Project

General

Profile

Actions

Feature #11317

closed

Hammer + external authentication via FreeIPA

Added by Iakov Gan over 8 years ago. Updated about 1 year ago.

Status:
Closed
Priority:
Normal
Category:
-
Target version:
-
Difficulty:
Triaged:
Yes
Team Backlog:
Found in Releases:
In Kanboard:

Description

Hi,

I have an external authentication via FreeIPA and it works nice for foreman web UI.

When i use hammer (or any tool based of REST API) FreeIPA user is not autorized. Local foreman users with same rights and permissions work just fine.

Regards,


Related issues 2 (1 open1 closed)

Related to Hammer CLI - Feature #8923: Ability to use Negotiate/Kerberos authentication to API and hammerClosedOndřej EzrActions
Blocked by Foreman - Feature #21765: Add support for FreeIPA external authentication source to the APINewActions
Actions #1

Updated by Iakov Gan over 8 years ago

Hi,

I have an external authentication via FreeIPA and it works nice for foreman web UI.

When i use hammer (or any tool based on REST API) FreeIPA user is not autorized. Local foreman users with same rights and permissions work just fine.

Regards,

Actions #2

Updated by Dominic Cleal over 8 years ago

I can't think why this would be, it should work identically. Could you perhaps attach your production.log showing both a normal UI login and API access with the same user account? With debugging enabled would be most useful: http://projects.theforeman.org/projects/foreman/wiki/Troubleshooting#How-do-I-enable-debugging

Actions #3

Updated by Nagarjuna Rachaneni over 8 years ago

Dominic Cleal wrote:

I can't think why this would be, it should work identically. Could you perhaps attach your production.log showing both a normal UI login and API access with the same user account? With debugging enabled would be most useful: http://projects.theforeman.org/projects/foreman/wiki/Troubleshooting#How-do-I-enable-debugging

Here is my log output for both web login and API access

Web login log output

Started POST "/users/login" for 172.30.46.181 at 2015-08-10 12:05:03 +0200
2015-08-10 12:05:03 [I] Processing by UsersController#login as HTML
2015-08-10 12:05:03 [I]   Parameters: {"utf8"=>"✓", "authenticity_token"=>"UBXIr5IocdR2bUNBOtfAsENgTZ5IsCSulHZ7RqExrIc=", "login"=>{"login"=>"nagarjunar", "password"=>"[FILTERED]"}, "commit"=>"Login"}
2015-08-10 12:05:03 [D] Setting current user thread-local variable to nil
2015-08-10 12:05:03 [D]   Setting Load (0.3ms)  SELECT "settings".* FROM "settings" WHERE "settings"."name" = 'authorize_login_delegation_auth_source_user_autocreate' ORDER BY name LIMIT 1
2015-08-10 12:05:03 [D]   AuthSource Load (0.6ms)  SELECT "auth_sources".* FROM "auth_sources" WHERE "auth_sources"."name" = 'External' LIMIT 1
2015-08-10 12:05:03 [D]   User Load (0.4ms)  SELECT "users".* FROM "users" WHERE "users"."lower_login" = 'nagarjunar' LIMIT 1
2015-08-10 12:05:03 [D]    (0.4ms)  SELECT usergroup_id FROM "external_usergroups" WHERE "external_usergroups"."auth_source_id" = 3
2015-08-10 12:05:03 [D]   ExternalUsergroup Load (0.3ms)  SELECT "external_usergroups".* FROM "external_usergroups" WHERE "external_usergroups"."auth_source_id" = 3 AND "external_usergroups"."name" IS NULL
2015-08-10 12:05:03 [D]   Usergroup Load (0.7ms)  SELECT "usergroups".* FROM "usergroups" INNER JOIN "usergroup_members" ON "usergroups"."id" = "usergroup_members"."usergroup_id" WHERE "usergroup_members"."member_id" = 19 AND "usergroup_members"."member_type" = 'User' AND (usergroups.id NOT IN (1)) ORDER BY usergroups.name
2015-08-10 12:05:03 [D]    (0.1ms)  BEGIN
2015-08-10 12:05:03 [D]    (0.3ms)  SELECT COUNT(*) FROM "auth_sources" WHERE "auth_sources"."type" IN ('AuthSourceHidden') AND "auth_sources"."id" = 3
2015-08-10 12:05:03 [D]   User Exists (0.5ms)  SELECT 1 AS one FROM "users" WHERE (LOWER("users"."login") = LOWER('nagarjunar') AND "users"."id" != 19) LIMIT 1
2015-08-10 12:05:03 [D]   AuthSource Load (0.3ms)  SELECT "auth_sources".* FROM "auth_sources" WHERE "auth_sources"."id" = 3 LIMIT 1
2015-08-10 12:05:03 [D]   Usergroup Load (0.2ms)  SELECT "usergroups".* FROM "usergroups" ORDER BY usergroups.name
2015-08-10 12:05:04 [I] Expire fragment views/tabs_and_title_records-19 (0.7ms)
2015-08-10 12:05:04 [D]   Role Load (0.4ms)  SELECT "roles".* FROM "roles" WHERE "roles"."name" = 'Anonymous' LIMIT 1
2015-08-10 12:05:04 [D]    (0.7ms)  SELECT "roles".id FROM "roles" INNER JOIN "user_roles" ON "roles"."id" = "user_roles"."role_id" WHERE "user_roles"."owner_id" = 19 AND "user_roles"."owner_type" = 'User'
2015-08-10 12:05:04 [D]    (0.1ms)  COMMIT
2015-08-10 12:05:04 [D]   Usergroup Load (0.4ms)  SELECT "usergroups".* FROM "usergroups" INNER JOIN "usergroup_members" ON "usergroups"."id" = "usergroup_members"."usergroup_id" WHERE "usergroup_members"."member_id" = 19 AND "usergroup_members"."member_type" = 'User' ORDER BY usergroups.name
2015-08-10 12:05:04 [D]    (0.1ms)  BEGIN
2015-08-10 12:05:04 [D]    (0.1ms)  COMMIT
2015-08-10 12:05:04 [D]   AuthSourceHidden Load (0.3ms)  SELECT "auth_sources".* FROM "auth_sources" WHERE "auth_sources"."type" IN ('AuthSourceHidden')
2015-08-10 12:05:04 [D]   User Load (0.5ms)  SELECT "users".* FROM "users" WHERE "users"."lower_login" = 'nagarjunar' AND (users.auth_source_id <> 2) ORDER BY firstname LIMIT 1
2015-08-10 12:05:04 [I] Redirected to https://foreman.sys.lab.com/hosts
2015-08-10 12:05:04 [I] Completed 302 Found in 300ms (ActiveRecord: 13.4ms)
2015-08-10 12:05:04 [I] 

CURL command

curl -k -u 'nagarjunar:******' -H 'Accept: application/json' 'https://foreman.sys.lab.com/api/v2/users' -d 'search=login=nagarjunar' -X GET

output

{
  "error": {"message":"Unable to authenticate user nagarjunar"}
}

Log output

Started GET "/api/v2/users" for 172.30.46.181 at 2015-08-10 12:05:44 +0200
2015-08-10 12:05:44 [I] Processing by Api::V2::UsersController#index as JSON
2015-08-10 12:05:44 [I]   Parameters: {"search"=>"login=nagarjunar", "apiv"=>"v2"}
2015-08-10 12:05:44 [D]   Setting Load (0.9ms)  SELECT "settings".* FROM "settings" WHERE "settings"."name" = 'authorize_login_delegation_api' ORDER BY name LIMIT 1
2015-08-10 12:05:44 [D]   User Load (0.7ms)  SELECT "users".* FROM "users" WHERE "users"."lower_login" = 'nagarjunar' LIMIT 1
2015-08-10 12:05:44 [D]   AuthSource Load (0.6ms)  SELECT "auth_sources".* FROM "auth_sources" WHERE "auth_sources"."id" = 3 LIMIT 1
2015-08-10 12:05:44 [D] Failed to authenticate Nagarjuna Rachaneni against EXTERNAL authentication source
2015-08-10 12:05:44 [I] invalid user
2015-08-10 12:05:44 [D] Setting current user thread-local variable to nil
2015-08-10 12:05:44 [W] SSO failed
2015-08-10 12:05:44 [I]   Rendered api/v2/errors/unauthorized.json.rabl within api/v2/layouts/error_layout (2.1ms)
2015-08-10 12:05:44 [I] Filter chain halted as :authorize rendered or redirected
2015-08-10 12:05:44 [I] Completed 401 Unauthorized in 28ms (Views: 10.0ms | ActiveRecord: 2.1ms)
Actions #4

Updated by Dominic Cleal over 8 years ago

  • Project changed from Hammer CLI to Foreman

Ah sorry, I misunderstood and thought you meant LDAP, but this is "external", i.e. Apache + Kerberos.

Then yes, using HTTP basic auth against the API isn't going to work - you'd need to actually use SPNEGO/GSS. You could try "curl --negotiate" and see if that works, see the man page too for more details.

If that's working, then it might be possible to add to Hammer/rest-client somehow.

Actions #5

Updated by Nagarjuna Rachaneni over 8 years ago

No luck with curl --negotiate.

curl --negotiate -k -u 'nagarjunar:*****' -H 'Accept: application/json' 'https://foreman.sys.lab.ingenico.com/api/v2/users' -d 'search=login=nagarjunar' -X GET

{
 "error": {"message":"Unable to authenticate user "}
}
Actions #6

Updated by Dominic Cleal over 8 years ago

Try enabling curl's debug (e.g. -v or -i) to see if it's actually performing SPNEGO or if it's simply using HTTP basic auth. I don't think you should give a basic auth password if intending to use GSS. You probably also want to check that GSS is compiled in with -V.

httpd's error logs might also show you if there are issues with auth, and the access log ought to show if it's successful.

Actions #7

Updated by Nagarjuna Rachaneni over 8 years ago

Here is the curl debug output


curl -v --negotiate -k -u 'nagarjunar:******' -H 'Accept: application/json' 'https://foreman.sys.lab.com/api/v2/users' -d 'search=login=nagarjunar' -X GET 

* Hostname was NOT found in DNS cache
*   Trying 172.24.15.7...
* Connected to foreman.sys.lab.com (172.24.15.7) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Request CERT (13):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-AES256-GCM-SHA384
* Server certificate:
*      subject: CN=foreman.sys.lab.com
*      start date: 2015-05-20 19:54:03 GMT
*      expire date: 2020-05-19 19:54:03 GMT
*      issuer: CN=Puppet CA: foreman.sys.lab.com
*      SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
> GET /api/v2/users HTTP/1.1
> User-Agent: curl/7.35.0
> Host: foreman.sys.lab.com
> Accept: application/json
> Content-Length: 23
> Content-Type: application/x-www-form-urlencoded
> 
* upload completely sent off: 23 out of 23 bytes
< HTTP/1.1 401 Unauthorized
< Date: Tue, 11 Aug 2015 07:16:19 GMT
* Server Apache/2.2.15 (Red Hat) is not blacklisted
< Server: Apache/2.2.15 (Red Hat)
< Apipie-Checksum: e7ccfeaaa230ae3cfae6bdf538f049e0
< X-UA-Compatible: IE=Edge,chrome=1
< Cache-Control: no-cache
< X-Request-Id: a6901fd4e0cb8d46236a98be3eea26a0
< X-Runtime: 0.012590
< X-Rack-Cache: miss
< X-Powered-By: Phusion Passenger 4.0.18
< Set-Cookie: request_method=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT
< Status: 401 Unauthorized
< Connection: close
< Transfer-Encoding: chunked
< Content-Type: application/json; charset=utf-8
< 
{
  "error": {"message":"Unable to authenticate user "}
}
* Closing connection 0
* SSLv3, TLS alert, Client hello (1):

Actions #8

Updated by Dominic Cleal over 8 years ago

Nothing there that suggests it's doing either SPNEGO or even HTTP basic auth to me, do you agree? I'd have a look again at my last suggestions.

(I'd also add, check you have a Kerberos ticket!)

Actions #9

Updated by Nagarjuna Rachaneni over 8 years ago

There is no entry in /var/log/httpd/error_log for this API request

Actions #10

Updated by Nagarjuna Rachaneni over 8 years ago

FYI. I checked the foreman code and it getting failed in below code(User model try_to_login method)

user = unscoped.find_by_login(login) --> this returning user object

user.auth_source.authenticate(login, password) --> This returning nil

Actions #11

Updated by Dominic Cleal over 8 years ago

  • Tracker changed from Bug to Support
  • Category set to Authentication

Sure, if the client isn't performing GSS/SPNEGO with httpd then Foreman won't be able to authenticate it. As I've said already, I don't think it is.

Actions #12

Updated by Dominic Cleal over 8 years ago

  • Related to Feature #8923: Ability to use Negotiate/Kerberos authentication to API and hammer added
Actions #13

Updated by Marek Hulán over 7 years ago

  • Tracker changed from Support to Feature
  • Target version set to 115
  • Bugzilla link set to 1266407
Actions #14

Updated by Marek Hulán over 7 years ago

  • Assignee set to Tomáš Strachota
  • Target version changed from 115 to 1.10.1
Actions #15

Updated by Marek Hulán over 7 years ago

  • Target version changed from 1.10.1 to 115
Actions #16

Updated by Tomer Brisker over 6 years ago

  • Blocked by Feature #21765: Add support for FreeIPA external authentication source to the API added
Actions #17

Updated by Tomáš Strachota over 5 years ago

  • Assignee deleted (Tomáš Strachota)
  • Triaged set to No
Actions #18

Updated by Ondřej Ezr about 3 years ago

  • Triaged changed from No to Yes

I believe this is duplicate for #8923

Actions #19

Updated by Oleh Fedorenko about 1 year ago

  • Project changed from Foreman to Hammer CLI
  • Category deleted (Authentication)
  • Status changed from New to Assigned
  • Assignee set to Oleh Fedorenko
  • Found in Releases deleted (1.8.1)
Actions #20

Updated by The Foreman Bot about 1 year ago

  • Status changed from Assigned to Ready For Testing
  • Pull request https://github.com/theforeman/hammer-cli-foreman/pull/609 added
Actions #21

Updated by The Foreman Bot about 1 year ago

  • Fixed in Releases hammer-cli-foreman-3.6.0 added
Actions #22

Updated by Oleh Fedorenko about 1 year ago

  • Status changed from Ready For Testing to Closed
Actions #23

Updated by Oleh Fedorenko about 1 year ago

  • Fixed in Releases hammer-cli-foreman-3.5.1 added
Actions

Also available in: Atom PDF