api wheel access - 401 Unauthorized

Hober Smith

Mar 16, 2015, 5:36:14 PM
to salt-...@googlegroups.com
Hi, I'm trying to access the various functions via the API as a wheel client and for some reason I always get a "401 Unauthorized" error even though it looks to me like everything is configured correctly. I have created a user on the salt master that is used for API access, I added '@wheel' for the external authentication for the user in the salt master configuration file, and have also added the user to the wheel group on the host even though I haven't seen anything requiring that in the documentation, but I always get the authentication error (I always restarted salt-master and salt-api after making any changes for testing). Does anybody have any ideas or suggestions? Everything seems to work OK if the client argument is set to local. Here is the output of curl on the salt master:

[root@srv ~]# curl -i -sSk https://localhost:8888/run -H 'Accept: application/x-yaml' -d username=XXXX -d password=XXXX -d eauth=pam -d fun=salt.wheel.key.list_all -d client=wheel
HTTP/1.1 401 Unauthorized
Content-Length: 1196
Access-Control-Expose-Headers: GET, POST
Vary: Accept-Encoding
Server: CherryPy/3.2.2
Allow: GET, HEAD, POST
Access-Control-Allow-Credentials: true
Date: Mon, 16 Mar 2015 21:31:41 GMT
Access-Control-Allow-Origin: *
Content-Type: text/html;charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8"></meta>
    <title>401 Unauthorized</title>
    <style type="text/css">
    #powered_by {
        margin-top: 20px;
        border-top: 2px solid black;
        font-style: italic;
    }

    #traceback {
        color: red;
    }
    </style>
</head>
    <body>
        <h2>401 Unauthorized</h2>
        <p>No permission -- see authorization schemes</p>
        <pre id="traceback">Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/cherrypy/_cprequest.py", line 656, in respond
    response.body = self.handler()
  File "/usr/lib/python2.7/site-packages/cherrypy/lib/encoding.py", line 188, in __call__
    self.body = self.oldhandler(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/salt/netapi/rest_cherrypy/app.py", line 390, in hypermedia_handler
    raise cherrypy.HTTPError(401)
HTTPError: (401, None)
</pre>
    <div id="powered_by">
    <span>Powered by <a href="http://www.cherrypy.org">CherryPy 3.2.2</a></span>
    </div>
    </body>
</html>

Hober Smith

Mar 17, 2015, 9:36:12 PM
to salt-...@googlegroups.com
Hi, when trying this with token authentication the same problem occurs. You can see that the user authentication is successful when logging in and that the user has permissions set correctly for the wheel group:

[root@XXX ~]# curl -sSk https://localhost:8888/login -H 'Accept: application/x-yaml' -d username=XXX -d password=XXX -d eauth=pam
return:
- eauth: pam
  expire: 1426685169.392385
  perms:
  - .*
  - '@wheel'
  - '@runner'
  - '@jobs'
  start: 1426641969.392382
  token: 742dc72e45cbb0f9e59d37b206b9ab33c5b94721
  user: XXX
[root@XXX ~]#

Yet when I try to list the keys I get an authentication unauthorized/no permissions error:

[root@XXX ~]# curl  -sSk https://localhost:8888 -H 'Accept: application/x-yaml' -H 'X-Auth-Token: 742dc72e45cbb0f9e59d37b206b9ab33c5b94721' -d fun=wheel.key.list_all -d client=wheel

Does anybody have any suggestions? After spending a whole day on this and trying everything I can think of besides looking here and at the documentation, there is no clear reason as to why this is occurring. If I have something set incorrectly in the key request then I should get a different type of error besides the authorization error. I'm currently using salt-2014.7.2-1 on CentOS 7. Any kind of help will be appreciated. Thanks.

Seth House

Mar 24, 2015, 11:34:24 PM
to salt-...@googlegroups.com
Hi, Hober. The `fun` argument should only be `key.list_all`. The rest of both examples looks correct.

This causes an authorization failure because Salt's eauth system performs pattern-matching against the function you are requesting to run, and that check does not match any of the eauth patterns in your config. I think this error message can be improved, although I'm not sure exactly where or how. I've filed this issue below to collect ideas:

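To make the failure mode in Seth's reply concrete, here is an added example (not code from the thread and not Salt's own source) that re-implements, in simplified form, the function-name check the Salt master applies to wheel and runner calls before it consults the eauth permission list. It is modelled on the `spec_check` logic in `salt/utils/minions.py` of the 2014.7 era; the function names `wheel_allowed` and `explain`, the `THREAD_PERMS` list copied from the `/login` output above, and the tighter `{'@key': [...]}` ACL are constructed for this illustration. The point it shows: a `fun` value that is not exactly `<module>.<function>` (such as `wheel.key.list_all` or `salt.wheel.key.list_all`) is rejected before any `@wheel` grant is even looked at, which surfaces as the same 401 as a genuine permission denial.

```python
import re

# Added example, not Salt's own code: a compact re-implementation of the
# function-name check Salt's master applies to wheel (and runner) calls,
# modelled on the spec_check logic in salt/utils/minions.py of the 2014.7
# era. Salt's real code covers more cases; this keeps what the thread needs.

# The perms list returned by /login in the thread (constructed from the post).
THREAD_PERMS = ['.*', '@wheel', '@runner', '@jobs']


def wheel_allowed(auth_list, fun, form='wheel'):
    """Return True if `fun` is permitted for `form` ('wheel' or 'runner')."""
    # The function name must be exactly "<module>.<function>". Anything else
    # (e.g. "wheel.key.list_all" or "salt.wheel.key.list_all") is rejected
    # before any pattern is consulted, which is why the thread's requests
    # fail with 401 even though '@wheel' is granted to the user.
    comps = fun.split('.')
    if len(comps) != 2:
        return False
    mod, func = comps

    for entry in auth_list:
        if isinstance(entry, str):
            # '@wheel' / '@runner' grant the whole client; '@key' grants a module.
            if entry in ('@' + form, '@' + form + 's'):
                return True
            if entry.startswith('@') and entry[1:] == mod:
                return True
            # Plain strings such as '.*' are minion-target patterns for the
            # local client and are ignored here. That is why client=local
            # worked for the poster while client=wheel did not.
        elif isinstance(entry, dict) and len(entry) == 1:
            # {'@key': ['list_.*', 'accept']} grants named functions of a module.
            (key, patterns), = entry.items()
            if key.startswith('@') and key[1:] == mod:
                if isinstance(patterns, str):
                    patterns = [patterns]
                if any(re.match(p, func) for p in patterns):
                    return True
    return False


def explain(auth_list, fun):
    """Human-readable verdict, handy when reproducing a 401 from salt-api."""
    verdict = 'allowed' if wheel_allowed(auth_list, fun) else 'denied (HTTP 401)'
    return '{0!r} -> {1}'.format(fun, verdict)


if __name__ == '__main__':
    # The two requests from the thread against the poster's perms list.
    print(explain(THREAD_PERMS, 'wheel.key.list_all'))   # denied
    print(explain(THREAD_PERMS, 'key.list_all'))         # allowed
    # A tighter ACL: only read-only key functions, no accept/delete.
    tight = [{'@key': ['list_.*', 'finger.*']}]
    print(explain(tight, 'key.list_all'))                # allowed
    print(explain(tight, 'key.accept'))                  # denied
```

The practical consequence for an API consumer is that `client=wheel` with `fun=key.list_all` is what the master's check expects, and that a blanket `@wheel` grant is considerably broader than a per-module list such as `{'@key': ['list_.*']}`, since the former also allows `key.accept`, `key.delete` and every other wheel module. Note that the patterns are applied with prefix matching (`re.match`), so anchor them when the function name space matters.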
Hober Smith

Mar 28, 2015, 10:57:49 AM
to salt-...@googlegroups.com
Thanks... I had figured that out as far as the argument list goes and was going to mention it here when I saw your reply. I agree with you that the error message could be improved.
