
Bug #35473

Kerberos authentication fails for POST, PUT and DELETE api calls

Added by Oleh Fedorenko 3 months ago. Updated about 1 month ago.

Status:
Closed
Priority:
Normal
Category:
Authentication
Target version:
Fixed in Releases:
Found in Releases:
Red Hat JIRA:

Description

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=2122617

Description of problem:
POST, PUT and DELETE calls fail with "Unable to authenticate user" when using kerberos authentication. At the same time, GET calls pass without any issues.

Version-Release number of selected component (if applicable):
6.12.0 snap 8

How reproducible:
always

Steps to Reproduce:
1. Have a Satellite configured for Kerberos authentication.
2. Run kinit <someuser> to get a ticket.
3. Call /extlogin to get a session_id and store it in a cookie file:
   curl -k -c cookies.txt -u : --negotiate https://satellite.redhat.com/users/extlogin
4. Using the cookie file, try a GET call to some endpoint; it works:
   curl -b cookies.txt -H "Accept:application/json,version=2" -H "Content-Type:application/json" -X GET -k https://satellite.redhat.com/api/architectures
5. Using the same cookie file, try a POST/PUT/DELETE call to create/update/delete an entity:
   curl -b cookies.txt -H "Accept:application/json,version=2" -H "Content-Type:application/json" -X POST -d '{"name":"8051"}' -k https://satellite.redhat.com/api/architectures

Actual results:

It fails with this response:
{
  "error": {"message":"Unable to authenticate user "}
}

In the production log we can see:
2022-08-30T04:38:23 [I|app|0dd98e4b] Started POST "/api/architectures" for 10.11.12.13 at 2022-08-30 04:38:23 -0400
2022-08-30T04:38:23 [I|app|0dd98e4b] Processing by Api::V2::ArchitecturesController#create as JSON
2022-08-30T04:38:23 [I|app|0dd98e4b] Parameters: {"name"=>"8051", "apiv"=>"v2", "architecture"=>{"name"=>"8051"}}
2022-08-30T04:38:23 [W|app|0dd98e4b] Can't verify CSRF token authenticity.
2022-08-30T04:38:23 [I|app|0dd98e4b] Rendering api/v2/errors/unauthorized.json.rabl within api/v2/layouts/error_layout
2022-08-30T04:38:23 [I|app|0dd98e4b] Rendered api/v2/errors/unauthorized.json.rabl within api/v2/layouts/error_layout (Duration: 6.9ms | Allocations: 6931)
2022-08-30T04:38:23 [I|app|0dd98e4b] Filter chain halted as :authorize rendered or redirected
2022-08-30T04:38:23 [I|app|0dd98e4b] Completed 401 Unauthorized in 14ms (Views: 11.1ms | ActiveRecord: 0.5ms | Allocations: 13914)

Expected results:
Successful authentication, entity created/updated/deleted

Additional info:
This issue impacts the hammer CLI functionality too.
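A small log triage helper, added here as an example (it is not part of Foreman or of this ticket), that tells this CSRF-induced 401 apart from a genuine Kerberos or session failure by grouping production.log lines by request id; the sample log lines are constructed after the ones quoted above, and the request id a1b2c3d4 is invented.

```shell
#!/bin/sh
# Triage a Foreman production.log for the failure in this bug: a session
# obtained from /users/extlogin works for GET, but any non-GET request is
# rejected with "Can't verify CSRF token authenticity" followed by 401.
# Prints one line per request id: ID METHOD PATH STATUS VERDICT
triage_log() {
  awk '
    {
      # request id is the third part of the [level|app|id] tag
      split($2, tag, "|"); id = tag[3]; sub(/\]$/, "", id)
    }
    $3 == "Started"   { method[id] = $4; path[id] = $5; gsub(/"/, "", path[id]) }
    /CSRF token authenticity/ { csrf[id] = 1 }
    $3 == "Completed" { status[id] = $4 }
    END {
      for (id in method) {
        if (status[id] == 401 && csrf[id] && method[id] != "GET")
          verdict = "CSRF_BLOCKED_UI_SESSION"   # this bug: UI session used on API
        else if (status[id] == 401)
          verdict = "AUTH_FAILED"               # genuine authentication failure
        else if (status[id] ~ /^2/)
          verdict = "OK"
        else
          verdict = "OTHER"
        print id, method[id], path[id], status[id], verdict
      }
    }' "$1" | sort
}

# Verdict for a single request id (empty if the id is not in the log).
verdict_for() { triage_log "$1" | awk -v id="$2" '$1 == id { print $5 }'; }

# Constructed sample log: one GET that succeeds, one POST that hits the bug.
sample_log() {
  cat <<'EOF'
2022-08-30T04:38:10 [I|app|a1b2c3d4] Started GET "/api/architectures" for 10.11.12.13 at 2022-08-30 04:38:10 -0400
2022-08-30T04:38:10 [I|app|a1b2c3d4] Completed 200 OK in 20ms (Views: 10.0ms | ActiveRecord: 2.0ms | Allocations: 9000)
2022-08-30T04:38:23 [I|app|0dd98e4b] Started POST "/api/architectures" for 10.11.12.13 at 2022-08-30 04:38:23 -0400
2022-08-30T04:38:23 [W|app|0dd98e4b] Can't verify CSRF token authenticity.
2022-08-30T04:38:23 [I|app|0dd98e4b] Filter chain halted as :authorize rendered or redirected
2022-08-30T04:38:23 [I|app|0dd98e4b] Completed 401 Unauthorized in 14ms (Views: 11.1ms | ActiveRecord: 0.5ms | Allocations: 13914)
EOF
}

# Usage: triage_log /var/log/foreman/production.log; demo on the sample below.
demo_log=$(mktemp); sample_log > "$demo_log"
triage_log "$demo_log"
rm -f "$demo_log"
```

A non-GET request that ends in CSRF_BLOCKED_UI_SESSION means the client authenticated fine but reused a UI session on the API, which is exactly the case this ticket fixes.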

Associated revisions

Revision 32884e54 (diff)
Added by Oleh Fedorenko about 1 month ago

Fixes #35473 - Add extlogin API endpoint

/users/extlogin endpoint is designed for UI interaction, thus
using this endpoint to create a session to be used via API will
fail with "Can't verify CSRF token authenticity" for any method
except GET. We need to have a separate endpoint to create a proper
session to be used via API.

Revision 60d07bdb (diff)
Added by Oleh Fedorenko about 1 month ago

Refs #35473 - Configure Apache for API extlogin

History

#1 Updated by Oleh Fedorenko 3 months ago

  • Assignee set to Oleh Fedorenko
  • Status changed from New to Assigned

#2 Updated by The Foreman Bot 3 months ago

  • Status changed from Assigned to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/9406 added

#3 Updated by The Foreman Bot 3 months ago

  • Pull request https://github.com/theforeman/puppet-foreman/pull/1083 added

#4 Updated by Ewoud Kohl van Wijngaarden about 1 month ago

  • Triaged changed from No to Yes
  • Target version set to 3.5.0

#5 Updated by The Foreman Bot about 1 month ago

  • Fixed in Releases 3.5.0 added

#6 Updated by Oleh Fedorenko about 1 month ago

  • Status changed from Ready For Testing to Closed
