Salt ACL and API updates See merge request !12

il y a 8 ans · 7ff7459674
--- a/README.rst
+++ b/README.rst
 .. code-block:: yaml
    salt:
      master:
        ...
      api:
        enabled: true
        port: 8000
        ssl:
          engine: salt
        bind:
          address: 0.0.0.0
          port: 8000
 Salt master with defined user ACLs
 .. code-block:: yaml
    salt:
      master:
        user:
          peter:
            permissions:
            - 'fs.fs'
            - 'fs.\*'
 Salt master with preset minions
--- a/metadata/service/master/cluster.yml
+++ b/metadata/service/master/cluster.yml
      source:
        engine: pkg
      command_timeout: 5
      worker_threads: 2
      worker_threads: 3
--- a/metadata/service/master/single.yml
+++ b/metadata/service/master/single.yml
      source:
        engine: pkg
      command_timeout: 5
      worker_threads: 2
      worker_threads: 3
      base_environment: ${_param:salt_master_base_environment}
--- a/salt/api.sls
+++ b/salt/api.sls
 {%- from "salt/map.jinja" import api with context %}
 {%- if api.enabled %}
 include:
 - salt.master
 salt_api_packages:
  pkg.installed
  pkg.installed:
  - names: {{ api.pkgs }}
 /etc/salt/master.d/_api.conf:
  file.managed:
  - source: salt://salt/files/_api.conf
  - user: root
  - template: jinja
  - require:
    - {{ master.install_state }}
    - pkg: salt_api_packages
  - watch_in:
    - service: salt_api_service
 salt_api_service:
  service.running:
  - require:
    - pkg: salt_api_packages
  - watch:
    - file: /etc/salt/master
    - file: /etc/salt/master.d/_api.conf
 {%- endif %}
--- a/salt/files/_api.conf
+++ b/salt/files/_api.conf
 {%- from "linux/map.jinja" import system with context %}
 {%- from "salt/map.jinja" import api with context %}
 rest_cherrypy:
  port: {{ api.bind.port }}
  host: {{ api.bind.address }}
  {%- if api.get('ssl', {}).get('enabled', False) %}
  {%- if api.ssl.engine == 'salt' %}
  ssl_crt: /etc/ssl/certs/{{ system.name }}.{{ system.domain }}.crt
  ssl_key: /etc/ssl/private/{{ system.name }}.{{ system.domain }}.key
  {%- else %}
  ssl_crt: {{ api.ssl.get('cert_file')|default("/etc/ssl/certs/"+grains.get('fqdn')+".crt") }}
  ssl_crt: {{ api.ssl.get('key_file')|default("/etc/ssl/private/"+grains.get('fqdn')+".key") }}
  {%- endif %}
  {%- else %}
  disable_ssl: True
  {%- endif %}
  {%- if api.get('debug', False) %}
  debug: True
  {%- endif %}
--- a/salt/files/master.conf
+++ b/salt/files/master.conf
 {%- endif %}
 {%- if master.acl is defined %}
 {%- if master.user is defined %}
 client_acl:
  {%- for acl in master.acl %}
  {{ acl.name }}:
  {%- for right in acl.rights %}
  - {{ right }}
  {%- for user_name, user in master.user.iteritems() %}
  {{ user_name }}: {{ user.permissions|yaml }}
  {%- endfor %}
  {%- endfor %}
 {%- endif %}
 {%- if master.bind.api is defined %}
 rest_cherrypy:
  port: {{ master.api.port }}
  ssl_crt: /etc/ssl/certs/{{ system.name }}.{{ system.domain }}.crt
  ssl_key: /etc/ssl/private/{{ system.name }}.{{ system.domain }}.key
  {%- if pillar.halite is defined %}
  static: /srv/halite/halite
  app: /srv/halite/halite/index.html
  {%- endif %}
  debug: True
 {%- endif %}