Hammer CLI

Hi,

I have an external authentication via FreeIPA and it works nice for foreman web UI.

When i use hammer (or any tool based on REST API) FreeIPA user is not autorized. Local foreman users with same rights and permissions work just fine.

Regards,

I can't think why this would be, it should work identically. Could you perhaps attach your production.log showing both a normal UI login and API access with the same user account? With debugging enabled would be most useful: http://projects.theforeman.org/projects/foreman/wiki/Troubleshooting#How-do-I-enable-debugging

Dominic Cleal wrote:

I can't think why this would be, it should work identically. Could you perhaps attach your production.log showing both a normal UI login and API access with the same user account? With debugging enabled would be most useful: http://projects.theforeman.org/projects/foreman/wiki/Troubleshooting#How-do-I-enable-debugging

Here is my log output for both web login and API access

Web login log output

Started POST "/users/login" for 172.30.46.181 at 2015-08-10 12:05:03 +0200
2015-08-10 12:05:03 [I] Processing by UsersController#login as HTML
2015-08-10 12:05:03 [I]   Parameters: {"utf8"=>"✓", "authenticity_token"=>"UBXIr5IocdR2bUNBOtfAsENgTZ5IsCSulHZ7RqExrIc=", "login"=>{"login"=>"nagarjunar", "password"=>"[FILTERED]"}, "commit"=>"Login"}
2015-08-10 12:05:03 [D] Setting current user thread-local variable to nil
2015-08-10 12:05:03 [D]   Setting Load (0.3ms)  SELECT "settings".* FROM "settings" WHERE "settings"."name" = 'authorize_login_delegation_auth_source_user_autocreate' ORDER BY name LIMIT 1
2015-08-10 12:05:03 [D]   AuthSource Load (0.6ms)  SELECT "auth_sources".* FROM "auth_sources" WHERE "auth_sources"."name" = 'External' LIMIT 1
2015-08-10 12:05:03 [D]   User Load (0.4ms)  SELECT "users".* FROM "users" WHERE "users"."lower_login" = 'nagarjunar' LIMIT 1
2015-08-10 12:05:03 [D]    (0.4ms)  SELECT usergroup_id FROM "external_usergroups" WHERE "external_usergroups"."auth_source_id" = 3
2015-08-10 12:05:03 [D]   ExternalUsergroup Load (0.3ms)  SELECT "external_usergroups".* FROM "external_usergroups" WHERE "external_usergroups"."auth_source_id" = 3 AND "external_usergroups"."name" IS NULL
2015-08-10 12:05:03 [D]   Usergroup Load (0.7ms)  SELECT "usergroups".* FROM "usergroups" INNER JOIN "usergroup_members" ON "usergroups"."id" = "usergroup_members"."usergroup_id" WHERE "usergroup_members"."member_id" = 19 AND "usergroup_members"."member_type" = 'User' AND (usergroups.id NOT IN (1)) ORDER BY usergroups.name
2015-08-10 12:05:03 [D]    (0.1ms)  BEGIN
2015-08-10 12:05:03 [D]    (0.3ms)  SELECT COUNT(*) FROM "auth_sources" WHERE "auth_sources"."type" IN ('AuthSourceHidden') AND "auth_sources"."id" = 3
2015-08-10 12:05:03 [D]   User Exists (0.5ms)  SELECT 1 AS one FROM "users" WHERE (LOWER("users"."login") = LOWER('nagarjunar') AND "users"."id" != 19) LIMIT 1
2015-08-10 12:05:03 [D]   AuthSource Load (0.3ms)  SELECT "auth_sources".* FROM "auth_sources" WHERE "auth_sources"."id" = 3 LIMIT 1
2015-08-10 12:05:03 [D]   Usergroup Load (0.2ms)  SELECT "usergroups".* FROM "usergroups" ORDER BY usergroups.name
2015-08-10 12:05:04 [I] Expire fragment views/tabs_and_title_records-19 (0.7ms)
2015-08-10 12:05:04 [D]   Role Load (0.4ms)  SELECT "roles".* FROM "roles" WHERE "roles"."name" = 'Anonymous' LIMIT 1
2015-08-10 12:05:04 [D]    (0.7ms)  SELECT "roles".id FROM "roles" INNER JOIN "user_roles" ON "roles"."id" = "user_roles"."role_id" WHERE "user_roles"."owner_id" = 19 AND "user_roles"."owner_type" = 'User'
2015-08-10 12:05:04 [D]    (0.1ms)  COMMIT
2015-08-10 12:05:04 [D]   Usergroup Load (0.4ms)  SELECT "usergroups".* FROM "usergroups" INNER JOIN "usergroup_members" ON "usergroups"."id" = "usergroup_members"."usergroup_id" WHERE "usergroup_members"."member_id" = 19 AND "usergroup_members"."member_type" = 'User' ORDER BY usergroups.name
2015-08-10 12:05:04 [D]    (0.1ms)  BEGIN
2015-08-10 12:05:04 [D]    (0.1ms)  COMMIT
2015-08-10 12:05:04 [D]   AuthSourceHidden Load (0.3ms)  SELECT "auth_sources".* FROM "auth_sources" WHERE "auth_sources"."type" IN ('AuthSourceHidden')
2015-08-10 12:05:04 [D]   User Load (0.5ms)  SELECT "users".* FROM "users" WHERE "users"."lower_login" = 'nagarjunar' AND (users.auth_source_id <> 2) ORDER BY firstname LIMIT 1
2015-08-10 12:05:04 [I] Redirected to https://foreman.sys.lab.com/hosts
2015-08-10 12:05:04 [I] Completed 302 Found in 300ms (ActiveRecord: 13.4ms)
2015-08-10 12:05:04 [I] 

CURL command

curl -k -u 'nagarjunar:******' -H 'Accept: application/json' 'https://foreman.sys.lab.com/api/v2/users' -d 'search=login=nagarjunar' -X GET

output

{
  "error": {"message":"Unable to authenticate user nagarjunar"}
}

Log output

Started GET "/api/v2/users" for 172.30.46.181 at 2015-08-10 12:05:44 +0200
2015-08-10 12:05:44 [I] Processing by Api::V2::UsersController#index as JSON
2015-08-10 12:05:44 [I]   Parameters: {"search"=>"login=nagarjunar", "apiv"=>"v2"}
2015-08-10 12:05:44 [D]   Setting Load (0.9ms)  SELECT "settings".* FROM "settings" WHERE "settings"."name" = 'authorize_login_delegation_api' ORDER BY name LIMIT 1
2015-08-10 12:05:44 [D]   User Load (0.7ms)  SELECT "users".* FROM "users" WHERE "users"."lower_login" = 'nagarjunar' LIMIT 1
2015-08-10 12:05:44 [D]   AuthSource Load (0.6ms)  SELECT "auth_sources".* FROM "auth_sources" WHERE "auth_sources"."id" = 3 LIMIT 1
2015-08-10 12:05:44 [D] Failed to authenticate Nagarjuna Rachaneni against EXTERNAL authentication source
2015-08-10 12:05:44 [I] invalid user
2015-08-10 12:05:44 [D] Setting current user thread-local variable to nil
2015-08-10 12:05:44 [W] SSO failed
2015-08-10 12:05:44 [I]   Rendered api/v2/errors/unauthorized.json.rabl within api/v2/layouts/error_layout (2.1ms)
2015-08-10 12:05:44 [I] Filter chain halted as :authorize rendered or redirected
2015-08-10 12:05:44 [I] Completed 401 Unauthorized in 28ms (Views: 10.0ms | ActiveRecord: 2.1ms)

No luck with curl --negotiate.

curl --negotiate -k -u 'nagarjunar:*****' -H 'Accept: application/json' 'https://foreman.sys.lab.ingenico.com/api/v2/users' -d 'search=login=nagarjunar' -X GET

{
 "error": {"message":"Unable to authenticate user "}
}

Try enabling curl's debug (e.g. -v or -i) to see if it's actually performing SPNEGO or if it's simply using HTTP basic auth. I don't think you should give a basic auth password if intending to use GSS. You probably also want to check that GSS is compiled in with -V.

httpd's error logs might also show you if there are issues with auth, and the access log ought to show if it's successful.

Here is the curl debug output

curl -v --negotiate -k -u 'nagarjunar:******' -H 'Accept: application/json' 'https://foreman.sys.lab.com/api/v2/users' -d 'search=login=nagarjunar' -X GET 

* Hostname was NOT found in DNS cache
*   Trying 172.24.15.7...
* Connected to foreman.sys.lab.com (172.24.15.7) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Request CERT (13):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-AES256-GCM-SHA384
* Server certificate:
*      subject: CN=foreman.sys.lab.com
*      start date: 2015-05-20 19:54:03 GMT
*      expire date: 2020-05-19 19:54:03 GMT
*      issuer: CN=Puppet CA: foreman.sys.lab.com
*      SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
> GET /api/v2/users HTTP/1.1
> User-Agent: curl/7.35.0
> Host: foreman.sys.lab.com
> Accept: application/json
> Content-Length: 23
> Content-Type: application/x-www-form-urlencoded
> 
* upload completely sent off: 23 out of 23 bytes
< HTTP/1.1 401 Unauthorized
< Date: Tue, 11 Aug 2015 07:16:19 GMT
* Server Apache/2.2.15 (Red Hat) is not blacklisted
< Server: Apache/2.2.15 (Red Hat)
< Apipie-Checksum: e7ccfeaaa230ae3cfae6bdf538f049e0
< X-UA-Compatible: IE=Edge,chrome=1
< Cache-Control: no-cache
< X-Request-Id: a6901fd4e0cb8d46236a98be3eea26a0
< X-Runtime: 0.012590
< X-Rack-Cache: miss
< X-Powered-By: Phusion Passenger 4.0.18
< Set-Cookie: request_method=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT
< Status: 401 Unauthorized
< Connection: close
< Transfer-Encoding: chunked
< Content-Type: application/json; charset=utf-8
< 
{
  "error": {"message":"Unable to authenticate user "}
}
* Closing connection 0
* SSLv3, TLS alert, Client hello (1):

Nothing there that suggests it's doing either SPNEGO or even HTTP basic auth to me, do you agree? I'd have a look again at my last suggestions.

(I'd also add, check you have a Kerberos ticket!)

There is no entry in /var/log/httpd/error_log for this API request

FYI. I checked the foreman code and it getting failed in below code(User model try_to_login method)

user = unscoped.find_by_login(login) --> this returning user object

user.auth_source.authenticate(login, password) --> This returning nil