Configuring Salt API - Java

Question

I'm attempting to use Salt-Api, so I created a salt-api.conf in /etc/salt/master.d/ as follows:

external_auth:
  pam:
    saltuser:
      - .*
      - '@wheel'   # to allow access to all wheel modules
      - '@runner'  # to allow access to all runner modules
      - '@jobs'    # to allow access to the jobs runner and/or wheel module

rest_cherrypy:
  port: 8000
  ssl_crt: /etc/pki/tls/certs/localhost.crt
  ssl_key: /etc/pki/tls/certs/localhost.key
  disable_ssl: True
  webhook_disable_auth: True
  webhook_url: /hook

the user in /etc/salt/master is set as user: root. So when I try to authenticate using pam locally it works:

sudo salt -a pam '*' test.ping
username: saltuser
password: saltuser

minion:
    True

However when I attempt using curl, it fails:

curl -i http://localhost:8000/login -H "Accept: application/json" -d username='saltuser' -d password='saltuser' -d eauth='pam'
HTTP/1.1 401 Unauthorized
Content-Length: 760
Access-Control-Expose-Headers: GET, POST
Vary: Accept-Encoding
Server: CherryPy/3.5.0
Allow: GET, HEAD, POST
Access-Control-Allow-Credentials: true
Date: Mon, 16 Jan 2017 05:51:48 GMT
Access-Control-Allow-Origin: *
Content-Type: text/html;charset=utf-8
Set-Cookie: session_id=f4c747f23e95ea7742a11a6e6cef146b91a31737; expires=Mon, 16 Jan 2017 15:51:48 GMT; Path=/

<!DOCTYPE html PUBLIC
"-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8"></meta>
    <title>401 Unauthorized</title>
    <style type="text/css">
    #powered_by {
        margin-top: 20px;
        border-top: 2px solid black;
        font-style: italic;
    }

    #traceback {
        color: red;
    }
    </style>
</head>
    <body>
        <h2>401 Unauthorized</h2>
        <p>Could not authenticate using provided credentials</p>
        <pre id="traceback"></pre>
    <div id="powered_by">
      <span>
        Powered by <a href="http://www.cherrypy.org">CherryPy 3.5.0</a>
      </span>
    </div>
    </body>
</html>

Thus, I'm not being able to have either the Java client or the Python client connected. What am I missing in my configuration? The salt-master is already running as root. From my Java code:

import com.suse.salt.netapi.AuthModule;
import com.suse.salt.netapi.calls.WheelResult;
import com.suse.salt.netapi.calls.wheel.Key;
import com.suse.salt.netapi.client.SaltClient;
import com.suse.salt.netapi.exception.SaltException;

import java.net.URI;
import java.util.Optional;

/**
 * Example code calling wheel functions.
 */
public class Salt {

    private static final String SALT_API_URL = " http://localhost:8000";
    private static final String USER = "saltuser";
    private static final String PASSWORD = "saltuser";

    public static void main(String[] args) throws SaltException {
        // Init the client
        SaltClient client = new SaltClient(URI.create(SALT_API_URL));

        // List accepted and pending minion keys
        WheelResult<Key.Names> keyResults = Key.listAll().callSync(
                client, USER, PASSWORD, AuthModule.AUTO);
        Key.Names keys = keyResults.getData().getResult();

        System.out.println("\n--> Accepted minion keys:\n");
        keys.getMinions().forEach(System.out::println);
        System.out.println("\n--> Pending minion keys:\n");
        keys.getUnacceptedMinions().forEach(System.out::println);

        // Generate a new key pair and accept the public key
        WheelResult<Key.Pair> genResults = Key.genAccept("new.minion.id", Optional.empty())
                .callSync(client, USER, PASSWORD, AuthModule.AUTO);
        Key.Pair keyPair = genResults.getData().getResult();

        System.out.println("\n--> New key pair:");
        System.out.println("\nPUB:\n\n" + keyPair.getPub());
        System.out.println("\nPRIV:\n\n" + keyPair.getPriv());
    }
}

com.suse.salt.netapi.exception.SaltUserUnauthorizedException: Salt user does not have sufficient permissions
    at com.suse.salt.netapi.client.impl.HttpClientConnection.createSaltException(HttpClientConnection.java:217)
    at com.suse.salt.netapi.client.impl.HttpClientConnection.executeRequest(HttpClientConnection.java:204)
    at com.suse.salt.netapi.client.impl.HttpClientConnection.request(HttpClientConnection.java:85)
    at com.suse.salt.netapi.client.impl.HttpClientConnection.getResult(HttpClientConnection.java:73)

Answer 1

I encountered the same issue despite using the login endpoint as explained in sahama's answer. I solved it by explicitly setting "eauth": "pam". This is how my request looks like now:

curl -si localhost:8000/login \
-c ~/cookies.txt \
-H "Accept: application/json" \
-H "Content-type: application/json" \
-d '{
    "username": "saltuser",
    "password": "saltuser",
    "eauth": "pam"
}'