Authentication denied in FreeBSD #504

Closed
andrewhotlab opened this issue Sep 15, 2023 · 2 comments

@andrewhotlab

First of all, thank you so much @mattLLVW for this precious piece of software!

Unfortunately, I'm having trouble making it work in our FreeBSD environment, and I'd be very grateful if anyone might point me in the right direction for troubleshooting this issue.

Salt (v3006.1) Master, API and ALCALI (vrunning all in FreeBSD 12.4. I'm pretty new to Salt, thus I'm likely missing something here...

I set up ALCALI to authenticate with its eauth module to salt-api, and it seems to me that there is no problem authenticating the alcali admin user account by using curl:

# alcali manage_token admin
user admin's token: 396f9d6f9906b8f9c480722f2edc2ecaaa6209b7

# curl -ski https://localhost:8080/login -H 'Accept: application/json' -d eauth='alcali' -d username='admin' -d password='396f9d6f9906b8f9c480722f2edc2ecaaa6209b7'
HTTP/1.1 200 OK
Content-Type: application/json
Server: CherryPy/18.8.0
Date: Fri, 15 Sep 2023 16:55:00 GMT
Allow: GET, HEAD, POST
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: GET, POST
Access-Control-Allow-Credentials: true
X-Auth-Token: 913d982bf7f2517d6506dbd4dd9a3d8801130691
Vary: Accept-Encoding
Content-Length: 209
Set-Cookie: session_id=913d982bf7f2517d6506dbd4dd9a3d8801130691; expires=Sat, 16 Sep 2023 02:55:00 GMT; Max-Age=36000; Path=/

{"return": [{"token": "913d982bf7f2517d6506dbd4dd9a3d8801130691", "expire": 1694840100.9966853, "start": 1694796900.996685, "user": "admin", "eauth": "alcali", "perms": [".*", "@local", "@runner", "@wheel"]}]}

But when I log in to the web UI and try to refresh keys, I receive this error:

Screenshot_2023-09-15_18-56-29

Here are the relevant lines from salt-api logs:

[INFO    ] [api_acl] Authentication not checked for user admin from IP 192.168.171.8
[TRACE   ] ReqChannel send clear load={'username': 'admin', 'password': '396f9d6f9906b8f9c480722f2edc2ecaaa6209b7', 'eauth': 'alcali', 'cmd': 'mk_token'}
[DEBUG   ] Closing AsyncReqChannel instance
[15/Sep/2023:19:07:00] ENGINE Started monitor thread 'Session cleanup'.
[INFO    ] [15/Sep/2023:19:07:00] ENGINE Started monitor thread 'Session cleanup'.
192.168.171.8 - - [15/Sep/2023:19:07:00] "POST /login HTTP/1.1" 200 209 "" "Python-urllib/3.9"
[INFO    ] 192.168.171.8 - - [15/Sep/2023:19:07:00] "POST /login HTTP/1.1" 200 209 "" "Python-urllib/3.9"
[TRACE   ] ReqChannel send clear load={'client': 'wheel', 'token': '860d6fc7193f1a53d223e7b195b08158650f686644d3edcfbf39d8931f862267', 'fun': 'key.list_all', 'cmd': 'wheel'}
[DEBUG   ] Closing AsyncReqChannel instance
[ERROR   ] Authentication failure of type "token" occurred for user admin.
192.168.171.8 - - [15/Sep/2023:19:07:00] "POST / HTTP/1.1" 401 3023 "" "Python-urllib/3.9"
[INFO    ] 192.168.171.8 - - [15/Sep/2023:19:07:00] "POST / HTTP/1.1" 401 3023 "" "Python-urllib/3.9"

Relevant lines in files under /usr/local/etc/master.d/:

rest_cherrypy:
  port: 8080
  host: 0.0.0.0
  debug: True
  ssl_crt: /usr/local/etc/salt/pki/tls/certs/localhost.crt
  ssl_key: /usr/local/etc/salt/pki/tls/certs/localhost.key
keep_acl_in_token: True
netapi_enable_clients:
  - local
  - local_async
  - local_batch
  - local_subset
  - runner
  - runner_async
  - wheel
  - wheel_async
auth_dirs: [/usr/local/etc/salt/auth]
external_auth:
  alcali:
    admin:
      - .*
      - '@local'
      - '@runner'
      - '@wheel'

I also tried with the REST eauth module, but it seems that the salt-api response at login misses the permissions list:

curl -ski https://localhost:8080/login -H 'Accept: application/json' -d eauth='rest' -d username='admin' -d password='396f9d6f9906b8f9c480722f2edc2ecaaa6209b7'
HTTP/1.1 200 OK
Content-Type: application/json
Server: CherryPy/18.8.0
Date: Fri, 15 Sep 2023 17:10:20 GMT
Allow: GET, HEAD, POST
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: GET, POST
Access-Control-Allow-Credentials: true
X-Auth-Token: f21e710df7be8b040b04e50661adfeefeb2b464a
Vary: Accept-Encoding
Content-Length: 173
Set-Cookie: session_id=f21e710df7be8b040b04e50661adfeefeb2b464a; expires=Sat, 16 Sep 2023 03:10:20 GMT; Max-Age=36000; Path=/

{"return": [{"token": "f21e710df7be8b040b04e50661adfeefeb2b464a", "expire": 1694841020.3685005, "start": 1694797820.3685002, "user": "admin", "eauth": "rest", "perms": {}}]}

For this attempt, I used the same config lines as above except these (obviously I modified the ALCALI .env file accordingly):

external_auth:
  rest:
    ^url: http://localhost:8000/api/token/verify
    admin:
      - .*
      - '@local'
      - '@runner'
      - '@wheel'

Since I don't have much experience with SaltStack and its API, my troubleshooting tools are pretty basic: I can't do much more than run the daemons with debug logging and try to interpret the output... maybe someone can suggest how I could better investigate the cause of this?

TIA
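
Added example (not part of the original issue, and not Alcali or Salt code): the TRACE lines quoted above print the eauth password and the session token in clear, so a filter like this can mask them before salt-api logs are pasted into a public tracker, while keeping each secret's length and a per-run tag so repeated values can still be correlated. The function names, `RUN_KEY` and the sample lines are constructed for illustration.

```python
import ast
import hashlib
import hmac
import re
import secrets

LOAD_RE = re.compile(r"load=(\{.*\})\s*$")  # dict printed after "load="
SECRET_KEYS = ("password", "token")
RUN_KEY = secrets.token_bytes(16)  # fresh per run, so tags cannot be guessed offline


def tag(secret, key=RUN_KEY):
    """Keyed, truncated tag: equal secrets match within one run; length is kept."""
    mac = hmac.new(key, secret.encode(), hashlib.sha256).hexdigest()[:8]
    return f"<redacted len={len(secret)} tag={mac}>"


def redact_line(line, key=RUN_KEY):
    """Mask password/token values inside a 'load={...}' payload, if present."""
    match = LOAD_RE.search(line)
    if not match:
        return line
    prefix = line[: match.start(1)]
    try:
        load = ast.literal_eval(match.group(1))
    except (ValueError, SyntaxError, TypeError):
        load = None
    if not isinstance(load, dict):
        # Fail closed: drop a payload we cannot parse rather than leak it.
        return prefix + "<unparsed load removed>"
    for name in SECRET_KEYS:
        if isinstance(load.get(name), str):
            load[name] = tag(load[name], key)
    return prefix + repr(load)


# Constructed sample in the format of the salt-api lines above (values are made up).
SAMPLE = [
    "[TRACE   ] ReqChannel send clear load={'username': 'admin', 'password': '"
    + "ab" * 20 + "', 'eauth': 'alcali', 'cmd': 'mk_token'}",
    "[DEBUG   ] Closing AsyncReqChannel instance",
    "[TRACE   ] ReqChannel send clear load={'client': 'wheel', 'token': '"
    + "cd" * 32 + "', 'fun': 'key.list_all', 'cmd': 'wheel'}",
]

if __name__ == "__main__":
    for sample_line in SAMPLE:
        print(redact_line(sample_line))
```
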

@mattLLVW
Contributor

it should be fixed by #507

@andrewhotlab
Author

Wonderful, thank you @mattLLVW: it's working now! :)
