Feature #11317

Hammer + external authentication via FreeIPA

Added by Iakov Gan over 1 year ago. Updated 3 months ago.

Status:New
Priority:Normal
Assigned To:Tomáš Strachota
Category:Authentication
Target version:Team Marek backlog
Difficulty:
Bugzilla link:1266407
Found in release:1.8.1
Pull request:
Story points-
Velocity based estimate-

Description

Hi,

I have an external authentication via FreeIPA and it works nice for foreman web UI.

When I use hammer (or any tool based on the REST API) the FreeIPA user is not authorized. Local foreman users with the same rights and permissions work just fine.

Regards,


Related issues

Related to Hammer CLI - Feature #8923: Ability to use Negotiate/Kerberos authentication to API a... New 01/13/2015

History

#1 Updated by Iakov Gan over 1 year ago

Hi,

I have an external authentication via FreeIPA and it works nice for foreman web UI.

When I use hammer (or any tool based on the REST API) the FreeIPA user is not authorized. Local foreman users with the same rights and permissions work just fine.

Regards,

#2 Updated by Dominic Cleal over 1 year ago

I can't think why this would be, it should work identically. Could you perhaps attach your production.log showing both a normal UI login and API access with the same user account? With debugging enabled would be most useful: http://projects.theforeman.org/projects/foreman/wiki/Troubleshooting#How-do-I-enable-debugging

#3 Updated by Nagarjuna Rachaneni over 1 year ago

Dominic Cleal wrote:

I can't think why this would be, it should work identically. Could you perhaps attach your production.log showing both a normal UI login and API access with the same user account? With debugging enabled would be most useful: http://projects.theforeman.org/projects/foreman/wiki/Troubleshooting#How-do-I-enable-debugging

Here is my log output for both web login and API access

Web login log output

Started POST "/users/login" for 172.30.46.181 at 2015-08-10 12:05:03 +0200
2015-08-10 12:05:03 [I] Processing by UsersController#login as HTML
2015-08-10 12:05:03 [I]   Parameters: {"utf8"=>"✓", "authenticity_token"=>"UBXIr5IocdR2bUNBOtfAsENgTZ5IsCSulHZ7RqExrIc=", "login"=>{"login"=>"nagarjunar", "password"=>"[FILTERED]"}, "commit"=>"Login"}
2015-08-10 12:05:03 [D] Setting current user thread-local variable to nil
2015-08-10 12:05:03 [D]   Setting Load (0.3ms)  SELECT "settings".* FROM "settings" WHERE "settings"."name" = 'authorize_login_delegation_auth_source_user_autocreate' ORDER BY name LIMIT 1
2015-08-10 12:05:03 [D]   AuthSource Load (0.6ms)  SELECT "auth_sources".* FROM "auth_sources" WHERE "auth_sources"."name" = 'External' LIMIT 1
2015-08-10 12:05:03 [D]   User Load (0.4ms)  SELECT "users".* FROM "users" WHERE "users"."lower_login" = 'nagarjunar' LIMIT 1
2015-08-10 12:05:03 [D]    (0.4ms)  SELECT usergroup_id FROM "external_usergroups" WHERE "external_usergroups"."auth_source_id" = 3
2015-08-10 12:05:03 [D]   ExternalUsergroup Load (0.3ms)  SELECT "external_usergroups".* FROM "external_usergroups" WHERE "external_usergroups"."auth_source_id" = 3 AND "external_usergroups"."name" IS NULL
2015-08-10 12:05:03 [D]   Usergroup Load (0.7ms)  SELECT "usergroups".* FROM "usergroups" INNER JOIN "usergroup_members" ON "usergroups"."id" = "usergroup_members"."usergroup_id" WHERE "usergroup_members"."member_id" = 19 AND "usergroup_members"."member_type" = 'User' AND (usergroups.id NOT IN (1)) ORDER BY usergroups.name
2015-08-10 12:05:03 [D]    (0.1ms)  BEGIN
2015-08-10 12:05:03 [D]    (0.3ms)  SELECT COUNT(*) FROM "auth_sources" WHERE "auth_sources"."type" IN ('AuthSourceHidden') AND "auth_sources"."id" = 3
2015-08-10 12:05:03 [D]   User Exists (0.5ms)  SELECT 1 AS one FROM "users" WHERE (LOWER("users"."login") = LOWER('nagarjunar') AND "users"."id" != 19) LIMIT 1
2015-08-10 12:05:03 [D]   AuthSource Load (0.3ms)  SELECT "auth_sources".* FROM "auth_sources" WHERE "auth_sources"."id" = 3 LIMIT 1
2015-08-10 12:05:03 [D]   Usergroup Load (0.2ms)  SELECT "usergroups".* FROM "usergroups" ORDER BY usergroups.name
2015-08-10 12:05:04 [I] Expire fragment views/tabs_and_title_records-19 (0.7ms)
2015-08-10 12:05:04 [D]   Role Load (0.4ms)  SELECT "roles".* FROM "roles" WHERE "roles"."name" = 'Anonymous' LIMIT 1
2015-08-10 12:05:04 [D]    (0.7ms)  SELECT "roles".id FROM "roles" INNER JOIN "user_roles" ON "roles"."id" = "user_roles"."role_id" WHERE "user_roles"."owner_id" = 19 AND "user_roles"."owner_type" = 'User'
2015-08-10 12:05:04 [D]    (0.1ms)  COMMIT
2015-08-10 12:05:04 [D]   Usergroup Load (0.4ms)  SELECT "usergroups".* FROM "usergroups" INNER JOIN "usergroup_members" ON "usergroups"."id" = "usergroup_members"."usergroup_id" WHERE "usergroup_members"."member_id" = 19 AND "usergroup_members"."member_type" = 'User' ORDER BY usergroups.name
2015-08-10 12:05:04 [D]    (0.1ms)  BEGIN
2015-08-10 12:05:04 [D]    (0.1ms)  COMMIT
2015-08-10 12:05:04 [D]   AuthSourceHidden Load (0.3ms)  SELECT "auth_sources".* FROM "auth_sources" WHERE "auth_sources"."type" IN ('AuthSourceHidden')
2015-08-10 12:05:04 [D]   User Load (0.5ms)  SELECT "users".* FROM "users" WHERE "users"."lower_login" = 'nagarjunar' AND (users.auth_source_id <> 2) ORDER BY firstname LIMIT 1
2015-08-10 12:05:04 [I] Redirected to https://foreman.sys.lab.com/hosts
2015-08-10 12:05:04 [I] Completed 302 Found in 300ms (ActiveRecord: 13.4ms)
2015-08-10 12:05:04 [I] 

CURL command

curl -k -u 'nagarjunar:******' -H 'Accept: application/json' 'https://foreman.sys.lab.com/api/v2/users' -d 'search=login=nagarjunar' -X GET

output

{
  "error": {"message":"Unable to authenticate user nagarjunar"}
}

Log output

Started GET "/api/v2/users" for 172.30.46.181 at 2015-08-10 12:05:44 +0200
2015-08-10 12:05:44 [I] Processing by Api::V2::UsersController#index as JSON
2015-08-10 12:05:44 [I]   Parameters: {"search"=>"login=nagarjunar", "apiv"=>"v2"}
2015-08-10 12:05:44 [D]   Setting Load (0.9ms)  SELECT "settings".* FROM "settings" WHERE "settings"."name" = 'authorize_login_delegation_api' ORDER BY name LIMIT 1
2015-08-10 12:05:44 [D]   User Load (0.7ms)  SELECT "users".* FROM "users" WHERE "users"."lower_login" = 'nagarjunar' LIMIT 1
2015-08-10 12:05:44 [D]   AuthSource Load (0.6ms)  SELECT "auth_sources".* FROM "auth_sources" WHERE "auth_sources"."id" = 3 LIMIT 1
2015-08-10 12:05:44 [D] Failed to authenticate Nagarjuna Rachaneni against EXTERNAL authentication source
2015-08-10 12:05:44 [I] invalid user
2015-08-10 12:05:44 [D] Setting current user thread-local variable to nil
2015-08-10 12:05:44 [W] SSO failed
2015-08-10 12:05:44 [I]   Rendered api/v2/errors/unauthorized.json.rabl within api/v2/layouts/error_layout (2.1ms)
2015-08-10 12:05:44 [I] Filter chain halted as :authorize rendered or redirected
2015-08-10 12:05:44 [I] Completed 401 Unauthorized in 28ms (Views: 10.0ms | ActiveRecord: 2.1ms)

#4 Updated by Dominic Cleal over 1 year ago

  • Project changed from Hammer CLI to Foreman

Ah sorry, I misunderstood and thought you meant LDAP, but this is "external", i.e. Apache + Kerberos.

Then yes, using HTTP basic auth against the API isn't going to work - you'd need to actually use SPNEGO/GSS. You could try "curl --negotiate" and see if that works, see the man page too for more details.

If that's working, then it might be possible to add to Hammer/rest-client somehow.

#5 Updated by Nagarjuna Rachaneni over 1 year ago

No luck with curl --negotiate.

curl --negotiate -k -u 'nagarjunar:*****' -H 'Accept: application/json' 'https://foreman.sys.lab.ingenico.com/api/v2/users' -d 'search=login=nagarjunar' -X GET

{
 "error": {"message":"Unable to authenticate user "}
}

#6 Updated by Dominic Cleal over 1 year ago

Try enabling curl's debug (e.g. -v or -i) to see if it's actually performing SPNEGO or if it's simply using HTTP basic auth. I don't think you should give a basic auth password if intending to use GSS. You probably also want to check that GSS is compiled in with -V.

httpd's error logs might also show you if there are issues with auth, and the access log ought to show if it's successful.

#7 Updated by Nagarjuna Rachaneni over 1 year ago

Here is the curl debug output


curl -v --negotiate -k -u 'nagarjunar:******' -H 'Accept: application/json' 'https://foreman.sys.lab.com/api/v2/users' -d 'search=login=nagarjunar' -X GET 

* Hostname was NOT found in DNS cache
*   Trying 172.24.15.7...
* Connected to foreman.sys.lab.com (172.24.15.7) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Request CERT (13):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-AES256-GCM-SHA384
* Server certificate:
*      subject: CN=foreman.sys.lab.com
*      start date: 2015-05-20 19:54:03 GMT
*      expire date: 2020-05-19 19:54:03 GMT
*      issuer: CN=Puppet CA: foreman.sys.lab.com
*      SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
> GET /api/v2/users HTTP/1.1
> User-Agent: curl/7.35.0
> Host: foreman.sys.lab.com
> Accept: application/json
> Content-Length: 23
> Content-Type: application/x-www-form-urlencoded
> 
* upload completely sent off: 23 out of 23 bytes
< HTTP/1.1 401 Unauthorized
< Date: Tue, 11 Aug 2015 07:16:19 GMT
* Server Apache/2.2.15 (Red Hat) is not blacklisted
< Server: Apache/2.2.15 (Red Hat)
< Apipie-Checksum: e7ccfeaaa230ae3cfae6bdf538f049e0
< X-UA-Compatible: IE=Edge,chrome=1
< Cache-Control: no-cache
< X-Request-Id: a6901fd4e0cb8d46236a98be3eea26a0
< X-Runtime: 0.012590
< X-Rack-Cache: miss
< X-Powered-By: Phusion Passenger 4.0.18
< Set-Cookie: request_method=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT
< Status: 401 Unauthorized
< Connection: close
< Transfer-Encoding: chunked
< Content-Type: application/json; charset=utf-8
< 
{
  "error": {"message":"Unable to authenticate user "}
}
* Closing connection 0
* SSLv3, TLS alert, Client hello (1):

#8 Updated by Dominic Cleal over 1 year ago

Nothing there that suggests it's doing either SPNEGO or even HTTP basic auth to me, do you agree? I'd have a look again at my last suggestions.

(I'd also add, check you have a Kerberos ticket!)
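
To make the checks asked for in #6 and #8 concrete, here is an added shell helper. It is not part of Foreman, hammer or curl; the function names, the sample traces and the example.test hostname are this example's own. curl sends an "Authorization: Negotiate" token only after the server has answered with a "WWW-Authenticate: Negotiate" challenge, and the trace in #7 contains no such challenge, so the request went out unauthenticated and Foreman's own 401 came back. The helper classifies a saved "curl -v" trace on that basis, and also checks "curl -V" output for GSS-API/SPNEGO support and "klist" output for a ticket-granting ticket. The first sample trace is abridged from the capture in #7; the other samples are constructed.

```shell
#!/bin/sh
# Added diagnostic helpers for the SPNEGO question raised in this thread.
# Not part of Foreman, hammer or curl; all names here are this example's own.

# Classify a "curl -v" capture read from stdin. curl only sends an
# "Authorization: Negotiate" token after a server reply carrying
# "WWW-Authenticate: Negotiate", so three outcomes matter:
#   no-challenge         server never offered Negotiate (the path is not
#                        protected by the Kerberos/GSSAPI module)
#   challenge-no-token   server offered it, client never answered (no ticket,
#                        or curl built without GSS-API)
#   negotiate-attempted  a token was sent; the second response is the verdict
classify_negotiate() {
    capture=$(cat)
    if printf '%s\n' "$capture" | grep -qiE '^> *Authorization: *Negotiate'; then
        echo negotiate-attempted
    elif printf '%s\n' "$capture" | grep -qiE '^< *WWW-Authenticate: *Negotiate'; then
        echo challenge-no-token
    else
        echo no-challenge
    fi
}

# Does "curl -V" output (stdin) list GSS-API/SPNEGO support?
# Older builds print "GSS-Negotiate" in Features, newer ones "GSS-API SPNEGO".
curl_built_with_spnego() {
    grep -i '^Features:' | grep -qiE 'GSS-Negotiate|GSS-API|SPNEGO'
}

# Does "klist" output (stdin) show a ticket-granting ticket? Without one the
# GSS library cannot mint a token for the HTTP/<host> service.
klist_has_tgt() {
    grep -q 'krbtgt/'
}

# Sample 1: request/response lines abridged from the curl trace in #7.
# Note that no WWW-Authenticate header is present at all.
THREAD_CAPTURE='> GET /api/v2/users HTTP/1.1
> User-Agent: curl/7.35.0
> Host: foreman.sys.lab.com
> Accept: application/json
< HTTP/1.1 401 Unauthorized
< Server: Apache/2.2.15 (Red Hat)
< Status: 401 Unauthorized
< Content-Type: application/json; charset=utf-8'

# Sample 2 (constructed): what a Kerberos-protected path answers first.
CHALLENGE_CAPTURE='> GET /api/v2/users HTTP/1.1
> Host: foreman.example.test
< HTTP/1.1 401 Unauthorized
< WWW-Authenticate: Negotiate
< Content-Length: 0'

# Sample 3 (constructed): curl answered the challenge on the second round trip.
TOKEN_CAPTURE='< HTTP/1.1 401 Unauthorized
< WWW-Authenticate: Negotiate
> GET /api/v2/users HTTP/1.1
> Authorization: Negotiate YIIC...
< HTTP/1.1 200 OK'

# Constructed "curl -V" feature lines: one build with GSS, one without.
CURL_V_OLD='curl 7.35.0 (x86_64-pc-linux-gnu) libcurl/7.35.0 OpenSSL/1.0.1f
Features: AsynchDNS GSS-Negotiate IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP'
CURL_V_NOGSS='curl 7.35.0 (x86_64-pc-linux-gnu) libcurl/7.35.0 OpenSSL/1.0.1f
Features: AsynchDNS IPv6 Largefile SSL libz'

# Live checks against the local tools, skipped when they are not installed.
run_live_checks() {
    command -v curl >/dev/null 2>&1 && {
        if curl -V | curl_built_with_spnego; then echo "curl: SPNEGO support present"
        else echo "curl: no SPNEGO support, --negotiate cannot work"; fi
    }
    command -v klist >/dev/null 2>&1 && {
        if klist 2>/dev/null | klist_has_tgt; then echo "kerberos: TGT present"
        else echo "kerberos: no TGT, run kinit first"; fi
    }
    return 0
}

run_live_checks
printf 'trace from #7 classified as: %s\n' "$(printf '%s\n' "$THREAD_CAPTURE" | classify_negotiate)"

# Usage against a real server (curl -v writes its trace to stderr; "-u :" tells
# curl to use the Kerberos ticket rather than a password):
#   curl -sv --negotiate -u : https://foreman.example.test/api/v2/users 2>&1 | classify_negotiate
```

Run it after "kinit": if the live checks pass but a real trace still classifies as "no-challenge", the problem is on the httpd side (the Kerberos module is not covering the API path), not in the client; if it classifies as "challenge-no-token", look at the client ticket and curl build first.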

#9 Updated by Nagarjuna Rachaneni over 1 year ago

There is no entry in /var/log/httpd/error_log for this API request

#10 Updated by Nagarjuna Rachaneni over 1 year ago

FYI, I checked the Foreman code and it is failing in the code below (User model, try_to_login method):

user = unscoped.find_by_login(login) --> this returns a user object

user.auth_source.authenticate(login, password) --> this returns nil

#11 Updated by Dominic Cleal over 1 year ago

  • Tracker changed from Bug to Support
  • Category set to Authentication

Sure, if the client isn't performing GSS/SPNEGO with httpd then Foreman won't be able to authenticate it. As I've said already, I don't think it is.

#12 Updated by Dominic Cleal over 1 year ago

  • Related to Feature #8923: Ability to use Negotiate/Kerberos authentication to API and hammer added

#13 Updated by Marek Hulán 7 months ago

  • Tracker changed from Support to Feature
  • Target version set to Team Marek backlog
  • Bugzilla link set to 1266407

#14 Updated by Marek Hulán 4 months ago

  • Assigned To set to Tomáš Strachota
  • Target version changed from Team Marek backlog to Team Marek Iteration 7

#15 Updated by Marek Hulán 3 months ago

  • Target version changed from Team Marek Iteration 7 to Team Marek backlog
