salt-api authentication trouble - 401 Unauthorized No permission -- see authorization schemes


Urs Rau

Jun 28, 2015, 1:15:40 PM
to salt-...@googlegroups.com
when I run

curl -sSk https://127.0.0.1:8000 -H 'Accept: application/x-yaml' -d username='saltapi' -d password='salt-api-secret' -d eauth='pam'

I get:

401 Unauthorized No permission -- see authorization schemes


But if I do a 

salt -a pam '*' test.ping

and then enter the username: saltapi and the correct secret password it succeeds pinging all the minions.

my '/etc/salt/master' has the ext_auth section filled in as:

external_auth:
  pam:
    saltapi:
    - .*
    - '@runner'
    - '@wheel'
    - '@jobs'

and I have set the ‘saltapi’ user's password to the correct salt-api-secret value

Also if I ‘su’ from one user up to saltapi and enter the appropriate salt-api-secret value it also succeeds. So I have tested in two ways that pam authentication for this saltapi user does work just fine.

This is on a Centos 6 with all the latest patches.

salt --version reports:

salt 2015.5.0 (Lithium)

and salt --versions reports:
           Salt: 2015.5.0
         Python: 2.6.6 (r266:84292, Jan 22 2014, 09:42:36)
         Jinja2: 2.2.1
       M2Crypto: 0.20.2
 msgpack-python: 0.4.6
   msgpack-pure: Not Installed
       pycrypto: 2.0.1
        libnacl: Not Installed
         PyYAML: 3.09
          ioflo: Not Installed
          PyZMQ: 14.5.0
           RAET: Not Installed
            ZMQ: 4.0.5
           Mako: Not Installed


The full error message on the cmd line is:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
<html>
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8"></meta>
    <title>401 Unauthorized</title>
    <style type="text/css">
    #powered_by {
        margin-top: 20px;
        border-top: 2px solid black;
        font-style: italic;
    }

    #traceback {
        color: red;
    }
    </style>
</head>
    <body>
        <h2>401 Unauthorized</h2>
        <p>No permission -- see authorization schemes</p>
        <pre id="traceback">Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/cherrypy/_cprequest.py", line 647, in respond
    self.hooks.run('before_request_body')
  File "/usr/lib/python2.6/site-packages/cherrypy/_cprequest.py", line 112, in run
    raise exc
HTTPError: (401, None)
</pre>
    <div id="powered_by">
    <span>Powered by <a href="http://www.cherrypy.org">CherryPy 3.2.2</a></span>
    </div>
    </body>
</html>

How can I best debug this further? Any ideas on what to try next?

Thanks for any help.


—  
Urs Rau
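
For the debugging question above, an added example (not part of the original post, and not Salt or CherryPy code): a small Python helper that pulls the status, message, CherryPy version and rejecting hook out of an error page like the one quoted. The function name `triage_cherrypy_error` and the embedded sample page are assumptions, constructed from the output in the post.

```python
import re
from html import unescape

# Constructed sample: the relevant parts of the 401 page quoted in the post above.
SAMPLE_ERROR_PAGE = """<html>
<head><title>401 Unauthorized</title></head>
<body>
<h2>401 Unauthorized</h2>
<p>No permission -- see authorization schemes</p>
<pre id="traceback">Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/cherrypy/_cprequest.py", line 647, in respond
    self.hooks.run('before_request_body')
  File "/usr/lib/python2.6/site-packages/cherrypy/_cprequest.py", line 112, in run
    raise exc
HTTPError: (401, None)
</pre>
<div id="powered_by">
<span>Powered by <a href="http://www.cherrypy.org">CherryPy 3.2.2</a></span>
</div>
</body>
</html>"""


def _first(pattern, text, flags=0):
    m = re.search(pattern, text, flags)
    return unescape(m.group(1).strip()) if m else None


def triage_cherrypy_error(page):
    """Summarise a CherryPy HTML error page for a bug report (hypothetical helper)."""
    traceback = _first(r'<pre id="traceback">(.*?)</pre>', page, re.S) or ""
    hooks = re.findall(r"hooks\.run\('([a-z_]+)'\)", traceback)
    hook = hooks[-1] if hooks else None
    return {
        "status": _first(r"<h2>(.*?)</h2>", page, re.S),
        "message": _first(r"<p>(.*?)</p>", page, re.S),
        "cherrypy_version": _first(r"Powered by <a [^>]*>CherryPy ([\d.]+)</a>", page),
        "rejecting_hook": hook,
        # CherryPy runs 'before_request_body' hooks before it parses the POST body
        # and before any page handler, so the posted form fields were never read.
        "rejected_before_body": hook in ("on_start_resource", "before_request_body"),
    }


if __name__ == "__main__":
    for key, value in triage_cherrypy_error(SAMPLE_ERROR_PAGE).items():
        print("%-22s %s" % (key + ":", value))
```

On the page quoted in the post this reports CherryPy 3.2.2 and a rejection at the `before_request_body` hook, which is the detail worth including when reporting the problem.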

Jakub Pinkas

Jun 29, 2015, 5:20:46 AM
to salt-...@googlegroups.com
Hello,

I found a similar problem when connecting to the API via CherryPy. The problem was with versions 3.5.x, and I had to install a newer version via pip, where the version is 3.7.0.

Hope this helps :)



On Sunday, June 28, 2015 at 19:15:40 UTC+2, Urs Rau wrote:

Ramya Ramamurthy

May 30, 2017, 10:37:52 AM
to Salt-users
Hi,

We are also facing the same issue, but we are not sure which version to upgrade. Which module's version does this 3.5.x to 3.7.0 relate to: Salt, Python?

Seth House

May 30, 2017, 11:20:33 AM
to salt users list
That's referring to the CherryPy version. If you have the option, try
the latest available version 10.2.x. If not, try 3.7.x or 3.2.3.