How can I apply a Salt state without login to Salt master?
979 views
Skip to first unread message
sfresher
Sep 9, 2016, 5:38:32 PM9/9/16
to Salt-users
Hi,
Let's say I would like to apply a salt state "salt '*' state.apply test". Is it possible to do so without login to the Salt master?
Thank you!
Charles Baker
Sep 9, 2016, 5:57:59 PM9/9/16
to salt-...@googlegroups.com
--
You received this message because you are subscribed to the Google Groups "Salt-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to salt-users+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Charles H. Baker
864.990.1297
864.990.1297
Knowing is not enough; we must apply. Willing is not enough; we must do. Bruce Lee
Jeff
Sep 9, 2016, 7:15:50 PM9/9/16
to salt-...@googlegroups.com
I think 'salt-call' only works on the machine you are currently on so you can't do all minions unless you want to log into each minion individually (unless I'm missing something). If you want to target multiple minions from a remote host (not the master), you should probably use the salt-api.
Florian Ermisch
Sep 10, 2016, 5:36:00 AM9/10/16
to salt-...@googlegroups.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Hi,
you can use the peer system [1] to execute
`state.sls` on another minion. Like the client
ACL system [2] this is only limited to matching
_functions_ on matching minions but not the
functions' arguments.
Allowing someone to run `state.sls` on a set of
minions allows them to run any state on those
minions.
The more fine grained ACLs of the external
authentication modules [3] added in 2016.3
allow you to limit function parameters but
there you have to be logged in to the master
again.
I would think the code for finer grained ACLs
(including function arguments) could be reused
in the (non-eAuth) client ACL and peer systems.
You should check if there's an issue on GitHub
for this feature. If there isn't you may want to
get in direct contact with the devs.
Regards, Florian
[1]: https://docs.saltstack.com/en/latest/ref/peer.html
[2]: https://docs.saltstack.com/en/2015.8/ref/clientacl.html
[3]: https://docs.saltstack.com/en/latest/topics/eauth/index.html
Am 10. September 2016 01:15:27 MESZ, schrieb Jeff <preda...@gmail.com>:
> I think 'salt-call' only works on the machine you are currently on so
> you
> can't do all minions unless you want to log into each minion
> individually
> (unless I'm missing something). If you want to target multiple
> minions
> from a remote host (not the master), you should probably use the
> salt-api.
>
>
>
> On Fri, Sep 9, 2016 at 3:57 PM, Charles Baker
> <charle...@gmail.com>
> wrote:
>
> > salt-call state.apply test
> >
> > https://docs.saltstack.com/en/latest/ref/cli/salt-call.html
> >
> > On Fri, Sep 9, 2016 at 5:38 PM, sfresher <fei2...@gmail.com> wrote:
> >
> >> Hi,
> >>
> >> Let's say I would like to apply a salt state "salt '*' state.apply
> >> test". Is it possible to do so without login to the Salt master?
> >>
> >> Thank you!
> >>
-----BEGIN PGP SIGNATURE-----
Version: APG v1.1.1
iQFTBAEBCAA9BQJX09P3NhxGbG9yaWFuIEVybWlzY2ggPGZsb3JpYW4uZXJtaXNj
aEBhbHVtbmkudHUtYmVybGluLmRlPgAKCRBAkXUY77vNq7DGB/9z4Vlw3l0SzTKW
+tjrC5t7Wmfu2L71+Ag/4UbgTLSqvS0QjyDBuzpGPRc6zrRsUHW69b8USbF1LZT9
y2Sqg1QWAA92zyCwynZNf0dC7VcSIlOc9da9vUkiPw87Xv5AkWY2D6Znsrhnt4NP
Cr3f8AUeaLqU2LWLPy86ZfUan480cT+LtslPvfwcITfoZOfq2rdWNdK0Ps3APFPn
6D7bX7p4GZBy0OTWOoO2+0pyhEbCewYsE4iUYZ6g7qQejz4nIW6msuCzrZlvyfFr
twqW0pz2AZtqYbi9EPuideTucy21DGeHdT81lE4NJgfYabsaiWI0Wj6xrerEm836
6e4YK6wp
=qLsD
-----END PGP SIGNATURE-----
Hash: SHA256
Hi,
you can use the peer system [1] to execute
`state.sls` on another minion. Like the client
ACL system [2] this is only limited to matching
_functions_ on matching minions but not the
functions' arguments.
Allowing someone to run `state.sls` on a set of
minions allows them to run any state on those
minions.
The more fine grained ACLs of the external
authentication modules [3] added in 2016.3
allow you to limit function parameters but
there you have to be logged in to the master
again.
I would think the code for finer grained ACLs
(including function arguments) could be reused
in the (non-eAuth) client ACL and peer systems.
You should check if there's an issue on GitHub
for this feature. If there isn't you may want to
get in direct contact with the devs.
Regards, Florian
[1]: https://docs.saltstack.com/en/latest/ref/peer.html
[2]: https://docs.saltstack.com/en/2015.8/ref/clientacl.html
[3]: https://docs.saltstack.com/en/latest/topics/eauth/index.html
Am 10. September 2016 01:15:27 MESZ, schrieb Jeff <preda...@gmail.com>:
> I think 'salt-call' only works on the machine you are currently on so
> you
> can't do all minions unless you want to log into each minion
> individually
> (unless I'm missing something). If you want to target multiple
> minions
> from a remote host (not the master), you should probably use the
> salt-api.
>
>
>
> On Fri, Sep 9, 2016 at 3:57 PM, Charles Baker
> <charle...@gmail.com>
> wrote:
>
> > salt-call state.apply test
> >
> > https://docs.saltstack.com/en/latest/ref/cli/salt-call.html
> >
> > On Fri, Sep 9, 2016 at 5:38 PM, sfresher <fei2...@gmail.com> wrote:
> >
> >> Hi,
> >>
> >> Let's say I would like to apply a salt state "salt '*' state.apply
> >> test". Is it possible to do so without login to the Salt master?
> >>
> >> Thank you!
> >>
Version: APG v1.1.1
iQFTBAEBCAA9BQJX09P3NhxGbG9yaWFuIEVybWlzY2ggPGZsb3JpYW4uZXJtaXNj
aEBhbHVtbmkudHUtYmVybGluLmRlPgAKCRBAkXUY77vNq7DGB/9z4Vlw3l0SzTKW
+tjrC5t7Wmfu2L71+Ag/4UbgTLSqvS0QjyDBuzpGPRc6zrRsUHW69b8USbF1LZT9
y2Sqg1QWAA92zyCwynZNf0dC7VcSIlOc9da9vUkiPw87Xv5AkWY2D6Znsrhnt4NP
Cr3f8AUeaLqU2LWLPy86ZfUan480cT+LtslPvfwcITfoZOfq2rdWNdK0Ps3APFPn
6D7bX7p4GZBy0OTWOoO2+0pyhEbCewYsE4iUYZ6g7qQejz4nIW6msuCzrZlvyfFr
twqW0pz2AZtqYbi9EPuideTucy21DGeHdT81lE4NJgfYabsaiWI0Wj6xrerEm836
6e4YK6wp
=qLsD
-----END PGP SIGNATURE-----
Ben Hosmer
Sep 10, 2016, 7:20:29 AM9/10/16
to Salt-users
Using the SALT Reactor you could create a webhook and apply your state without SSH to the master. You would probably want to add some type of
auth though to prevent anyone from applying your state at random times.
Charles Baker
Sep 10, 2016, 10:53:34 AM9/10/16
to salt-...@googlegroups.com
Well, if you want to issue commands to all minions w/o being on the master maybe investigate the peer system?
sfresher
Sep 13, 2016, 2:35:22 AM9/13/16
to Salt-users
Thank you all. I am able to use "salt-call publish.publish" to successfully run execution modules on other minion. However, I am not able to run a state with custom pillar "salt-call publish.publish '*' state.apply mystate pillar={"mypillar":"myvalue"}". The syntax is not correct?
sfresher
Oct 3, 2016, 3:41:06 PM10/3/16
to Salt-users
Reply all
Reply to author
Forward
0 new messages