Zero Trust Host Access

The salt channels allow users to make the changes required on the infrastructure layer by sending customized commands to their instances. Only Org Admins are allowed to make the request. A Swagger REST API is supported for performing operations on Salt Exec.


Salt Exec Core Model

  • The Org Admin calls the API with target nodes and commands
  • The Salt-exec authenticates and authorizes the call. The authorization process checks the following:
      • If all the nodes belong to the projects
      • If the user is authorized to access the project
  • The user receives the salt-exec ID
  • Use another API along with this ID to get the status and standard output response from the commands sent
  • Use an API for an audit trail that contains the information - { command ran, user, target nodes, project, source IP address, timestamps }
  • The request, salt-exec ID, and responses are stored in the Database

Salt Exec Architecture


API commands

Step 1: Post

/cmdexec/v1/projects/:project_id/edges/:edge_id/execute/

Example of Post request:

{
      "target": "" (if node, specify the hostname; if cluster, this will be nil)
      "target_type": "<node/cluster>"
      "command": ""
      "content_type": "<string/base64>" (string is default)
      "timeout": 60 (default)
}
  • Target is either an array of nodes or a single cluster
  • Any large script can be executed in a single command (base64 or otherwise)
  • There is no retry when nodes are unreachable; users must call the API again
  • Users cannot send commands to unapproved nodes. Only Approved and Provisioned nodes respond to commands
  • TRIMMED_VALUE is shown if the standard output returned from the node is large

Example of Post Request Output

{         
    Id: hashvalue
    SubmittedAt:
    EdgeId:
    ProjectId:
    OrganizationId:
    PartnerId:
    Command:
    Target:
    TargetType:
    TargetNodes:
    ContentType:
    Timeout:
    Username:
    UnreachableNodes:
    UnapprovedNodes:
}

Step 2: Get Response

Call the endpoint below to fetch the required information.

/cmdexec/v1/projects/:project_id/edges/:edge_id/execution/:exec_id/

Provide the ID retrieved from the post request output

Get Response Output

{
    NodeResponses: [
      {
        "Name" :
        "Resp" : {
          "Return":
          "Retcode":
          "Success":
        }
      },
      ...
    ]
    Responded: [
      "",
      "",
    ]
    Unreachable: [
      "",
    ]
    Unapproved: [
      "",
    ]
    Pending: [
      "",
    ]

}
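
The following is an added example, not code from the original page or from the product: it builds a Step 1 request body that carries a script as base64 and sorts the nodes of a Step 2 response by the follow-up each one needs. The value types (Success as a boolean, Retcode as an integer, Return as text containing TRIMMED_VALUE when trimmed), the list form of "target", and the sample response are assumptions.

```python
import base64

def build_request(script, nodes, timeout=60):
    """Body for the Step 1 POST, carrying a multi-line script as base64."""
    return {
        "target": nodes,  # assumption: list of hostnames when target_type is "node"
        "target_type": "node",
        "command": base64.b64encode(script.encode("utf-8")).decode("ascii"),
        "content_type": "base64",
        "timeout": timeout,
    }

def triage(resp):
    """Group the nodes of a Step 2 response by the follow-up each one needs."""
    out = {"ok": [], "failed": [], "trimmed": []}
    for node in resp.get("NodeResponses") or []:
        r = node.get("Resp") or {}
        # Assumption: Success is a bool, Retcode an int, Return the stdout text.
        good = r.get("Success") is True and r.get("Retcode") == 0
        out["ok" if good else "failed"].append(node["Name"])
        if "TRIMMED_VALUE" in str(r.get("Return", "")):
            out["trimmed"].append(node["Name"])  # output too large, not complete
    out["poll_again"] = list(resp.get("Pending") or [])    # no response yet
    out["resubmit"] = list(resp.get("Unreachable") or [])  # call the API again
    out["blocked"] = list(resp.get("Unapproved") or [])    # never ran the command
    out["complete"] = not out["poll_again"]
    return out

# Constructed sample response (hostnames and outputs are made up).
SAMPLE = {
    "NodeResponses": [
        {"Name": "node-a", "Resp": {"Return": "ok\n", "Retcode": 0, "Success": True}},
        {"Name": "node-b", "Resp": {"Return": "TRIMMED_VALUE", "Retcode": 0, "Success": True}},
        {"Name": "node-c", "Resp": {"Return": "permission denied", "Retcode": 1, "Success": False}},
    ],
    "Responded": ["node-a", "node-b", "node-c"],
    "Unreachable": ["node-d"],
    "Unapproved": ["node-e"],
    "Pending": ["node-f"],
}

if __name__ == "__main__":
    print(build_request("#!/bin/sh\nuname -a\n", ["node-a", "node-b"]))
    print(triage(SAMPLE))
```

Treating Unapproved and Unreachable nodes as distinct from failed ones keeps a change from being recorded as applied on hosts that never ran it.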


Step 3: Get History

/cmdexec/v1/projects/:project_id/history/?limit=10&offset=0

The limit and offset query parameters control how many history records are returned. If no input is passed, the default limit is 10 responses and the default offset is 0.