahead and generate some self-signed certificates for this, because we're going to be sending Salt authentication credentials over the wire. It's a good idea to always secure this, even in testing, because it's kind of an important thing, right? Those credentials are keys to the kingdom, essentially. So if we jump to the rest_cherrypy docs, it will kind of walk you through this in this setup section, and we can generate a self-signed certificate using Salt. Right. All we have to do is have the PyOpenSSL package installed. We're going to call a module, the tls module, in order to do this, and we're going to do that from the Salt master. But we're going to use salt-call to call this module, which means we need to have the minion package installed even if we're not going to be running the minion daemon.

Let's go ahead and yum install pyOpenSSL and salt-minion. And this is on CentOS; our master's on CentOS. It will not start the minion daemon by default, and it will just give us access to that salt-call CLI. With that in place I'm going to go ahead and copy this, and that will generate those certificates for us and will put them in this expected location: /etc/pki/tls. OK. So now we can specify the ssl_crt and the ssl_key in our rest_cherrypy config, and it will use those certificates for us. So with that in place I'm going to once again restart my Salt master, because we edited the master config once again. And I'm also going to start salt-api.

Now if this worked then we are now listening on port 8000, and we can of course check that in a variety of ways. We can call netstat to see if it's actually listening on the port, or we can just try to access it. So I have to specify the -k flag to curl to not check the SSL certificate; since it's self-signed, that's not going to do anything for us. I have to specify https here so that curl uses the right port, or excuse me, uses the right request, and then localhost. There we go: we got a reply back from rest_cherrypy.

All right. So in this video we learned about the Python API and how that is exposed as a REST interface using these various netapi modules. In the next video we're going to dive into and explore the rest_cherrypy interface.
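
The settings walked through in this lecture, as an added example that is not part of the video transcript or the Salt project's code: a Python check that takes a master config already parsed into a dict and flags the testing-only `auto` eauth backend, catch-all `.*` grants, `@runner`/`@wheel` grants, and a `rest_cherrypy` section without certificates. The function names, finding texts, sample configs and certificate paths are constructed for illustration; `external_auth`, `rest_cherrypy`, `port`, `ssl_crt`, `ssl_key` and `disable_ssl` are Salt's own option names.

```python
def _grants(perms):
    """Yield (target, pattern) pairs from an external_auth permission list.

    An entry is a plain function pattern ('test.*', '@runner') or a one-key
    mapping {target: [patterns]} limiting the patterns to matching minions.
    """
    for entry in perms or []:
        if isinstance(entry, dict):
            for target, patterns in entry.items():
                for pat in patterns or []:
                    yield target, pat
        else:
            yield "any minion", entry


def audit_master_config(cfg):
    """Return sorted findings for a master config parsed into a dict."""
    out = []
    for backend, users in (cfg.get("external_auth") or {}).items():
        if backend == "auto":
            out.append("eauth backend 'auto' accepts any password (testing only)")
        for user, perms in (users or {}).items():
            for target, pat in _grants(perms):
                if pat == ".*":
                    out.append(f"{backend}/{user}: every function allowed on {target}")
                elif pat in ("@runner", "@wheel"):
                    out.append(f"{backend}/{user}: {pat} grants master-side functions")
    api = cfg.get("rest_cherrypy")
    if api is not None:
        if api.get("disable_ssl"):
            out.append("rest_cherrypy: disable_ssl is set, credentials cross the wire unencrypted")
        elif not (api.get("ssl_crt") and api.get("ssl_key")):
            out.append("rest_cherrypy: ssl_crt/ssl_key not configured")
    return sorted(out)


# Constructed sample: the lab setup from the lecture before certificates are added.
LAB = {"external_auth": {"auto": {"saltdev": [".*", "@runner", "@wheel"]}},
       "rest_cherrypy": {"port": 8000}}
# Constructed sample: PAM backend, one host-restricted grant, TLS files set
# (placeholder paths).
HARDENED = {"external_auth": {"pam": {"saltdev": [{"G@os_family:Debian": ["test.*"]}]}},
            "rest_cherrypy": {"port": 8000, "ssl_crt": "/path/to/api.crt",
                              "ssl_key": "/path/to/api.key"}}

if __name__ == "__main__":
    for name, cfg in (("lab", LAB), ("hardened", HARDENED)):
        print(name, audit_master_config(cfg) or "no findings")
```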