- Install salt-api
yum install salt-api
- Install cherrypy
pip install cherrypy==3.2.3
This version is the recommended one on CentOS 6.5.
- Generate a self-signed certificate
cd /etc/pki/tls/certs/
Once in the certificate directory, run make testcert to generate the certificate (the Makefile runs the openssl command shown below)
make testcert
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key /etc/pki/tls/private/localhost.key -x509 -days 365 -out /etc/pki/tls/certs/localhost.crt -set_serial 0
Enter pass phrase for /etc/pki/tls/private/localhost.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shenzhen
Locality Name (eg, city) [Default City]:Shenzhen
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:36634584@qq.com
At this point the certificate localhost.crt has been written to the current directory (/etc/pki/tls/certs/), and the passphrase-protected private key localhost.key to ../private/. salt-api cannot prompt for a passphrase at startup, so strip it:
cd ../private/
openssl rsa -in localhost.key -out localhost_nopass.key
Enter pass phrase for localhost.key:
writing RSA key
The private directory (/etc/pki/tls/private/) now also contains localhost_nopass.key, the same key without a passphrase. Because it is unencrypted, keep it root-owned with mode 0600. With that, the self-signed certificate is ready.
- Configure the master file
vim /etc/salt/master
# Remove the # in front of the default_include line
default_include: master.d/*.conf
Create the master.d directory next to it (/etc/salt/master.d)
mkdir master.d
In master.d, create the files eauth.conf and api.conf
touch eauth.conf
touch api.conf
Edit api.conf and put in the following (the top-level key must be exactly rest_cherrypy, otherwise salt-api does not load the REST module):
rest_cherrypy:
  port: 8888
  ssl_crt: /etc/pki/tls/certs/localhost.crt
  ssl_key: /etc/pki/tls/private/localhost_nopass.key
Edit eauth.conf and put in the following:
external_auth:
  pam:
    saltapi:
      - .*
      - '@wheel'
      - '@runner'
saltapi here is a Linux system user; create it if it does not exist, or use the user you are currently logged in as. Note what these perms grant: .* lets the user call every execution module on every minion, and '@wheel' / '@runner' give access to all wheel and runner functions, including minion key management. That is fine for a test setup; outside one, restrict the list to the modules you actually need.
useradd -M -s /sbin/nologin saltapi
echo 'saltapi' | passwd saltapi --stdin
A password identical to the username, as here, is a lab convenience only: this password is the only thing standing between the API and full control of the master, so use a strong one in practice.
- Once everything is configured, restart salt-master and salt-api
/etc/init.d/salt-master restart
/etc/init.d/salt-api restart
- Check that salt-api started successfully
netstat -lntp|grep 8888
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 0.0.0.0:8888 0.0.0.0:* LISTEN -
The 0.0.0.0 means salt-api listens on every interface; if only local clients need it, set the rest_cherrypy host option to 127.0.0.1 or firewall the port.
- Log in to salt-api and obtain a token
curl -k https://127.0.0.1:8888/login -H "Accept: application/x-yaml" -d username='saltapi' -d password='saltapi' -d eauth='pam'
return:
- eauth: pam
  expire: 1517582521.5378239
  perms:
  - .*
  - '@wheel'
  - '@runner'
  start: 1517539321.537823
  token: b330140a43ec8411cfdb3038e853612e5ca9c490
  user: saltapi
As shown, the token is b330140a43ec8411cfdb3038e853612e5ca9c490; it is valid from start until expire, i.e. 43200 seconds (12 hours) here, after which you must log in again. The perms list echoes the eauth.conf entries for this user.
- Run a command with the token
curl -k https://127.0.0.1:8888 -H "Accept: application/x-yaml" -H "X-Auth-Token: b330140a43ec8411cfdb3038e853612e5ca9c490" -d client='local' -d tgt='*' -d fun='test.ping'
This API request is equivalent to salt '*' test.ping. The -k flag disables certificate verification; it is needed here because the certificate is self-signed and was generated with an empty Common Name, so curl --cacert would still reject the hostname. A client that pins the certificate instead (see below) avoids sending the password and token to an unverified server.
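The whole login / token / command flow above as a small Python client. This is an added example, not code from the original post or from the Salt project. It assumes the salt-api configured above (https://127.0.0.1:8888, eauth=pam, system user saltapi) and requests JSON instead of x-yaml so no YAML parser is needed; instead of curl -k it pins the self-signed localhost.crt as the only trusted certificate. The fake_transport function and its replies are constructed here, modelled on the curl output above, so the example runs offline; against a real master, leave transport unset.

```python
"""salt-api (rest_cherrypy) client: log in, cache the token, run a command.

Added example, not code from the original post or from the Salt project.
``fake_transport`` and its replies are constructed here (values copied from
the curl output above) so the example runs offline.
"""
import json
import re
import ssl
import time
import urllib.request
from urllib.parse import urlencode


def https_transport(cafile):
    """POST helper that trusts only the self-signed localhost.crt (pinning).
    The cert made above has an empty CN and no SAN, so hostname checking cannot
    succeed; the pin to that single cert is what replaces curl -k."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False          # verify_mode stays CERT_REQUIRED

    def send(url, headers, form):
        req = urllib.request.Request(url, data=urlencode(form).encode(),
                                     headers=headers, method="POST")
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return resp.read()
    return send


class SaltAPIClient:
    def __init__(self, base_url, username, password, eauth="pam", transport=None,
                 cafile="/etc/pki/tls/certs/localhost.crt", clock=time.time):
        if not base_url.startswith("https://"):   # password and token travel in the request
            raise ValueError("salt-api must be reached over https")
        self.base_url = base_url.rstrip("/")
        self.creds = [("username", username), ("password", password), ("eauth", eauth)]
        self.transport = transport or https_transport(cafile)
        self.clock = clock
        self.token, self.expire, self.perms = None, 0.0, []

    def _post(self, path, form, headers=None):
        hdrs = {"Accept": "application/json"}   # JSON reply instead of x-yaml
        hdrs.update(headers or {})
        body = json.loads(self.transport(self.base_url + path, hdrs, form))
        if "return" not in body:
            raise RuntimeError("unexpected salt-api reply: %r" % (body,))
        return body["return"]

    def login(self):
        """Same request as the curl /login above; caches token, expiry and perms."""
        entry = self._post("/login", self.creds)[0]
        self.token, self.expire = entry["token"], float(entry["expire"])
        self.perms = list(entry.get("perms", []))
        return entry

    def token_valid(self, margin=60):
        """Usable until ``expire`` (12 h after ``start`` in the output above)."""
        return self.token is not None and self.clock() + margin < self.expire

    def allowed(self, fun, client="local"):
        """Local mirror of the master's ACL check (the master stays authoritative):
        '@runner'/'@wheel' gate those clients; other entries are regexes tried
        with re.match against the function name, so '.*' permits everything."""
        if client in ("runner", "wheel"):
            return "@" + client in self.perms
        return any(re.match(p, fun) for p in self.perms
                   if isinstance(p, str) and not p.startswith("@"))

    def run(self, tgt, fun, *args, client="local"):
        """Equivalent of: salt '<tgt>' <fun> <args>; logs in again on an expired token."""
        if not self.token_valid():
            self.login()
        if not self.allowed(fun, client):
            raise PermissionError("%s denied by eauth perms %r" % (fun, self.perms))
        form = [("client", client), ("tgt", tgt), ("fun", fun)] + [("arg", a) for a in args]
        return self._post("/", form, {"X-Auth-Token": self.token})[0]


# Constructed stand-in for the server; values copied from the curl output above.
_LOGIN_REPLY = {"return": [{"eauth": "pam", "expire": 1517582521.5378239,
                            "perms": [".*", "@wheel", "@runner"],
                            "start": 1517539321.537823,
                            "token": "b330140a43ec8411cfdb3038e853612e5ca9c490",
                            "user": "saltapi"}]}


def fake_transport(url, headers, form):
    f = dict(form)
    if url.endswith("/login"):
        if (f.get("eauth"), f.get("username"), f.get("password")) != ("pam", "saltapi", "saltapi"):
            raise PermissionError("401 Unauthorized")   # a real server answers HTTP 401
        return json.dumps(_LOGIN_REPLY).encode()
    if headers.get("X-Auth-Token") != _LOGIN_REPLY["return"][0]["token"]:
        raise PermissionError("401 Unauthorized")
    return json.dumps({"return": [{"minion1": True, "minion2": True}]}).encode()


def demo(clock=lambda: 1517539400.0):
    """Log in and run test.ping on every minion through the fake server."""
    client = SaltAPIClient("https://127.0.0.1:8888", "saltapi", "saltapi",
                           transport=fake_transport, clock=clock)
    return client.run("*", "test.ping")   # {'minion1': True, 'minion2': True}
```

The `clock` parameter exists only so the expiry logic can be exercised against the fixed timestamps from the page; in normal use `time.time` is the default. If you regenerate the certificate with a Common Name or SAN matching the host you connect to, drop the `ctx.check_hostname = False` line and keep full verification.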