Merge branch 'mine_publish' into 'master'

Salt ACL and API updates

See merge request !12

README.rst

@@ -28,11 +28,25 @@ Salt master with API
 .. code-block:: yaml
 
     salt:
-      master:
-        ...
       api:
         enabled: true
-        port: 8000
+        ssl:
+          engine: salt
+        bind:
+          address: 0.0.0.0
+          port: 8000
+
+Salt master with defined user ACLs
+
+.. code-block:: yaml
+
+    salt:
+      master:
+        user:
+          peter:
+            permissions:
+            - 'fs.fs'
+            - 'fs.\*'
 
 Salt master with preset minions
 

metadata/service/master/cluster.yml

@@ -11,4 +11,4 @@ parameters:
       source:
         engine: pkg
       command_timeout: 5
-      worker_threads: 2
+      worker_threads: 3

metadata/service/master/single.yml

@@ -13,5 +13,5 @@ parameters:
       source:
         engine: pkg
       command_timeout: 5
-      worker_threads: 2
+      worker_threads: 3
       base_environment: ${_param:salt_master_base_environment}

salt/api.sls

@@ -1,14 +1,19 @@
 {%- from "salt/map.jinja" import api with context %}
 {%- if api.enabled %}
 
-include:
-- salt.master
-
 salt_api_packages:
-  pkg.installed
+  pkg.installed:
   - names: {{ api.pkgs }}
+
+/etc/salt/master.d/_api.conf:
+  file.managed:
+  - source: salt://salt/files/_api.conf
+  - user: root
+  - template: jinja
   - require:
-    - {{ master.install_state }}
+    - pkg: salt_api_packages
+  - watch_in:
+    - service: salt_api_service
 
 salt_api_service:
   service.running:
@@ -16,6 +21,6 @@ salt_api_service:
   - require:
     - pkg: salt_api_packages
   - watch:
-    - file: /etc/salt/master
+    - file: /etc/salt/master.d/_api.conf
 
 {%- endif %}

salt/files/_api.conf

@@ -0,0 +1,20 @@
+{%- from "linux/map.jinja" import system with context %}
+{%- from "salt/map.jinja" import api with context %}
+
+rest_cherrypy:
+  port: {{ api.bind.port }}
+  host: {{ api.bind.address }}
+  {%- if api.get('ssl', {}).get('enabled', False) %}
+  {%- if api.ssl.engine == 'salt' %}
+  ssl_crt: /etc/ssl/certs/{{ system.name }}.{{ system.domain }}.crt
+  ssl_key: /etc/ssl/private/{{ system.name }}.{{ system.domain }}.key
+  {%- else %}
+  ssl_crt: {{ api.ssl.get('cert_file')|default("/etc/ssl/certs/"+grains.get('fqdn')+".crt") }}
+  ssl_crt: {{ api.ssl.get('key_file')|default("/etc/ssl/private/"+grains.get('fqdn')+".key") }}
+  {%- endif %}
+  {%- else %}
+  disable_ssl: True
+  {%- endif %}
+  {%- if api.get('debug', False) %}
+  debug: True
+  {%- endif %}

salt/files/master.conf

@@ -64,29 +64,12 @@ master_tops:
 
 {%- endif %}
 
-{%- if master.acl is defined %}
+{%- if master.user is defined %}
 
 client_acl:
-  {%- for acl in master.acl %}
-  {{ acl.name }}:
-  {%- for right in acl.rights %}
-  - {{ right }}
+  {%- for user_name, user in master.user.iteritems() %}
+  {{ user_name }}: {{ user.permissions|yaml }}
   {%- endfor %}
-  {%- endfor %}
-
-{%- endif %}
-
-{%- if master.bind.api is defined %}
-
-rest_cherrypy:
-  port: {{ master.api.port }}
-  ssl_crt: /etc/ssl/certs/{{ system.name }}.{{ system.domain }}.crt
-  ssl_key: /etc/ssl/private/{{ system.name }}.{{ system.domain }}.key
-  {%- if pillar.halite is defined %}
-  static: /srv/halite/halite
-  app: /srv/halite/halite/index.html
-  {%- endif %}
-  debug: True
 
 {%- endif %}