This repository has been archived by the owner on Mar 24, 2022. It is now read-only.

disable session and put token in request body #170

Open
derek0377 opened this issue Jul 25, 2016 · 2 comments

Comments

@derek0377

Hi:
Excuse me for interrupting you.
I use a Redis session plugin which I found on GitHub and it works, and I changed the token backend from file to Redis on the salt-master.
Mainly I use the login and run functions.
Here are the problems I met in my environment:
1. The file session backend does not delete sessions after they have already expired in my environment.
2. Too many session lock files when there are too many requests.

I see the token got from the login URL is not the real token which is checked by the salt-master, but is the session id, and the real token is put in the session file.
And people will put the session id in the HTTP header and post it to the run URL; CherryPy will fetch the real token from the session file according to the session id in the HTTP header.

If I fetch the real Salt token from login, disable the session function, put the real token in the HTTP body instead of putting the session id in the HTTP header, and pass the token to the salt-master directly.

Would it be possible? Thanks very much!

@derek0377
Author

@whiteinge

@whiteinge
Contributor

It is possible to use Salt's eauth tokens directly instead of the session tokens. salt-api provides a few lightweight checks, but Salt's LocalClient actually enforces authentication and authorization. The /run and /events endpoints can both bypass the salt-api session checks.

curl -sSi localhost:8000/run \
    -d client=local \
    -d tgt='*' \
    -d fun=test.ping \
    -d token=<salt token here>

Salt tokens support arbitrary expiration times, but that functionality was not directly exposed until the change in saltstack/salt#33296. However, eauth tokens can be created manually if needed.
