Problems with Rundeck API authentication using /j_security_check


William Hargrove

Jan 26, 2023, 7:26:22 AM
to rundeck-discuss

Rundeck API authentication question (version 4.9.0) – what am I doing wrong? (Note: real values have been redacted.)

I am trying to follow the instructions at https://docs.rundeck.com/docs/api/rundeck-api.html#password-authentication

$ curl -X POST --cookie-jar newcookies.txt http://HOST:POST/j_security_check&j_username=USER&j_password=PASSWORD

The user and password are the admin ones and are able to create tokens if I log in to the GUI with them.

This writes out a Cookie value to newcookies.txt, and I then take the JSESSIONID and the cookie value and try and get a list of tokens

 $ curl --cookie "JSESSIONID=valueofthecookie" -X GET -H "Content-Type: application/json" http://HOST:PORT/api/37/tokens

which returns

{"error":true,"apiversion":42,"errorCode":"unauthorized","message":"(unauthenticated) is not authorized for: /api/37/tokens"}

I have checked the above using both the Ansible uri module (as I want to provision a new token using IaC) and curl, with the same results; neither seems to work. Can anyone provide a worked example that actually does, i.e. log in and just list the tokens?

Thanks, Will.

Xavier Humbert

Jan 26, 2023, 7:31:16 AM
to rundeck...@googlegroups.com, William Hargrove

Hi William,

Preferably use authentication tokens instead of login/passwd.

Example :

$ export token='<yourtoken>'
$ curl -m10 -sX "GET" -H "Accept: application/json" -H "X-Rundeck-Auth-Token: $token" "http://rundeck:4440/api/41/metrics/healthcheck" | jq -C

gives you

{
  "dataSource.connection.time": {
    "healthy": true,
    "message": "Datasource connection healthy with timeout 5 seconds",
    "duration": 2,
    "timestamp": "2023-01-25T13:40:19.197+01:00"
  },
  "quartz.scheduler.threadPool": {
    "healthy": true,
    "duration": 0,
    "timestamp": "2023-01-25T13:40:19.194+01:00"
  }
}

-- 
Xavier Humbert
CRT Supervision et Exploitation de Niveau 1
Rectorat de Nancy-Metz
03 83 86 27 39

rac...@rundeck.com

Jan 26, 2023, 7:35:55 AM
to rundeck-discuss
Hi Will,

Did you follow this?

Regards!

William Hargrove

Jan 26, 2023, 8:10:14 AM
to rundeck-discuss
Thanks - I did and I read that to mean the JSESSIONID would change after the first request after authentication, so in the example above, if I were to make a subsequent API call, I would need to capture the new JSESSIONID from the first call immediately after initial authentication.

William Hargrove

Jan 26, 2023, 8:13:59 AM
to rundeck-discuss
Thanks for this and I have looked into X-Rundeck-Auth-Token, but the issue was in how to obtain it. The issue I am trying to address is that I am deploying rundeck through IaC tools. I start rundeck and then I want to carry on provisioning via API calls. In order to get the TOKEN to do this, I do not want to log in to the GUI and manually set up a token, and then go back to the IaC playbook and populate it.

I want to be able to programmatically obtain an API token on the first startup of rundeck and not log in to the GUI. It looked like using the j_security_check method would work - but I can't get it to.

Thoughts? Thanks.

rac...@rundeck.com

Jan 26, 2023, 8:46:38 AM
to rundeck-discuss
Hi Will,

Alternatively, you can configure Rundeck to use static tokens (you don't need to use the GUI to create them). After that, you can use API calls based on token (easiest way I think). Check this (scroll down a bit and you can see the tokens.properties section).

Greetings.
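
The static-token route suggested in the last reply, sketched for an IaC run. This is an added example, not part of the thread and not Rundeck's own code; it assumes the `user: token,role` line format of tokens.properties and the `rundeck.tokens.file` setting in framework.properties, neither of which is shown in the thread, and the function names and file path are hypothetical.

```shell
#!/bin/sh
# Added example: pre-provision a Rundeck static API token before first start.
# Assumed (not shown in the thread): tokens.properties lines look like
# "user: token,role" and framework.properties points at the file through
# rundeck.tokens.file=<path>.

# gen_token: print 32 bytes from the kernel CSPRNG as 64 hex characters.
gen_token() {
    od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
}

# write_static_token FILE USER ROLE
# Creates FILE (mode 0600) with one token entry and prints the token so the
# caller can pass it to later API calls. Never overwrites an existing file.
write_static_token() {
    file=$1 user=$2 role=$3
    # Reject empty values and characters that would break the line syntax.
    for v in "$user" "$role"; do
        case "$v" in
            ''|*[!A-Za-z0-9_.-]*) echo "invalid user or role" >&2; return 2 ;;
        esac
    done
    token=$(gen_token)
    [ "${#token}" -eq 64 ] || { echo "token generation failed" >&2; return 4; }
    # Subshell: umask 077 keeps the file private from creation onwards,
    # set -C (noclobber) makes the redirect fail if the file already exists.
    ( umask 077; set -C
      printf '%s: %s,%s\n' "$user" "$token" "$role" > "$file" ) 2>/dev/null || {
        echo "could not create $file (already exists?)" >&2; return 3; }
    printf '%s\n' "$token"
}

# Usage from a playbook step (placeholder path, HOST and PORT as in the thread):
#   token=$(write_static_token /path/to/tokens.properties admin admin)
#   curl -s -H "Accept: application/json" \
#        -H "X-Rundeck-Auth-Token: $token" "http://HOST:PORT/api/37/tokens"
```

Keep the generated file out of version control and hand the token to later tasks through the IaC tool's secret handling rather than a plain variable file.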