Merge branch 'mine_publish' into 'master'
Salt ACL and API updates
See merge request !12
diff --git a/README.rst b/README.rst
index 488dac8..a46f85b 100644
--- a/README.rst
+++ b/README.rst
@@ -28,11 +28,25 @@
.. code-block:: yaml
salt:
- master:
- ...
api:
enabled: true
- port: 8000
+ ssl:
+ engine: salt
+ bind:
+ address: 0.0.0.0
+ port: 8000
+
+Salt master with defined user ACLs
+
+.. code-block:: yaml
+
+ salt:
+ master:
+ user:
+ peter:
+ permissions:
+ - 'fs.fs'
+ - 'fs.\*'
Salt master with preset minions
diff --git a/metadata/service/master/cluster.yml b/metadata/service/master/cluster.yml
index 69d192b..591f5f1 100644
--- a/metadata/service/master/cluster.yml
+++ b/metadata/service/master/cluster.yml
@@ -11,4 +11,4 @@
source:
engine: pkg
command_timeout: 5
- worker_threads: 2
+ worker_threads: 3
diff --git a/metadata/service/master/single.yml b/metadata/service/master/single.yml
index b1a0e67..80334b1 100644
--- a/metadata/service/master/single.yml
+++ b/metadata/service/master/single.yml
@@ -13,5 +13,5 @@
source:
engine: pkg
command_timeout: 5
- worker_threads: 2
+ worker_threads: 3
base_environment: ${_param:salt_master_base_environment}
diff --git a/salt/api.sls b/salt/api.sls
index 4e3fe4a..4bc3e9b 100644
--- a/salt/api.sls
+++ b/salt/api.sls
@@ -1,14 +1,19 @@
{%- from "salt/map.jinja" import api with context %}
{%- if api.enabled %}
-include:
-- salt.master
-
salt_api_packages:
- pkg.installed
+ pkg.installed:
- names: {{ api.pkgs }}
+
+/etc/salt/master.d/_api.conf:
+ file.managed:
+ - source: salt://salt/files/_api.conf
+ - user: root
+ - template: jinja
- require:
- - {{ master.install_state }}
+ - pkg: salt_api_packages
+ - watch_in:
+ - service: salt_api_service
salt_api_service:
service.running:
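Review bot: The new `/etc/salt/master.d/_api.conf` state sets `user: root` but no `group` or `mode`, so the rendered file's ownership and permissions depend on whatever `file.managed` finds or defaults to on the target; add `- group: root` and `- mode: 644` so the drop-in is pinned explicitly. The restart relationship to `salt_api_service` is also declared twice: `watch_in` on the file here and, in the second hunk of this file, `watch: - file: /etc/salt/master.d/_api.conf` on the service — keep one of them. With the `include: salt.master` and the `require: {{ master.install_state }}` dropped, applying `salt.api` on its own no longer orders after the master install; that is presumably fine if the api package depends on it, but worth confirming. The `salt_api_service` definition continues past the end of this hunk.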
@@ -16,6 +21,6 @@
- require:
- pkg: salt_api_packages
- watch:
- - file: /etc/salt/master
+ - file: /etc/salt/master.d/_api.conf
{%- endif %}
diff --git a/salt/files/_api.conf b/salt/files/_api.conf
new file mode 100644
index 0000000..3757fb1
--- /dev/null
+++ b/salt/files/_api.conf
@@ -0,0 +1,20 @@
+{%- from "linux/map.jinja" import system with context %}
+{%- from "salt/map.jinja" import api with context %}
+
+rest_cherrypy:
+ port: {{ api.bind.port }}
+ host: {{ api.bind.address }}
+ {%- if api.get('ssl', {}).get('enabled', False) %}
+ {%- if api.ssl.engine == 'salt' %}
+ ssl_crt: /etc/ssl/certs/{{ system.name }}.{{ system.domain }}.crt
+ ssl_key: /etc/ssl/private/{{ system.name }}.{{ system.domain }}.key
+ {%- else %}
+ ssl_crt: {{ api.ssl.get('cert_file')|default("/etc/ssl/certs/"+grains.get('fqdn')+".crt") }}
+ ssl_crt: {{ api.ssl.get('key_file')|default("/etc/ssl/private/"+grains.get('fqdn')+".key") }}
+ {%- endif %}
+ {%- else %}
+ disable_ssl: True
+ {%- endif %}
+ {%- if api.get('debug', False) %}
+ debug: True
+ {%- endif %}
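Review bot: The custom-engine branch emits `ssl_crt` twice (the two lines after `{%- else %}`): the second one takes the key path, so with last-wins key handling the certificate path is overwritten by the private-key path and `ssl_key` is never set, which will break TLS startup for anyone supplying `cert_file`/`key_file`. The second line should be `ssl_key: {{ api.ssl.get('key_file')|default("/etc/ssl/private/"+grains.get('fqdn')+".key") }}`. Note also that `disable_ssl: True` is emitted whenever `api.ssl.enabled` is not truthy, so the README example in this merge (`ssl: engine: salt`, no `enabled` key) would render a plaintext API on `0.0.0.0` unless `salt/map.jinja` defaults `enabled` — please confirm and document which key actually turns TLS on. A short header comment naming the pillar keys this template reads (`api.bind.address`, `api.bind.port`, `api.ssl.enabled`, `api.ssl.engine`, `api.ssl.cert_file`, `api.ssl.key_file`, `api.debug`) would help later maintainers.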
diff --git a/salt/files/master.conf b/salt/files/master.conf
index b9fbf38..47f563f 100644
--- a/salt/files/master.conf
+++ b/salt/files/master.conf
@@ -64,29 +64,12 @@
{%- endif %}
-{%- if master.acl is defined %}
+{%- if master.user is defined %}
client_acl:
- {%- for acl in master.acl %}
- {{ acl.name }}:
- {%- for right in acl.rights %}
- - {{ right }}
+ {%- for user_name, user in master.user.iteritems() %}
+ {{ user_name }}: {{ user.permissions|yaml }}
{%- endfor %}
- {%- endfor %}
-
-{%- endif %}
-
-{%- if master.bind.api is defined %}
-
-rest_cherrypy:
- port: {{ master.api.port }}
- ssl_crt: /etc/ssl/certs/{{ system.name }}.{{ system.domain }}.crt
- ssl_key: /etc/ssl/private/{{ system.name }}.{{ system.domain }}.key
- {%- if pillar.halite is defined %}
- static: /srv/halite/halite
- app: /srv/halite/halite/index.html
- {%- endif %}
- debug: True
{%- endif %}
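Review bot: `master.user.iteritems()` on the new `client_acl` loop is Python 2 only and will fail to render on a Python 3 Salt master; `master.user.items()` works on both. The loop also indexes `user.permissions` directly, so a user entry without a `permissions` key makes the whole master config fail to render; `{{ user_name }}: {{ user.get('permissions', [])|yaml }}` gives an explicit empty ACL instead. If the targeted Salt release already prefers `publisher_acl`, the (unchanged) `client_acl` key is the deprecated name and the two are not merged, which is worth a comment above the block. The removal of the `rest_cherrypy`/halite section is a functional change (the `static`/`app` keys are not carried into `_api.conf`) that the merge description does not mention.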