erwindon / SaltGUI

A web interface for managing SaltStack based infrastructure.
MIT License

SaltGui cannot access rest-api somehow? #623

Open nerdoc opened 2 months ago

nerdoc commented 2 months ago

Describe the bug

I finally installed SaltGui successfully (after a long, winding road... Salt is not easy.)

I can login to the UI using PAM, but I can't see any minions. The "issues" tab says:

    Could not retrieve list of unaccepted keys
    Could not retrieve list of connected minions
    Could not retrieve list of jobs
    Could not retrieve list of keys
    Could not retrieve list of schedulers
    Could not retrieve list of schedules
    Could not retrieve list of beacons
    Could not retrieve list of beacon

When hovering over one of the lines, it says "Error: Unauthorized"

To Reproduce

Parts of my setup:

rest_cherrypy:
  port: 8080
  host: 0.0.0.0
  disable_ssl: true
  app: /srv/saltgui/index.html
  static: /srv/saltgui/static
  static_path: /static
external_auth:
  pam:
    christian:
      - .*
      - '@runner':
        - jobs.active
        - jobs.list_job
        - jobs.list_jobs
        - manage.versions
      - '@wheel':
        - config.values
        - key.finger
        - key.list_all
        - minions.connected
netapi_enable_clients:
    - local
    - local_async
    - runner
    - wheel

When using curl on only the rest-api, it works:

curl -sS localhost:8080/run -H 'Accept: application/x-yaml'      \
  -d eauth='pam'      -d username='christian'    \
  -d password='xxx'  -d client='local'   \
  -d tgt='minion1'      -d fun='test.ping'
return:
- minion1: true

A "state.apply" using curl does work too.

Expected behaviour

AFAICT when using ".*" in the pam/ setting, everything should be ok. I expect to be able to manage the minions ;)

I can't think of other things, and I can't find any "log" file of SaltGUI - is there one?

erwindon commented 2 months ago

@nerdoc I've applied the same PAM settings on my local installation, and that works fine. And to check that I'm really using these settings, I deleted key.finger from the list, and then got the expected error message on the Keys screen.

Note that you should restart salt-api and salt-master after making changes to the master file.

erwindon commented 2 months ago

Side-note... removing key.finger from the list revealed an oversight in the Keys screen. When that API failed, it was only compensating for the accepted keys. I've now added compensation for unaccepted/rejected/denied keys too.

erwindon commented 2 months ago

I can't find any "log" file of SaltGUI - is there one?

No, SaltGUI is an application that runs entirely in the browser. The closest are:

nerdoc commented 2 months ago

Hm. About the issue: I restarted the salt-master and salt-api services multiple times... And sure, it's browser-only software, so the missing log file makes sense, but there is the JS console, which helps a bit. Many POST requests are 401 here. While "The path '/static/minions.txt' was not found." could be something else, it is weird that the POST requests are 401. The payload, e.g., is {"client":"runner","fun":"jobs.list_jobs"} and I get as answer: Authentication failure of type "token" occurred for user christian. Maybe you can read something more from this now.
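As an added example (not code from SaltGUI or Salt), the script below reproduces the comparison this thread is making: the same lowstate is sent once with password eauth on /run, as in the curl command above, and once the way SaltGUI does it, via /login and an X-Auth-Token, so you can see which of the two paths returns the 401 and which perms the issued token carries. It assumes salt-api on localhost:8080 as configured above; the credentials are constructed placeholders and the lowstate/classify/compare helpers are mine, not part of either project.

```python
import json
import urllib.error
import urllib.request

BASE_URL = "http://localhost:8080"   # assumption: rest_cherrypy on 8080 with disable_ssl: true
USER, PASSWORD = "christian", "xxx"  # constructed placeholder credentials


def lowstate(fun, client="runner", **extra):
    """Build the lowstate dict SaltGUI posts, e.g. {"client": "runner", "fun": "jobs.list_jobs"}."""
    return {"client": client, "fun": fun, **extra}


def classify(status, body):
    """Reduce a salt-api reply to a short verdict for the comparison."""
    text = body if isinstance(body, str) else json.dumps(body)
    if status == 200:
        return "ok"
    if status == 401 and 'type "token"' in text:
        return "token-rejected"  # /login issued a token that the master then refused
    if status == 401:
        return "unauthorized"
    return f"http-{status}"


def _post(path, body, token=None):
    """POST JSON to salt-api; return (HTTP status, parsed JSON or raw error text)."""
    req = urllib.request.Request(BASE_URL + path, data=json.dumps(body).encode(), method="POST",
                                 headers={"Content-Type": "application/json", "Accept": "application/json"})
    if token:
        req.add_header("X-Auth-Token", token)  # what SaltGUI sends after /login
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace")


def compare(low):
    """Run one lowstate twice: password eauth on /run, then via a session token on /."""
    creds = {"eauth": "pam", "username": USER, "password": PASSWORD}
    direct = _post("/run", {**low, **creds})
    status, body = _post("/login", creds)
    if status != 200:
        return classify(*direct), f"login-failed: {classify(status, body)}"
    session = body["return"][0]
    print("perms carried by the token:", session.get("perms"))  # the ACL salt-api resolved for USER
    return classify(*direct), classify(*_post("/", low, token=session["token"]))


if __name__ == "__main__":
    for low in (lowstate("jobs.list_jobs"), lowstate("key.list_all", client="wheel"),
                lowstate("test.ping", client="local", tgt="minion1")):
        print(low, "-> password eauth: %s, token: %s" % compare(low))
```

If the password path reports ok and the token path reports token-rejected for the same lowstate, the external_auth entries are not what is failing; the token issued by /login is.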

erwindon commented 2 months ago

Sorry for the delay, I missed the notification for your comment...

/static/minions.txt [and /static/salt-auth.txt, /static/salt-motd.txt, /static/salt-motd.html]

These should all be 404s, unless you already manually added these files. Each of these 4 files can be added by you to the SaltGUI webcontent.

The others are for API functions and should follow the settings from external_auth. With your settings, most should succeed.

Authentication failure of type "token" occurred for user christian

I always forget to mention this one... Do salt-master and/or salt-api (typically running under user salt) have read access to the file /etc/shadow? On some Linuxes, you need the command sudo setfacl -m u:salt:r /etc/shadow to get this done.

erwindon commented 1 month ago

@nerdoc do you still have this problem?

Broula-cmd commented 1 month ago

Hi, I'm currently dealing with a similar problem. I can't login to saltgui - session expired. When I try to connect locally to localhost:3333, the logging works, but I get the same errors as in the post.

I have the same setup, it worked fine before.

erwindon commented 1 month ago

@Broula-cmd please open a new issue. My experience is that the causes are in the individual setups and should therefore be handled individually.

erwindon commented 1 month ago

@nerdoc I did not receive additional information. I'll close this issue. Feel free to open a new issue when you still have problems.

nerdoc commented 1 month ago

Sorry for the delay, I missed the notification for your comment...

No problem, I was on holidays (and afterwards busy) so I did not respond in time. But the issue is still open for me.

The others are for API functions and should follow the settings from external_auth. With your settings, most should succeed.

OK, so they should not disturb the rest of the software - and at least not this issue.

Authentication failure of type "token" occurred for user christian

I always forget to mention this one... Do salt-master and/or salt-api (typically running under user salt) have read access to the file /etc/shadow? On some Linuxes, you need the command sudo setfacl -m u:salt:r /etc/shadow to get this done.

The salt user (under which salt-master and salt-minion run) is in the "shadow" group, which has r/o access to /etc/shadow:

root@salt:~# ls -la /etc/shadow
-rw-r----- 1 root shadow 865 Aug  2 22:13 /etc/shadow
root@salt:~# groups salt
salt : salt shadow
root@salt:~# ps aux|grep salt
salt      206813  0.3  2.5 242768 53684 ?        Ss   07:14   0:00 /opt/saltstack/salt/bin/python3.10 /usr/bin/salt-api MainProcess
salt      206879  0.5  2.6 249052 54900 ?        Ss   07:14   0:00 /opt/saltstack/salt/bin/python3.10 /usr/bin/salt-master MainProcess
salt      206888  0.2  2.6 1600704 55692 ?       Sl   07:14   0:00 /opt/saltstack/salt/bin/python3.10 /usr/bin/salt-api RunNetapi(salt.loaded.int.netapi.rest_cherrypy)
[...]
salt      207063  0.0  2.3 330716 48568 ?        Sl   07:14   0:00 /opt/saltstack/salt/bin/python3.10 /usr/bin/salt-master PubServerChannel._publish_daemon
salt      207066  0.0  2.2 256300 48132 ?        S    07:14   0:00 /opt/saltstack/salt/bin/python3.10 /usr/bin/salt-master EventPublisher
salt      207067  0.0  2.3 252168 48648 ?        S    07:14   0:00 /opt/saltstack/salt/bin/python3.10 /usr/bin/salt-master EventMonitor
salt      207076  0.2  2.7 257584 56952 ?        S    07:14   0:00 /opt/saltstack/salt/bin/python3.10 /usr/bin/salt-master Maintenance
salt      207082  0.0  2.2 248920 47616 ?        S    07:14   0:00 /opt/saltstack/salt/bin/python3.10 /usr/bin/salt-master ReqServer ReqServer_ProcessManager
salt      207101  0.6  2.3 625932 49272 ?        Sl   07:14   0:00 /opt/saltstack/salt/bin/python3.10 /usr/bin/salt-master ReqServer MWorkerQueue
salt      207104  0.7  3.0 493612 64376 ?        Sl   07:14   0:00 /opt/saltstack/salt/bin/python3.10 /usr/bin/salt-master ReqServer MWorker-0
salt      207106  0.0  2.2 323808 48120 ?        Sl   07:14   0:00 /opt/saltstack/salt/bin/python3.10 /usr/bin/salt-master FileServerUpdate
salt      207107  0.7  3.0 493356 63864 ?        Sl   07:14   0:00 /opt/saltstack/salt/bin/python3.10 /usr/bin/salt-master ReqServer MWorker-1
salt      207108  0.7  3.0 493312 63352 ?        Sl   07:14   0:00 /opt/saltstack/salt/bin/python3.10 /usr/bin/salt-master ReqServer MWorker-2
salt      207118  0.7  3.0 501548 63480 ?        Sl   07:14   0:00 /opt/saltstack/salt/bin/python3.10 /usr/bin/salt-master ReqServer MWorker-3
salt      207119  0.7  3.0 495180 64888 ?        Sl   07:14   0:00 /opt/saltstack/salt/bin/python3.10 /usr/bin/salt-master ReqServer MWorker-4
[...]

So everything seems fine, but the error stays.

nerdoc commented 1 month ago

I even added my user (christian) temporarily to the "salt" and "shadow" groups - because SaltGUI uses PAM as login method - and maybe when using this user, SaltGUI will use its permissions. No difference.

erwindon commented 1 month ago

OK, let me try to replicate your (exact) situation:

nerdoc commented 1 month ago

I am using plain Debian 12, up to date packages. And installed saltstack using their repo/install script: salt-{api|common|master|minion} v3007.1

nerdoc commented 1 month ago

/etc/salt/master is unchanged, and my /etc/salt/master.d/local.conf is this:

file_roots:
  base:
    - /srv/salt/

keep_acl_in_token: True

allow_uid_change: True
allow_gid_change: True

mysql.host: 'db'
mysql.user: 'salt'
mysql.pass: 'XXXXXX'
mysql.db: 'salt'
mysql.port: 3306

rest_cherrypy:
  port: 8080
  host: 0.0.0.0
  disable_ssl: true
  app: /srv/saltgui/index.html
  static: /srv/saltgui/static
  static_path: /static

external_auth:
  pam:
    christian:
      - .*
      - '@runner':
        - jobs.active
        - jobs.list_job
        - jobs.list_jobs
        - manage.versions
      - '@wheel':
        - config.values
        - key.finger
        - key.list_all
        - minions.connected

netapi_enable_clients:
    - local
    - local_async
    - runner
    - wheel