Digest Auth and REST Queries with Opencast 4


Maxime Pedrotti

Apr 13, 2018, 3:38:40 AM
to Opencast Users
Hi,

I am trying to get a capture agent connected to my test setups of Opencast 4, but am having trouble with the connection to the REST endpoints. At first, I tried using pyCA, which started up fine, but could not register itself with my admin server and thus could not request the schedule or any other part of my OC setup. I then tried to send some basic queries myself following the CA guide from the developer documentation (https://docs.opencast.org/r/4.x/developer/modules/capture-agent/), using cURL and HTTPie, but all without success.

I tried sending the following via cURL to the remote server:
curl -v --digest -u opencast_system_account:<PW> --url 'https://<ADMIN_SERVER>/services/available.json?serviceType=org.opencastproject.capture.admin'

I also tried sending this via HTTPie:
http --auth opencast_system_account:<PW> --auth-type digest GET 'https://<ADMIN_SERVER>/services/available.json?serviceType=org.opencastproject.capture.admin'

...to make sure I was not missing issues generated by a firewall or the Apache proxy, I tried curl with the same parameters as above locally on the server (with http://localhost:8080 as URL base), as well.

...to make sure it was not just my particular setup, I tried the same with another server I have, with a vanilla installation of Opencast (basic configuration as per documentation, web login works as expected).

In all cases, instead of the expected response (200), I get a 302 and am redirected to the login page.

When I send a request like above (with digest auth) to the /info/me.json endpoint, the user information shows as anonymous user without any roles or privileges.

After this I checked the external API access:
* created a user from admin UI
* assigned this user admin and API roles
* activated basic auth by editing ../etc/security/mh_default_org.xml

I then sent queries to the user info endpoints, using credentials for the new user, once with basic and once with digest auth.
* /info/me.json came back as anonymous user when using digest auth, but with correct user information when using basic auth
* /api/info/me came back with a 302 when using digest auth (as expected, since only basic auth is supported by the external API), and with correct user info when using basic auth

I am running Opencast 4.3 (build 28bd9e7) from the official DEB repository, my tests covered one all-in-one setup, and one 4-node setup (admin, engage, 2 workers).

Now, I am left wondering:
Have I missed something in the documentation about activating digest auth? Is there something else I could try to get the CA working? Am I the only one with this issue, or can someone reproduce this?

Thanks in advance for replies, and best regards,

Maxime

Maxime Pedrotti

Apr 13, 2018, 3:44:02 AM
to Opencast Users

Forgot to mention:

* Startup logs show no errors for the endpoints
* Service registry listing in admin UI shows services active, e.g. org.opencastproject.capture.admin is there on my admin node
* distributed setup works fine across all four nodes, server nodes can register themselves with the admin node, and jobs can be dispatched

Christian Greweling

Apr 13, 2018, 3:52:02 AM
to Opencast Users
Hi,

Maxime. Maybe you just need to add -X Headers to your curl test command.
Here is an example which works on our system:

curl -i -f --digest -u opencast_system_account:PASSWORD -H "X-Requested-Auth: Digest" http://yourOpencastAdminNode/recordings/calendars

If not, please post the curl response.

Best
Christian

Ruth Lang

Apr 13, 2018, 4:15:46 AM
to Opencast Users
Hi Maxime,

are you using the correct opencast_system_account?
There is a special account for calling the REST endpoints.

# The username and password to present to other Opencast servers when calling their REST endpoints.  The remote server
# must contain matching values.
org.opencastproject.security.digest.user={{ digest_user }}
org.opencastproject.security.digest.pass={{ digest_pass }}

Regards
Ruth

Maxime Pedrotti

Apr 13, 2018, 4:50:36 AM
to Opencast Users
Hi,

Thanks @Christian, the header did the trick for my test queries. The user info still comes up as anonymous:
    "roles": [
        "ROLE_ANONYMOUS"
    ],
    "userRole": "ROLE_USER_ANONYMOUS",
    "user": {
        "provider": null,
        "name": null,
        "email": null,
        "username": "anonymous"
    }
...but my guess is this is supposed to be, since all other queries (e.g. service endpoints, schedule information, etc.) work as expected now.

I had just assumed it would default to digest auth if I send credentials this way, while it actually defaults to the form based login, my mistake.

Thanks @Ruth, I definitely used the opencast_system_account set in the custom.properties configuration.

It would appear that my pyCA problem was unrelated (tried setting a name with spaces in it, which was not handled correctly by pyCA), but equally easily corrected. :)

Kind regards,

Maxime
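
Added example (not part of the thread and not Opencast or pyCA code): a local stand-in server, written to mirror what the posts above report, lets the same `urllib` digest client be run with and without `X-Requested-Auth: Digest` to show the 302 versus the 200. The password, realm, nonce and the 401 challenge step are constructed assumptions.

```python
import hashlib, threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import error, request

# Constructed values for the local stand-in; not taken from any real server.
USER, PW, REALM, NONCE = "opencast_system_account", "constructed-pw", "Opencast", "c0n57ruc73d"
PATH = "/services/available.json?serviceType=org.opencastproject.capture.admin"

def digest_response(method, uri):
    h = lambda s: hashlib.md5(s.encode()).hexdigest()
    return h(f"{h(f'{USER}:{REALM}:{PW}')}:{NONCE}:{h(f'{method}:{uri}')}")  # RFC 2617, no qop

class MockAdmin(BaseHTTPRequestHandler):  # stand-in mirroring the behaviour reported above
    def do_GET(self):
        want = digest_response("GET", self.path)
        if self.headers.get("X-Requested-Auth") != "Digest":
            self.send_response(302)  # without the header: redirect to the form login
            self.send_header("Location", "/login.html")
        elif f'response="{want}"' in self.headers.get("Authorization", ""):
            self.send_response(200)
        else:  # assumption: with the header, the server issues a digest challenge
            self.send_response(401)
            self.send_header("WWW-Authenticate", f'Digest realm="{REALM}", nonce="{NONCE}"')
        self.send_header("Content-Length", "0")
        self.end_headers()
    def log_message(self, *args): pass  # keep the demo quiet

class NoRedirect(request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface the 302 instead of following it to the login page

def probe(base, with_header):
    """Return the HTTP status a digest-capable client ends up with."""
    mgr = request.HTTPPasswordMgrWithDefaultRealm()
    mgr.add_password(None, base, USER, PW)
    opener = request.build_opener(request.ProxyHandler({}), NoRedirect,
                                  request.HTTPDigestAuthHandler(mgr))
    req = request.Request(base + PATH, headers={"X-Requested-Auth": "Digest"} if with_header else {})
    try:
        return opener.open(req, timeout=5).status
    except error.HTTPError as err:
        return err.code

def run_demo():
    srv = HTTPServer(("127.0.0.1", 0), MockAdmin)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{srv.server_port}"
    result = probe(base, False), probe(base, True)
    srv.shutdown()
    return result
```

Calling `run_demo()` returns the status seen without the header followed by the status seen with it.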
