kevins9/etc_salt_master Secret

## etc_salt_master
external_auth:
  pam:
    newminion:
      - '@wheel'

rest_cherrypy:
  port: 8000
  host: 0.0.0.0
  ssl_crt: /etc/pki/tls/certs/localhost.crt
  ssl_key: /etc/pki/tls/private/localhost.key

## evidence
credentials are good:
---------------------
[root@saltmaster ~]# curl -ksi https://localhost:8000/login -H "Accept: application/json" -d username=newminion -d password=password -d eauth=pam
HTTP/1.1 200 OK
Content-Length: 184
Access-Control-Expose-Headers: GET, POST
Vary: Accept-Encoding
Server: CherryPy/3.2.2
Allow: GET, HEAD, POST
Access-Control-Allow-Credentials: true
Date: Wed, 10 Jun 2015 22:28:17 GMT
Access-Control-Allow-Origin: *
X-Auth-Token: 80a898f412b457a6bbe51714137b22847c8fabc5
Content-Type: application/json
Set-Cookie: session_id=80a898f412b457a6bbe51714137b22847c8fabc5; expires=Thu, 11 Jun 2015 08:28:17 GMT; Path=/

{"return": [{"perms": ["@wheel"], "start": 1433975297.5599329, "token": "80a898f412b457a6bbe51714137b22847c8fabc5", "expire": 1434018497.5599339, "user": "newminion", "eauth": "pam"}]}

keys request fails:
-------------------
[root@saltmaster ~]# curl -sSk https://localhost:8000/keys -d mid=foobar.test.example.net -d username=newminion -d password=password -d euath=pam
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8"></meta>
    <title>401 Unauthorized</title>
    <style type="text/css">
    #powered_by {
        margin-top: 20px;
        border-top: 2px solid black;
        font-style: italic;
    }

    #traceback {
        color: red;
    }
    </style>
</head>
    <body>
        <h2>401 Unauthorized</h2>
        <p>No permission -- see authorization schemes</p>
        <pre id="traceback"></pre>
    <div id="powered_by">
    <span>Powered by <a href="http://www.cherrypy.org">CherryPy 3.2.2</a></span>
    </div>
    </body>
</html>

now any call fails with 500:
----------------------------
[root@saltmaster ~]# curl -ksi https://localhost:8000/login -H "Accept: application/json" -d username=newminion -d password=password -d eauth=pam
HTTP/1.1 500 Internal Server Error
Content-Length: 805
Access-Control-Expose-Headers: GET, POST
Server: CherryPy/3.2.2
Allow: GET, HEAD, POST
Access-Control-Allow-Credentials: true
Date: Wed, 10 Jun 2015 22:31:37 GMT
Access-Control-Allow-Origin: *
Content-Type: text/html;charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8"></meta>
    <title>500 Internal Server Error</title>
    <style type="text/css">
    #powered_by {
        margin-top: 20px;
        border-top: 2px solid black;
        font-style: italic;
    }

    #traceback {
        color: red;
    }
    </style>
</head>
    <body>
        <h2>500 Internal Server Error</h2>
        <p>The server encountered an unexpected condition which prevented it from fulfilling the request.</p>
        <pre id="traceback"></pre>
    <div id="powered_by">
    <span>Powered by <a href="http://www.cherrypy.org">CherryPy 3.2.2</a></span>
    </div>
    </body>
</html>

salt-api must be restarted for it to respond to any call.
This worked previously!  Now /keys consistently results in a 401 followed by 500s to all requests.

## user setup
# getent passwd newminion
newminion:x:501:99:new minion creation only:/dev/null:/sbin/nologin

## versions
# salt --versions
           Salt: 2014.7.1
         Python: 2.6.6 (r266:84292, Jan 22 2014, 09:42:36)
         Jinja2: unknown
       M2Crypto: 0.20.2
 msgpack-python: 0.4.4
   msgpack-pure: Not Installed
       pycrypto: 2.0.1
        libnacl: Not Installed
         PyYAML: 3.10
          ioflo: Not Installed
          PyZMQ: 14.3.1
           RAET: Not Installed
            ZMQ: 3.2.5
           Mako: Not Installed
	external_auth:
	pam:
	newminion:
	- '@wheel'

	rest_cherrypy:
	port: 8000
	host: 0.0.0.0
	ssl_crt: /etc/pki/tls/certs/localhost.crt
	ssl_key: /etc/pki/tls/private/localhost.key
	credentials are good:
	---------------------
	[root@saltmaster ~]# curl -ksi https://localhost:8000/login -H "Accept: application/json" -d username=newminion -d password=password -d eauth=pam
	HTTP/1.1 200 OK
	Content-Length: 184
	Access-Control-Expose-Headers: GET, POST
	Vary: Accept-Encoding
	Server: CherryPy/3.2.2
	Allow: GET, HEAD, POST
	Access-Control-Allow-Credentials: true
	Date: Wed, 10 Jun 2015 22:28:17 GMT
	Access-Control-Allow-Origin: *
	X-Auth-Token: 80a898f412b457a6bbe51714137b22847c8fabc5
	Content-Type: application/json
	Set-Cookie: session_id=80a898f412b457a6bbe51714137b22847c8fabc5; expires=Thu, 11 Jun 2015 08:28:17 GMT; Path=/

	{"return": [{"perms": ["@wheel"], "start": 1433975297.5599329, "token": "80a898f412b457a6bbe51714137b22847c8fabc5", "expire": 1434018497.5599339, "user": "newminion", "eauth": "pam"}]}

	keys request fails:
	-------------------
	[root@saltmaster ~]# curl -sSk https://localhost:8000/keys -d mid=foobar.test.example.net -d username=newminion -d password=password -d euath=pam
	<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
	"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
	<html>
	<head>
	<meta http-equiv="Content-Type" content="text/html; charset=utf-8"></meta>
	<title>401 Unauthorized</title>
	<style type="text/css">
	#powered_by {
	margin-top: 20px;
	border-top: 2px solid black;
	font-style: italic;
	}

	#traceback {
	color: red;
	}
	</style>
	</head>
	<body>
	<h2>401 Unauthorized</h2>
	<p>No permission -- see authorization schemes</p>
	<pre id="traceback"></pre>
	<div id="powered_by">
	<span>Powered by <a href="http://www.cherrypy.org">CherryPy 3.2.2</a></span>
	</div>
	</body>
	</html>

	now any call fails with 500:
	----------------------------
	[root@saltmaster ~]# curl -ksi https://localhost:8000/login -H "Accept: application/json" -d username=newminion -d password=password -d eauth=pam
	HTTP/1.1 500 Internal Server Error
	Content-Length: 805
	Access-Control-Expose-Headers: GET, POST
	Server: CherryPy/3.2.2
	Allow: GET, HEAD, POST
	Access-Control-Allow-Credentials: true
	Date: Wed, 10 Jun 2015 22:31:37 GMT
	Access-Control-Allow-Origin: *
	Content-Type: text/html;charset=utf-8

	<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
	"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
	<html>
	<head>
	<meta http-equiv="Content-Type" content="text/html; charset=utf-8"></meta>
	<title>500 Internal Server Error</title>
	<style type="text/css">
	#powered_by {
	margin-top: 20px;
	border-top: 2px solid black;
	font-style: italic;
	}

	#traceback {
	color: red;
	}
	</style>
	</head>
	<body>
	<h2>500 Internal Server Error</h2>
	<p>The server encountered an unexpected condition which prevented it from fulfilling the request.</p>
	<pre id="traceback"></pre>
	<div id="powered_by">
	<span>Powered by <a href="http://www.cherrypy.org">CherryPy 3.2.2</a></span>
	</div>
	</body>
	</html>

	salt-api must be restarted for it to respond to any call.
	This worked previously! Now /keys consistently results in a 401 followed by 500s to all requests.
	# getent passwd newminion
	newminion:x:501:99:new minion creation only:/dev/null:/sbin/nologin
	# salt --versions
	Salt: 2014.7.1
	Python: 2.6.6 (r266:84292, Jan 22 2014, 09:42:36)
	Jinja2: unknown
	M2Crypto: 0.20.2
	msgpack-python: 0.4.4
	msgpack-pure: Not Installed
	pycrypto: 2.0.1
	libnacl: Not Installed
	PyYAML: 3.10
	ioflo: Not Installed
	PyZMQ: 14.3.1
	RAET: Not Installed
	ZMQ: 3.2.5
	Mako: Not Installed