PAM authentication with the HTTP API


Vasilis Lemonias

Mar 13, 2024, 10:18:34 AM
to iRODS-Chat
Hello,

I am using the 0.2.0 HTTP API and trying to authenticate with PAM. The iRODS version is 4.2.11.
I am not very good with C++, so my naive approach was to replace in the API code the calls to clientLoginWithPassword with clientLoginPam.

I got this working and successfully got a token back.
My issue now is that it is failing to use the token for the rest of the API calls.
Specifically, when trying to list the contents of a selection, for example, I get:
[2024-03-13 13:03:26.722] [P:1] [error] [T:13] get_connection: clientLoginPam error: -993000
[2024-03-13 13:03:26.724] [P:1] [error] [T:13] op_list: SYS_INTERNAL_ERR: clientLoginPam error.

I also tried running at the same time an unmodified version of the API and using the token I got from the modified. The error in this case is:
[2024-03-13 13:04:19.938] [P:1] [error] [T:15] resolve_client_identity: Could not find bearer token matching [token_here].
[2024-03-13 13:06:33.062] [P:1] [error] [T:14] resolve_client_identity: Could not find bearer token matching [token_here].

Has anyone been successful in using PAM with the HTTP API? Any suggestions or help will be much appreciated.

Thank you,
Vasilis

Kory Draughn

Mar 13, 2024, 12:18:20 PM
to irod...@googlegroups.com
Hi Vasilis,

The HTTP API does not support PAM at this time. We haven't heard anyone ask for that until now.

I've opened the following issue to track this conversation.

> I got this working and successfully got a token back.
> My issue now is that it is failing to use the token for the rest of the API calls.

To make PAM work, you'd need the same functionality that's provided for native authentication. That is, a new API for verifying the PAM credentials are correct. There could be other things too.

And while clientLoginPam compiled, it's likely that function does not meet the requirements for the HTTP API.

> I also tried running at the same time an unmodified version of the API and using the token I got from the modified. The error in this case is:
>
> [2024-03-13 13:04:19.938] [P:1] [error] [T:15] resolve_client_identity: Could not find bearer token matching [token_here].
> [2024-03-13 13:06:33.062] [P:1] [error] [T:14] resolve_client_identity: Could not find bearer token matching [token_here].

That is expected. The tokens are tied to the instance which generated them. The tokens live only in memory.

Do you have code we can look at?

Thanks,

Kory Draughn
Chief Technologist
iRODS Consortium


--
The Integrated Rule-Oriented Data System (iRODS) - https://irods.org
 
iROD-Chat: http://groups.google.com/group/iROD-Chat
---
You received this message because you are subscribed to the Google Groups "iRODS-Chat" group.
To unsubscribe from this group and stop receiving emails from it, send an email to irod-chat+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/irod-chat/2a5f8183-a0ce-4ad6-898a-2642600c3247n%40googlegroups.com.
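The reply above explains the second error: bearer tokens are held only in the memory of the HTTP API process that minted them, so a token presented to a different instance is simply unknown. The following is an added example, not code from the iRODS HTTP API or the iRODS project, that models that behaviour with a minimal per-process token store. The names TokenStore, issue and resolve, the fixed token lifetime, and the use of std::random_device are assumptions made for illustration; the real API's internals may differ.

```cpp
// Added example, not code from the iRODS HTTP API. It models the behaviour
// described in the reply above: bearer tokens live only in the memory of the
// process that issued them, so a second instance cannot resolve them.
// Names (TokenStore, issue, resolve) and the fixed lifetime are assumptions.
#include <chrono>
#include <cstddef>
#include <cstdio>
#include <map>
#include <optional>
#include <random>
#include <string>

using Clock = std::chrono::steady_clock;

struct Session {
    std::string username;
    Clock::time_point expires_at;
};

class TokenStore {
public:
    explicit TokenStore(std::chrono::seconds ttl) : ttl_(ttl) {}

    // Mint an opaque token for an already-verified user and remember it in
    // this process only. Nothing is persisted or shared with other instances.
    std::string issue(const std::string& username, Clock::time_point now = Clock::now()) {
        std::string token = random_hex(32); // 32 random bytes -> 64 hex characters
        sessions_[token] = Session{username, now + ttl_};
        return token;
    }

    // Map a bearer token back to a user. Unknown tokens (for example ones
    // minted by another instance) and expired ones both yield nullopt, which
    // is the "Could not find bearer token" situation from the log excerpt.
    std::optional<std::string> resolve(const std::string& token, Clock::time_point now = Clock::now()) {
        auto it = sessions_.find(token);
        if (it == sessions_.end()) {
            return std::nullopt;
        }
        if (now >= it->second.expires_at) {
            sessions_.erase(it); // drop expired entries on first touch
            return std::nullopt;
        }
        return it->second.username;
    }

    std::size_t size() const { return sessions_.size(); }

private:
    // std::random_device is backed by the OS CSPRNG on common Linux toolchains,
    // but the standard does not guarantee it; a production service should read
    // the OS CSPRNG directly.
    static std::string random_hex(std::size_t nbytes) {
        static const char* digits = "0123456789abcdef";
        std::random_device rd;
        std::string out;
        out.reserve(nbytes * 2);
        for (std::size_t i = 0; i < nbytes; ++i) {
            unsigned byte = rd() & 0xffu;
            out.push_back(digits[byte >> 4]);
            out.push_back(digits[byte & 0x0fu]);
        }
        return out;
    }

    std::chrono::seconds ttl_;
    std::map<std::string, Session> sessions_;
};

// Two independent instances: a token from the first is unknown to the second.
bool cross_instance_lookup_fails() {
    TokenStore a{std::chrono::seconds{3600}};
    TokenStore b{std::chrono::seconds{3600}};
    const std::string token = a.issue("alice");
    return a.resolve(token).has_value() && !b.resolve(token).has_value();
}

int main() {
    std::printf("token issued by instance A resolves only in A: %s\n",
                cross_instance_lookup_fails() ? "yes" : "no");
    return 0;
}
```

The practical consequence for deployment is that two HTTP API processes behind a load balancer will reject each other's tokens unless clients are pinned to the instance that authenticated them, which is exactly what the modified and unmodified instances in the original post did to each other.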

Vasilis Lemonias

Mar 14, 2024, 6:51:49 AM
to iRODS-Chat
Hi Kory,

Thank you for your reply, it helped me to clarify some things.
To be honest, I am sort of taking blind steps here. So, the changes I have made are the following:
  • In core/src/common.cpp, line 461:
        if (const auto ec = clientLoginWithPassword(conn_ptr, rodsadmin_password.data()); ec < 0) {
    changed to:
        if (const auto ec = clientLoginPam(conn_ptr, rodsadmin_password.data(), 4); ec < 0) {
  • In core/src/main.cpp, line 744:
        if (const auto ec = clientLoginWithPassword(&_comm, pw.data()); ec != 0) {
    changed to:
        if (const auto ec = clientLoginPam(&_comm, pw.data(), 4); ec != 0) {
  • In endpoints/authentication/src/main.cpp, line 452:
        (clientLoginWithPassword(static_cast<RcComm*>(conn), password.data()) == 0);
    changed to:
        (clientLoginPam(static_cast<RcComm*>(conn), password.data(), 4) == 0);
  • In endpoints/data_objects/src/main.cpp, line 96:
        if (clientLoginWithPassword(static_cast<RcComm*>(conn_), password.data()) != 0) {
    changed to:
        if (clientLoginPam(static_cast<RcComm*>(conn_), password.data(), 4) != 0) {

Thank you for your time and help!
Vasilis

Kory Draughn

Mar 18, 2024, 3:20:15 PM
to irod...@googlegroups.com
Vasilis,

Nothing in the iRODS server or the icommands uses clientLoginPam so I can't say much about it.

I recommend avoiding that function for now. It may be removed in the future.

I've opened an issue to investigate adding support for PAM to the HTTP API. You can find it at the following URL.

Thanks,

Kory Draughn
Chief Technologist
iRODS Consortium

joris luijsterburg

Mar 19, 2024, 5:04:19 AM
to iRODS-Chat
Depending on where your PAM authenticates, you might also find a different route. If the PAM of your Linux system connects with some central system, it might be that that central system is also reachable via OpenID Connect, which should be supported by the API as is (I didn't test it yet). In that case you might be able to have the same authentication in practice as PAM.