SaltGui cannot access rest-api somehow? #623

Closed
nerdoc opened this issue Aug 3, 2024 · 19 comments

@nerdoc
Contributor

nerdoc commented Aug 3, 2024

Describe the bug
I finally installed SaltGui successfully (after a long, winding road... Salt is not easy.)

I can login to the UI using PAM, but I can't see any minions.
The "issues" tab says:

	Could not retrieve list of unaccepted keys
	Could not retrieve list of connected minions
	Could not retrieve list of jobs
	Could not retrieve list of keys
	Could not retrieve list of schedulers
	Could not retrieve list of schedules
	Could not retrieve list of beacons
	Could not retrieve list of beacon

When hovering over one of the lines, it says "Error: Unauthorized"

To Reproduce
parts of my setup:

rest_cherrypy:
  port: 8080
  host: 0.0.0.0
  disable_ssl: true
  app: /srv/saltgui/index.html
  static: /srv/saltgui/static
  static_path: /static
external_auth:
  pam:
    christian:
      - .*
      - '@runner':
        - jobs.active
        - jobs.list_job
        - jobs.list_jobs
        - manage.versions
      - '@wheel':
        - config.values
        - key.finger
        - key.list_all
        - minions.connected
netapi_enable_clients:
    - local
    - local_async
    - runner
    - wheel

When using curl on the rest-api, it works:

curl -sS localhost:8080/run -H 'Accept: application/x-yaml'      \
  -d eauth='pam'      -d username='christian'    \
  -d password='xxx'  -d client='local'   \
  -d tgt='minion1'      -d fun='test.ping'
return:
- minion1: true

A "state.apply" using curl does work too.

Expected behaviour
AFAICT when using ".*" in the pam/ setting, everything should be ok. I expect to be able to manage the minions ;)

I can't think of other things, and I can't find any "log" file of SaltGUI - is there one?

@nerdoc nerdoc added the bug label Aug 3, 2024
@erwindon erwindon changed the title from "SaltGut cannot access rest-api somehow?" to "SaltGui cannot access rest-api somehow?" Aug 3, 2024
@erwindon
Owner

erwindon commented Aug 3, 2024

@nerdoc
I've applied the same PAM settings on my local installation, and that works fine.
And to check that I'm really using these settings, I deleted key.finger from the list, and then got the expected error message on the Keys screen.

Note that you should restart salt-api and salt-master after making changes to the master file.

@erwindon
Owner

erwindon commented Aug 3, 2024

side-note...
removing key.finger from the list revealed an oversight in the Keys screen.
when that api failed, it was only compensating for the accepted keys.
I've now added compensation for unaccepted/rejected/denied keys too.

@erwindon
Owner

erwindon commented Aug 3, 2024

> I can't find any "log" file of SaltGUI - is there one

No, SaltGUI is an application that runs entirely in the browser.
The closest are:

  • logfile /var/log/salt/api (from salt-api)
  • the browser console

@erwindon erwindon assigned nerdoc and unassigned erwindon Aug 3, 2024
@nerdoc
Contributor Author

nerdoc commented Aug 3, 2024

Hm. About the issue: I restarted salt-master and salt-api services multiple times...
And sure, it's a browser-only software, the missing log file makes sense then, but there is the Js console, that helps a bit.
[image]
Many post requests are 401 here.
While The path '/static/minions.txt' was not found. could be something else, the POST requests are weird to be 401.
payload e.g. is {"client":"runner","fun":"jobs.list_jobs"} - I get as answer: Authentication failure of type "token" occurred for user christian.
Maybe you could read something more from this now.

@erwindon
Owner

erwindon commented Aug 5, 2024

Sorry for the delay, I missed the notification for your comment...

> /static/minions.txt
> [and /static/salt-auth.txt, /static/salt-motd.txt, /static/salt-motd.html]

these should all be 404's, unless you already manually added these files.
each of these 4 files can be added by you to the SaltGUI webcontent.

  • salt-auth.txt provides extra hints for the login screen for alternative login mechanisms.
  • salt-motd.txt and salt-motd.html provide a before-login motd message on the login screen.
  • minions.txt provides hints on the expected state of minions. they may be unreachable because the administrator did a shutdown on them. this file is typically filled using custom tools to reflect the status of cloud-based VMs.

The others are for API functions and should follow the settings from external_auth. With your settings, most should succeed.

> Authentication failure of type "token" occurred for user christian

I always forget to mention this one...
do salt-master and/or salt-api (typically running under user salt) have read-access to the file /etc/shadow?
on some Linuxes, you need command sudo setfacl -m u:salt:r /etc/shadow to get this done.

@erwindon
Owner

@nerdoc do you still have this problem?

@Broula-cmd

Hi, I'm currently dealing with a similar problem. I can't login to saltgui - session expired. When I try to connect locally to localhost:3333 , the logging works, but I get the same errors as in the post.

I have the same setup, it worked fine before.

@erwindon
Owner

@Broula-cmd please open a new issue. my experience is that the causes are in the individual setups and should therefore be handled individually.

@erwindon
Owner

@nerdoc
I did not receive additional information.
I'll close this issue. Feel free to open a new issue when you still have problems.

@nerdoc
Contributor Author

nerdoc commented Sep 13, 2024

> Sorry for the delay, I missed the notification for your comment...

No problem, I was on holidays (and afterwards busy) so I did not respond in time. But the issue is still open for me.

> The others are for API functions and should follow the settings from external_auth. With your settings, most should succeed.

ok, so they should not disturb the rest of the software - and at least not this issue.

> Authentication failure of type "token" occurred for user christian

> I always forget to mention this one... do salt-master and/or salt-api (typically running under user salt) have read-access to the file /etc/shadow? on some Linuxes, you need command sudo setfacl -m u:salt:r /etc/shadow to get this done.

the salt user (under which salt-master and salt-minion run) is in the "shadow" group which has r/o access to /etc/shadow:

root@salt:~# ls -la /etc/shadow
-rw-r----- 1 root shadow 865 Aug  2 22:13 /etc/shadow
root@salt:~# groups salt
salt : salt shadow
root@salt:~# ps aux|grep salt
salt      206813  0.3  2.5 242768 53684 ?        Ss   07:14   0:00 /opt/saltstack/salt/bin/python3.10 /usr/bin/salt-api MainProcess
salt      206879  0.5  2.6 249052 54900 ?        Ss   07:14   0:00 /opt/saltstack/salt/bin/python3.10 /usr/bin/salt-master MainProcess
salt      206888  0.2  2.6 1600704 55692 ?       Sl   07:14   0:00 /opt/saltstack/salt/bin/python3.10 /usr/bin/salt-api RunNetapi(salt.loaded.int.netapi.rest_cherrypy)
[...]
salt      207063  0.0  2.3 330716 48568 ?        Sl   07:14   0:00 /opt/saltstack/salt/bin/python3.10 /usr/bin/salt-master PubServerChannel._publish_daemon
salt      207066  0.0  2.2 256300 48132 ?        S    07:14   0:00 /opt/saltstack/salt/bin/python3.10 /usr/bin/salt-master EventPublisher
salt      207067  0.0  2.3 252168 48648 ?        S    07:14   0:00 /opt/saltstack/salt/bin/python3.10 /usr/bin/salt-master EventMonitor
salt      207076  0.2  2.7 257584 56952 ?        S    07:14   0:00 /opt/saltstack/salt/bin/python3.10 /usr/bin/salt-master Maintenance
salt      207082  0.0  2.2 248920 47616 ?        S    07:14   0:00 /opt/saltstack/salt/bin/python3.10 /usr/bin/salt-master ReqServer ReqServer_ProcessManager
salt      207101  0.6  2.3 625932 49272 ?        Sl   07:14   0:00 /opt/saltstack/salt/bin/python3.10 /usr/bin/salt-master ReqServer MWorkerQueue
salt      207104  0.7  3.0 493612 64376 ?        Sl   07:14   0:00 /opt/saltstack/salt/bin/python3.10 /usr/bin/salt-master ReqServer MWorker-0
salt      207106  0.0  2.2 323808 48120 ?        Sl   07:14   0:00 /opt/saltstack/salt/bin/python3.10 /usr/bin/salt-master FileServerUpdate
salt      207107  0.7  3.0 493356 63864 ?        Sl   07:14   0:00 /opt/saltstack/salt/bin/python3.10 /usr/bin/salt-master ReqServer MWorker-1
salt      207108  0.7  3.0 493312 63352 ?        Sl   07:14   0:00 /opt/saltstack/salt/bin/python3.10 /usr/bin/salt-master ReqServer MWorker-2
salt      207118  0.7  3.0 501548 63480 ?        Sl   07:14   0:00 /opt/saltstack/salt/bin/python3.10 /usr/bin/salt-master ReqServer MWorker-3
salt      207119  0.7  3.0 495180 64888 ?        Sl   07:14   0:00 /opt/saltstack/salt/bin/python3.10 /usr/bin/salt-master ReqServer MWorker-4
[...]

So everything seems fine, but the error stays.

@nerdoc
Contributor Author

nerdoc commented Sep 13, 2024

I even added my user (christian) temporarily to the "salt" and "shadow" groups - because SaltGUI uses PAM as login method - and maybe when using this user, SaltGUI will use its permissions. No difference.

@erwindon erwindon reopened this Sep 13, 2024
@erwindon
Owner

ok, let me try to replicate your (exact) situation:

  • which Linux distribution and version are you using?
  • which SaltStack version are you using?

@nerdoc
Contributor Author

nerdoc commented Sep 16, 2024

I am using plain Debian 12, up to date packages.
And installed saltstack using their repo/install script: salt-{api|common|master|minion} v 3007.1

@nerdoc
Contributor Author

nerdoc commented Sep 16, 2024

/etc/salt/master is unchanged, and my /etc/salt/master.d/local.conf is this:

file_roots:
  base:
    - /srv/salt/

keep_acl_in_token: True

allow_uid_change: True
allow_gid_change: True

mysql.host: 'db'
mysql.user: 'salt'
mysql.pass: 'XXXXXX'
mysql.db: 'salt'
mysql.port: 3306

rest_cherrypy:
  port: 8080
  host: 0.0.0.0
  disable_ssl: true
  app: /srv/saltgui/index.html
  static: /srv/saltgui/static
  static_path: /static

external_auth:
  pam:
    christian:
      - .*
      - '@runner':
        - jobs.active
        - jobs.list_job
        - jobs.list_jobs
        - manage.versions
      - '@wheel':
        - config.values
        - key.finger
        - key.list_all
        - minions.connected

netapi_enable_clients:
    - local
    - local_async
    - runner
    - wheel

@erwindon erwindon assigned erwindon and unassigned nerdoc Oct 12, 2024
@erwindon
Owner

I can repeat your situation when I also set keep_acl_in_token: True.
Do you really need that?

@erwindon erwindon assigned nerdoc and unassigned erwindon Oct 19, 2024
@nerdoc
Contributor Author

nerdoc commented Oct 20, 2024

the reason why I set this was that if I didn't set it, I get some errors in the logs:

The 'rest' external_auth backend requires 'keep_acl_in_token' to be True. Setting 'keep_acl_in_token' to True.

So I assume it is set to True anyway internally.

And it doesn't make a difference if I comment out this directive.

@erwindon
Owner

According to the source code of Salt, that warning is only raised when rest is present as a key under external_auth.
See file salt/config/__init__.py (line 3978 in my dev version of SaltStack).
In your sample, you do not mention rest.
It looks like enabling the rest authentication provider breaks the other authentication providers (or at least it breaks pam).
Do you have other salt-api clients besides SaltGUI?
Or is there another reason why you want to use rest in the salt-api as an authentication provider?
Note that in a standard SaltGUI installation you cannot even select rest as provider on the login screen. You would need to place a file salt-auth.txt on your system for that. See the SaltGUI manual for details.

@nerdoc
Contributor Author

nerdoc commented Oct 21, 2024

That's correct, my fault, I snipped out all comments from my config, and the (in my thoughts additional...) rest part under external_auth too. Sorry, I didn't think that would make a difference, as it is an "additional" authentication, so this is my "real" copy'n'pasted external auth config.
I additionally tried to setup alcali - therefore I have rest as auth provider too, but with the same negative success. Both UIs are working, but have problems authenticating.

TL;DR: I removed the rest: part under external_auth - and it miraculously worked, flawless.

Thanks for your time and support.

@nerdoc nerdoc closed this as completed Oct 21, 2024
@erwindon erwindon assigned erwindon and unassigned nerdoc Oct 21, 2024
@erwindon
Owner

re-opening because I want to add a warning in the SaltGUI README file

@erwindon erwindon reopened this Oct 21, 2024
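
A check for the configuration conflict found in this thread, as an added example that is not part of the original discussion and not code from SaltGUI or Salt: it flags `rest` next to other `external_auth` backends, an explicit `keep_acl_in_token`, a bare `.*` ACL entry, and `disable_ssl` on a non-loopback listener. The function name, the finding codes and the `rest` placeholder URL are assumptions made for the example.

```python
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def audit_master_config(cfg):
    """Return (code, detail) findings for a parsed Salt master config dict."""
    findings = []
    eauth = cfg.get("external_auth") or {}
    api = cfg.get("rest_cherrypy") or {}

    # Salt forces keep_acl_in_token=True when 'rest' is an external_auth key;
    # in the thread, pam token auth failed until the 'rest' section was removed.
    others = sorted(b for b in eauth if b != "rest")
    if "rest" in eauth and others:
        findings.append(("REST_BESIDE_OTHER_EAUTH", ",".join(others)))
    elif cfg.get("keep_acl_in_token") and "rest" not in eauth:
        # The maintainer reproduced the 401s with this option set explicitly.
        findings.append(("KEEP_ACL_IN_TOKEN_SET", "keep_acl_in_token: True"))

    # A bare '.*' entry (a string, not an '@runner'/'@wheel'/target mapping)
    # allows every execution function on every minion for that user.
    for backend, users in eauth.items():
        for user, perms in (users or {}).items():
            if isinstance(perms, list) and ".*" in perms:
                findings.append(("WILDCARD_ACL", "%s/%s" % (backend, user)))

    # disable_ssl on a non-loopback listener sends eauth passwords in cleartext.
    host = str(api.get("host", "0.0.0.0"))
    if api.get("disable_ssl") and host not in LOOPBACK:
        findings.append(("CLEARTEXT_API", "%s:%s" % (host, api.get("port"))))
    return findings

# Constructed sample modelled on the reporter's local.conf; the 'rest' section
# and its URL are placeholders, since the thread never shows that part.
SAMPLE = {
    "keep_acl_in_token": True,
    "rest_cherrypy": {"port": 8080, "host": "0.0.0.0", "disable_ssl": True},
    "external_auth": {
        "pam": {"christian": [".*",
                              {"@runner": ["jobs.active", "jobs.list_jobs"]},
                              {"@wheel": ["key.finger", "key.list_all"]}]},
        "rest": {"^url": "https://auth.example.invalid/login"},
    },
}

if __name__ == "__main__":
    for code, detail in audit_master_config(SAMPLE):
        print(code, detail)
```

Run it on the full merged configuration rather than an excerpt; in this thread the `rest` section had been trimmed from the snippet that was first posted.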