salt-api安装

salt-api安装方法有两种。

方法一：

yum安装，需要的依赖包cherry也会被补全装上。
安装salt-api，并设置开机启动

yum -y install salt-api pyOpenSSL 
systemctl enable salt-api

方法二：

pip安装，首先要确认机器上有没有安装pip模块，如果没安装先安装pip模块：

yum install python-pip

如果提示没有python-pip包的话，先安装epel扩展源

yum -y install epel-release

然后再安装pip

安装完pip模块后进行salt-api的安装

pip install cherrypy==3.2.3
pip install salt-api

配置自签名证书

cd /etc/pki/tls/certs/
make testcert

Enter pass phrase:    ===>  键入加密短语，4到8191个字符
Verifying - Enter pass phrase:    ===>  确认加密短语
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key /etc/pki/tls/private/localhost.key -x509 -days 365 -out /etc/pki/tls/certs/localhost.crt -set_serial 0
Enter pass phrase for /etc/pki/tls/private/localhost.key:    ===>  再次输入相同的加密短语
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN  ===>  都可以选填
State or Province Name (full name) []:Hangzhou
Locality Name (eg, city) [Default City]:Hangzhou
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:

解密key文件，生成无密码的key文件, 过程中需要输入key密码，该密码为之前生成证书时设置的密码

cd /etc/pki/tls/private/
openssl rsa -in localhost.key -out localhost_nopass.key

添加用户

为salt-api创建用户并设定密码，用户名没有特别要求。

useradd -M -s /sbin/nologin saltapi
#由于是测试，故采用了弱密码"password"，正式环境必须采用强密码，多用特殊字符
passwd saltapi

新增加配置文件/etc/salt/master.d/api.conf和/etc/salt/master.d/eauth.conf

#该配置文件给予saltapi用户所有模块使用权限，出于安全考虑一般只给予特定模块使用权限
[root@saltstack master.d]# cat eauth.conf
external_auth:
  pam:
    saltapi:
      - .*
[root@saltstack master.d]# cat api.conf
rest_cherrypy:
  port: 8888
  ssl_crt: /etc/pki/tls/certs/localhost.crt
  ssl_key: /etc/pki/tls/private/localhost_nopass.key

启动saltapi

systemctl restart salt-master
systemctl start salt-api

验证服务

登录获取token

curl -k https://192.168.123.146:8888/login -H "Accept: application/x-yaml" -d username='saltapi' -d password='password' -d eauth='pam'
return:
- eauth: pam
  expire: 1503290289.867183
  perms:
  - .*
  start: 1503247089.867182
  token: e95bb49bd4d8407ce241cf06eb56a4ac1ba1f191
  user: saltapi

获取token后就可以使用token通信

curl -k https://192.168.123.146:8888/ -H "Accept: application/x-yaml" -H "X-Auth-Token: e95bb49bd4d8407ce241cf06eb56a4ac1ba1f191" -d client='local' -d tgt='*' -d fun='test.ping' 
return:
- minion-one: true

# 相当于在salt-master本地执行salt * test.ping

编写saltapi类

运维开发如果像上述这样使用是很不方便的，将它编写成一个类，方便更好的使用。下面写的是一个salt-api的类（Python3环境）

#!/usr/bin/env python3
#coding=utf-8

import urllib.request, urllib.parse, json, re

import ssl
context = ssl._create_unverified_context()

class saltAPI:
    def __init__(self):
        self.__url = '' #salt-api监控的地址和端口如:'https://192.168.123.146:8888'
        self.__user =  ''             #salt-api用户名如:'saltapi'
        self.__password = ''          #salt-api用户密码如:'password123'
        self.__token_id = self.salt_login()

    def salt_login(self):
        params = {'eauth': 'pam', 'username': self.__user, 'password': self.__password}
        encode = urllib.parse.urlencode(params).encode(encoding='UTF8')
        headers = {'X-Auth-Token':''}
        url = self.__url + '/login'
        req = urllib.request.Request(url, encode, headers)
        opener = urllib.request.urlopen(req, context=context)
        content = json.loads(opener.read().decode('utf8'))
        try:
            token = content['return'][0]['token']
            return token
        except KeyError:
            raise KeyError

    def postRequest(self, obj, prefix='/'):
        headers = {'X-Auth-Token': self.__token_id}
        url = self.__url + prefix
        req = urllib.request.Request(url, obj, headers)
        opener = urllib.request.urlopen(req, context=context)
        #print(opener)
        content = json.loads(opener.read().decode('utf8'))
        return content

    def saltCmd(self, params):
        obj = urllib.parse.urlencode(params).encode(encoding='UTF8')
        obj, number = re.subn(b'arg\d', b'arg', obj)
        res = self.postRequest(obj)
        return res

def main():
    #以下是用来测试saltAPI类的部分
    sapi = saltAPI()
    params = {'client':'local', 'fun':'test.ping', 'tgt':'*'}
    #params = {'client':'local', 'fun':'test.ping', 'tgt':'某台服务器的key'}
    #params = {'client':'local', 'fun':'test.echo', 'tgt':'某台服务器的key', 'arg1':'hello'}
    #params = {'client':'local', 'fun':'test.ping', 'tgt':'某组服务器的组名', 'expr_form':'nodegroup'}
    test = sapi.saltCmd(params)
    print(test)

if __name__ == '__main__':
    main()